Up to now in this series of blog posts on cybersecurity for industrial companies across the Middle East, I’ve been looking at the evolving challenges confronting Chief Information Security Officers (CISOs) in these organizations—and suggesting how they may overcome these challenges.
Now, in this fourth blog, I want to focus on why zero-trust architectures (ZTAs) may have a vital role to play in the operational technology (OT) world. I’ll also be looking at how to manage the challenges that can arise when CISOs seek to translate ZTAs from an IT to an OT world.
Understanding zero-trust
First of all, let me explain what we mean by zero-trust architectures. At their heart, these are cybersecurity models that diverge from classical perimeter-based approaches that try to separate an organization from the outside world.
Instead of being grounded in the presumption that internal networks (within the perimeter, protected by firewalls and barriers) are secure, while those outside the perimeter are not, ZTAs describe secure architectures where no resource—inside or outside the perimeter—is trusted.
This means every device, user, service and application, regardless of its location, is considered non-trustworthy, until proven otherwise. Communications between them are tightly controlled, and every session must be mutually authenticated between endpoints.
Users only get access to resources with the minimum privileges required, with additional factors such as software versions, time of request, installed credentials, and so on, all taken into account.
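To make the access decision described above concrete, here is a minimal policy check, added as an illustration and not taken from this blog series or from any vendor product. The role names, resources, minimum software version and permitted hours are all assumptions; note that network location is recorded on the request but never used to grant trust.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy values: every name and number here is an assumption.
MIN_SOFTWARE_VERSION = (2, 4, 0)
ALLOWED_HOURS = (time(6, 0), time(20, 0))
# Least privilege: a role maps to the only (resource, action) pairs it may use.
ROLE_GRANTS = {
    "operator": {("historian-db", "read")},
    "engineer": {("historian-db", "read"), ("plc-config", "write")},
}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    action: str
    mutually_authenticated: bool   # both endpoints proved their identity
    credential_installed: bool     # device holds the expected credential
    software_version: tuple
    requested_at: datetime
    inside_perimeter: bool         # recorded, but never used to grant trust


def decide(req: AccessRequest):
    """Return (allowed, reasons). Nothing is trusted until every check passes."""
    reasons = []
    if not req.mutually_authenticated:
        reasons.append("session not mutually authenticated")
    if not req.credential_installed:
        reasons.append("expected credential not installed")
    if req.software_version < MIN_SOFTWARE_VERSION:
        reasons.append("software version below minimum")
    if not ALLOWED_HOURS[0] <= req.requested_at.time() <= ALLOWED_HOURS[1]:
        reasons.append("request outside permitted hours")
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        reasons.append("request exceeds the role's minimum privileges")
    return (not reasons, reasons)


# Constructed sample requests.
BASE = dict(role="operator", resource="historian-db", action="read",
            mutually_authenticated=True, credential_installed=True,
            software_version=(2, 5, 1),
            requested_at=datetime(2024, 1, 15, 10, 30), inside_perimeter=False)
REMOTE_OK = AccessRequest(**BASE)
INTERNAL_STALE = AccessRequest(**{**BASE, "inside_perimeter": True,
                                  "software_version": (2, 3, 9)})
OVERREACH = AccessRequest(**{**BASE, "resource": "plc-config", "action": "write"})
```

The request from outside the perimeter is allowed because it passes every check, while the one from inside is refused for running outdated software: location alone earns nothing.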
ZTAs recognize that we’ve moved on from the days when the “crown jewels”—servers and databases—were physically located within the enterprise. Nowadays, boundaries aren't as clear-cut as they used to be. Networks are more interconnected, more complex and more dynamic. And of course, we have the cloud. So organizations don’t necessarily always know (or need to know) where their data and assets are located.
ZTAs bundle together a lot of well-established security principles and practices. But they do it for the really complex IT environments that most large organizations operate with. And there are plenty of vendors out in the market who can help put together holistic packages of solutions that make zero-trust in the IT environment a reality. But for OT it’s a more complex proposition.