As the world pivots towards remote working, and as governments and organisations alike digitally transform, valuable data is being shared in the digital space at an unprecedented rate.

The proliferation of mobile devices and cloud technologies has also made systems more interconnected and made network access available from anywhere. This means that cybersecurity will have to be more dependable than ever.

While traditional network security operates on the assumption that everything within an organisation’s network is trustworthy, this can sometimes leave the system exposed if it is infiltrated. This is where Zero Trust comes in.

Zero Trust is a model that has become increasingly mainstream in recent years. It assumes by default that a system can always be breached, and it operates under a simple principle: Never Trust, Always Verify. In a system built around the Zero Trust model, all access to the different layers of the system has to be authenticated.

Zero Trust is anchored on three key pillars: Infrastructure, Data, and Identity. Infrastructure ensures that the network flow always remains encrypted, while a data-centric approach ensures that information remains secure through the likes of tokenisation and encryption.

But in this piece, we will zoom in on Identity as a critical challenge for users of Zero Trust regimes. As the first line of defence, Identity can potentially be exploited by attackers to obtain sensitive data. The 2020 SolarWinds cyberattack is one example of this: hackers managed to breach SolarWinds’ Orion platform, which gave them access to almost any file and system of over 18,000 organisations worldwide.

Data breaches are getting increasingly expensive as more organisations pivot online in light of the COVID-19 pandemic. In 2021, the average cost of a data breach reached an all-time high of US$4.24 million. Establishing a good Identity programme is now more imperative than ever.

Forming Identity’s defensive perimeter

The Zero Trust approach to Identity requires two things: a robust identity access management programme and end-to-end data protection. Fulfilling both criteria requires five steps.

First, organisations need to begin with the first principle: identity is the first line of defence. This will ensure that all resources are accessed in a secure manner regardless of location and device. Today’s digital space has rendered corporate firewalls nearly irrelevant, as users can access a company’s network from just about anywhere. This is where a strong identity access management programme comes in for added security.

Second, the concept of least privilege must be enforced. This means applying the minimal level of user rights that will allow employees to fulfill their roles. Grant access to users strictly only on a ‘need-to-know’ basis.

The third step is to always verify. Using Multi-Factor Authentication (MFA) can be one way of ensuring that the information is being accessed by the right person. For example, this can be done through the use of software tokens and One-Time Passwords (OTPs).

Fourth, always inspect and log all network traffic. This can be done using the Continuous Adaptive Risk and Trust Assessment (CARTA) approach, which advocates complete visibility and constant monitoring of every online activity on the network. It ensures that potential anomalies can be pinpointed almost immediately, which reduces the risk of data breaches.

The fifth and final step is to design the network from inside out. This means dividing the system into separate segments, each with different access credentials. This enhances security, preventing unauthorised users from accessing the rest of the network even if one segment is breached.
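The five steps can be read as a single per-request decision: identity rather than network location, deny-by-default grants, recent MFA, a log entry for every verdict, and grants scoped to a segment. The sketch below is an added example, not code from the authors or from any product named in this article; the roles, segments and the 300-second MFA window are constructed assumptions.

```python
import logging
from dataclasses import dataclass
from typing import Optional, Tuple

log = logging.getLogger("access")

# Constructed policy: role -> (segment, action) grants. Anything absent is denied.
GRANTS = {
    "hr_analyst": {("hr", "read")},
    "hr_admin": {("hr", "read"), ("hr", "write")},
    "finance_analyst": {("finance", "read")},
}
MFA_MAX_AGE = 300  # seconds a successful MFA check stays valid (assumed value)


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    segment: str                # segment the requested resource lives in
    action: str
    mfa_time: Optional[float]   # epoch seconds of last successful MFA, None if never
    now: float                  # epoch seconds at which the request is evaluated


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request; network location is deliberately not an input."""
    if req.mfa_time is None or not (0 <= req.now - req.mfa_time <= MFA_MAX_AGE):
        verdict = (False, "mfa_required")       # step 3: always verify
    elif (req.segment, req.action) not in GRANTS.get(req.role, set()):
        verdict = (False, "not_granted")        # steps 2 and 5: least privilege per segment
    else:
        verdict = (True, "ok")
    # Step 4: every decision is logged, whether allowed or denied.
    log.info("user=%s role=%s segment=%s action=%s allow=%s reason=%s",
             req.user, req.role, req.segment, req.action, *verdict)
    return verdict


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed requests: same user, same session, different segments.
    decide(Request("alice", "hr_analyst", "hr", "read", 1000.0, 1100.0))
    decide(Request("alice", "hr_analyst", "finance", "read", 1000.0, 1100.0))
```

Because the grant lookup is keyed on segment as well as action, a valid session in one segment confers nothing in another.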

The Singapore government has recently announced that it will shift its cyber-security posture to adopt a Zero Trust approach, given the shift towards accessing government services digitally and towards the cloud in the last few years.

Already, it has applied some Zero Trust aspects to its National Digital Identity (NDI) system, which is part of an effort to make access to government and private sector services more convenient, as the country pursues a Smart Nation agenda powered by digital technology.

For instance, the NDI’s SingPass Mobile application features a strong authentication mechanism through the use of MFA. Each time a transaction needs to be made, users are required to log in via facial recognition or a passcode, in addition to scanning a QR code.

This is applied regardless of which services the user interacts with – as long as the NDI is accessed, verification is required. Going back to the house analogy, this simply means that even if you get past the gate, whenever you want to enter a room, someone inside will ask to see your identity before letting you in. This secures the entire house, room by room.

The first step is always the hardest

While Zero Trust Identity promises superior security, implementing it will require plenty of fundamental changes. This is a factor that may leave many organisations struggling to reconfigure the security tools they have.

For instance, enforcing the concept of least privilege requires constant commitment to the administrative process. As employees move into new roles or change locations within the organisation, access controls will need to be updated accordingly.

It may also impact productivity by preventing users from acquiring data needed for their work, or even impede work collaboration between colleagues if not all of them have access to files. This may be especially prevalent during the early stages of implementation.

Besides these technical requisites, there also needs to be a shift in perspectives towards security. This is especially pertinent in the Asia-Pacific region, where many workplace cultures are largely founded on trust. Many security leaders are concerned that having a Zero Trust approach could go against this principle.

In addition, the adoption of Zero Trust in APAC is being impeded by a ‘herd mentality’, where organisations only enact changes after seeing others do the same. There is also a lack of security staff in the region. As such, security leaders will need to work towards changing these perspectives and bolstering their personnel.

Laying the foundations, staying adaptive

But Zero Trust is never complete without a strong Identity framework, and visibility is first and foremost key to a good identity programme.

This means having full knowledge of everything happening across the entire network. It ranges from getting the full inventory of data assets and understanding the different profiles getting access to this data, to being aware of how and where the data is being accessed.

Once a framework has been established, organisations will also need to prioritise the implementation of zero trust policies across the network accordingly. This can be done via the use of threat modelling exercises that simulate examples of data breaches.

With the foundations of a robust Identity framework, Zero Trust can be brought to life by adding on the layers of Infrastructure and Data protection technologies. If implemented correctly, the security model has user behaviour analytics capabilities that can automatically prevent irregular access, so that organisations can always remain adaptive to occurrences of risky access.

The success of Zero Trust depends very much on the stakeholders’ commitment to the process. For example, one reason why the Singpass Mobile app tripled its user base to over 2.5 million users in 2020 alone is that the government played an active role in pushing for its adoption.

Similarly, organisations must have the right resources and commitment to embark on this journey of Zero Trust, have a solid strategy on how to implement it, and familiarise themselves with its implementation. Only then can Zero Trust be effective.

Disclaimer: This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors. This document refers to marks owned by third parties.  All such third-party marks are the property of their respective owners.  No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Indrani Chandrasegaran

Managing Director – Applied Cyber Security Services, Southeast Asia


Roger Goh

Director – Security, Digital Identity, Southeast Asia
