Does your company operate using zero trust principles?
If you answered no, you may well be extending an open invitation to hackers to roam free on your company’s cyber networks, says Doctor Mafuwafuwane, Practice Manager, Logicalis South Africa.
Regularly updating critical cyber security technologies may seem like the most prudent of actions that forward-looking businesses can invest in, but… think again. Whether you have encountered the Zero Trust Network Access (ZTNA) model or not, the reality is that this practice – effectively implemented – is fast becoming the gold standard in cyber risk mitigation, especially across companies with hybrid models of work.
ZTNA is not new technology or a collection of defensive tactics, but rather a model founded on the principle of never trusting and always verifying. Ushering in a paradigm shift, zero trust requires every access request to be fully authenticated and encrypted before it is granted. It makes security more robust, minimising the likelihood of an attack by repeatedly validating authorisation to prevent lateral movement (a technique used by hackers to further penetrate networks and access sensitive information).
Pinpointing the needle in the cyber haystack
Zero trust also enhances an organisation’s ability to respond to an attack. If a breach does take place (it's hubris to think any network is ever 100% secure), then ZTNA makes it easier and more effective to trace what happened and which data may be compromised. Access to accurate and timely information allows for swift remedial action and substantially enhances the management of reputational fallout – which can often be more damaging than the actual breach.
A VIP upgrade to your VPN
A good way to understand zero trust is to contrast it with alternative network access protocols. With many businesses now offering a hybrid work model, employees need a secure and efficient way to access the company network. In many cases, a virtual private network (VPN) is used. If you work from home, there’s a good chance you’ve used a VPN, even if you weren’t aware of the terminology.
Often, once employees pass access control (for instance, by inputting a username and password, possibly with some form of two-factor authentication, such as a one-time pin), they have free rein across the network – or at least access to vast sections of it.
Just passing through
We can think of this process as akin to passing through security at the front desk of a large office. In many cases, once you sign into the visitors’ log, you can roam around the building pretty much freely. But suppose you visit a factory with a biohazard laboratory: you would hardly expect to be able to wander into the laboratory, even if you had a good reason to be on the premises. In facilities with heightened security, you may have an access tag that permits entry into limited sections of the building. Moreover, each time you tried to enter a room with sensitive or hazardous materials, such access would need to be validated using a set of authentication criteria.
That’s effectively the guiding principle of ZTNA architecture. Rather than simply focusing on the big heavy wall around the network, with zero trust, there are barriers and quizzical virtual security guards within the network, too.
Secure your virtual doorway
Now, with a traditional VPN, the primary concern is building a strong wall around the network and securing the doorway to get in. It’s pretty much a one-size-fits-all approach. Zero trust requires more finesse. Who should have access to what sections of the network, and when? How much extra time is reasonable for employees to spend on security protocols? If employees need to apply for authorisation to access files, will this affect client delivery?
These are not just technical cyber security questions; they are business considerations. And the answers will depend on a company’s operations, the existing capabilities of employees, regulatory issues that affect the sector and various other complex factors. For these reasons, implementing ZTNA requires the insight of an experienced consultant; it is not about simply deploying a suite of security tools. It’s a great chance to review the company’s network processes holistically and carefully consider if operational processes are working optimally.
Can you afford to become a statistic?
With nearly 25% of South African businesses experiencing a data breach in a given year, at a price tag that can quickly add up to millions in recovery costs and reputational damage, corporate South Africa could clearly benefit from more robust security upgrades. But while zero trust may be a no-brainer, is it affordable?
The good news is that ZTNA isn’t an all-or-nothing proposition. It’s a journey that can be implemented gradually, with the costs being split across different financial years. It’s a multi-layered security framework that requires an integrated approach, one that considers budget, operations, regulations and the stark reality of the increasingly frequent, enormously expensive and debilitating cyber attacks that a growing number of organisations continue to navigate. That may sound complex, but the alternative is for companies to leave themselves exposed to risks that they simply can no longer afford to recover from.