A matter of (zero) trust: the crux of security for modern businesses

Modern businesses have been given a face-lift by the pandemic: the move to remote and then hybrid workplaces has spearheaded and accelerated the pace of transformation exponentially.

The cloud is the underpinning technology that has fast-tracked this transformation – and this growing move to a distributed, off-premises computing environment has seen a massive increase in the security threat landscape, with the frequency, level and complexity of cyber attacks on the rise in South Africa.

This is according to Nevan Pillay, Senior Security Specialist at Microsoft South Africa, who will be presenting on: “How to protect and govern sensitive data” at the ITWeb Security Summit 2022, to be held at the Sandton Convention Centre from 31 May to 1 June.

Malware is only one of a budding number of threats to businesses, including ransomware, Trojans, phishing and denial of service attacks – and research by Accenture shows that South Africa suffers at least 577 malware attacks per hour. Another report shows that cyber crime has become more prevalent in South Africa, spurred on by the pandemic.

These evolving and ever more sophisticated threats have brought the importance of and need for security to the forefront of business leaders’ minds, and cemented the importance of zero trust for increased security and agility – especially in a cloud environment.

A Microsoft survey of CISOs, for instance, showed that cloud security is the number one priority for investment, because with the crown jewels of companies – their data – now largely living in the cloud, it is critical to ensure that this environment is underpinned by end-to-end security.

“This means not only investing in the most advanced and up-to-date tools and solutions to build layers of security that will protect the organisation’s data, apps, databases, networks and systems, but also in skilling and training people to keep pace with new types of attacks from multiple different vectors – essentially, ensuring that the holy grail of people, process and technology are in harmony,” says Colin Erasmus, Modern Work and Security Business Group Director at Microsoft South Africa.

Zero trust lies at the heart of getting this right, particularly as it has emerged as a guiding security strategy for businesses globally and in South Africa in the face of rapid change to workplaces. It means trusting no individual or system, and needing to verify their identity – both within and outside the organisation – before enabling access to specific systems or networks.

Early adopters are already seeing the benefits of this approach: organisations operating with a zero trust mindset across their environments are more resilient, responsive and protected than those with traditional perimeter-based security models. In fact, 96% of business leaders and security decision-makers say it is critical to their organisation's success, with 76% in the process of implementing a zero trust model.

At the centre of the zero trust approach are three main principles:

• Verify explicitly: In the era of remote and hybrid work, the user lies at the centre of security – and an IDC Cybersecurity survey commissioned by Microsoft found that confirming users’ identities with an additional layer of security was the top security priority for businesses in the next six to 18 months. This makes it important to go back to the basics around identity, with the foremost concern protecting a user’s identity to ensure that no breaches or attacks happen through it. This means modernising identity and endpoint management and putting the controls and processes around authorisation, authentication and privileged identity management, which are fundamental to security, in place. This will help verify who users are, where they’re trying to access systems from and then enable making real-time access decisions for them.
• Use least privilege access: This means giving people access only to what they need. A core component of this is conditional access: this allows the user into the system or network, checks what they want to do and use the system for – and based on that, re-authenticates their identity and provides access to the resource for a specific amount of time before revoking access. This type of access prevents leaving gaping holes that bad actors can exploit.
• Assume breach: The growing frequency of cyber attacks mean that it’s more a case of when than if an attack will happen. What this means is the need for constant vigilance and monitoring of the organisation’s computing environment – and assuming that any user or device coming onto the network is a threat, verifying their identity and providing just-in-time access for a specific period of time, and then re-checking and re-authorising the device.

During his presentation, Pillay will highlight that adopting a zero trust model – flanked by the right mix of people, process and technology – is the secret weapon in the fight against modern-day business risks.

“With an overall security landscape that is much deeper and wider than ever before because of the evolving nature of the workplace, businesses cannot afford to ignore security,” concludes Erasmus.