Serkan Cetin from One Identity explains how organisations can leverage the zero-trust strategy to achieve optimum cyber security outcomes.
Cyber security has become one of the key priorities for enterprises with the ongoing rise of malicious attacks across all sectors and industries globally.
Cyber incidents that have affected many global and national companies, including the start-up Canva, the Australian Parliament, Service NSW and the Western Australian Parliament, have once again demonstrated the constant and evolving threats all organisations face.
This is where zero trust, which 96 per cent of security decision-makers recognised as essential for enterprises’ success according to Microsoft, can make a significant difference for a business and address shortcomings in its cyber security systems.
While the US has acknowledged and mandated zero trust as a critical element of every cyber security tactic, the Australian Cyber Security Centre (ACSC) has recommended implementing the Essential Eight as the most effective mitigation strategy, which I’ve already talked about in the context of privileged administrative access (PAM) earlier this year.
However, a successful cyber security strategy still faces very similar challenges to those of a year ago: ever-evolving organisations, malicious actors and threat vectors. As these threats will never stop advancing, it is critical to adopt a new, dynamic approach to cyber security and abandon the old practices that were once considered an industry norm.
Having said that, let me introduce you to the concept of adaptive zero trust.
What is adaptive zero trust?
Essentially, adaptive zero trust enables organisations to grow and adapt to external and internal factors, such as changes in the company’s enterprise applications or changes to the risk landscape.
This approach is founded on modern technology that can evolve alongside the continuous stream of challenges facing cyber security professionals and chief information security officers (CISOs). Think of adaptive authentication, which uses various factors beyond just a username and password for authentication.
How to successfully adopt (adaptive) zero trust?
Adaptive zero trust is a critical strategy for everyone looking to stay resilient over the long term and to strengthen and ensure organisational longevity. Adopting it successfully takes significant knowledge and preparedness, so here are a few things to consider.
Complete visibility involves drawing a circle big enough to capture not just people, but any identity (human and machine) within the organisation. It also includes ever-changing accounts and access across any platform, infrastructure or environment, whether hybrid, multigenerational or edge IT environments.
A second key element of adaptive zero trust is to verify everything before granting access to your most important and sensitive assets. With added visibility and insights available, security professionals can more quickly and efficiently add, remove and adjust privilege just in time. In doing so, they can control user access to only what is needed for their job and only at the right moment.
New threats and policies are constantly emerging and changing. By leveraging contextual awareness and behavioural analytics, organisations can more quickly and efficiently anticipate, detect and take corrective actions. For example, with work-from-home arrangements, professionals need to be constantly aware of suspicious logins or activity (such as an employee logging in from two different locations at the same time) to successfully prevent a potential threat to the organisation.
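The "two different locations at the same time" check mentioned above can be sketched as a sliding-window pass over login events. This is an added example, not code from One Identity or any product; the event fields, the five-minute window and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (user, ISO timestamp, location); not real log data.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T09:00:00", "Sydney"),
    ("bob",   "2024-03-01T09:01:00", "Perth"),
    ("alice", "2024-03-01T09:03:00", "Sydney"),     # same location: no alert
    ("alice", "2024-03-01T09:04:30", "Frankfurt"),  # new location minutes later
    ("bob",   "2024-03-01T13:00:00", "Melbourne"),  # new location, hours later
]


def find_concurrent_logins(events, window=timedelta(minutes=5)):
    """Return (user, earlier_location, later_location, later_time) for every
    login that follows a login by the same user from a different location
    within `window`. The window length is an assumed tuning parameter."""
    recent = defaultdict(deque)  # user -> (time, location) pairs still in window
    alerts = []
    # Sort by time so the check works even if log lines arrive out of order.
    parsed = sorted((datetime.fromisoformat(ts), user, loc)
                    for user, ts, loc in events)
    for when, user, loc in parsed:
        seen = recent[user]
        # Drop logins that have aged out of the window.
        while seen and when - seen[0][0] > window:
            seen.popleft()
        flagged = set()  # report each conflicting location once per login
        for _, prev_loc in seen:
            if prev_loc != loc and prev_loc not in flagged:
                flagged.add(prev_loc)
                alerts.append((user, prev_loc, loc, when))
        seen.append((when, loc))
    return alerts


if __name__ == "__main__":
    for user, first, second, when in find_concurrent_logins(SAMPLE_LOGINS):
        print(f"{when.isoformat()} {user}: {first} and {second} overlap")
```

In practice the location would come from IP geolocation or device signals, and an alert would feed a step-up authentication or session review rather than an automatic block.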
Just as the threat landscape evolves, so too does an organisation’s need to protect itself – as well as the people, applications and data that are the lifeblood of the enterprise. This often means adding new functionality as needed without undue business disruption. With the need to adapt and expose new functionality, many organisations are turning to converged platforms for identity security. This allows them to address access management obligations today and leverage additional capabilities, such as privileged access management, over time.
As cyber breaches have become more frequent and are expected to keep rising, companies are wondering how to suitably prepare for those attacks.
Given these attacks are inevitable for most businesses, it will be essential to adopt more advanced cyber security strategies like zero trust, and to recognise the key elements of its construction alongside technological development within an organisation.
Serkan Cetin is the APJ technical director of One Identity.