The last 18 months have seen enterprises accelerating their digital transformation initiatives in response to the rapidly evolving business landscape. We are seeing a massive surge in cloud adoption and a shift towards remote working in which users access their IT resources, bringing new cybersecurity challenges on the way. To meet these modern security demands, businesses are turning to the model of zero-trust security. Without verification, a zero-trust architecture helps address specific security demands that have come to life as a result of the covid-19 pandemic.
Identity to Zero Trust
Zero Trust drives the focus on authentication and authorization controls. “I think there are probably 3-4 important aspects. One is to ask what is to be accessed and how to”, Dr. Yask Sharma, CISO, IOCL explained. Traditional security has been based on the perimeters and the networks. The concept of zero-trust is moving the security towards as close to the resource as possible. It is “based on the identity of the user who is accessing, from where he is accessing, what time, what geographical location, so many things come into play”, he adds.
“Identity is the foundation for any commodity or a service, that at Indigo, we venture, or receive, or operationalize. Zero-trust is a concept which is covering all the layers whether it comes to trusting devices, networks, or even workloads. Identity plays a focal role in terms of when commoditizing any setup per se”, Ambuj Bhalla, director IT security, Interglobe Aviation (Indigo Airlines), explained. There is an algorithm which explains whether the access is to be given or not. That algorithm or “brain” of the zero-trust network decides on the basis of some data which is to be provided to that algorithm.
“When this pandemic happened, there was a forecast that in the cloud servers, India is expected to invest close to 4.1 Billion dollars by 2021 which means a 29.4% increase from the last year investments that have happened”, Bhalla said. “With cloud adoption, people are relying on the authentication mechanism for native cloud providers. Therefore, the paradigm shift that happened “is that the identity models have gotten decentralized. So, all commodities or any users are getting authenticated on a system. That’s when the problem is getting alleviated actually.”
“The need of zero-trust is more than the relevance of it now, which is so apt now. I think we have come to a stage where it is more needed”, Yask explained. Pre-pandemic, remote working was limited to very few companies and industries. “It was never a part of the culture. The mindset was not there for remote working. Secondly, even if it was there, it was through the controlled devices, the enterprise-owned devices”, he added.
Zero-trust as a concept is simple. However, the implementation is complicated. It has been around for more than a decade. But, the kind of response that the people have seen is unprecedented in terms of what the concept entails and how can it help organizations in building a better and resilient security architecture.
“When we think of implementing an identity framework in an organization, specifically with respect to zero- trust, some of the essential elements that have to be kept in mind are- for example, I am coming up with a commodity application. How will the user access management be defined, essentially in terms of automating the provisioning bed- can I make it self-centric, such that it’s a frictionless and flawless process”, Bhalla said.
There are various questions that come into play. “How will the password synchronization happen, can I comply to policies across all systems, if the system is critical, will there be a need for me to certify users at every time- whether federations would help or is there a need for privilege identity access at various levels. This plays a very essential role when you here to sit down and architect a solution in terms of how this will flow through”, Bhalla added.
Security has to be based on the resource, which is why identity and access management plays a “far bigger role than any other thing. According to Bhalla, while investing in identity access program is essential, what’s more important is the methodology that we opt for.
A point solution approach to any cybersecurity technology does not serve any purpose if it does not plug into the entire architecture, he pointed out.
What can go wrong?
“Most important roadblock is the mindset”, Yask exclaimed. He explains from a security’s point of view of when an employee moves from one position to another, the whole identity gets reset. This is a good thing according to him. “I am trying to bring in a lot more changes within the way it was being accessed. Secondly, zero-trust is obviously going to bring a lot more latency into the systems. This is certainly going to be a roadblock. Now, I have to not just access it at the beginning of the session, I have to certainly monitor it”, he further added.
“I have to know what my risk and failure factors are and I need to very categorically look at addressing them”, Bhalla said. A commodity is not capable enough to create “the levels of the trust that I want to trust people with. That’s where the problem lies”, he said.
One needs to look for the crown jewels which can cater to the requirements of zero trust access and then build on it. Another highlighter point to know is “when someone makes an investment, there’s always a mindset that you’ll start getting ROI (Return on investment) out of it. But in this, you have to take very slow steps to achieve at least a level 2 or 3 kinds of maturity,” Bhalla added.
Lastly, stakeholder management also plays an equally important role. “People don’t really adapt to changes. If I’ve been given to work only via remote access commands or let’s say, an RDB protocol, and if someone tells me tomorrow that they changed the interface for me, I won’t be able to accept it. People will not accept. So you have to educate yourself which can only happen when you do your stakeholder management appropriately,” Bhalla explains. One can invest, implement, design workflows, but the consumers are not aware of it, this wouldn’t sail through in the environment.