Friday 26 Apr 2024

This article first appeared in Forum, The Edge Malaysia Weekly on August 8, 2022 - August 14, 2022

Modern businesses have been renewed by the pandemic. The move to remote and hybrid work has required organisations to accelerate their digital transformations, converting an office-centric workplace into a complete homeworking space almost overnight.

Digital technologies, software-as-a-service (SaaS) and cloud computing were the enablers in altering workspaces to ensure businesses survive in a challenging environment. As the Internet of Things (IoT) expanded to accommodate and provide seamless processes in our lives and in the jobs we do, IT systems became relatively complex. This has inadvertently left them vulnerable to sophisticated cybercrime threats in the digital sphere.

According to the Digital Crimes Unit of Microsoft Asia, in 2019, around 720 people fell prey to cyber criminals across the globe every minute — translating into one million victims every day. In 2018, the Royal Malaysia Police dealt with 10,742 cybercrime cases with an estimated loss amounting to RM400 million. The total number of cases increased to 11,875 in the following year with an estimated loss of RM500 million.

With the rise of hybrid and remote work, the continuous shift to cloud servicing, growth in the adoption of mobile devices, and an onslaught of cyberattacks that could potentially damage supply chains, zero trust is set to take centre stage in the world of cybersecurity.

Never trust, always verify

Organisations have never been faced with as many challenges in protecting their data resources, and never was there a need to be more suspicious of users and devices accessing their networks. The zero-trust model, in layman’s terms, means trusting no one even when connected to a permissioned network.

For organisations, there is too much at stake to trust anyone or anything outside their entity. The most notable effect of the shift to zero trust is the realisation that traditional virtual private networks (VPNs) are no longer fully capable of securing remote access to corporate networks.

When the Covid-19 pandemic hit, the work-from-home concept became inevitable. Organisations relied on VPNs to support their distributed workforces — with results that fell short of expectations. VPNs may not be ideal to provide completely secure access for many users relying on devices that, in many instances, are not as secure as they could or should be.

As such, VPNs will not provide a sufficient defence mechanism against threats. Companies with a sizeable hybrid workforce will need to support a significant volume of VPNs, which will pass the burden of managing and maintaining them down to the IT or cybersecurity team.

Zeroing on trust

There is no silver bullet when it comes to adopting zero trust. Zero trust is a framework that requires focus on people, process, and technology aspects to be effective. It drives a change in how cybersecurity is managed to strengthen organisations’ cybersecurity posture. It begs the question — where should organisations start this journey?

The emphasis is on the journey and any journey starts with the first step followed by others. The most effective approach is to adopt zero trust using a piecemeal, and not “big-bang”, approach. Focus on the most critical and sensitive data first — the data that if compromised, lost or exposed will have a detrimental impact on the organisation.

Where is this data hosted? Who has access to this data? What is the business justification for needing access to it? Start the adoption at this point and build it out over time.

Don’t underestimate the impact of culture. It is better not to call it zero trust, as the name is widely misinterpreted as a solution used when organisations do not trust their employees. This is of course the opposite of the objective: the term indicates that we do not trust our internal IT network.

See the adoption of zero trust as an opportunity to engage and collaborate with stakeholders. Build internal relationships to protect business data assets and to provide access more efficiently to the data that is needed by the right people at the right time to drive the business forward.

Zero trust is about eliminating dangerous trust assumptions of a technical nature in security architecture and establishing a singular security strategy to support the business.

Six foundational assumptions of the zero trust model:

1. The network is always assumed to be hostile, and all communication is secured regardless of the network location.

2. External and internal threats exist on the network, and network locality is not sufficient for deciding trust in a network. No person or device can be trusted just because they are part of the company, on the assumption that one is already dealing with both outside adversaries and malicious insiders.

3. All data sources and computing services are considered resources that need to be protected.

4. Every device, user, network and data flow is authenticated and authorised. The former means positive confirmation that an entity is who or what it says it is. The latter means the entity has the need, rights, and reasons to do what it is doing.

5. Any access to resources is granted on a per-session basis.

6. All security policies are dynamic and incorporate as many sources of contextual data as possible.
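
The six assumptions above can be read as the rules of an access decision made for every request. The sketch below is an added illustration, not code from the article or its author; the policy table, the field names and the 15-minute session lifetime are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: which roles have a business need for each resource,
# and whether the resource also requires a healthy device.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "sensitive": True},
    "wiki": {"roles": {"finance", "engineering"}, "sensitive": False},
}
SESSION_TTL = timedelta(minutes=15)  # assumed lifetime of one grant


@dataclass
class Request:
    role: str
    resource: str
    user_authenticated: bool    # e.g. MFA completed for this session
    device_authenticated: bool  # e.g. device certificate verified
    device_healthy: bool        # contextual signal: patched, encrypted
    source_network: str         # logged for audit, never grants trust


def decide(req: Request, now: datetime):
    """Return (allowed, reason, expiry) for one session on one resource."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource", None
    # Assumption 4: both the user and the device are authenticated.
    if not (req.user_authenticated and req.device_authenticated):
        return False, "user or device not authenticated", None
    # Assumption 4: authorisation requires a business need for the resource.
    if req.role not in rule["roles"]:
        return False, "role has no need for this resource", None
    # Assumption 6: contextual data can tighten the decision.
    if rule["sensitive"] and not req.device_healthy:
        return False, "device posture too weak for sensitive data", None
    # Assumptions 1-2: source_network is deliberately never consulted.
    # Assumption 5: the grant covers this session only and expires.
    return True, "granted", now + SESSION_TTL


if __name__ == "__main__":
    now = datetime(2022, 8, 8, 9, 0, tzinfo=timezone.utc)
    inside = Request("engineering", "payroll-db", True, True, True, "office-lan")
    remote = Request("finance", "payroll-db", True, True, True, "home-wifi")
    stale = Request("finance", "payroll-db", True, True, False, "office-lan")
    for r in (inside, remote, stale):
        print(r.source_network, r.role, decide(r, now))
```

The engineer on the office network is refused while the finance user at home is granted a 15-minute session, which is the practical meaning of network locality not deciding trust.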

The zero trust approach is most effective when it is extended throughout the entire digital landscape and used as an integrated security strategy. This is done by implementing zero trust controls and technologies across six foundational elements:

1. People

2. Devices

3. Applications and services

4. Infrastructure

5. Networks

6. Data

In a nutshell, zero trust is a new model and a general philosophy around cybersecurity. It is an approach that more effectively adapts to the complexity of the modern environment, embraces the mobile workforce, and protects people, devices, applications and data, wherever they are located.


Jaco Benadie is a partner at Ernst & Young Consulting Sdn Bhd
