Why are organizations still struggling with implementing zero trust?

Organizations have been implementing zero trust as an additional security framework since before the COVID-19 pandemic. However, its adoption peaked during the pandemic as organizations needed to have better visibility over who was accessing their networks, especially with remote work conditions still ongoing,

Zero trust takes a more proactive and granular approach to security. It assumes that both internal and external networks are not inherently secure and that all access requests should be carefully evaluated and verified before granting permission. Simply put, it focuses on the principle of not trusting any entity by default, whether it’s a user, device, or network component, regardless of whether they are inside or outside the organization’s network perimeter.

According to a Forrester report titled “The State Of Zero Trust Adoption In Asia Pacific,” organizations in APAC are starting to realize the benefits that zero trust offers, with 71% of APAC business and technology professionals saying that their organization will adopt zero trust edge in the next 12 months or have plans to do so.

The report also indicates that APAC has now overtaken Europe in zero trust implementation. APAC CISOs now have a deeper understanding of what zero trust is and acknowledge that it encompasses far more than just identity or micro-segmentation tools. Security leaders in APAC are also now typically looking to their competitors and other brands to evaluate whether zero trust adoption is right for them.

Interestingly in 2022, CISOs were much more willing to lead zero trust adoption rather than wait for their peers as they now see the benefits and opportunities in being the first to adopt, such as being seen as innovators, reaping business benefits, and allowing their teams to work with new solutions.

The challenges in implementing zero trust

Tech Wire Asia caught up with Abbas Kudrati, Microsoft Asia’s Chief Cybersecurity Advisor to get his views on the implementation of zero trust in organizations as well as the challenges CISOs are facing today in cybersecurity.

“Based on my experience after speaking to organizations around the world, many companies have started their zero trust journey but they have stopped halfway or failed in between. This is because they make zero trust implementation in an IT or security project. In my opinion, zero trust is actually a business project. You are helping the business move into a zero trust architecture model,” said Kudrati, who also authored a book on the topic, Zero Trust Journey across the Digital Estate.

Kudrati highlighted that when implementing zero trust, businesses need to bring on board different parts of the organization into the team. This includes the legal team and a HR team as they will now changing how people are going to work. There also needs to be a team to assess the end-user experience to ensure that there is a good framework in place or the entire implementation may fail.

For example, businesses can’t just implement multi-factor authentication. There needs to be a process on how this can be enacted and where the authentication should be. Kudrati also suggested businesses consider going passwordless for some applications.

Secondly, businesses don’t do an initial maturity assessment to identify gaps or assess solutions that they already have which can be used for a zero trust implementation. Most businesses only realize this halfway into their zero trust journey. They then realize they actually have a product that can be used in their zero trust architecture. This can disrupt the implementation process.

“Many organizations are taking the risk-based approach. By taking a risk-based approach, businesses can identify risks that they want to focus on. And by doing this new architecture, they’re able to focus on these risks. For example, addressing phishing concerns as the main risk in the business. Businesses can look at how phishing emails are coming in, which identities are being targeted and such. They can also look at the amount of protection in place and consider new security approaches like multi-factor authentication and such,” added Kudrati.

via GIPHY

It’s all about planning

Kudrati also pointed out that the project manager of zero trust needs to be agile. If a business wants to launch a new application, they most likely not going to wait for the zero trust implementation. An agile project manager needs to know how they can implement a secure online application online on the cloud while still meeting zero trust principles.

One example is Celcom Axiata in Malaysia.  The company took an identity-centric approach and was the first organization in Southeast Asia to enable passwordless access.

By utilizing facial recognition or fingerprint matching to verify identity on the employee’s device, optimal usability is achieved, especially for the company’s employees who are constantly on the go. The biometric Windows Hello for Business sign-in system ticked all the right boxes for its workforce of more than 12,500 employees. Beyond that, the combination of biometric and multifactor authentication creates a greater sense of awareness, therefore adding barriers to bad actors.

“Going passwordless is not something businesses can start in a month. It’s a cultural shift. But the user experience at Celcom Axiata was awesome. They hit the main milestone of an identity-centric project that was zero trust by doing passwordless. They are now in the second phase of their strategy, whereby they are working on how to move forward and get mature. This is a never-ending project. It’s a journey,” explained Kudrati.

The CISO

Zero trust, AI in cybersecurity, supply chain security – all these would fall under the purview of the Chief Information Security Office or CISO. Responsible for developing and implementing all these security procedures and policies, many CISOs are still finding the role to be increasingly challenging, especially when they have limited capabilities.

Kudrati believes organizations need to give enough authority and power to the CISO. They need to be able to make changes – from how cybersecurity is implemented to the processes in securing the supply chain.

“The problem is most CISOs don’t even have access to the CEO or board members. These are the people they need to show and inform the risks and the odds they are fighting against. Not having the right authority and visibility for the security team is one of the biggest challenges. Most organizations always think from the cost point of view. And while that is important, the CISO needs to explain to them how they can reduce the cost of the security operation, and do more with less,” said Kudrati.

At the same time, the regulations come into play as well. While the GDPR in Europe is going down hard on organizations, it’s a different scenario in this part of the world. In Malaysia for example, organizations don’t really come forward to report breaches. The information provided can be beneficial for other organizations to deal with threats. But it is not happening.

Meanwhile, in Australia, the Optus data breach sent a huge shockwave across the country. Not only did companies begin taking cybersecurity measures more seriously, but the authorities have also implemented stricter rules in managing data, within a short period of time since the breach occurred.

“There was damage reputation to Optus but their input has helped hundreds of other organizations within the country to be vigilant. They share who are the attackers, how they exploited APIs and organizations started looking into their API security. That’s the power of communication,” concluded Kudrati.

---

---

---

---