CIO

Corporate cyber-security for the 2020s: is it time for your enterprise to begin exploring a zero trust model?

by Joanne Wong, Senior Regional Marketing Director Asia Pacific and Japan at LogRhythm

Wondering why you keep hearing about cyber-security breaches every other day and questioning whether your current protection measures are fit for purpose?

You’re wise to do so. In Australia in 2019, hacking and cyber-security incidents are on the rise, and if local enterprises feel like they’re under attack, it’s with good reason.

More than 500,000 Australian small businesses fell victim to cyber-crime in 2017, according to research by Norton. One in four experienced 25 or more hours of downtime as a result. Meanwhile, for mid-sized businesses, the average cost of a cyber-attack came in at a hefty $1.9 million, a sum many SMEs would struggle to raise.

Against a backdrop of rising threats and increasing awareness that traditional cyber-security models are less efficacious in a mobile, digital world, the ‘zero trust model’ can present as a viable solution to the perennial challenges of keeping corporate networks and data safe.

Trust no one: the zero trust model explained

So, what does zero trust mean and how might organisations look to implement it? In simple terms, the model shifts the focus away from firewalls, VPNs and other bolt-on security cordons which effectively throw a perimeter fence around your enterprise.

That sort of set-up worked well in the good old days of in-house data centres and desktop computing, before cloud computing and the mobile device revolution took hold.

It’s less effective in the flexible working era, when there’s a laptop or smart phone in almost every Australian’s pocket or briefcase, and enterprises are under pressure to allow employees to work remotely, logging in from wherever they choose.

The zero trust model acknowledges this paradigm shift. Its focus is not on maintaining a ring of steel around the organisation but, rather, on tailoring identity-based protection around key high-tech assets – think core applications, systems, networks and sensitive data stores.  

Presumed guilty

The key principle the model is based on is the presumption of guilt – the notion that users, devices, networks and applications are inherently untrustworthy.

Hence, identities are given access to IT assets on a need-to-use only basis and their bona fides are tested at every stage of the process. In essence, it’s an extremely thorough way of ensuring the employee or entity in question is indeed who or what they purport to be.

As a result, compromise of one identity type, be it a user, device, network or application, doesn’t automatically open up the entire enterprise. Adversaries still need to defeat the checks on all the other identity types before obtaining access to the data they’re seeking.

If the identity attributes presented are inconsistent or risky, a response can be enacted – either a request for additional authentication, or the isolation, containment or removal of the threat – to prevent a catastrophic breach.
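The decision logic described in the last three paragraphs, as an added example written for this article (it is not LogRhythm code, nor Google’s BeyondCorp policy): each identity type is checked on its own, so a compromised password, a stolen device or an unrecognised network on its own is not enough, and the outcome is one of allow, step-up authentication, containment or denial. The resource inventory, field names and the sensitivity rules are assumptions chosen for illustration.

```python
"""Added example: a zero trust access decision that tests each identity type separately.
Not from the article or any vendor; resource names, fields and thresholds are assumptions."""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class AccessRequest:
    user: str
    user_roles: Set[str]
    mfa_passed: bool          # strong user authentication completed in this session
    device_managed: bool      # device is enrolled in enterprise management
    device_compliant: bool    # encryption, patch level and so on verified
    source_network: str       # "corp", "home" or "unknown"
    resource: str


@dataclass
class Decision:
    action: str               # "allow", "step_up", "contain" or "deny"
    reasons: List[str]


# Constructed asset inventory: which roles need each resource and how sensitive it is.
RESOURCES = {
    "payroll-db": {"roles": {"finance"}, "sensitivity": "high"},
    "crm":        {"roles": {"sales", "finance"}, "sensitivity": "medium"},
    "wiki":       {"roles": {"sales", "finance", "engineering"}, "sensitivity": "low"},
}


def decide(req: AccessRequest) -> Decision:
    """Evaluate user, device, network and application trust in turn.
    Passing one stage never short-circuits the later ones."""
    asset = RESOURCES.get(req.resource)
    if asset is None:
        # Unknown assets have no mapped transactions, so nothing is entitled to them.
        return Decision("deny", [f"unknown resource {req.resource!r}: no policy, no access"])
    sensitivity = asset["sensitivity"]

    # Stage 1: user identity against need-to-use. A role mismatch ends the evaluation.
    if not req.user_roles & asset["roles"]:
        return Decision("deny", [f"{req.user} holds no role entitled to {req.resource}"])

    # Stage 2: device identity. Unmanaged devices are confined to low-sensitivity data;
    # a managed device that fails its posture check is contained for remediation.
    if not req.device_managed and sensitivity != "low":
        return Decision("deny", [f"unmanaged device may not reach {sensitivity}-sensitivity data"])
    if req.device_managed and not req.device_compliant:
        return Decision("contain", ["managed device failed posture check: quarantine for remediation"])

    # Stage 3: network identity. The network can raise the bar but never grants trust on its own.
    network_is_risky = req.source_network == "unknown"

    # Stage 4: authentication strength required for this combination of signals.
    if (sensitivity != "low" or network_is_risky) and not req.mfa_passed:
        return Decision("step_up", ["additional authentication required before access"])

    return Decision("allow", [f"{req.user} verified for {req.resource} ({sensitivity})"])


if __name__ == "__main__":
    # Constructed scenarios: each one compromises a different identity type.
    scenarios = {
        "stolen password, unknown laptop": AccessRequest("alice", {"finance"}, False, False, False, "unknown", "payroll-db"),
        "stolen managed laptop, no MFA":   AccessRequest("alice", {"finance"}, False, True, True, "home", "payroll-db"),
        "legit user, unpatched device":    AccessRequest("alice", {"finance"}, True, True, False, "corp", "payroll-db"),
        "wrong role, all else clean":      AccessRequest("bob", {"engineering"}, True, True, True, "corp", "payroll-db"),
        "legitimate remote access":        AccessRequest("alice", {"finance"}, True, True, True, "home", "payroll-db"),
    }
    for name, request in scenarios.items():
        outcome = decide(request)
        print(f"{name:34s} -> {outcome.action:8s} {'; '.join(outcome.reasons)}")
```

The four outcomes map onto the responses the article lists: step-up is the request for additional authentication, contain is the isolation of a device that no longer meets policy, and deny is the removal of the attempt. Note that the order of stages matters for the reasons reported, but not for the result: a request has to satisfy every stage to be allowed.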

Is zero trust a niche trend, or the mainstream security model of the future? It may suffice to note that it’s found favour with some of the world’s biggest businesses, Google included. The high-tech behemoth has leveraged zero trust in its BeyondCorp initiative, which set out to enable all Google employees to work from untrusted networks, without recourse to a Virtual Private Network (VPN).

Getting up close and personal with your systems

So how can companies begin making like Google on the cyber-security front?

It’s impossible to implement a zero trust model without first taking a deep dive into your IT architecture and data repositories. The object of doing so should be threefold: identifying sensitive data stores; classifying roles within the enterprise and grouping employees based on those roles; and mapping the transaction flows of all roles.

The latter can be a protracted process, given it encompasses systems, applications, data stores and employees, and the often-complex interplay between them.

Once those three steps are complete, you’ll likely look to do two things: write rules for your chosen segmentation gateway; and begin monitoring network traffic to see how those rules are operating in practice.
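The whole procedure from the inventory to the monitoring step, as an added example (not the article’s or LogRhythm’s code): the data-store, role and transaction-flow maps are small constructed tables, the segmentation rules are generated from them, and a handful of constructed flow-log records is replayed against the rules to see which traffic they would admit, which they would block, and which touches hosts nobody inventoried. All addresses, ports and names are assumptions.

```python
"""Added example: derive segmentation gateway rules from a role-to-data-store map and
replay constructed flow records against them. Not from the article; all values are assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Step 1: sensitive data stores and the segments hosting them (constructed).
DATA_STORES = {
    "payroll-db": ip_network("10.10.1.0/24"),
    "crm":        ip_network("10.10.2.0/24"),
}

# Step 2: roles and the user segments each role logs in from (constructed).
ROLE_SEGMENTS = {
    "finance":     [ip_network("10.20.1.0/24")],
    "sales":       [ip_network("10.20.2.0/24")],
    "engineering": [ip_network("10.20.3.0/24")],
}

# Step 3: mapped transaction flows, i.e. which role needs which store on which port.
TRANSACTION_FLOWS = [
    ("finance", "payroll-db", 5432),
    ("finance", "crm", 443),
    ("sales", "crm", 443),
]


def build_rules(flows, role_segments, data_stores):
    """Turn the mapped flows into explicit allow rules for the segmentation gateway.
    Any traffic to a protected store that no rule covers is implicitly denied."""
    rules = []
    for role, store, port in flows:
        for src in role_segments[role]:
            rules.append({"src": src, "dst": data_stores[store], "port": port,
                          "label": f"{role}->{store}"})
    return rules


def matches(rule, src_ip, dst_ip, dst_port):
    return src_ip in rule["src"] and dst_ip in rule["dst"] and dst_port == rule["port"]


def evaluate_flows(flow_log, rules, data_stores):
    """Classify each observed flow: 'allow' when a rule covers it, 'deny' when it reaches a
    protected store without a mapped transaction, 'unclassified' when the destination was
    never inventoried (a gap in step 1 rather than a policy violation)."""
    results = []
    for src, dst, port in flow_log:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        protected = any(dst_ip in net for net in data_stores.values())
        hit = next((r for r in rules if matches(r, src_ip, dst_ip, port)), None)
        if hit is not None:
            results.append(("allow", hit["label"], src, dst, port))
        elif protected:
            results.append(("deny", "no mapped transaction", src, dst, port))
        else:
            results.append(("unclassified", "destination not inventoried", src, dst, port))
    return results


def summarise(results):
    """Count outcomes so the effect of the rule set can be read at a glance."""
    return Counter(outcome for outcome, *_ in results)


# Constructed flow-log records (src, dst, dst_port) as a flow collector would export them.
SAMPLE_FLOW_LOG = [
    ("10.20.1.15", "10.10.1.5", 5432),   # finance analyst to payroll database
    ("10.20.2.8",  "10.10.2.9", 443),    # sales rep to CRM
    ("10.20.3.22", "10.10.1.5", 5432),   # engineer to payroll database: no mapped flow
    ("10.20.2.8",  "10.10.1.5", 22),     # sales host to payroll segment on an unmapped port
    ("10.20.3.22", "10.30.0.4", 443),    # engineer to a host no one inventoried
]

if __name__ == "__main__":
    gateway_rules = build_rules(TRANSACTION_FLOWS, ROLE_SEGMENTS, DATA_STORES)
    for outcome, why, src, dst, port in evaluate_flows(SAMPLE_FLOW_LOG, gateway_rules, DATA_STORES):
        print(f"{outcome:12s} {src:>12s} -> {dst}:{port:<5d} {why}")
    print(summarise(evaluate_flows(SAMPLE_FLOW_LOG, gateway_rules, DATA_STORES)))
```

Running the rules in monitor mode before enforcing them is what turns the flow log into useful feedback: the denied flows show either a missing entry in the transaction map or traffic that should not exist, and the unclassified flows point at hosts that the data-store inventory missed, which is the part of the exercise the article warns can be protracted.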

Re-imagining cyber-security in the 2020s and beyond

Corporate systems and data are already critical assets for thousands of Australian enterprises. As digitisation continues to transform the business landscape, their value will rise yet further – and protecting them from infiltration and attack will be a chief priority for leaders across all industries and sectors. Against that backdrop, exploring emerging security models such as zero trust, which may be able to reduce the risk of compromise more effectively than the legacy, perimeter-based arrangements of yesteryear, makes sound sense.