
Zero trust is complex, but getting started doesn’t have to be

(Dec 13): Adopting 'zero trust' is often recognised as a complex journey. In many ways, this reputation is well deserved.

Zero trust requires work that security and information technology (IT) teams are justifiably cautious about: rethinking default-allow policies and perimeter-based network architecture, getting functionally different teams to collaborate, and placing trust in new security services.

Understandably, some organisations may postpone this transformation, citing the uncertainty involved in adopting zero trust across the organisation. The wide variety of available vendor offerings, coupled with different information sources and potential disruption to current workflows, may deter organisations from deploying zero trust security.

That said, today’s threat landscape is flooded with attackers using increasingly sophisticated methods to target unsuspecting victims. Cloudflare’s latest Cybersecurity Readiness Survey revealed that 96% of Malaysian businesses are concerned about artificial intelligence (AI) increasing the sophistication and severity of data breaches. In addition, 38% of Malaysian organisations reported data breaches in the past 12 months, with 62% indicating they suffered from 11 or more data breaches.

In other words, a zero trust approach may no longer be an option but a critical element of a robust, modern security strategy in today’s digital age. Security leaders in Malaysia need to rise to the occasion and take charge of their organisation’s security posture, or risk being vulnerable to cyberattacks.

Taking the first step towards zero trust adoption

What exactly does zero trust entail? In a networking context, zero trust security requires that every request moving into, out of, or within a corporate network is inspected, authenticated, encrypted, and logged. It’s based on the idea that no request should be implicitly trusted, no matter where it comes from or where it’s going. Every request must be validated.

Making early progress towards zero trust means establishing these capabilities where none are currently present. For organisations starting from scratch, this often means extending capabilities beyond a single ‘network perimeter’.

Here are five of the simplest zero trust adoption projects that focus on securing users, applications, networks and internet traffic. They won’t achieve comprehensive zero trust alone, but they do offer immediate benefits, create early momentum, and lay the foundation for broader transformation.

1. Multi-factor authentication for critical applications

In a zero trust approach, the network must be extremely confident that requests come from trusted entities. Organisations need to establish safeguards against user credentials being stolen via phishing or data leaks. Multi-factor authentication (MFA) is the strongest single control against such credential theft, but not all factors are equal: one-time codes and push approvals can be relayed through a phishing proxy or approved by a fatigued user, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site. While a complete MFA roll-out may take significant time, requiring MFA (ideally phishing-resistant) on the most critical applications first is a simpler yet impactful win.

Organisations that already have an identity provider in place can set up MFA directly within that provider, through one-time codes or in-app push notifications sent to employee mobile devices. 

Even without an identity provider in place, organisations can take a simpler route. Delegating login to an external identity such as Google, LinkedIn or Facebook, or sending a one-time password (OTP) to a mobile number, adds a second check on who the user is. SMS OTP is the weakest of these (SIM-swap and interception attacks are routine), so it is best treated as a stopgap rather than the end state.

These are common ways to provide access for third-party contractors without onboarding them to the corporate identity provider, and they can be applied to the company's own staff as well.

2. Zero trust policy enforcement for critical applications

Enforcing zero trust is more than simply verifying user identities. Applications must also be protected with policies that verify every request, weigh behavioural and contextual factors (device posture, location, how recently the second factor was proven) before granting access, and continuously monitor activity afterwards.

As in Project 1, implementing these policies becomes simpler when applied to an initial list of critical applications.
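The following is an added example, not code from the article or from any vendor product, showing what Projects 1 and 2 look like as a single policy decision: each request to a critical application is checked for group membership, the type and age of the second factor, device posture and source country, is denied by default, and produces a structured log line. The applications, groups, users and requests are constructed for the example.

```python
"""Context-aware access policy for a critical application (added example).

Constructed policies: 'payroll' is critical and demands a phishing-resistant
factor proven within the last hour on a managed device; 'wiki' is open to
contractors on unmanaged devices. Anything without a policy is denied.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Only WebAuthn/FIDO2 binds the credential to the origin, so it cannot be
# replayed by a phishing proxy. TOTP and push can be relayed or approved by a
# fatigued user; SMS is weakest (SIM swap) and is refused outright here.
PHISHING_RESISTANT = {"webauthn", "fido2"}
WEAK_FACTORS = {"sms"}

@dataclass
class Request:
    user: str
    groups: frozenset
    app: str
    mfa_method: Optional[str]   # None: only a password was presented
    mfa_age_s: int              # seconds since the second factor was proven
    device_managed: bool
    disk_encrypted: bool
    country: str
    src_ip: str

@dataclass
class Policy:
    allowed_groups: frozenset
    require_mfa: bool = True
    phishing_resistant_only: bool = False
    max_mfa_age_s: int = 8 * 3600
    require_managed_device: bool = True
    allowed_countries: frozenset = frozenset({"MY"})

POLICIES = {
    "payroll": Policy(frozenset({"finance"}), phishing_resistant_only=True,
                      max_mfa_age_s=3600),
    "wiki": Policy(frozenset({"staff", "contractors"}),
                   require_managed_device=False,
                   allowed_countries=frozenset({"MY", "SG"})),
}

def evaluate(req, policies=POLICIES):
    """Return (allowed, reasons). Every failing check is reported, so the
    log shows the full picture rather than only the first failure."""
    pol = policies.get(req.app)
    if pol is None:
        return False, ["no policy for application (default deny)"]
    reasons = []
    if not (req.groups & pol.allowed_groups):
        reasons.append("user not in an allowed group")
    if pol.require_mfa:
        if req.mfa_method is None:
            reasons.append("second factor not presented")
        elif pol.phishing_resistant_only and req.mfa_method not in PHISHING_RESISTANT:
            reasons.append(f"factor '{req.mfa_method}' is not phishing resistant")
        elif req.mfa_method in WEAK_FACTORS:
            reasons.append("SMS is not accepted as a second factor")
        if req.mfa_method is not None and req.mfa_age_s > pol.max_mfa_age_s:
            reasons.append("second factor is stale; re-prompt")
    if pol.require_managed_device and not (req.device_managed and req.disk_encrypted):
        reasons.append("device is unmanaged or unencrypted")
    if req.country not in pol.allowed_countries:
        reasons.append(f"source country {req.country} not permitted")
    return (not reasons), (reasons or ["all checks passed"])

def log_decision(req, allowed, reasons):
    """One JSON line per decision, allow or deny, for the SIEM."""
    return json.dumps({
        "user": req.user, "app": req.app, "src_ip": req.src_ip,
        "country": req.country, "mfa": req.mfa_method,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    }, sort_keys=True)

if __name__ == "__main__":
    samples = [
        Request("ana@example.my", frozenset({"finance", "staff"}), "payroll",
                "webauthn", 600, True, True, "MY", "203.0.113.10"),
        Request("ana@example.my", frozenset({"finance", "staff"}), "payroll",
                "push", 600, True, True, "MY", "203.0.113.10"),
        Request("bob@example.my", frozenset({"staff"}), "payroll",
                "webauthn", 600, True, True, "MY", "198.51.100.7"),
        Request("cy@partner.example", frozenset({"contractors"}), "wiki",
                "totp", 7200, False, False, "SG", "192.0.2.44"),
        Request("cy@partner.example", frozenset({"contractors"}), "crm",
                "totp", 7200, False, False, "SG", "192.0.2.44"),
    ]
    for r in samples:
        ok, why = evaluate(r)
        print(log_decision(r, ok, why))
```

The point of returning every failing reason rather than short-circuiting is that the same record serves the user prompt ("re-enrol a security key"), the help desk and the detection team, who can alert on repeated denials from one source address.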

3. Monitor email applications and filter out phishing attempts

Email is the number one way most organisations communicate, the most-used software-as-a-service (SaaS) application, and the most common entry point for attackers. Organisations need to ensure they apply zero trust principles to their email to complement their standard threat filters and inspections.

Additionally, security professionals should consider remote browser isolation, which opens links that are suspicious but not suspicious enough to block outright in a disposable browser away from the user's device.

4. Close all inbound ports open to the internet for application delivery

Open inbound network ports are another common attack vector and should be given zero trust protection, only accepting traffic from known, trusted, verified sources.

These ports can be found by port-scanning the organisation's public address space. A zero trust reverse proxy can then expose a web application to the public internet without opening any inbound ports: the origin initiates an outbound connection to the proxy, and the proxy authenticates and logs every request before forwarding it. The application's only publicly visible record is its DNS record, which can be protected with zero trust authentication and logging capabilities.

As an added layer of security, a zero trust network access (ZTNA) solution can resolve internal/private DNS names, so that internal applications are reachable only through the ZTNA client and do not need to appear in public DNS at all.
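Closing the inbound ports only helps if the origin also refuses requests that did not come through the proxy, for instance from a forgotten secondary address or a misconfigured firewall. The following is an added example, not code from the article or from any vendor product, of the origin-side check under an assumed design: the proxy attaches a signed assertion to each request it forwards, and the origin verifies the signature, audience and expiry before serving anything. The header name, claim names, HMAC-SHA256 signing and the shared secret are assumptions made for the example.

```python
"""Origin-side verification of a proxy assertion (added example).

Assumed design: the access proxy has already authenticated the user and sends
a JWT-style token in the 'x-proxy-assertion' header, signed with HS256 under a
secret shared with this origin. The origin serves nothing without a valid one.
"""
import base64
import hashlib
import hmac
import json
import time

HEADER = "x-proxy-assertion"                 # assumed header name
EXPECTED_AUD = "payroll.internal.example"    # this origin's identifier
SECRET = b"constructed-shared-secret-rotate-me"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_assertion(claims, secret=SECRET):
    """What the proxy does: compact token, HS256 over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_assertion(token, secret=SECRET, aud=EXPECTED_AUD, now=None):
    """What the origin does. Raises ValueError with the reason on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never honour 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):  # constant time
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("aud") != aud:
        raise ValueError("token issued for a different application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def handle_request(headers, path, now=None):
    """Tiny origin handler returning (status, body); header names lower-cased."""
    token = headers.get(HEADER)
    if token is None:
        return 401, "direct access is not permitted; go through the access proxy"
    try:
        claims = verify_assertion(token, now=now)
    except ValueError as e:
        return 401, f"rejected: {e}"
    return 200, f"hello {claims.get('email', '?')}, serving {path}"

if __name__ == "__main__":
    t0 = 1_700_000_000
    good = sign_assertion({"email": "ana@example.my", "aud": EXPECTED_AUD,
                           "iat": t0, "exp": t0 + 300})
    print(handle_request({HEADER: good}, "/", now=t0 + 10))   # via the proxy
    print(handle_request({}, "/", now=t0 + 10))               # bypassed the proxy
    print(handle_request({HEADER: good}, "/", now=t0 + 600))  # expired token
```

Binding the origin to the proxy this way also means the application can listen on localhost only, which is what makes the "no inbound ports" claim hold after the cut-over rather than only on the day the scan was run.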

5. Block DNS requests to known threats or risky destinations

DNS filtering is the practice of preventing users from resolving, and therefore reaching, websites and other internet resources that are known or highly suspected to be malicious. It is not always included in the zero trust conversation because it acts on the destination name rather than inspecting the traffic itself, but it is cheap to deploy and every query it sees can be logged.

However, with DNS filtering in place, organisations can control which destinations users (or groups of users) can reach, and therefore where they can transfer and upload data, which aligns well with the broader zero trust philosophy.
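The following is an added example, not code from the article or from any vendor product, of the decision a DNS filter makes on the wire: it parses a DNS query, matches the queried name and its parent domains against a category block list, and either refuses to resolve it (NXDOMAIN for known threats), answers with a sinkhole address so the user lands on a block page (per-group policy blocks), or marks it to be forwarded upstream, logging every decision. The block list, group policy, user names and sinkhole address are constructed for the example.

```python
"""Group-aware DNS filter on the wire format (added example).

Constructed data: a small category block list, and per-group categories that
may not be resolved. Unknown groups get the most restrictive policy.
"""
import json
import struct

BLOCKLIST = {
    "malware.example": "malware",
    "phish-login.example": "phishing",
    "filedrop.example": "file-sharing",
    "paste.example": "file-sharing",
}
GROUP_DENY = {
    "staff": {"malware", "phishing"},
    "contractors": {"malware", "phishing", "file-sharing"},
}
ALL_CATEGORIES = set(BLOCKLIST.values())
SINKHOLE_IP = "10.255.255.1"   # assumed internal block page
QTYPE_A, RCODE_NXDOMAIN = 1, 3

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(pkt, off):
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), off
        if ln & 0xC0:  # compression pointer: never valid in a query's question
            raise ValueError("compressed name in question")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Client side: a standard query with RD set, used here to feed the filter."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def parse_query(pkt):
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, flags, name, qtype, pkt[12:off + 4]   # last item: raw question

def categorise(name):
    """Match the name and each parent domain against the block list."""
    parts = name.split(".")
    for i in range(len(parts)):
        cat = BLOCKLIST.get(".".join(parts[i:]))
        if cat:
            return cat
    return None

def build_response(txid, flags, question, rcode, answer_ip=None):
    ancount = 1 if answer_ip else 0
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | rcode   # QR, RD echoed, RA, RCODE
    pkt = struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + question
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        # name pointer to offset 12 (the question), type A, class IN, TTL 60s
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + rdata
    return pkt

def filter_query(pkt, group):
    """Return (action, qname, category, response_bytes_or_None)."""
    txid, flags, name, qtype, question = parse_query(pkt)
    cat = categorise(name)
    denied = GROUP_DENY.get(group, ALL_CATEGORIES)   # unknown group: most restrictive
    if cat is None or cat not in denied:
        return "forward", name, cat, None
    if cat in ("malware", "phishing") or qtype != QTYPE_A:
        # Known threat (or a non-A query): refuse to resolve so nothing connects.
        return "nxdomain", name, cat, build_response(txid, flags, question, RCODE_NXDOMAIN)
    # Policy category: hand the client the sinkhole so a block page can explain.
    return "sinkhole", name, cat, build_response(txid, flags, question, 0, SINKHOLE_IP)

def log_line(user, group, action, name, cat):
    return json.dumps({"user": user, "group": group, "qname": name,
                       "category": cat, "action": action}, sort_keys=True)

if __name__ == "__main__":
    for user, group, qname in [("ana@example.my", "staff", "www.malware.example"),
                               ("ana@example.my", "staff", "paste.example"),
                               ("cy@partner.example", "contractors", "paste.example"),
                               ("cy@partner.example", "contractors", "intranet.example.my")]:
        action, name, cat, _resp = filter_query(build_query(qname), group)
        print(log_line(user, group, action, name, cat))
```

The split between NXDOMAIN and a sinkhole answer is deliberate: for a known threat there is nothing to explain to the user and no reason to hand out any address, while for a policy category the sinkhole lets the block page say why and how to request an exception. The logged query names are also the cheapest data source a detection team can get for spotting a host that suddenly starts resolving known command-and-control domains.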

Understanding the broader zero trust picture

Implementing these five projects can be a relatively straightforward foray into zero trust. Any Malaysian organisation that completes these projects will have made significant progress towards better, more modern security and established a sound foundation while doing so.

That said, broader zero trust adoption remains a complex topic for organisations today. Everyone’s journey will be slightly different, depending on business priorities, needs, and future plans.

Importantly, security leaders in Malaysia need to set out clear objectives in a zero trust road map to regain control of their IT environment. Malicious attacks are getting more creative than ever before, finding effective ways to infiltrate organisations and evade security teams through the many digital touchpoints present today.

Ransomware continues to be a cause for concern in Malaysia, with 77% of Malaysian organisations hit in the last two years paying the ransom, despite 69% having publicly pledged not to, according to Cloudflare’s research.

Only with a clear plan can Malaysian organisations make their employees, applications, and networks faster and more secure everywhere, while reducing complexity and cost.

Kenneth Lai is the vice-president (Asean) of Cloudflare, a global connectivity cloud company.
