When a diverse group of security leaders gathers to discuss an evolving security architecture, it’s an exciting opportunity to explore challenges, evaluate assumptions and examine expectations—ultimately leading to a deepened understanding and further innovation, benefiting both industry and end users alike.
We at Ping Identity routinely host such events, and we recently presented two roundtables in Sydney and Melbourne, in partnership with Versent, an Australian services, product and platform provider. The aim was to stimulate discussion on the Zero Trust model, including what it is and why it starts with identity. The participants, drawn from sectors including banking, aviation, education, manufacturing, transport and energy (see the full list below*), provided unique insights into modernising cybersecurity strategies and aligning their roadmaps with Zero Trust principles.
I’m pleased to be able to share some of those key takeaways here.
Insight #1 The Current Ways Just Don’t Cut It
It’s no secret that online credential theft is out of control. Despite companies implementing password strength policies and other protections, breaches caused by compromised passwords continue to wreak havoc. The 2019 Verizon Data Breach Investigations Report found that stolen credentials and phishing, taken together, were the number one cause of data breaches last year. In fact, bad actors often don’t even need to steal credentials: in many cases businesses leave the front door unlocked by exposing services with no authentication at all, or the back door unlocked by not implementing strong API security.
Clearly we can’t count on usernames and passwords exclusively for authentication or access control, nor can we go back to the old days of perimeter-based security. We need to find a better model, one that allows users to access applications and data anywhere, from any device while improving the security and productivity of the business.
Insight #2 Zero Trust Doesn’t Mean Distrusting Everyone
You’ll find a lot of definitions out there about what “Zero Trust” really means. Most agree that it’s a strategic concept with the goal of securing an organisation through less dependence on the network perimeter and more reliance on the secure processes and technologies that allow users to access resources no matter where they’re located. Taken literally, the “zero trust” label seems to imply that you must trust no one.
But Zero Trust doesn’t mean you never trust anyone. In the realities of today’s cloud-based, bring-your-own-device environment, you will at some point need to extend trust somewhere in the identity verification chain. Rather, Zero Trust means continuously evaluating everyone to ensure that they are who they say they are and that they should have access to the applications and data they’re requesting. At multiple steps along the way, organisations should be conducting dynamic, explicit assessments before deciding whether a user should be granted access, instead of inheriting a decision made once at login or from the user’s presence on the network.
“How do we incarnate the realities of an operational system, where someone has demand for an application? Because if we use an absolutist model, every customer would leave the company and go somewhere else.” – Richard Bird, Chief Customer Information Officer at Ping Identity
Insight #3 Confusion Reigns about What Zero Trust Is
Along with the confusion over the exact definition of the Zero Trust model, you’ll find misunderstandings over what it comprises. Zero Trust is more than just a marketing slogan; it’s a systematic strategy with identity at its core. Here’s a look at some of the key terms:
Micro-segmentation
This is the process of placing security perimeters around small, isolated areas (or zones) to maintain separate access for different parts of the network. With micro-segmentation, applications, workloads and data can be placed in separate, secure zones. A user or program with access to one of those zones can’t reach any of the other zones without separate authorisation. This ties security to individual workloads and limits lateral movement by bad actors who have already breached the network perimeter.
Application Behaviour and Visibility
One of the benefits of micro-segmentation is that application security policies can define allowed behaviour, and protection, for each individual workload or build. For example, development and test environments are isolated from production and from the rest of the network, so that a compromise of one application is contained rather than spreading. Visibility into application behaviour on the devices that access those applications also needs to be taken into account, so that anomalous activity can be detected and acted on more quickly.
Multi-factor Authentication (MFA)
Multi-factor authentication is now widely deployed and accepted by consumers and stakeholders alike. Additional factors, such as biometrics, are emerging to bolster identity verification.
Least Privilege
This is a principle of information security under which an end user (a device, a worker, a bot) is granted only as much access as it needs for a particular purpose or role, and only for as long as it needs it. It’s a key part of Zero Trust and of identity and access management, and it helps unify end-user and data-centre security. By scoping access to specific applications and data, it reduces risk at a segmented level and effectively shrinks the perimeter around each individual user and device.
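To make the concepts above concrete, the following Python policy decision function is an added illustrative example; it is not Ping Identity’s or Versent’s code and does not describe any product. It combines the continuous, explicit evaluation from Insight #2 with per-zone authorisation (micro-segmentation), a freshness requirement on MFA for sensitive actions, and time-bounded least-privilege grants. The user, zone names, 15-minute step-up window and session data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

# All identifiers and sample data below are constructed for illustration.


@dataclass(frozen=True)
class Grant:
    """A least-privilege grant: one zone, a small set of actions, a hard expiry."""
    zone: str
    actions: FrozenSet[str]
    expires_at: datetime


@dataclass(frozen=True)
class Session:
    """What the policy engine knows about the caller at decision time."""
    user_id: str
    authenticated: bool
    mfa_verified_at: Optional[datetime]   # None means MFA was never completed
    device_trusted: bool                  # device posture check passed
    grants: Tuple[Grant, ...]


STEP_UP_WINDOW = timedelta(minutes=15)   # assumed freshness requirement for sensitive actions
SENSITIVE_ACTIONS = frozenset({"write", "delete", "export"})


def evaluate(session: Session, zone: str, action: str, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Every request is evaluated explicitly: nothing is inherited from being on the
    network, from the login decision, or from a decision made for another zone.
    """
    if not session.authenticated:
        return False, "deny: not authenticated"
    if session.mfa_verified_at is None:
        return False, "deny: mfa required"
    if not session.device_trusted:
        return False, "deny: device posture failed"

    # Micro-segmentation and least privilege: authorisation is per zone and per action.
    grant = next((g for g in session.grants if g.zone == zone and action in g.actions), None)
    if grant is None:
        return False, f"deny: no grant for '{action}' in zone '{zone}'"
    if now >= grant.expires_at:
        return False, f"deny: grant for zone '{zone}' expired"

    # Continuous evaluation: a sensitive action needs a recent MFA, not just one at login.
    if action in SENSITIVE_ACTIONS and now - session.mfa_verified_at > STEP_UP_WINDOW:
        return False, "deny: step-up authentication required"

    return True, f"allow: '{action}' in zone '{zone}' until {grant.expires_at.isoformat()}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a constructed session through four requests and return the decisions."""
    now = datetime(2019, 11, 1, 10, 0, tzinfo=timezone.utc)
    session = Session(
        user_id="alice",
        authenticated=True,
        mfa_verified_at=now - timedelta(minutes=30),   # MFA at login, half an hour ago
        device_trusted=True,
        grants=(
            Grant("payments-db", frozenset({"read", "write"}), now + timedelta(hours=2)),
            Grant("hr-files", frozenset({"read"}), now - timedelta(minutes=1)),  # already expired
        ),
    )
    return {
        "read payments": evaluate(session, "payments-db", "read", now),
        "write payments": evaluate(session, "payments-db", "write", now),
        "read hr": evaluate(session, "hr-files", "read", now),
        "read build": evaluate(session, "build-env", "read", now),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15} -> {reason}")
```

The ordering matters: the grant lookup runs before the step-up check, so a user who would be denied anyway is never prompted for a second factor, and a grant to one zone says nothing about any other zone.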
Insight #4 Boards Need to Care about Zero Trust—But Often Don’t
Cybersecurity lags far behind other strategic concerns for the majority of boards, as security practitioners struggle to frame security as a compelling business case. Consider a recent study by the Harvard Business Review, which placed cybersecurity only 10th in importance as a strategic challenge, far behind the top three issues of finding and retaining talent, the regulatory environment and global competitive threats.
This lack of prioritisation comes with a significant cost. High-flying companies regularly fall prey to stolen credentials, with 69 data records lost or stolen every second and credential stuffing costing U.S. businesses alone more than $5 billion annually. Adherence to the Zero Trust model can mitigate this, but it will take more investment and attention than Zero Trust is currently receiving.
“Common sense has to apply at some point and then has to support investment. Yes it’s hard to do and it can be expensive, but it’s a lot less expensive than losing your business.” – Thor Essman, Chief Executive Officer and Founder at Versent
Insight #5 Zero Trust is Complicated for Governments
Zero Trust can be complicated in any industry, but for government agencies it can be especially tricky because they often deal with entities or individuals who administer and manage services on behalf of someone else. Supporting this kind of delegation within a Zero Trust model introduces complexities that demand extra consideration of both processes and technology. For instance, parents may need access to student information, or authorised carers may require access to a healthcare recipient’s data. Additional checks and balances must be present in the identity verification model to take these variations into account.
Get in on the Discussion
As the Zero Trust model evolves to meet the demands of our changing world, we at Ping will continue to explore the issues of how the security architecture is enabling digital transformation. Learn more about how Ping Identity is helping to further the discussion in the Zero Trust Executive Roundtable Issues Paper.
* The roster of participants at our roundtable discussions is impressive, and offers a broad range of industries and perspectives. These roundtable participants included:
Richard Bird, Chief Customer Information Officer, Ping Identity
Mark Perry, APAC Chief Technology Officer & Principal Architect, Ping Identity
Thor Essman, CEO & Founder, Versent
Eddie Smith, CISO & Cofounder, Versent
James North, Head Of Technology, Media & Telecommunications, Corrs Chambers Westgarth
Tim Sheedy, Principal Advisor, Ecosystm
Jason Laverty, Senior Manager, Major Business Programs - Security, Westpac Group
John Mihalis, Enterprise Security Architect, TransGrid
Puru Nayak, Senior Program Manager - Governance & Transformation (IT), Coca Cola Amatil
Katherine Sharah, Policy Officer, Policy & Legislation, NSW Department of Finance, Services and Innovation