I have been attending IT events and invited to share my thoughts on the implementation of ‘Zero Trust’ environment. In fact, I also learned a lot from my fellow Panel Speakers on their strategy and experience in implementing it in their respective organisations. Honestly speaking, if you compare what they have achieved to ours as a company, we are not quite there yet. 

Nevertheless, I always believe that achieving a Zero Trust environment is a journey and not a one-time exercise. Nothing is easily achieved without proper planning in place. Hence, we aspire ourselves to achieve this state, for us to create a conducive working environment for all our staff and a trusted ecosystem for our clients to do business with us. 

What is it all about?

Zero Trust is a framework that is built around the principle of an ‘assumed breach’. Based on this concept, nothing is to be trusted and we should do away with the idea of a trusted internal network. The concern is very legit and not based on some security paranoia. Let’s take the Ransomware attack for example. When Ransomware attacks your organisation and encrypts all the files, then high chances are that your environment has already been compromised. The Ransomware would not encrypt all your files immediately after you clicked open a malicious attachment. Experts believe that the Ransomware would first be lurking inside your environment to study your company, searching for loopholes, consistently sending back information to the perpetrator before it finally attacks you where it would hurt you the most. 

However, some companies are still sceptical about this framework as they assume that Zero Trust is just another marketing talk, a way for the vendors to rebrand their products and sell. Some had already given up and thought that Zero Trust is not practical to be implemented in the real world. We also have this negative reaction from users that the company is not trusting their own employees by adopting the Zero Trust framework. These are among the myths that would prevent a company from adopting the framework.

The truth is, whether we realised it or not, most companies are already embarking on this Zero Trust journey. I believe that it is common for all the companies to already have the firewall, the Intrusion Detection System (IDS), the Intrusion Prevention System (IPS), the Endpoint Security Protection, etc. in their current infrastructure. They should know that all these IT Security tools are actually part and parcel of achieving this utopia state that we are talking about. Knowing this would help them in assessing the readiness of their respective organisations and determining the gaps to be addressed for them to achieve this Zero Trust state. 

Where are we on this?

Now that we know where we are in terms of readiness, then it is time for us to plan and strategize how to achieve the desired Zero Trust state. While doing that, we should also reinforce the fundamentals and all the IT Security protections that we’ve already have. 

• Get the Management’s buy-in 

This is indeed the core effort because they are the ones who are going to approve the funding for this initiative. The Management needs to be accurately advised so that they would understand the importance of the initiative, how it would contribute to the betterment of the overall business ecosystem and what kind of investment commitment they would have to make to achieve this state. Getting the Management’s buy-in also means securing the top-down decree for the rest of the staff to follow.

• Focus on Authentication

Take the opportunity to review and improve your authentication method for systems or any resources access in the company. Implementing a Multi-Factor Authentication (MFA) would help to enhance the identity verification. Creating layer upon layer of authentications would also allow you to verify the identity of the users in your environment to reduce the risk of loss should any of the layers get compromised.

• Securing the infrastructure 

Check and double check that all data are sufficiently encrypted, be it data at rest or data in motion. It would reduce the adverse impact of any potential exploits should any of the infrastructure be compromised. Expert highly recommends having a network segmentation under the Zero Trust environment for better containment and verification of users inside the environment.

• Improving the process

Take stock of all the existing processes and its relevance. Review the process again and always be ready to take out any redundant process or unnecessary steps so that we could make the whole process more efficient. Check on the compliance of the existing process and see how we could do better. Let’s take the ID Verification Process for example. How is the Business User’s compliance rate in ensuring that all the listed IDs are still valid to the assigned users and job functions? Address the fundamentals first before we move further.

• Continuous communication

Communication is essential to have support from everyone in the organisation. They need to get involved so that they understand the importance of these initiatives. One of the good approaches to involve the business users and to get their commitment is as follows:

• Discover – Make sure the business users are involved in discovering all the information assets of the company, be it hard copy or digital. As they are the Data owners, they would know best of the data that is being recorded or being used on a daily basis.
• Classify – Once they list all the information assets in the company, then let them classify and rank the most important asset that they would like to protect. It is impossible for us to protect everything with limited resources and hence classifying this data would help to assign the right protection to the most important data.
• Enforce – This is where IT comes in and enforce all the necessary controls like the ACL to make sure only the authorised person would get access to these data. Since, we have included the business from the beginning and they were the ones who defined which data to protect, it will be easier to get them to comply and accept.

So, what’s next?

As I mentioned in the beginning, the Zero Trust implementation is a journey and not a one-time exercise. Hence, we need to continuously improve and be ready with the ever-changing threats landscape and technology advancement that may arise. Even if you have already achieved a Zero Trust state, you would immediately become vulnerable whenever new critical patches come out and your system requires patching.

As for the companies which have just started and currently implementing this initiative, adopting my proposed BRAG Rule of Thumb would help in deciding the best tools to be implemented in your organisation. Please refer to the following link to learn more about it: CIOs Sailing Through Rough Seas.

You may also refer to the NIST (National Institute of Standards and Technology) Special Publication 800-207, which further clarifies the cybersecurity measures and guidelines highlighting the core components of Zero Trust principles. It is a good reference and guide to ascertain where you are throughout the whole journey of achieving the Zero Trust environment.