By Daniel Kwong, Field Chief Information Security Officer (CISO) for South East Asia and the Hong Kong region
Today’s hybrid workers require access to distributed applications deployed in the data centre, multi-cloud environments and Software as a Service (SaaS) locations. Digital acceleration involves adopting and implementing new technologies and practices to improve business agility and employee productivity. It is also redefining the network edge, especially in today’s Work-from-Anywhere (WFA) world — which has users moving between on-premises locations, interconnected branch locations, home offices, and temporary locations during travel — thereby expanding the attack surface and exposing the business to new and advanced threats.
Whether they are working from the road or a home office, Asia Pacific (APAC) organisations must provide employees with the proper security controls they need to access applications and resources located in the cloud or data centre. Unfortunately, most traditional infrastructure focuses on rerouting traffic to fixed security points for inspection, causing a severe impact on user experience. Traffic bottlenecks cause noticeable slowdowns, and because users, devices and applications are in constant motion, this approach is inadequate.
Too often, organisations allow network traffic to bypass security by whitelisting, supposedly to ensure business performance uptime. Full access is given to all connected devices within the network because outdated tools cannot adequately examine encrypted applications, data, and video streams at high speeds. To say this has not panned out well, especially in APAC, would be an understatement. IBM found that the region was the world’s most targeted last year, accounting for 26 percent of global cyberattacks.
Time is of the essence, and APAC stands to reap the rewards of intensifying efforts to move towards zero trust. In fact, a global survey by Fortinet found that the most significant benefits organisations gained with a zero trust strategy were “security across the entire digital attack surface” and ongoing authentication and monitoring. Respondents indicated they understand zero trust (77%) and over eighty percent reported already having a zero-trust strategy in place or in development. Yet, over fifty percent indicated being unable to implement core zero-trust capabilities and nearly sixty percent indicated they do not have the ability to authenticate users and devices on a continuous basis.
A long-term solution to regional challenges
Due to existing gaps regionally, the situation in APAC is characterised by a gulf in zero trust adoption levels, underscoring the need for custom-built solutions that leverage best-in-class technologies.
APAC’s organisations have also cited shortages in budget, skilled staff and resources as hindrances to taking the zero trust plunge. Yet, in reality, many security teams continue to try to weave an array of products from multiple vendors into tightly integrated platforms that span remote sites, corporate facilities, and multi-cloud deployments. Clearly, this traditional approach has been difficult from the outset, but now it is hopelessly ill-suited to today’s highly distributed networks.
As industry leaders and governments, including Singapore, add to the chorus calling for zero trust, APAC must respond by leaving behind the prevailing dysfunction and assimilating a model that ensures least-privilege access.
What an effective zero trust strategy offers APAC’s businesses
Embarking on a least privilege strategy and the adoption of zero trust tactics requires a platform that integrates products by design. As has already been established, traditional multi-vendor strategies are simply too complex and incapable of addressing the volume, variety, and velocity of data and threats found in today’s networks. Likewise, it is valid to ask questions about the speed and scalability of threat detection and mitigation under a zero trust approach, since it runs on the principle that every device or user is potentially compromised.
With zero trust, tight integration becomes the bedrock upon which organisations identify and classify all users and devices seeking network and application access — assessing their state of compliance with internal security policies to assign them zones of control automatically, and continuously monitoring them, both on and off the network.
Limiting user access only to the necessary resources for each role enables continuous visibility over everything on the network, safeguarding organisations’ critical assets.
Through a cybersecurity mesh, APAC’s organisations have access to a broad, integrated and automated platform that enables least privilege strategies to work no matter what stage of implementation they may be at and no matter where their users, devices, or resources may be located.
As they strive to stay secure and drive productivity under a WFA policy, Chief Information Security Officers (CISOs) across the region must consider charting a realistic path for their zero trust transition to minimise risks such as compromised credentials or incorrect provisioning or authentication, to remain competitive on the global stage.