The 2021 Data Breach Investigations Report (DBIR) defines an incident as a security event that compromises the integrity, confidentiality or availability of an information asset. The same report defined a breach as an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.
For over two decades organisations have continually expanded their computing defence strategies to encompass several independent methods for protecting against digital threats. Everything from authentication, encryption, detection, prevention and recovery. But an all-encompassing success using what the information security industry has labelled defence-in-depth strategies have yet to provide 100% protection.
In 2010, a Forrester analyst coined the term “zero trust” as a further extension of enterprise’s defence strategy against escalating cyber warfare. The premise is simple: trust no one. Meaning, require authentication at every point of the engagement.
At a time when users are clamouring for a way to have easier access to data they need to do their job, security professionals are calling for what looks like the reverse – more controls.
Is zero trust what we need? Will it prevent the next Colonial Pipeline, Sunburst or AXA Asia attack?
At the 25 May 2021 IBM media briefing on Zero Trust, Matthew Glitzer, vice president, IBM Security – APAC; Chris Hockings, chief technology officer, IBM Security, ANZ; and Shaibal Saha, digital trust leader, IBM APAC, came together to share their perspective on how cybersecurity is evolving in the region.
Glitzer noted that trust is the most fundamental currency we have. “Trust is essential to how we connect with our customers, partners and employees. Effective cybersecurity is a key element to maintaining this trust,” he continued.
“Cybersecurity needs to be incorporated into every aspect of the business, infused into every policy and wrapped around every transaction. We call this security by design.”
Glitzer said zero trust offers organisation a framework to address the complexity in cybersecurity. He pointed out IBM’s approach to zero trust is not a product but an open approach on how to programme cybersecurity.
Zero trust, according to IBM, is guided by three principles: enabling least privileged access, never trust – always verify, and assumed breached.
Q1: Is zero trust the best way to stop data breaches?
Hockings: With zero trust we are now able to apply context to security decision-making processes that we’ve not been able to do as an industry at scale. We can use context to identify threats as they emerge and remove them before they can become weaponised.
Q2: How is IBM’s implementation of zero trust different?
Saha: Our difference is we are helping customers find a zero trust roadmap that is right for their business. We are trying to make zero trust usable to the customer pulling expertise and experience in the security space.
Q3: What are the challenges to implementing a zero trust strategy?
Glitzer: There is no one challenge. It depends on the maturity of where an organisation is at. The starting point is developing a zero trust strategy plan.
Q4: What are prevailing misconceptions around zero trust?
Saha: Zero trust is not an off-the-shelf product you can buy, implement and you can achieve zero trust. There is a lot of noise today around zero trust with everyone having a point of view.
Q5: Is zero trust a silver bullet?
Glitzer: There are no silver bullets (when it comes to security). No one technology, process or policy that is zero trust. Zero trust is an approach, a philosophy, that is enabled by technology.
Q6: Will zero trust make obsolete existing security strategies and solutions?
Glitzer: Zero trust promotes the use of multi-vendor security solution. It recognises the strengths of these products and by adding context it enhances zero trust enhances these technologies.
Q7: How do you budget zero trust?
Hockings: By taking a zero trust model and refactoring the way you are doing security, you are able to boost some of that budget allocation. It is important to ask the question: Where am I spending my money today and what will this transformational approach do in order to move some of that budget to where it is better utilised?
Q8: Do you see regulators coming behind in support of zero trust to protect industries and systems?
Glitzer: Zero trust model takes the external view of the threat, applies it to a risk-based model and help governments and enterprises apply the right controls in the right place at the right time.
Saha akins zero trust to how organisations today are performing temperatures checks on people moving in and out of premises. In most office premises, workers will have security IDs to enable them to enter a building but until a temperature check is performed, a worker cannot enter the facility.
“Zero trust operates in a similar fashion. Irrespective of who you are and what you are authorised to access, somebody has to continuously evaluate you before trust can be established to let you in,” he added.