Raising the Zero Trust banner in an evolving threatscape

Like it or not, growing digitalisation has resulted in greater dangers on the cybersecurity front. Today, threat actors are continuously probing for gaps and weaknesses in digital systems, while new threat vectors and a rising cadence of attacks are hardly making things easy for cyber defenders.

How is the threatscape evolving, and how can a Zero Trust strategy protect organisations in an increasingly dangerous world?

New attack vectors abound

One area of concern for David Ng, the Head of Group Technology Information Security Office at OCBC Bank, is the risk posed by external providers, including providers of cloud services. He pointed to the widely reported global outage suffered by Microsoft Teams in July this year as an example.

“We were affected by the Microsoft Team's outage, which lasted for about half a [work] day. If an external provider of our essential or core services experiences an outage due to a cyberattack, it may have a very big, deep impact on our operations at OCBC,” noted Ng.

The growing geopolitical tension globally, despite being a political issue, might have serious downstream implications for businesses should things come to a head. A case in point is the Russia-Ukraine conflict which affected the global supply chain culminating in the supply of some hardware systems taking months instead of weeks.

Ng is keeping an eye on ransomware, too. While defending against ransomware is partly a technical challenge, a lot also hinges on the savviness of users. And this is where things can get dicey: “Attackers are constantly changing their methods. They go to the weakest link, which in this case is the users. They might entice them, befriend them, trick them… they merely need to succeed once, and then we have a problem,” explained Ng.

For Professor Yu Chien Siang, Chief Innovation and Trust Officer at Amaris.AI, the fundamental brittleness of AI could be an issue in an age where it is silently but swiftly making its way into every façade of our lives. From smart police cameras, chatbots or loan approval systems, the deep learning models running in AI systems could potentially be brought down or exploited using adversarial examples, he says.

Prof Yu, who has four decades of cybersecurity experience under his belt, also noted that our heavily digitalised world is vulnerable to a new class of digital attacks. Given how Zoom calls and digital contracts are par for the course when conducting business today, real-time deep fakes and disinformation campaigns by faceless adversaries might well trick an organisation into sending money to a fabricated entity.

The role of Zero Trust

So, can Zero Trust blunt the edge of new attack vectors? Having done extensive work on it many years back when the security model was still obscure, Prof Yu says Zero Trust is hardly the be-all-end-all of cybersecurity. While it is effective in addressing risks around infrastructure, a lot more needs to be done, he says. This includes risk modelling and heightened efforts to protect data, the crown jewels of modern businesses.

“Zero Trust doesn't address new developments like the Metaverse. In the Metaverse, for instance, you are more worried about representation. You are worried about your reputation, you are worried about unauthorised data access,” said Prof Yu.

While Prof Yu does not dismiss Zero Trust, he points to the presence of other cybersecurity issues that are trickier to address and which organisations need to think long and hard about. He said: “Implementing Zero Trust is a technical issue that is more solvable, but risk modelling is more of a decision-making problem that is much harder to solve.”

Many financial institutions and organisations have already embarked on some form of Zero Trust, observes Ng, though he is emphatic that Zero Trust will not solve every cybersecurity problem. Moreover, organisations implementing Zero Trust will do well to remember that it is not some off-the-shelf system for purchase.

Ng says this is a common misconception, perpetuated partly by its growing prominence and marketing by vendors. “One misconception is thinking that Zero Trust is a sort of turnkey solution I can purchase and deploy. That maybe I buy two or three of such systems that claim to support Zero Trust, I turn them on, and I get Zero Trust,” Ng said.

The reality is much more complicated: “There are many others controls across the entire ecosystem and the value chain that one must consider.” Indeed, larger businesses with a heterogeneous IT environment and equipment from multiple vendors can expect a harder time implementing Zero Trust. Hearing from Ng, one must roll up one’s sleeves to iron out compatibility and interoperability issues.

“Zero Trust is a relentless journey; you must keep moving. Yes, we will see light at the end of the tunnel, but we are still far away from where we need to be. In the true Zero Trust environment, the entire trust fabric must incorporate continuous monitoring, continuous authentication, and verification… and everything else must be put in place,” Ng said.

Securing tomorrow’s systems

So how can organisations prepare themselves for the evolving threat landscape? Speaking from the perspective of implementing Zero Trust, Ng said: “When all is said and done, every organisation will have very different investment priorities and risk appetites. It's about understanding the needs and requirements of the business. From there, you translate it down into what can be done now or later.”

It is equally important that executives and the board understand that implementing Zero Trust takes time, lest they see the security model as a product and start questioning what appears to be repeat purchases.

“It’s about having the big picture. Therefore, we need to educate our seniors and the board that Zero Trust is a journey. And to make sure that everyone understands what we can do with Zero Trust, and when will we achieve it,” said Ng.

Prof Yu advises organisations embarking on their Zero Trust journey not to be too fixated on a brand name or a specific product. It would bode well for cybersecurity leaders and decision-makers to be educated about the solutions they are evaluating, he says, and not be taken in by vendor claims of capabilities that might only apply in very narrow scenarios.

“Start with your priorities and resources, what needs to be protected and the technologies that can do that. Some technologies might be highly affordable but side-lined as there is no money to be made. Identify what works for you and implement them to protect your systems,” he summed up.