Should APAC businesses start moving to Zero Trust now?

In Singapore, the government earlier this month announced a new Zero Trust cyber security approach from preventing threats to assuming information technology systems have already been breached. 

Government applications and information technology systems will be made safer by verifying that all activities on them are secure. This will require all users to prove their identities – by using usernames, passwords and biometric data to sign in – before they can access information. 

While this serves as a marker for the industry and the region to go to be better prepared against rising cyber threats, moving to zero-trust for APAC businesses – and in particular SMEs – may be more difficult as they need to balance their IT systems on factors such as costs, how critical they are, the sensitivity of information and their business requirements. A piecemeal approach can also create gaps that cyber criminals can exploit.

In our monthly special feature, iTNews Asia speaks to analysts and several cyber security players to hear their views on the importance of Zero Trust and how businesses can map their journey towards Zero Trust for their people, network, devices and data.

James Nunn-Price, Security Growth Markets Lead, Accenture

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Zero Trust does not mean an organisation does not trust its employees, but rather it is about verifying their access, and their device, at each stage - the network, system, application, and data layers before granting access. Zero Trust is a term for a collection of good security practices which have been evolving as a concept that Accenture has been implementing for almost two decades. Zero Trust provides a more uniform enterprise-wide approach. This helps provide greater visibility and enforcement of access policies, which improves an organisation's overall security and compliance, reducing the attack surface.

The Zero Trust security model is critical for APAC businesses as they move to the cloud and digitally transform. It opens up to new ways of working, for example, securely collaborating in shared offices and hubs with partners and customers. In the age of remote work, where network boundaries have slowly disappeared, our hyperconnected society has enabled us to access critical data over networks anywhere and everywhere.

Traditional security networks and physical offices assume that everything is trustworthy, which can expose the systems and data if infiltrated. COVID-19 has shown us that this can get organisations into trouble with data breaches and ransomware, a challenge that has become increasingly prevalent and costly.

What steps should they take to strengthen their cyber security posture? 

 A Zero Trust approach can be easier for SMEs as they are already adopting cloud and SaaS services. However, there is no single technology that can cover all requirements for a Zero Trust model. Instead, it’s a cross-discipline exercise that requires robust identity access management and end-to-end data protection.

There are five steps organisations can take:

1. Ensure all resources can only be accessed securely, whatever the location and device, even from inside the organisations network and physical offices.
2. Verify identity by implementing, for instance, MFA via OTPs and the use of software tokens.
3. Enforce the concept of least privilege by granting access to users strictly only on a need-to-know basis and applying the minimal level of user rights required for an employee or contractor based on their job roles. Link these roles into the HR system so that when people change role or leave their access is updated automatically.
4. Design the network housing the key systems and data from the inside out. Organisations can improve security and block unauthorised users from accessing the network by dividing their environments into separate segments, logically on function or on levels of sensitivity/trust.
5. Instigate proactive monitoring of user and data access logs and security alerts supported with automated responses and quarantining for suspicious activity.

Kenny Yeo, Associate Director - Global Security Advisory and Head, APAC, Cyber Security Practice, Frost & Sullivan

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Today's environment – one year into the COVID pandemic, and the next normal will be very different. Based on studies Frost & Sullivan have conducted, we see that most enterprises will not be moving back to the previous model of staff working in physical office branches. Hybrid work is the future of this next normal. 

This means that enterprises, users and customers must rely on digital more and more. Hybrid forms of working from anywhere (not just the home) will become more commonplace even after the current pandemic measures are eased. We see digital transformation projects accelerated to better meet customer needs and increased adoption of cloud and cloud services to scale up. Unfortunately we also see this expanding digital footprint leading to more cyber security incidents and attacks. 

Zero Trust is a framework for businesses to adopt that can help protect them in this dynamic next normal. 

What steps should they take to strengthen their cyber security posture? 

Zero Trust is not a technology, but a framework that assumes a breach and verifies often with identity at its core. There is some confusion because vendors are mixing the term "zero trust" into solution names. Identity would be the core of Zero Trust. 

For smaller businesses, it means taking more care with identity and changing some of the policies and processes. 

Practical steps they can take: 

• Are basic processes being followed? Is there regular changing of passwords and immediate removal of obsolete accounts when employees leave the organisation?  While basic cyber measures can be taken, it does not mean additional spending for the business. 
• How is the business managing identity? Are they leaving each endpoint with its own credentials, managed by the employee individually? Can this be centrally managed with the various cloud based identity and access management solutions? 
• Are there individual accounts for online services like Zoom or Office 365? Can they be centralised under a corporate account, and then managed through the service? 

For all businesses, we recommend focusing on three areas: 

• Identity, as described above 
• Email security, as it is the most common gateway into the organisation 
• Web security, as employees may accidentally click on the wrong links

Vijay Kolli, Head of Mobile Strategy, APAC, Akamai

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

It's vital for businesses to understand it’s only a matter of time until systems become infected. Just like how Indiana Jones dodged booby traps left and right in his quest to find treasure, cyber criminals will try all ways and means to bypass ‘booby traps’ a.k.a security systems to get their hands on data – all they need is a single compromised endpoint as a foothold to move throughout the network.

 This is where Zero Trust comes in. With a "never trust, always verify" approach across all entities regardless of location, device or application being used, and where the data is hosted, Zero Trust ensures that only the right business assets are available to the right people at any given time regardless of where the data resides – and if businesses are to continue innovating digitally while protecting valuable data, it’s critical they overhaul their cybersecurity strategy with Zero Trust.

What steps should they take to strengthen their cyber security posture? 

Transitioning to Zero Trust may seem difficult, but at its core is a simple protection model focused on granting the right people the right access at any time, regardless of location.

The first step businesses can take to strengthen their cybersecurity posture is to reframe their security strategy to focus on both external and internal attacks. While common countermeasures such as MFA, strong identity and access controls, antivirus tools and more, are a crucial part of the Zero Trust security strategy to defend against external attacks – organisations also need a strategy to minimise the risk of cybercriminals reaching critical assets once defences are breached.

This is where micro-segmentation technology comes in. It enables businesses to define security controls down to the individual software and workload level, while enabling deep visibility into data movements. Just like a waterproof bulkhead in a submarine, it helps contain the ‘blast radius’ from a malware attack, dramatically limiting its lateral spread.

Additionally, through these granular security controls, Zero Trust eases the burden on employees on having to determine whether something is malicious. This removes a significant source of risk, as it takes network access off the table, while removing complexity for IT and security teams.

Jonathan Jackson, Director of Engineering, BlackBerry

How critical is it for APAC businesses, including SMEs, to move to a  Zero Trust security model? 

In the dynamic digital landscape, organisations need systems in place to validate and authenticate any person, software, or device from reaching key resources on the company’s network. 

Zero Trust assumes that nothing is trusted until it proves its authenticity. Layered security, segmented networks and continuous authentication can prevent cybercriminals from infiltrating, compromising, and crippling an organisation’s network.  

Zero Trust is important in this hybrid work norm where employees access enterprise data, services, and applications stored on the cloud via home Internet connections and on their own devices. While a mobile and distributed workforce has enabled greater agility and efficiency, it has also resulted in a larger threat surface that cyber criminals can exploit. Without a Zero Trust model, malware can easily infiltrate deep into the network from any compromised device with little to no resistance, opening the door for severe and potentially costly attacks. 

 When implementing Zero Trust, it is also important to minimise friction with continuous user verification. To ensure that productivity is uninterrupted, businesses should leverage AI solutions that can continuously track usage patterns and determine risk. For instance, when risk level exceeds a pre-set threshold, users will be challenged to authenticate before being allowed to continue with their task. 

What steps should they take to strengthen their cyber security posture? 

Enhancing one’s cyber security posture can no longer be an afterthought, even for SMEs. The cost incurred when an attack happens is more than monetary — reputations are at stake and once trust is lost, it will be a near-impossible task to regain. By harnessing AI and fostering a workforce that is more aware of cyber security risks, SMEs can better protect themselves. 

There are cost-effective, AI-based solutions that help companies stay ahead of cyber security threats. By deploying AI-driven cyber security solutions, SMEs can enjoy a lower cost of maintenance and administration, while leveraging enterprise-grade technology to prepare for attack, prevent threats, detect suspicious activities, and respond to malicious actors in real-time.  One challenge SMEs face is lack of staff and skills in cyber security, so many are looking to offload these tasks to Managed Security Services Providers (MSSPs).

Another line of defence is the organisation’s employees. When SMEs empower employees with knowledge through security awareness training on common threats like phishing attacks, they can be an effective line of cyber security defence. Employees should also be encouraged to report potential security risks to cyber security teams promptly, so that investigation and remediation can be carried out as soon as possible. 

Clement Lee, Security Architect, APAC, Check Point Software Technologies

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Zero Trust is not a new concept. Since we were children, we have been taught not to interact or trust strangers. This has been ingrained into the physical human interactions that we experience everyday. Why should this be different in the digital age?

Digital security should have been a primary focus from the get-go. However, simplicity to accessibility has always be favoured over security. This is because of the convenience it brings to our digital lifestyle. 

The principles of data security have always been confidentiality, integrity and availability. However, most people ignore the principles of trust in the pillars, which are authentication and non-repudiation.

Fast forward to the pandemic — with more businesses relying on the cloud, and the work from home evolution — what was already an issue has just been magnified due to the heavier reliance on digital services to conduct our lives and livelihoods. Similarly, digital threat actors have found a new avenue of attack with newfound efficacy, largely fuelled by said reliance.

With cyber threats existing inside and outside the security perimeter, it has become essential to adopt a Zero Trust security approach to keep business data protected. It will help the organisation reduce risks of breaches and future-proof their business.

What steps should they take to strengthen their cyber security posture? 

There is a saying, “It is not a matter of if, but a matter of when.” Your organisation is only as strong as your weakest link. 

Zero Trust is both a mindset for thinking about security as well as a well-architected solution that helps to minimise risk from a changing working environment as well as an increasingly hostile world. Zero Trust helps users make sense of the complexity of cyberspace in the effort to slow down the attacker’s advancements. 

For most organisations, the government has aptly highlighted the fundamentals of Zero Trust – Authentication and Non-Repudiation of identities. If you cannot ascertain the authenticity of your users, then the potential fall-out may be significantly more costly to your business. 

I would recommend businesses to document their most critical revenue lines in both tacit and non-tacit context. Review with your IT teams and/or providers on the “lowest hanging fruits” of mitigation that can be implemented, then follow up with a review of mitigation for more pertinent but effective measures that should be implemented in the short term. 

Security is not a destination, but the journey that changes its course constantly. Similarly, it is knowledge applied through a keen mindset, ideologies, and vigilance. Remember, Zero Trust is not a standard but a living mindset. 

Lani Refiti, ANZ Regional Director, Claroty

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

The short answer is yes. A Zero Trust approach is essential in the age of digital and cloud first, as they enable access to services that traditionally reside within organisational boundaries, anywhere and at any time. This shift has necessitated a rethink of our approach to security in terms of making assumptions that all users accessing an organisation’s resources are untrusted until authenticated, authorised and assessed at multiple inspection points.  

However it is important to understand that Zero Trust is not a product - it is a cybersecurity design method that flows down to the technical architecture that enables it to operate.

What steps should they take to strengthen their cyber security posture? 

Cyber security architecture can be difficult to implement if not implemented properly. You will need to align your business processes to a Zero Trust approach i.e, will Zero Trust necessitate a change in how your customers and partners interact with your digital services? How about supply chain management or procurement? Can it be done frictionless? 

From there, you design the technology architecture needed and cyber security controls to enable and support that. SMEs may find it more difficult given they lack the resources but interestingly size or a lack thereof may actually be advantageous as their architecture is usually not as complex as large enterprises. 

Jonathon Dixon, Vice President and General Manager, APJC, Cloudflare

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

The shift to a Zero Trust security model is critical for all businesses in APAC. Apart from a consistent increase in security incidents, the COVID-19 pandemic brought about the biggest security threat companies have ever faced – the need to secure all employees, apps, data, and networks outside an office as everyone went remote. 

As employees began using personal devices to connect to business networks, IT teams having little or no management of these personal devices, and limited visibility into employee activity within business applications, Zero Trust has become essential in securing today’s work-from-anywhere economy.

According to Cloudflare’s recent APAC Zero Trust survey, 86% of respondents said their company is aware of Zero Trust, and over half (66%) said their company has implemented a strategy for it. Businesses were unprepared to cope with the challenges and added security risks moving into hybrid and remote work, so having a Zero Trust strategy is not just a nice-to-have but is essential in the future of work. 

What steps should they take to strengthen their cyber security posture? 

There are a few challenges to overcome on the journey to Zero Trust adoption within APAC. Our survey found that 51% of respondents wanted more information on Zero Trust and only 38% claimed their current security posture was enough to protect them. However, reasons also existed at the boardroom level - with 37% of respondents citing the unlikelihood of securing funding while 32% struggled to make the business case for it.

For SMEs, the move towards Zero Trust can be a daunting task, but it doesn't need to be hard. For most organisations, they can start transitioning towards Zero Trust with next to no changes to their current network architecture. One of the key components of Zero Trust is to apply security controls based on the identity of the user, rather than the network, and that can be very easy to achieve, where within minutes, organisations can start publishing applications according to the identity and role of their users more securely. 

Due to remote work, a lot of the existing access technologies will also provide a poor user experience, using legacy technologies like VPNs and Virtual Desktops, and this is an area SMEs should be focusing on.

Vincent Goh, Senior Vice President of APJ, CyberArk

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

 The rise of cloud and digital services adoption, coupled with the new way of working, makes a Zero Trust security model even more paramount. We need to look at Zero Trust not as a solution or technology - but rather an approach to security based on the principle of “never trust, always verify.” By assuming that a breach has already occurred and the bad guys are already in your network and have access to your applications, organisations must grant no implicit trust to human or machine identities. All identities must be continuously authenticated and authorised. 

Studies and research have also shown that a Zero Trust security model can be effective in preventing data breaches and mitigating security risks. The “trust nothing; verify everything” philosophy is critical in helping companies address cloud security challenges today.

 What steps should they take to strengthen their cyber security posture? 

 Zero Trust is a holistic and strategic philosophy in which organisations often take a phased, programmatic approach over time. It is not just technology; it’s about process and mindset as well. Organisations will find that adopting Zero Trust is not an overnight accomplishment. It will also not be easy, particularly if they have legacy systems that do not transition well to this new model. Effective Zero Trust strategies utilise a mix of existing technologies and approaches such as the following:

• Protect high-power privileged accounts. The majority of insider threats and external attacks involve privileged access abuse. Organisations should identify the most important privileged accounts, credentials and secrets across their environment and implement access controls to protect the accounts that present the most risk as it relates to Zero Trust.
• Implement the principle of least privilege. It’s essential to know who (among both human and non-human users) has access to what assets and when and which actions they can perform. Organisations should enforce the principle of least privilege broadly along with attribute-based access controls that combine enterprise-level policy with specific user criteria to balance security with usability.

Parvinder Walia, President of Asia Pacific and Japan, ESET

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

ESET’s recent threat report has shown that cybercriminals continue to take advantage of the remote working arrangements to mount cyberattacks. There has been a 104% increase in public-facing Remote Desktop Protocol (RDP) services brute-force password attacks in May - Aug 2021, as compared to first four months of the year.

Adopting the Zero Trust security model is especially critical now, due to the prevalence of remote working arrangements where devices are used to access corporate network from home. Another component driving the need for zero-trust is the growing adoption of cloud services, which stores troves of sensitive data. Without Zero Trust, all this data and resources will be completely vulnerable once an attacker gains access to the network or application, as users inside the network are trusted by default.

Using multifactor authentication is also crucial as it adds an additional layer of authentication if passwords are compromised.

What steps should they take to strengthen their cyber security posture? 

The transition to a Zero Trust model does not always require a major overhaul of the company’s security infrastructure as many companies, including SMEs, may already be using some of the fundamental tools and techniques needed.

These include:

• Data:  Ensure regular backups of data are done. Use file encryption and data loss prevention solutions to ensure corporate data is protected.
• Devices: It is imperative to only allow devices that you know be connected to your network. Use an effective endpoint detection and response (EDR) or endpoint security solution to protect these assets.
• Networks: Determine who should have what access to the resources in your network. Micro-segmentation and least privilege are key here.
• People: Employees are integral to any operation, especially SMEs. Ensure there is adequate cybersecurity training and implement roles-based access controls. Multi-factor authentication (MFA) should be widely used to prevent unauthorised access.  

Jess Ng, Country Head, Singapore and Brunei, Fortinet.

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

A Zero Trust approach is a must for securing any organisation that allows remote connections to access the company system. Using the Zero Trust model allows organisations to rely less on traditional virtual private network (VPN) tunnels to secure assets being accessed remotely. A VPN often provides unrestricted access to the network, which can allow compromised users or malware to move laterally across the network seeking resources to exploit. 

Cyber criminals are relentless and will target every device as a potential entrypoint into the network. With Zero Trust , no devices are allowed to connect to corporate resources freely and by denying all unvalidated traffic by default, bad actors and compromised devices can’t easily breach or compromise the network. A Zero Trust security model applies security policies equally, whether users are on or off the network. So, an organisation has the same protections, no matter where a user is connecting from.  

What steps should they take to strengthen their cyber security posture? 

To implement Zero Trust security, organisations need to develop and execute a plan that ensures consistent protocols and policies that are implemented across the entire network, not just in the cloud. If a company uses a hybrid network, they need the same Zero Trust  policies applied on their physical headquarters remote workers and assets. 

With the right tools, implementing a zero-trust approach to security requires a few basic steps. 

1. Define a Protect Surface

These are the types of data which organisations must protect:

• Customer data
• Financial records
• Employee information

2. Limit Access to Data

Determine what resources each user needs to access to perform their duties, ensure they can only access those specific areas. 

3. Provide Visibility

IT teams can keep a watchful eye on the network using visibility tools such as:

• Reports: User activity reports can be analysed to identify attempts to break into the system.
• Analytics: Analysing user activity may reveal patterns of behaviour. 
• Monitoring: Real-time monitoring of the system can reveal hackers’ attempts at infiltration.

Joanne Wong, Vice President, International Markets, LogRhythm

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Business and work as we know it has been irrevocably changed since the pandemic hit. We have seen how companies in APAC especially, double down on digitalisation efforts and embrace a future of hybrid work. 

But while this changing landscape has unearthed new growth opportunities, it has simultaneously also introduced complex vulnerabilities and security risks. After all, traditional castle-and-moat approaches to security will do little to fend against threats in today’s cloud-based and remote-work reality.

This is why the Zero Trust approach is key. Businesses need to maintain oversight across their entire digital operations, and adopt an “assume-breach” mindset to nip cyber-incidents in the bud. 

They cannot afford to risk even a single weak-link, and must verify activity at every step to ensure that only trusted identities have access to the right data and information. Only then can they safeguard their business and be future-proof in the digital era.

What steps should they take to strengthen their cyber security posture? 

The truth is that SMEs, like any other business, are equally positioned to adopt a Zero Trust approach. Many SMEs hold the misguided belief they won’t be targeted by cybercriminals. Thus, they don’t invest resources in security infrastructure and cybersecurity training. This inaction is precisely what puts a hot target on their backs as opportunistic actors are quick to take advantage of poor cyber defences to mount an attack.

Smaller companies with resource constraints certainly may find it daunting to balance their cybersecurity needs with other business priorities. But this doesn’t mean that they should abandon efforts. Instead, they must be more strategic and take baby steps to establish the cybersecurity posture that they need.

This starts with a focus on data - what needs to be secured, where it is stored, and how it is accessed by users and applications. From there, they can expand outwards to focus on user governance and device trust, where they provision roles, entitlements and access levels across all employees. 

Finally, they may be in a position to create a comprehensive business plan centered around Zero Trust, factoring in all their returns on investment and assessing how else they can optimise their security processes. 

Jonathan Tan, Managing Director, Asia, McAfee Enterprise

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

In today’s threat landscape, Zero Trust is no longer an option but a necessity. Traditional cybersecurity follows the concept of a moat for defense. While any attempts to access data from outside the moat need to be verified, all users inside the moat are assumed to be trusted.

However, as we move into a cloud-first and remote work era, our data is now spread out over multiple areas instead of a single platform - making it increasingly difficult for businesses to keep their data secure. Teleworkers today, for instance, may be accessing secure applications from a multitude of personal devices.

With data being accessed in ever-increasing numbers of ways – all while threats continue to increase and seek out the weakest points in ever-expanding threat surfaces – Zero Trust is now a critical requisite for any and all APAC businesses.

What steps should they take to strengthen their cyber security posture? 

Instituting Zero Trust may seem daunting to SMEs with small IT teams and limited budgets. After all, the core of Zero Trust is about continuous monitoring, inspection, and logging of traffic and activities. 

However, we believe that it is an attainable and critical step that all APAC businesses can take to maintain an effective cybersecurity system to protect their valuable data in today’s digitally connected world. What’s more, the continuous innovation around automation technology has also rendered modern Zero Trust solutions even more efficient and affordable.  

As a starting point, businesses will need to think of all facets of their organisation’s threat profile: critical assets, applications, data, and services. Businesses must micro-segment their data to decide who needs access to what data, and how to restrict that access. 

More than that, organisations should also strive to achieve real-time visibility so that they can have a complete and updated picture of their data, make necessary changes in short order, and quickly adjust should anything go awry.

Critically, businesses should remember that Zero Trust is an iterative effort to constantly improve and adapt one’s digital infrastructure – only then will we be able to keep up with an ever-changing threat landscape.

Mary Jo Schrade, Assistant General Counsel and Regional Lead, Digital Crimes Unit Asia, Microsoft

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Asia has become a driver of global innovation. Organisations of all sizes are embracing change to meet the demands of their customers, partners, and employees. Enhanced security in technologies is required to keep businesses and people safe.

Zero Trust matters now more than ever to instill trust in technology and to support the increasing prevalence of cloud-based services, mobile computing, and devices that drive Asia’s workforce. Security architectures that rely on network firewalls and virtual private networks to isolate and restrict access are no longer sufficient for a workforce that regularly requires information access beyond traditional corporate network boundaries. 

The Zero Trust security model assumes breach and verifies each request as though it originates from an open network, instead of assuming everything behind the corporate firewall is safe. This reduces risk across all environments, helping networks to remain healthy and protected in a hybrid, perimeterless world. 

What steps should they take to strengthen their cyber security posture? 

We are seeing an unprecedented digital transformation across businesses in the region. With SMEs comprising more than 98% of all enterprises in APAC, cyber security needs to be a top-of-mind priority for any organisation. Every company is increasingly relying on technology – this means that no one is safe from cyber security attacks. 

Having good email hygiene is the baseline that businesses and individuals need to implement to protect themselves, especially since 90% of attacks start with an email. Organisations need to educate employees about phishing and its voicemail- and text-based variants. 

But education is not enough on its own – organisations should also ensure that the email system they use incorporates filtering and link checking to provide the most comprehensive protection. Additionally, the use of multi-factor authentication can block over 99.9% of account compromise attacks. 

Organisations also need to ensure that their apps and systems are patched and updated in a timely manner to fix vulnerabilities that are susceptible to cyber attacks before they are exploited by cyber criminals.  

Migrating to the cloud will also provide a level of security that most small and medium businesses might find challenging to achieve on their own given that cloud infrastructure is built from the ground up with modern security and privacy in mind. 

Ben King, Chief Security Officer, APAC and EMEA, Okta

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Remote working policies have resulted in a more diverse IT infrastructure and fragmented workforces. Consequently, we have witnessed an evolution of cyber security threats in APAC. Four of the top 5 territories most affected by ransomware, for instance, are in APAC – South Korea, Vietnam, China and Singapore.

In today’s distributed digital landscape, identity is the new perimeter. For organisations to meet the access and usability demands of modern users and avoid becoming the next victim of a data breach, it is crucial for them to move towards a more robust and comprehensive security posture that’s centred around the Zero Trust security principle of “never trust, always verify”. This ensures that the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously.

What steps should they take to strengthen their cyber security posture? 

Okta’s ‘The State of Zero Trust Security in Asia Pacific 2021’ study found that although 77% of APAC organisations have accelerated Zero Trust security as a priority, only 13% have implemented a Zero Trust security strategy. 

The top challenges include talent and skill shortages, cost, and technology gaps. Given SMEs’ more limited resources, the hurdles faced by them are likely to be greater and require more creative solutions to deliver the required return on investment.

For organisations to strengthen their cybersecurity posture, best practice is to leverage identity as the foundational control across the security stack. Businesses can implement a unified identity & access management (IAM) ecosystem, and eliminate poor password hygiene by implementing single sign-on (SSO) and multifactor authentication (MFA) for employees to access key resources.

Additionally, businesses can strengthen security by extending access controls to other resources such as their APIs, and use rich context and diverse factors to better inform authentication decisions. 

Organisations should also consider more advanced security measures such as passwordless authentication and context-based access policies, and then shift beyond protecting employee accounts to also securing access for partner and customer accounts.

Identity is the new perimeter, and strong authentication must be adopted across all services.

Ian Lim, Field Chief Security Officer, APAC, Palo Alto Networks

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

The move towards hybrid work required APAC businesses to migrate the majority of their digital assets - including IT resources and applications - to the cloud for greater speed and efficiency. As a result, security teams now have to protect a much wider attack surface. Hence, it is essential that organisations move away from traditional security models which rely on implicitly trusting data, applications, and users inside of an organisation’s network. 

The Zero Trust model recognises that this trust is a vulnerability. By continually validating critical digital interactions rather than trusting solely on authentication and authorisation, Zero Trust combats the exfiltration of sensitive data while preventing threats from moving laterally within a network. 

The adoption of a Zero Trust security model has become absolutely critical for APAC businesses today and it is integral to protecting an organisation from new gateways that hackers may attempt to enter the network. 

What steps should they take to strengthen their cyber security posture? 

Achieving Zero Trust is often perceived as costly and complex, but it starts with adopting a mindset of continuous validation. Additional capabilities can be added as resources permit. 

There is a five-step methodology for businesses to achieve a well-coordinated architecture and solutions that validate, authenticate, and apply threat prevention capabilities across their entire infrastructure. 

1. Define the protect surface by identifying the most valuable critical data, application, assets, or services.
2. Map the transaction flows to understand the way traffic moves across the network. This will allow organisations to better insert controls and monitoring to protect critical data and assets.
3. Create Zero Trust policies and procedures around critical assets through awareness and standard operating procedures. Practicing cybersecurity hygiene that minimises trust violations is essential. 
4. Build Zero Trust capabilities needed to enforce Zero Trust policies consistently across the entire organisation. A platform approach can provide comprehensive visibility, integrated control and automated defense across various cloud and on-premise environments. 
5. Monitor and maintain by continuously inspecting and validating all traffic on the network and in the cloud. Just because a user or application is authenticated and authorised does not mean that they are to be trusted. 

Alex Lei, Senior Vice President, APJ, Proofpoint

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Zero Trust is a great approach, and is a genuinely critical way to move past legacy security models that never worked in the first place. As people, not infrastructure components, have become the primary targets for attackers - limiting access to only what each individual needs has never been more critical to prevent the compromise of a single user from turning into a much bigger breach. 

In addition, as users need to access resources across on-premises and cloud systems, Zero Trust becomes an essential way to limit the attack surface for both the corporate network and cloud-hosted systems.

With that said, no technology can completely reduce the security risks end users create and Zero Trust network solutions should be leveraged in conjunction with cyber security awareness training and other measures. 

What steps should they take to strengthen their cyber security posture? 

Zero Trust is a difficult model to move toward overnight, especially if resources are limited. Instead, we believe in identifying the greatest areas of risk and mitigating those first. For example, limiting third party and contractor access to only authorised resources rather than the entire corporate network is a critical control to reduce enterprise risk, and a great first step in Zero Trust. 

In addition, organisations must work to identify which employees are most targeted with attacks within the business. These more targeted employees are referred to by Proofpoint as Very Attacked People (VAPs). And these VAPs aren’t always the people you expect. That’s because today’s attacks target users in countless ways, across new digital channels, with objectives that aren’t always obvious.

Gaining insights into your most targeted employees can go a long way toward reducing your exposure to targeted threats. By knowing who your VAPs are, you have a good sense of who is getting targeted and who is going to fall for the tactics and techniques of bad actors. This ultimately gives you an advantage over attackers as you can use this intelligence to prioritise your security efforts. 

Aaron Bugal, Global Solutions Engineer, Sophos 

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Zero Trust security incorporates many ‘moving parts’, different security controls and processes that a business should implement.  Although the complete vision of Zero Trust can have a dramatic effect on overall positive security outcomes for any business large or small, the fundamental building blocks are most important to focus on initially.  

If an organisation is in a good place with its IT and has a well-defined cybersecurity awareness plan, then the slow transition to adopting Zero Trust security models and controls should naturally happen.  Cybersecurity is a journey after all, and anyone responsible for the overall security of the business will be planning to insure this persists.

What steps should they take to strengthen their cyber security posture? 

Walk before you run.  Take the time to understand the basics of cyber security, cyber resiliency and, in turn, cyber security awareness that can be shared with your employees – everyone needs to play a part. 

The Cyber Security Agency of Singapore has a SMB Security guide on what to be aware of and how to mitigate it. In practise, users and how they authenticate to computing/cloud services should be modernised - this includes unique credentials for everyone and the enforcement of multi-factor authentication. 

Additionally, ensuring basic computer hygiene and keeping your operating system and applications up to date with the latest patches and releases will do wonders in preventing cyber criminals getting easy access to your money and data.

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Centre (CyRC)

How critical is it for APAC businesses, including SMEs, to move to a Zero Trust security model? 

Zero Trust architectures create a network configuration where users are validated that they have an explicit right to access services or data prior to the access. These architectures are based on restrictions and validation performed within the network - meaning that even if someone having malicious intent gained access, a properly configured Zero Trust implementation would prevent them from accessing the network. 

Zero Trust networking is based on the application requirements, so whether the application itself is deployed in a cloud or on-premise, the protections afforded by a Zero Trust network are equally valid. Zero Trust protections become even more important in remote work scenarios as they can limit the damage a compromised laptop with a valid VPN connection might have. 

In effect, even if a user has authorisation to access the network, Zero Trust requires that they authenticate with the network to access specific services on that network.

What steps should they take to strengthen their cyber security posture? 

Transitioning to a Zero Trust model isn’t based on business size, but rather the ability of the business to identify critical systems and implement effective network policies. 

The first phase of any Zero Trust implementation is to determine precisely which systems need to communicate to each other, and what the minimum requirements for that communication are. In effect, if a system is only expected to see network traffic from a peer service, there should be no reason for an end user to access it and that should then be enforced in network policies. 

Once this baseline is performed, then user authentication requirements can be applied. But the first step is to understand what the communication requirements are for all software within the business.