Zero Trust – Once again

By Juan Carlos Gómez – Digital Security Director & Group CISO, Alejandro Becerra – Information Security Director, and Nikolaos Tsouroulas – Head of Security Architecture, Telefonica Group Digital Security

In the last few months, many factors have been reshaping the cybersecurity landscape, including the ongoing COVID-19 pandemic, increasing geopolitical tension, supply chain challenges and new technologies such as the cloud, AI and 5G, to name a few. Basic cybersecurity practices such as secure configuration and vulnerability management have, unfortunately, proved insufficient to effectively mitigate cyber threats in this changing environment. To protect themselves from evolving cyber risks, organizations will need new and more coordinated approaches. Most importantly, they will need to revisit old concepts such as Zero Trust and embrace some newer ones such as Secure Access Service Edge (SASE).

Protecting against cybersecurity risks has become increasingly challenging for organizations in all sectors:

  1. Extensive teleworking and the migration to the cloud have resulted in greater digital dependence and the definitive rupture of the digital perimeter;
  2. There has been an increase in potential attackers who can carry out malicious operations from anywhere in the world;
  3. State-sponsored groups have become increasingly prevalent; and
  4. There has been a popularization of technologies and tools for cybercrime and certain criminals have acquired almost unlimited resources to carry out cyber intrusions for profit.

On the one hand, basic cybersecurity processes remain relevant for covering the full threat cycle: anticipate, protect, detect, defend and recover. On the other, these basic processes are not effective enough, because organizations are not prioritizing action against their immediate risks. The dilution of responsibilities in large organizations, the complexity of supply chains, digital transformation accelerated by the massive adoption of cloud services, a shortage of well-trained professionals (not only in security) who are aware of cyber risks, and the growing pressure to reduce costs and deadlines undoubtedly play a role as well.

It is in this context that old concepts such as Zero Trust become extremely important.

These concepts rest on the hypothesis that nothing is trustworthy a priori, which reflects how the risk model has evolved. It used to be difficult to breach a digital perimeter; today there is almost no perimeter, or it has moved to the far end, right up to the data, and it varies over time and location. SASE is more recent: it translates part of the Zero Trust concepts, plus some others, into concrete solutions, implementation patterns and technology.

The concept of Zero Trust originated in the Jericho Forum's initial work on de-perimeterization in 2009 and was later integrated within the Open Group. As the name suggests, Zero Trust is based on methodical distrust: no user, device or application, inside or outside the network, is considered safe a priori; each must be validated continuously as a prerequisite for using any corporate resource. It also presupposes that every organization's technology systems may already have been compromised.

Zero Trust is developed along the following axes: people, devices, workloads, networks, and meticulous, continuous monitoring. These axes take shape through concrete actions that involve deploying technology components but, above all, change how systems and their associated processes are built. The simplified message is: implement continuous, contextual authorization mechanisms for each access by each person or device to each digital resource.
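To make the two preceding paragraphs concrete, the following is an added illustration (not code from the article or from Telefonica) of a policy decision point that evaluates every access request from scratch across the axes just named: identity and role, MFA freshness, device posture, resource sensitivity and request context, then re-evaluates an open session on a cadence so that trust can be withdrawn when conditions change. Being "on the corporate network" is carried in the context but deliberately grants nothing, matching the "inside or outside the network" principle. All thresholds, role names, country allow-list and sample users, devices and resources are constructed for the example.

```python
"""Continuous, contextual authorization for every access (added example).

Every request is evaluated afresh against identity, device posture, resource
sensitivity and context; a session is re-evaluated on a schedule so access
granted earlier can be withdrawn. Thresholds and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified_at: Optional[datetime]   # when the user last completed MFA


@dataclass
class Device:
    device_id: str
    managed: bool             # enrolled in corporate device management
    disk_encrypted: bool
    patch_age_days: int       # days since the OS patch level was last confirmed


@dataclass
class Resource:
    name: str
    sensitivity: str          # "low", "medium" or "high"
    required_roles: frozenset = frozenset()


@dataclass
class Context:
    now: datetime
    src_country: str
    on_corp_network: bool     # informational only: never a shortcut to trust


@dataclass
class Decision:
    allowed: bool
    reasons: list
    reevaluate_in: timedelta  # how soon this decision must be recomputed


# Assumed policy thresholds: stricter for more sensitive resources.
MFA_MAX_AGE = {"low": timedelta(hours=24), "medium": timedelta(hours=8), "high": timedelta(hours=1)}
REEVAL_EVERY = {"low": timedelta(hours=4), "medium": timedelta(hours=1), "high": timedelta(minutes=10)}
MAX_PATCH_AGE_DAYS = {"low": 90, "medium": 45, "high": 30}
ALLOWED_COUNTRIES = {"ES", "DE", "BR"}   # constructed allow-list


def evaluate(subject: Subject, device: Device, resource: Resource, ctx: Context) -> Decision:
    """Policy decision point: access is denied unless every check passes."""
    reasons = []
    level = resource.sensitivity

    # Identity: the subject must hold a role entitled to the resource.
    if resource.required_roles and not (subject.roles & resource.required_roles):
        reasons.append("subject lacks a role entitled to %s" % resource.name)

    # Identity freshness: MFA must be recent enough for the resource's sensitivity.
    if subject.mfa_verified_at is None or ctx.now - subject.mfa_verified_at > MFA_MAX_AGE[level]:
        reasons.append("MFA older than %s" % MFA_MAX_AGE[level])

    # Device posture: unmanaged devices reach only low-sensitivity resources;
    # high-sensitivity resources also require disk encryption; all levels cap patch age.
    if not device.managed and level != "low":
        reasons.append("unmanaged device")
    if level == "high" and not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS[level]:
        reasons.append("device patch level too old (%d days)" % device.patch_age_days)

    # Context: geography is checked; ctx.on_corp_network is intentionally not consulted.
    if ctx.src_country not in ALLOWED_COUNTRIES:
        reasons.append("request from non-allowed country %s" % ctx.src_country)

    return Decision(allowed=not reasons, reasons=reasons, reevaluate_in=REEVAL_EVERY[level])


def replay_session(subject, device, resource, ctx, duration_minutes: int):
    """Re-evaluate a session at the policy's cadence.

    Returns [(minutes_elapsed, allowed), ...]; the session ends at the first
    failed re-evaluation, e.g. once the MFA assertion ages out mid-session."""
    timeline = []
    elapsed = timedelta(0)
    while elapsed <= timedelta(minutes=duration_minutes):
        later = Context(ctx.now + elapsed, ctx.src_country, ctx.on_corp_network)
        d = evaluate(subject, device, resource, later)
        timeline.append((int(elapsed.total_seconds() // 60), d.allowed))
        if not d.allowed:
            break
        elapsed += d.reevaluate_in
    return timeline


# Constructed sample data.
T0 = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)
alice = Subject("alice", frozenset({"finance"}), mfa_verified_at=T0 - timedelta(minutes=30))
laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=12)
byod = Device("phone-77", managed=False, disk_encrypted=False, patch_age_days=60)
ledger = Resource("finance-ledger", "high", frozenset({"finance"}))
wiki = Resource("intranet-wiki", "low")
office = Context(T0, "ES", on_corp_network=True)

if __name__ == "__main__":
    print(evaluate(alice, laptop, ledger, office))          # allowed, re-check in 10 min
    print(evaluate(alice, byod, ledger, office).reasons)    # three posture failures
    print(evaluate(alice, byod, wiki, office).allowed)      # True: low sensitivity only
    print(replay_session(alice, laptop, ledger, office, 120))  # revoked at 40 min
```

The design choice worth noting is that every check is re-run on each evaluation and the re-evaluation interval itself is a policy output, scaled to the sensitivity of the resource; a managed, patched laptop on the office network still loses access to the high-sensitivity ledger 40 minutes into the session because the one-hour MFA window has elapsed, while the same unmanaged phone that is refused the ledger can still read the low-sensitivity wiki.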

The concept of SASE complements that of Zero Trust. Access to a resource from any device presupposes no prior trust and is contextualized using every available decision input. SASE is realized by integrating this Zero Trust concept with cloud-delivered connectivity intelligence (SD-WAN, VPN-less access, etc.).

Aspects that a decade ago were foundational concepts without practical application have today become practical realities with specific technologies. Given the profound transformation this approach implies for technology production processes, adoption paths are proposed by maturity level, tackling the problem in stages depending on each organization's possibilities, starting point and priorities. One of the key roadblocks on this path is implementing Zero Trust in legacy systems.

Training and awareness of cyber risks, together with the shortage of professionals, is a fundamental gap, since the last layer of any technology process is made up of people. This training and awareness must happen on two levels: end users, and specialists according to each function in the company. There is no better security defender than a responsible expert in an area: someone 'certified' in the processes of the business, company or department, who can better match controls to actual risk. You can't assure what you don't know. Perhaps the next security unicorn will offer a "brain-hack SASE."

In short, mechanisms such as Zero Trust and SASE are now finding their moment of opportunity and maturity to serve as key levers for more consistent security.

We must remember that these digital transformations penetrate differently depending on criteria such as sector, company size and starting point. That is why it is important that the concept of Zero Trust also reaches every employee, including non-security staff. Further, it is always necessary to continuously question cyber risk in each of our online activities to guide our decisions.