With the growing number of cyber attacks aimed at operational disruption and reputational damage, organisations are being forced to make robust cyber security a strategic priority. Adoption of emerging technologies such as artificial intelligence (AI) and machine learning, digitisation initiatives that drive cloud adoption, and stricter regulatory requirements will all shape cyber security strategies over the coming years. Organisations need to be mindful of the potential risks of these systems, and of how well they integrate with what is already in place, when developing sound security strategies.
Here Nexus experts discuss how an identity-based zero-trust approach can help organisations build long-term systemic cyber resilience.
As the cyber landscape gets more complex, an identity-first security strategy is gaining the recognition it deserves. The identity-based approach assigns every authorised user, device, and application a verifiable digital identity. Before an entity gains access to protected corporate information, that digital identity must be validated using appropriate security mechanisms, for example a certificate issued by the organisation's own CA or a registered authenticator.
Simply put, all entities within the ecosystem are treated as untrustworthy until they can successfully authenticate themselves. This approach is more popularly known as the zero-trust security approach.
Zero-trust can help prevent attacks based on stolen or phished credentials by, for example, enforcing multi-factor authentication and limiting access to sensitive data according to a user's role and permissions. This simple yet highly effective approach can also be extended to external users such as contractors, suppliers, partners, and end-customers, securing access across supply chains and strengthening the overall security posture.
Successfully adopting a zero-trust approach requires organisations to develop access policies that adapt to context and ensure secure work environments without hindering usability for employees. For example, give users one strong login method for every application instead of forcing them to remember multiple, often weak, passwords.
Authentication requirements can also be graded by context. For example, if an authorised, domain-joined corporate device has authenticated to the corporate network with a certificate, then for certain services and applications no additional authentication is required. To access the same service from home or from an airport, however, multi-factor authentication is needed to confirm the user's identity, because the network location no longer adds any assurance.
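The step-up rule above, written out as an added example (not Nexus code or any product's policy engine): a small decision function that looks at the device certificate the network layer has already chain-validated and at where the request comes from, and answers whether the certificate alone is enough or whether the user must also complete MFA. The CA name, the service names, the sample requests and the "some services always need MFA" rule are assumptions made for the illustration.

```python
"""Context-aware step-up policy: decide what a caller still has to prove,
given the device certificate it presented and where it connects from.

Illustrative example only; not Nexus product code. The CA name, the
service names and the MFA_ALWAYS_SERVICES rule are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional, Tuple


class Location(Enum):
    CORPORATE_NETWORK = "corporate_network"
    REMOTE = "remote"  # home, airport, any non-corporate network


@dataclass(frozen=True)
class DeviceCertificate:
    """Minimal view of a device certificate that the network access layer
    has already chain-validated; only issuer and expiry matter here."""
    issuer: str
    not_after: datetime


@dataclass(frozen=True)
class AccessRequest:
    user: str
    service: str
    location: Location
    device_cert: Optional[DeviceCertificate]  # None: no client certificate presented


# Assumption: issuer name of the corporate device CA.
TRUSTED_DEVICE_CA = "CN=Example Corp Device CA"

# Assumption: services sensitive enough that even a managed device on the
# corporate network must confirm the user with MFA.
MFA_ALWAYS_SERVICES = frozenset({"payroll", "source-control-admin"})

CERT_ONLY = "certificate_only"   # device certificate is sufficient
MFA = "mfa_required"             # user must additionally complete MFA


def device_is_managed(cert: Optional[DeviceCertificate], now: datetime) -> bool:
    """A device counts as managed only with an unexpired cert from our CA."""
    return cert is not None and cert.issuer == TRUSTED_DEVICE_CA and cert.not_after > now


def decide(request: AccessRequest, now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (decision, reason) for an access request."""
    now = now or datetime.now(timezone.utc)
    if not device_is_managed(request.device_cert, now):
        # Missing, foreign or expired certificate: treat as an unmanaged device.
        return MFA, "no valid corporate device certificate"
    if request.service in MFA_ALWAYS_SERVICES:
        return MFA, f"{request.service} requires MFA from every location"
    if request.location is Location.CORPORATE_NETWORK:
        return CERT_ONLY, "managed device on corporate network"
    return MFA, "managed device but off-network"


# Constructed sample data for the demonstration below.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
VALID_CERT = DeviceCertificate(TRUSTED_DEVICE_CA, datetime(2026, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = DeviceCertificate(TRUSTED_DEVICE_CA, datetime(2024, 1, 1, tzinfo=timezone.utc))
FOREIGN_CERT = DeviceCertificate("CN=Some Other CA", datetime(2026, 1, 1, tzinfo=timezone.utc))

SAMPLE_REQUESTS = [
    AccessRequest("alice", "wiki", Location.CORPORATE_NETWORK, VALID_CERT),
    AccessRequest("alice", "wiki", Location.REMOTE, VALID_CERT),
    AccessRequest("bob", "payroll", Location.CORPORATE_NETWORK, VALID_CERT),
    AccessRequest("carol", "wiki", Location.CORPORATE_NETWORK, EXPIRED_CERT),
    AccessRequest("dave", "wiki", Location.CORPORATE_NETWORK, FOREIGN_CERT),
    AccessRequest("erin", "wiki", Location.CORPORATE_NETWORK, None),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, reason = decide(req, NOW)
        print(f"{req.user:6} {req.service:22} {req.location.value:18} {decision:17} {reason}")
```

Note that the certificate check is deliberately strict: an expired certificate, or one from a CA the organisation does not control, is treated exactly like no certificate at all, so a device cannot keep its relaxed on-network treatment by presenting stale credentials.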
Another effective way to improve usability is to use devices people already carry, such as smartphones and laptops, as authenticators rather than issuing additional hardware tokens. Introducing passwordless authentication and single sign-on also goes a long way towards user adoption.
Remember that physical and digital security are intertwined and cannot be separated from each other. Integrating physical access control with a solid identity management system and digital access ensures full control over corporate identities. Automation and self-service bring down costs by keeping manual work and helpdesk issues to a minimum.
The often-forgotten corporate devices – IT, OT, and IoT – must also be brought under the purview of zero-trust security. Every connected device needs an identity and a policy, because even a single unprotected device can serve as an attacker's entry point into the network.