How to protect your business with a zero-trust approach
Webinar presented by Ameet Naik, Zscaler’s Director of Product Marketing for Secure Access Service Edge (SASE) and David Senf, Bell’s National Cybersecurity Strategist.
A zero-trust approach may seem inherently pessimistic. However, it’s a smart and rational response to the cybersecurity realities that companies face. The approach is based on the belief there is no trusted perimeter, with security incidents occurring on traditional networks or remotely, at any time. It assumes an attacker already has access somewhere within the organization, recognizing that at any time an employee could click on a phishing link, a piece of software could go unpatched, account passwords could be exposed, and cloud service could be compromised.
In a recent webinar hosted by Canadian Security Magazine, Bell’s National Cybersecurity Strategist, David Senf, and Zscaler’s Director of Product Marketing for Secure Access Service Edge (SASE), Ameet Naik, discussed how a zero-trust approach helps businesses secure their networks, devices, data and applications in a cost-effective manner, while improving the user experience. They explored how SASE is at the core of a zero-trust practice.
Cyberattacks are changing
Artificial intelligence (AI) is making it easier for threat actors to launch many more attacks than in the past. In our recent research on The State of Cybersecurity in Canada, we found that two-thirds of Canadian organizations experienced a security breach last year, with some estimates putting the numbers even higher. Senf noted that according to the same research, the greatest contributors to an organization’s security performance were factors related to governance. Good governance is essential to defining and enforcing security policy, which is central to the effective practice of zero trust.
“But to get from governance to the technology guardrails we have in place, there’s something in the middle,” Senf said. “Because governance on its own doesn’t do anything. It just sits there. In the middle is policy. So, we need to be able to get to the best possible policy from good governance, and then have that deployed in our technology guardrails.”
That means organizations must take a new approach to securing their technology and data – one that doesn’t rely on increasing security budgets.
Rethinking security approaches
Traditional cybersecurity involves building a perimeter (e.g., a firewall, network access control, intrusion protection systems, etc.) around an organization’s network. This approach is based on the idea that only authorized users can enter the perimeter, and therefore considers anyone inside as “safe” with minimal additional scrutiny. Attackers have proven to be able to rapidly inflict a lot of damage within this model.
In contrast, a zero-trust approach treats every attempt to access data or applications as potentially malicious, regardless of where it originates. This continuous verification is based on several factors, such as user identity, device health and location, as well as the specific data or application being accessed. It is also based on threat intelligence about the trustworthiness of the links employees click on, the cloud services they wish to use and the websites they need to visit.
The traditional approach made sense when users were accessing the network from the same office. Today, many employees now work remotely, and more vendors and other external partners need access as well, all of which are highly distributed.
Recognizing the realities of remote work and collaboration, the zero-trust approach assesses every interaction with an organization’s applications, cloud services and data based on defined policies about who is allowed to access what, and for what purposes. Senf noted that the cornerstones of zero trust are 1) reducing discoverability, “the ability of the threat actor to be able to know … what applications are on my network, what data is there, what cloud services might they potentially have access to” and 2) reducing lateral movement from one application or device to another.
This approach is not only more secure but also reduces complexity and cost while delivering a better user experience – which is vital to ensuring adherence to security policies and practices.
“Security cannot come at the expense of user experience,” said Naik. “We’ve seen strategies like virtual desktop infrastructure for a very long time that help with data protection, but it’s a very inferior user experience, and when that happens, users will find ways around it.”
What about AI for cybersecurity?
The rise of AI in recent years adds to the urgency of moving to a zero-trust security approach. While threat actors can use AI to launch more sophisticated attacks, organizations can also use it to enhance existing security measures – including a zero-trust practice.
“The only way you stay ahead of this is by including AI on your side,” said Naik. “Security monitoring is something that has to be done continuously, and this is where AI has the biggest potential.”
One of the ways AI can enhance security is by drawing on intelligence from around your business to add more context when assessing interactions. Naik shared the example of an employee making a large transfer to their personal Dropbox. The employee might just be sharing a file with a client that’s too big to send by email. But if they also recently gave notice of their resignation, the AI might connect these two events and flag the transfer as suspicious.
A safety net for your data
Cyber risk is business risk, and the stakes have never been higher for data protection, demanding constant vigilance from everyone involved. But with threat actors launching ever-more sophisticated attacks, vigilance and training can only get you so far. A zero-trust approach, like the solutions offered by Bell and Zscaler, provides the defence your organization needs to keep your data and systems safe, offering effective security and a seamless user experience.
For more insights into what a zero-trust approach to security can do for your organization, watch the full webinar recording.
Q&A session
As a security professional, how do you talk to your C-suite in order to communicate the risk as a fundamental business issue?
About connecting from your home network to an application hosted in a remote server secured by ZTNA-SASE – are there any best practices to implement this?
Can SASE help with social engineering attacks?