How can nations prepare for a 'Zero Trust' future?

By Thales

Experts from Thales share tips on how to secure networks in the new normal of cloud and remote working.

“Trust, but verify” is a rhyming Russian proverb popularised by Ronald Reagan, the former President of the United States. Though Reagan was using it in the context of politics, some lessons can be applied to our daily lives.

In today’s new normal of remote working, security professionals have taken the Russian proverb one step further. Now, cybersecurity is all about “don’t trust, and verify.” The ‘Zero Trust’ approach leaves nothing to chance and trusts no one, reducing the risks of attacks.

According to Allan Tan, ASEAN Regional Director for Access Management solutions at Thales, “Every organisation has a need to identify an employee and control access on a need-to-know basis. This used to be easy – all data used to reside on-premises, behind firewalls and within the perimeter. However, the exponential rise in cloud adoption and multiple Software-as-a-Service (SaaS) deploy to enable remote and tele-commuting, organisations have to face the new “no perimeter” reality and ensure the right people get the right access to the right resources at the right time for the right reasons.”

Enter Zero Trust

In the past, organisations took a traditional castle-and-moat approach to cybersecurity. Security teams only guarded the network perimeters, and assumed everything inside had already been cleared for access.

That is now out-of-date. Hackers have advanced their skills and are now able to enter networks undetected. Such a ‘moated’ approach would give the attacker free reign over everything on the inside.

Organisations and nations need a Zero Trust model of cybersecurity. They must assume there are attackers both inside and outside the network, and always require strict identity verification for every person and device trying to access the network.

Zero Trust security also minimises the potential damage an employee or hacker can cause by limiting their access to only networks or data required for their jobs.

Cloud-based access management

"With the uptake of cloud, data is located on different platforms. This creates a need for a consolidated access management solution for public servants", says Tan.

That would look something like Singapore’s access management platform SingPass, and would allow public servants to seamlessly and securely access these tools.

A cloud-based access management solution can secure access to both cloud services and on-premise platforms. This helps to keep cyber criminals out and offer employees an easy and secure way to log into all the applications they need.

Cloud-based platforms offer several advantages over traditional VPN tools. First, they are easier, faster and simpler to deploy than on-premises solutions. VPNs typically require an organisation’s software to be installed and configured - which is not easy to do in the event of an emergency.

A cloud-based access management solution also offers a more intuitive user experience, since authentication is part of the login workflow.

Thales SafeNet Trusted Access (STA) solution is a cloud-based access management service that ensures secure access to multiple cloud platforms from a centralised console. Its Smart Single-Sign On (SSO) technology lets employees log in with a single identity, eliminating password fatigue.

The solution also provides data-driven insights into access events, enabling organisations to fine-tune their access policies using context-based authentication to ensure authorization is given into the right resources at an appropriate time set by the organization.

Tips for securing your data

On top of securing employees’ remote access, securing data is also key. Data breaches can result in penalties under global and local data protection regulations.

Data Discovery and Classification

Thales’ experts share a simple three-step approach tips to secure data. First, organisations need to understand what and where are data stored and process and where the risks are. This can be done by conducting a data sweep to find out where the most sensitive and valuable parts are. Having such a risk-based approach also helps organisations identify data categories and employ the most appropriate security practices to mitigate breaches.

Encryption and Key Management

Second, organisations also need to encrypt sensitive data to ensure data is not accessible even after it is compromised. Encryption keys should be stored in a FIPS certified tamper-free hardware security module (HSM), separate from the encrypted data to prevent stolen keys in an event of a breach.

Identity and Access Management

Finally, having in place a step-up two-factor or multi-factor authentication will ensure that only authorised employees have access to the data during the times they are given access. In a 2019 Thales Access Management Index (AMI) reports that an average employee logins to five or more cloud applications a day, which could be a potential cause for password fatigue or reusing of passwords across multiple cloud applications. When access controls are silo without any centralised visibility by the IT administration, a single sign-on IAM solution that integrates with hundreds of cloud applications using common open standards used to extend identities to the cloud, including SAML, WS-Fed, OpenID Connect and OAuth, can quickly and securely deploy in the cloud enables organisations to focus on their core business, without deploying additional time and money on internal risk management.

‘The key benefit of Thales STA is the ability to apply unified and consistent access policies across your entire IT environment. It’s not only about securing O365, it’s about making sure that other key applications are also secure," says Tan.

As nations embrace cloud technology and digitalise processes, a corresponding enhancement of cyber defenses is needed. A robust cloud access management platform with a Zero Trust approach will help organisations guard against today’s complex threats. To find out how your agency can secure remote access and protect data, download Thales CPL’s eBook here.