Zero Trust Architecture: A New Approach to Cybersecurity for Indian Enterprises
By Amit Jaju, Senior Managing Director, Ankura Consulting Group
It’s a strange paradox of the digital age: our connectedness has produced a level of visibility that has revolutionized our access to information and services. But this connectivity has also created the possibility of our information being exploited by those with ulterior motives. We have to balance our need for access against the requirement to protect data, and that tension has created a new category of security threats called ‘low-trust environments’.
Most businesses today operate in a low-trust environment. It’s a world where trust is low because of the uncertainty of who is watching and what they might do with your information. The digital ecosystem is rife with low-trust environments, from peer-to-peer networks to public Wi-Fi hotspots. It’s a place where you have to be extra cautious with what you say, who you talk to, and what you share.
Especially for businesses based in low-trust environments—like most Indian companies—the concept of ‘data security’ is synonymous with the heavy-handed, high-security procedures and hardware solutions that came before. The low-trust environment is a threat to security, not an aid to it. The solution is a new low-trust approach that we call the ‘Zero-Trust Security Architecture’ (ZTSA). Let’s explore how an Indian company can adopt this approach to increase the security of its data while making itself more accessible to customers.
The Problem with Traditional Cybersecurity
The problem with traditional data security is that it doesn’t work. The reasons are simple: you can’t trust your technology and you can’t trust your employees. The only solution is trust. You need to trust your employees, your vendors, and your technology. Yet you can’t trust any of them.
Trust is ephemeral and fragile. It takes time to build and even more time to lose. Once it’s gone, you can never get it back. It’s like money in an account. If someone steals your money, they can keep it. But if you lose the account information, you can’t get it back.
Trust is so ephemeral that it’s easy to blow through in a single breach. Internal trust is like a pair of glasses. Once you’ve broken it, it’s not as easy to fix. Zero-Trust Security is like wearing no glasses at all. It doesn’t require you to trust anything.
What Is Zero-Trust Security?
Zero-Trust Security is when you apply minimal trust to your data and technology. The key is to apply as little trust as possible, while still allowing the technology to operate. This is the opposite of traditional data security where you try to apply as much trust as possible to any given input and hope that it does not lead to bad outcomes.
Zero-Trust Security is about separating data and control. Data should be held by a service provider, while control should remain with the entity that generates it. Data-holding providers should be open and auditable. They should follow industry best practices and hold data as securely as possible. They should be as open as possible, so that all inputs can be audited and verified.
How Does Zero-Trust Increase Security?
Data security in a low-trust environment can be increased in a number of ways without having to build trust between the parties.
Encryption – With data stored and encrypted in the data-holding provider, it cannot be accessed by the entity that generates it. The data-holding provider holds the keys and can prove they did not access the data. Encryption is a ‘trust-free’ technology.
Authentication – In addition to being encrypted, data should also be authenticated. This provides an additional level of confidence that the data is coming from the source it claims to come from.
Auditing – Auditing is essential to Zero-Trust Cybersecurity. Without auditing, it would be impossible to know who had accessed the data and when. In a low-trust environment, this is essential to prevent malicious activity. Data-holding providers should be open and auditable. They should follow industry best practices and hold data as securely as possible. They should be as open as possible, so that all inputs can be audited and verified.
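The authentication and auditing items above can be made concrete with a small sketch. This is an added example, not code from the article or from any product it names: records carry an HMAC tag from the entity that generated them, and access events go into a hash-chained log in which any later edit is detectable. The key, record and user names are constructed sample values.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # anchor value for the first audit entry

def tag(key: bytes, record: bytes) -> str:
    """HMAC-SHA256 tag the generating entity attaches to a record."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def verify_record(key: bytes, record: bytes, claimed: str) -> bool:
    """Constant-time check that the record came from a key holder, unmodified."""
    return hmac.compare_digest(tag(key, record), claimed)

def _entry_hash(prev, who, action, obj, ts) -> str:
    body = json.dumps([prev, who, action, obj, ts]).encode()
    return hashlib.sha256(body).hexdigest()

def append_audit(log: list, who: str, action: str, obj: str, ts: str) -> None:
    """Record who touched which object and when, chained to the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"who": who, "action": action, "object": obj, "ts": ts,
                "prev": prev, "hash": _entry_hash(prev, who, action, obj, ts)})

def verify_audit(log: list) -> int:
    """Return the index of the first altered entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _entry_hash(prev, e["who"], e["action"], e["object"], e["ts"])
        if e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return -1

def demo():
    key = b"constructed-demo-key"                      # constructed sample key
    record = b'{"customer": 42, "plan": "gold"}'       # constructed sample record
    t = tag(key, record)
    log = []
    append_audit(log, "alice", "read", "rec-1", "2024-01-01T10:00:00Z")
    append_audit(log, "bob", "export", "rec-1", "2024-01-01T10:05:00Z")
    intact = verify_audit(log)
    log[0]["who"] = "mallory"                          # simulate an edited log entry
    return (verify_record(key, record, t),
            verify_record(key, record + b" ", t), intact, verify_audit(log))

if __name__ == "__main__":
    print(demo())
```

The chain is only tamper-evident if the latest hash is also kept by a party other than the log keeper, and a shared HMAC key lets any key holder produce valid tags, so digital signatures are the usual choice when the provider must not be able to forge records.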
Zero-Trust for an Indian Company
The average Indian company operates in a low-trust environment. It has to be careful about what it shares and with whom. It’s also easy for its employees to share sensitive data, like login credentials and business plans, with competitors.
To protect data, the best thing a low-trust Indian company can do is to separate data and control. Data should be held by a data-holding provider while control should remain with the entity that generates the data. A company can create a data-holding service by using an open-source tool like GuardCM. It’s a simple process:
– Generate a GuardCM API key and provide it to your data-holding entities.
– Create a GuardCM user and provide the user’s API key and GuardCM user name to your data-holding entities.
– On your data-holding entities, enable data export and import via the GuardCM API.
The internet of things (IoT) promises a more connected world, but it also brings new security risks. As businesses connect more devices to the network, they increase their security and privacy risk when it comes to data loss.
Investors are more inclined to invest in businesses with a low-trust ecosystem. In order to operate in a low-trust ecosystem, businesses have to operate with a minimal amount of trust.
Zero-Trust Security Architecture is a conceptually new architecture that seeks to combine security and accessibility through a minimal level of trust. By contrast, a trust-based approach has become increasingly challenging in a world where data breaches and identity theft have become commonplace.