Zero-Trust: A Security Model
BSP Governor Benjamin E. Diokno has encouraged banks and all other BSP-supervised financial institutions to shift to a zero-trust operational model to address cyberthreats and attacks which soared during the lockdown as financial consumers conducted more transactions online.
This discussion, however, applies to all enterprises now that an organization’s physical perimeter is vanishing, especially after the shift to remote work, where employees are expected to be productive outside the office and on devices that are often not company owned.
The zero-trust approach to network security dates from 2010, after Chinese hackers breached the networks of Google and other Silicon Valley giants and stole intellectual property. Google’s BeyondCorp initiative grew out of that incident.
On 26 February 2021, the US National Security Agency (NSA) released its Cybersecurity Information Sheet, Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing zero-trust within critical networks.
What is zero-trust?
A zero-trust network is not a product but a strategy. The model rests on the idea that trust is a vulnerability and on the acknowledgement that threats exist both inside and outside traditional network boundaries.
Traditional information security models trust the internal network by default and automatically distrust external networks. In contrast, a zero-trust network assumes that both the internal and the external network are fraught with danger. Thus, no user, device, application, or traffic flow is allowed access until it proves who it is and that it is uncompromised, and every attempt to access a business system is authenticated and authorized before any level of access is granted, with the access granted limited to what that request needs.
How does it work?
Under the zero-trust model, an organization’s infrastructure is protected from hostile actors both inside and outside the network.
Zero-trust is not location dependent: it treats every user, device, application, or traffic flow as untrusted until verified, wherever it comes from. This is especially relevant under the present work arrangements of most establishments. It is no longer sufficient for an enterprise to purchase the best perimeter firewall and other security software to keep malicious actors outside its perimeter when its workforce is mobile (working from home, coffee shops, or co-working spaces) and using devices the office did not issue.
How to implement it?
Creating a zero-trust environment is often seen as daunting and expensive. The concept is actually quite simple, but executing it is time consuming, and a working zero-trust model is not an overnight accomplishment. No single product delivers zero-trust, and the model does not require the purchase or replacement of existing security technology; a zero-trust architecture is usually built on an enterprise’s existing infrastructure. The real difficulty lies in implementing zero-trust governance within the organization.
Generally, there is a five-step model for implementing and maintaining zero-trust. First, the entity identifies its protect surface, meaning its critical data, applications, assets, and services. Second, it maps its transaction flows, that is, how traffic moves within the organization to and from that protect surface. Third, it designs the zero-trust architecture around those flows. Fourth, it drafts its zero-trust policies and protocols, specifying who may access what, and under which conditions. Lastly, it monitors and maintains the network, reviewing access logs and adjusting policy as flows change.
This may seem intimidating, but enterprises may engage cybersecurity practitioners and lawyers to help them develop a customized zero-trust architecture designed for their business model.
While a zero-trust environment is not a cybersecurity panacea, it is among the most effective approaches available, and it can be cost-effective and non-disruptive when built on existing infrastructure. Even after the pandemic, when life returns to the “next normal”, whatever that looks like, the zero-trust model will remain material to enterprise security.
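The difference between a perimeter model and a zero-trust model, and the first, second, and fourth steps above (protect surface, transaction flows, policy), can be shown concretely. The following is an added example, not code from the original column or from any of the organizations it mentions. It implements a toy policy decision point: the resources, user groups, device inventory, IP ranges, and sample requests are all constructed for illustration, and the corporate range 10.0.0.0/8 is an assumed "inside" network for the perimeter model.

```python
"""Added example: a minimal zero-trust policy decision point.

Contrasts a perimeter model (anything from the corporate IP range is trusted)
with a zero-trust model (every request must carry a strongly authenticated
identity and a compliant device, and gets only the actions policy grants for
that resource). All names, ranges and policies below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed "inside" range for the perimeter model (constructed).
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    src_ip: str
    mfa_verified: bool  # did the identity provider complete strong auth?
    device_id: str      # which device presented the request


# Step 1, protect surface: the critical data, applications and services (constructed).
PROTECT_SURFACE = {"payroll-db", "core-banking-api", "hr-files"}

# Steps 2 and 4, transaction flows written down as least-privilege policy:
# resource -> group -> actions that group legitimately needs (constructed).
POLICY = {
    "payroll-db": {"finance": {"read"}},
    "core-banking-api": {"ops": {"read", "write"}, "finance": {"read"}},
    "hr-files": {"hr": {"read", "write"}},
}

# Identity provider and device inventory data (constructed).
USER_GROUPS = {"alice": "finance", "bob": "ops", "mallory": "contractor"}
COMPLIANT_DEVICES = {"lap-001", "lap-002"}


def perimeter_decision(req: Request) -> bool:
    """Traditional model: being inside the corporate network is enough."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: source location is ignored entirely.

    Identity, device posture and per-resource policy decide. The reason is
    returned so it can be logged, which is what step 5 (monitoring) relies on.
    """
    if req.resource not in PROTECT_SURFACE:
        return False, "unknown resource: not in protect surface"
    if not req.mfa_verified:
        return False, "identity not strongly authenticated"
    if req.device_id not in COMPLIANT_DEVICES:
        return False, "device not in compliant inventory"
    group = USER_GROUPS.get(req.user)
    allowed_actions = POLICY.get(req.resource, {}).get(group, set())
    if req.action not in allowed_actions:
        return False, f"policy: {group or 'unknown'} may not {req.action} {req.resource}"
    return True, "allowed by policy"


def compare(requests: list[Request]) -> list[tuple[bool, bool]]:
    """Evaluate each request under both models: (perimeter_allowed, zero_trust_allowed)."""
    return [(perimeter_decision(r), zero_trust_decision(r)[0]) for r in requests]


# Constructed sample requests covering the cases the column describes.
SAMPLE_REQUESTS = [
    # Compromised internal host: inside the perimeter, no MFA, unmanaged device.
    Request("mallory", "payroll-db", "read", "10.1.2.3", False, "unknown-dev"),
    # Remote finance user on a managed laptop with MFA: allowed, read only.
    Request("alice", "payroll-db", "read", "203.0.113.7", True, "lap-001"),
    # Same user attempting a write: least privilege denies it.
    Request("alice", "payroll-db", "write", "203.0.113.7", True, "lap-001"),
    # Ops user from inside the network, but on a device not in inventory.
    Request("bob", "core-banking-api", "write", "10.9.9.9", True, "byod-42"),
]


if __name__ == "__main__":
    for r, (p, z) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        reason = zero_trust_decision(r)[1]
        print(f"{r.user:8} {r.action:5} {r.resource:17} from {r.src_ip:12} "
              f"perimeter={p!s:5} zero_trust={z!s:5} ({reason})")
```

The first and last requests show the point of the model: the perimeter check waves through an unauthenticated internal host and an unmanaged device simply because their source addresses are "inside", while the zero-trust check denies both and records why. The second and third requests show the remote worker case: a managed device with strong authentication is allowed from anywhere, but only for the actions its group's policy grants.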
Keeshia Alyanna H. Alix is a Mid-Level Associate and a member of the Technology Media and Telecommunications, Litigation, Corporate Services, and Data Privacy Groups of Gorriceta Africa Cauton & Saavedra (www.gorricetalaw.com). Keeshia’s practice areas include general corporate law and data privacy and cybersecurity. She also assists clients in determining licensing and in complying with legal and regulatory requirements for their specific industries and activities.