
Three Keys to a Successful Zero-trust Implementation

Securing networks is more difficult than ever, and it’s not going to get any easier. Enterprises must manage hundreds of thousands of devices, users, systems, and applications. That means that organizations have hundreds of thousands of potential vulnerabilities. Yet a single compromised password can bring down the entire network, and it has, in cases such as that of the air transport IT company SITA, which suffered a serious breach earlier this year in which data belonging to 580,000 Singapore Airlines KrisFlyer and PPS members was compromised, or the WordPress incident in which a compromised password left the data of over 1 million of the hosting companies’ customers vulnerable.

Thus, the Zero-Trust mantra of “never trust, always verify” is becoming more attractive to businesses in APAC to protect networks from adversaries. It is a security approach in which constant validation is needed to access a network. In other words, zero users, devices, systems or services are automatically trusted — anything connecting to the network must be verified. Additionally, every time a user or device connects to the network it must be validated again. In a Zero-Trust approach, instead of verifying digital identity based on IP addresses, digital identities must be regularly verified based on adaptive authentication methods such as PKI, multi-factor authentication (MFA) and single sign-on (SSO).

The quick transition to the Zero-Trust model is mainly fueled by remote work, cloud adoption and an increase in the number of devices deployed in recent years. Remote work increases the number of devices connected to the network and, consequently, the number of users connecting remotely. Additionally, cloud solutions require a Zero-Trust architecture because network infrastructures are no longer solely on premises, but are fully in the cloud or, more often, hybrid, which requires a complex security posture.

Organizations face problems with Zero-Trust implementation

According to one survey, about a third of organizations have already adopted a Zero-Trust strategy and 60% plan to adopt it in the next year.

However, despite the emphasis on Zero-Trust security, APAC organizations are lagging behind their counterparts in EMEA and North America as only 13% had already implemented a Zero-Trust security strategy compared to 20% of organizations each in EMEA and North America. Challenges faced when implementing the Zero-Trust framework include the lack of resources and costs, talent and skill shortages and technology gaps.

Three keys to successfully implementing Zero-Trust

Having the right security solutions to support a Zero-Trust strategy is critical. Here are three keys to implement a Zero-Trust approach successfully:

1. Use Public Key Infrastructure (PKI)

Implementing a Zero-Trust architecture hinges on a secure way to verify identity. PKI is a tried-and-true way to provide digital identity for a variety of use cases. It can provide authentication and authorization solutions and form the foundation for secure identity inside a Zero-Trust environment.

Even though PKI may not cover every aspect of a Zero-Trust strategy, it does provide a strong foundation for the authentication and trust that’s required. In fact, 96% of IT security executives believe that PKI is essential to building a Zero-Trust architecture. This is because PKI provides what’s needed for a Zero-Trust model:

  • Authentication of the identity of every user and/or device on the network.
  • Encryption of all data in transit across the organization.
  • Data and system integrity, by maintaining the integrity of data coming to and from users and devices, with automation tools to issue, revoke and replace certificates in a reliable, scalable, and agile manner.

2. Combine PKI with Multi-Factor Authentication (MFA)

MFA is one of the most common technologies adopted nowadays as part of the Zero-Trust approach, with 86% of companies worldwide having implemented MFA for their employees. However, this approach comes with its own set of challenges such as pushback from employees who have limited experience with cybersecurity and view the addition of extra security measures as troublesome.

Attacks such as SolarWinds demonstrate that MFA alone can be sidestepped and exploited. That’s why PKI, in conjunction with MFA, is one of the more secure ways to implement the Zero-Trust framework.

3. Automation

Automated PKI is a flexible solution that can support Zero-Trust initiatives. As the number of certificates grows, automation makes it easier to manage the PKI infrastructure. Additionally, applications constantly need to be updated, employees onboarded and offboarded, and access moved. Manual management requires a heavy workload that increases the chance of human error and potential vulnerabilities.

Furthermore, most automation solutions also come with increased visibility over the certificate inventory. This is key to a Zero-Trust architecture because when verification is always required, knowing where every digital certificate is located on the network is not just nice to know, it’s critical. Any unknown or undiscovered certificates could leave the entire network vulnerable.
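
The inventory check described above, as an added example that is not part of the original article: it reconciles certificates observed on the network against the managed inventory and flags unknown, expired and soon-to-expire ones. The record fields, fingerprints, hosts and the 30-day renewal window are constructed assumptions, not the output of any particular product.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names and values are assumptions for illustration.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

MANAGED = {  # certificates the PKI automation knows it issued, keyed by fingerprint
    "aa11": {"subject": "vpn.example.internal", "not_after": "2024-06-01"},
    "bb22": {"subject": "mail.example.internal", "not_after": "2024-02-01"},
    "cc33": {"subject": "old-app.example.internal", "not_after": "2023-12-20"},
    "ee55": {"subject": "hr-portal.example.internal", "not_after": "2024-09-30"},
}

DISCOVERED = [  # certificates a network scan found actually being served
    {"fingerprint": "aa11", "host": "10.0.0.5:443"},
    {"fingerprint": "bb22", "host": "10.0.0.9:993"},
    {"fingerprint": "cc33", "host": "10.0.3.7:443"},
    {"fingerprint": "dd44", "host": "10.0.7.21:8443"},
]


def parse_day(value):
    """Parse a YYYY-MM-DD expiry date as midnight UTC."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def reconcile(managed, discovered, now, renew_days=30):
    """Compare observed certificates with the managed inventory."""
    report = {"unknown": [], "expired": [], "renew": [], "not_seen": []}
    seen = set()
    for obs in discovered:
        fp = obs["fingerprint"]
        seen.add(fp)
        record = managed.get(fp)
        if record is None:
            # Served on the network but never issued by the managed PKI.
            report["unknown"].append(obs["host"])
            continue
        not_after = parse_day(record["not_after"])
        if not_after <= now:
            report["expired"].append(record["subject"])
        elif not_after - now <= timedelta(days=renew_days):
            report["renew"].append(record["subject"])
    # Issued but not observed anywhere: candidates for review or revocation.
    report["not_seen"] = sorted(
        rec["subject"] for fp, rec in managed.items() if fp not in seen
    )
    return report


if __name__ == "__main__":
    print(reconcile(MANAGED, DISCOVERED, NOW))
```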