With remote work being the norm during the pandemic, many businesses in Asia-Pacific found their old perimeter cyber defences no longer tenable and had to consider a Zero Trust approach.
Since employees would be logging in from home, a cafe or any other location, the better way is to “trust no one” until a user has been authenticated. In other words, no access to information or other assets without being checked each time, even if a user is logged in to a trusted corporate network.
Despite the overhaul involved in this new digital architecture, businesses have been spurred on by the pandemic-driven digitalisation efforts to adopt Zero Trust in some manner, says Fernando Serto, chief technologist and evangelist for Asia-Pacific, Japan and China at Cloudflare, a content distribution network and cloud security vendor.
However, many in the region have yet to use Zero Trust as a holistic security setup to protect an entire organisation, partly because they are being held back by legacy, on-premise systems, he adds.
At the same time, with AI becoming a part of everyday work soon, Zero Trust will be a critical piece of the security puzzle to let employees use new AI tools safely without exposing an entire organisation to an attack.
“With Zero Trust, even if one single device is compromised, the blast radius of the compromise can be managed effectively, meaning all other devices within the network remain safe,” he tells Techgoondu, in this month’s Q&A.
NOTE: Responses have been edited for brevity and style.
Q: How far along have most of the Asia-Pacific businesses you speak to moved towards Zero Trust?
A: In general, most businesses in the Asia-Pacific region have moved towards Zero Trust security in recent years, primarily to provide the ability for their employees to work remotely in a secure manner. This shift has been spurred on by the pandemic, as hybrid work environments became the norm across sectors.
Many organisations had to provide remote access for roles that were not remote in the past, opening up exposure to new risks. Hence, the need for Zero Trust solutions arose.
That said, I believe that Asia-Pacific, as a whole, has not yet moved towards large-scale Zero Trust adoption. Many organisations are still looking at Zero Trust adoption as a mode of remote access, rather than a holistic security posture that protects the whole organisation.
Within the region, the level of Zero Trust adoption differs among countries. Cloudflare’s own research revealed that Australia and Singapore lead the pack in Zero Trust adoption, though there is still room for more progress across the region.
Q: What seem to be some of the most common stumbling blocks and what’s being done to overcome them?
A: One of the main reasons we are seeing organisations hold back on Zero Trust adoption is because of issues faced with cloud migration. Many businesses who might not have the available resources and access to cloud infrastructure still use legacy, on-premise systems, which hinder the adoption of Zero Trust.
I believe that conversations around security budgets are tied to cloud adoption as an overall business transformation. Cloud adoption paves the way for other digital transformation projects, and provides the need and opportunity for IT teams to implement better security controls for the whole application ecosystem.
This is where Zero Trust comes in, enabling a more robust security infrastructure across different functions in an organisation.
Another hurdle that many organisations face is not having stakeholder buy-in for Zero Trust adoption. Many stakeholders, unfortunately, still do not fully understand the risks present in today’s highly distributed and evolving threat landscape.
This is especially true in organisations that have only invested in small security teams and still work on-premises. Often, when there are other competing business priorities, these organisations tend to live with the risks, rather than work on reducing them.
In these cases, stakeholder education is key, particularly in highlighting the real danger of ignoring these risks and understanding that a better security system with Zero Trust does not have to come with a lot of cost and complexity to deploy.
Q: AI brings new challenges to cybersecurity, for example, with staff leaking valuable data to generative AI chatbots. How can a business tap on the technology and keep secure?
A: AI has been a gamechanger in the way businesses operate. In reality, tools such as ChatGPT will be available to everyone on every device, so even if controls are put in place to prevent access, employees will still be able to access these tools on their personal devices. Against this backdrop, AI use cases will only become more prevalent in all aspects of work and play in the years to come.
That said, the increasing use of AI also brings new risks to businesses. This is especially so with phishing, which is the biggest threat vector today. AI has the potential to help attackers craft more convincing phishing e-mails that look legitimate.
This extends beyond just e-mails from users within the organisation – malicious actors are also leveraging AI to impersonate brands and target consumers. When employees click on these phishing e-mails, they are exposing their devices to penetration by attackers, putting the whole organisation’s network at risk.
To counter this, organisations need to use AI to their advantage to move faster on the detection side. This means applying smarter security controls that can detect these phishing e-mails quicker, through understanding language models, and looking into threat feeds and threat intelligence around URLs that are being used in e-mails.
Educating employees about good cyber hygiene is also key – with generative AI being fairly new to most people today, a lot of the potential risks and dangers are still relatively unknown. IT and security teams need to ensure that proper protocols and education are in place to raise awareness of the potential pitfalls and educate employees on how they can stay vigilant.
Faced with increased cyber risks amid the rise in AI, organisations should see Zero Trust as a critical security solution that will allow users to continue harnessing the power of AI innovations, without the fear of falling for an attack, or exposing the organisation to an attack.
With Zero Trust, even if one single device is compromised, the blast radius of the compromise can be managed effectively, meaning all other devices within the network remain safe. This makes it easier to mitigate and respond to the threat, as well as communicate remedial steps to all parties involved, as they have full knowledge of what data has been compromised.
Q: We’ve talked about AI versus AI in the cybersecurity cat-and-mouse game, where both the good and bad guys rely on AI to get ahead. Who is likely to have the edge with AI tools now being unleashed?
A: I believe that it is a bit of a sci-fi ideology to be thinking about AI fighting AI across the board at this stage. As a tool, AI on either side will look to and learn from each other to advance.
From a defender’s perspective, it is about knowing which areas to protect, because AI is not going to deploy itself into every single part of the ecosystem. Rather, defenders need to train AI models to look into environments, anomalies, and behaviours.
In terms of public-facing applications for instance, we are going to see AI generating requests against API (application programming interface) endpoints, and we are going to see AI looking into anything that is an anomaly to a normal behaviour of the user. So, AI has the power to conduct the analysis and make a decision on whether there is a malicious intent on any particular request.
From an attacker’s perspective, AI is used to breach the perimeter of a network by identifying and exploiting particular vulnerabilities in pieces of software. After a breach, attackers might then use AI for analysis of the network traffic and application ecosystem to find what is valuable.
All in all, it is not to say one has an edge over the other, but rather, these tools will be used on both sides for detection of a vulnerability as well as detection of an attack.
In addition, launching a multi-vector attack on a single target is not that easy a task. Even with AI, it involves a lot of other vectors from social engineering to phishing. While AI might be a tool for attackers to be more agile and smart with their attacks, it is not an automated attack that will just run its course.