Zero Trust

Ved Sen, Digital Evangelist, TCS, explains how modernising our approach to cybersecurity can also empower business growth.

The risk of cyberattacks has increased steadily in recent years but the COVID-19 pandemic has made these threats even more of a reality. With 65% of employees around the world working from home, according to a new study from Tata Consultancy Services, and 40% expected to continue to do so in 2025, it is unsurprising that cybersecurity is top of mind for companies of all sizes.

This change in how businesses are operating has opened the door to opportunistic cybercriminals, who are seizing the opportunity created by the global crisis. From COVID-related phishing schemes to Remote Desktop Protocol attacks, which have soared by 140% in Q3, cybercriminals now have far easier access to company networks. This means having a strong VPN is no longer enough to keep your organisation safe.

The traditional approach to cybersecurity tends to focus solely on external threats, with IT teams using firewalls to secure the network perimeter. However, if this perimeter is breached, the entire network is put at risk, which can lead to unimaginable losses.

Companies are now facing newer, more sophisticated and pervasive threats, which if left unaddressed could result in shutdowns across entire industries. It is therefore essential that businesses turn their focus away from simply ensuring compliance and following the outdated philosophy of “trust but verify”, as this only goes as far as securing the network perimeter. For a truly robust stance on cybersecurity, organisations must close as many loopholes as possible — whether external or internal – so no opportunistic criminal can exploit the network.

At the same time, the challenge for cybersecurity is that while nobody disagrees with the need for the best possible security model, it is often seen across business as an onerous and often over-engineered impediment to getting work done on a day to day basis. It is absolutely critical for cybersecurity teams to work closely with businesses to understand their needs and to build context aware models that actually enable work. Cybersecurity can and should improve the employee experience.

A more resilient model equal to today’s challenges begins with the premise of “never trust, always verify”. A Zero Trust Security Model enables cybersecurity to become more adaptable to emerging threats and changing access needs. It also takes into consideration the context of requests for any protected resource. It can detect threats in real time and take immediate action to protect an enterprise’s data, devices and operations in ways reused passwords and VPNs no longer can.

Zero trust relies on eight core principles and associated technologies:

  1. Never trust. Always verify.
    Today, nearly all work takes place in a networked environment. Where systems and resources are spread across the cloud and can be accessed in any way via any smart device, no single security check can suffice for overall security. Instead, the secure approach requires validation for any identity before access can be permitted.
  2. Purpose-driven access
    Earlier methods, such as a “one-time password” sent to an email address via internet protocols, no longer suffice; they are too prone to compromise. Instead, access must be contextual and time-bound to deliver required business outcomes. Password-less multifactor authentication (MFA) is both more secure and faster for users.
  3. Continuous risk-discovery, real-time treatment
    A “find to fix” approach should replace the long cycles of audit, testing and remediation under which most IT organisations have operated. While compliance is always necessary for regulatory adherence, reporting, and security hygiene, real technology risk is contextual. By having a zero trust model in place, organisations can monitor and verify a user’s risk score before granting them access to the network and other enterprise resources.
  4. Security by design
    As cybersecurity must be central to the customer experience and business continuity, it should be considered as early in the development cycle as possible. The earlier security is prioritised, the easier it is for companies to deliver flawless projects repeatedly and without risk.
  5. Information-centric security
    From a business perspective, it makes sense for many organisations to choose to focus on their business rather than the data they hold or the IT functions they have in place. However, from a security perspective, by putting proprietary information and expertise — their data and its uses — at the core of the business, companies can secure a perimeter. Thanks to the proliferation of cloud-based models for many computing needs, this is much more achievable.
  6. Security as culture
    As the saying goes, a chain is only as strong as its weakest link, and a company’s data is only as secure as its most vulnerable vector. Beyond making cybersecurity an enforcement issue, a culture of security makes it everyone’s responsibility. This means putting training in place for every employee to empower each user to sense and act on cybersecurity matters.
  7. User Experience focus
    In all of this, security organisations need to work with user experience specialists to ensure that work can still get done and the demands of corporate security do not become an impediment to getting work done, or delivering consistently bad user experiences, as that will in many cases lead to behaviours that will compromise the security. This is both in terms of how processes are designed (not just engineered) but also in how they are communicated, and the user community engaged. Just as users need to understand corporate security principles, the security teams need to understand how work is done, to truly get the best outcomes.
  8. Intelligence
    Patterns are everywhere, and with the use of AI Ops and related toolkits, it is likely that any breaches, or attempts, are leaving their own fingerprints and patterns which are traceable. It’s imperative that security teams also add AI and intelligence to their toolkit to pre-empt attacks or breaches and for early recognition of the patterns which can lead to these breaches.

Leading-edge, risk-focused and context-aware security is increasingly available as a service and should be invested in, rather than adopting a one-size-fits-all software solution. Forward-looking companies must take a “never trust, always verify” approach when granting access to their data and processes. Thereby acknowledging that threats evolve and require the capabilities available in advanced technology — such as AI, automation, cloud computing, and agile development — to address them.

Through leveraging this technology, a business can embrace a more resilient and adaptable cybersecurity model. Not only does this increase an organisation’s chance to overcome challenges, but it also allows them to take advantage of the opportunities that come from emerging digital ecosystems.