Building trust in Zero Trust: Insurance security chiefs urge industry to adopt multi-year adoption plan

Citrix shifting user management to Zero Trust security model
Top L-R: M. Kamar, Bupa; J. Cozzupoli, Citrix (Mod); Bottom: A. Cunningham, IAG

While Zero Trust has in recent years generated huge buzz within cyber circles, particularly in the rapid shift to remote working and BYOD adoption during the 2020 Covid crisis, Michael Kamar, security platform chief at health insurance giant Bupa Australia, has warned that it is a fatal flaw to assume organisations can simply and quickly ‘plug and play’ a ZT framework into their digital systems.

Joined by fellow insurance industry counterpart Adam Cunningham, IAG’s head of offensive security, as part of FST’s Security Digital Discussions series, Kamar stressed that organisations should anticipate a “multi-year”, phased deployment roadmap for any Zero Trust implementation, noting it is not something one can simply “buy and plug into your cloud or data centre”.

A densely layered security framework with several moving parts, the success of any Zero Trust rollout depends on lining up several core pillars of the modern cybersecurity infrastructure and operations mix.

Fortunately, Kamar noted, there is a good chance most financial services organisations have already stood up several key Zero Trust pillars as part of their existing cybersecurity roadmap, “be it network segregation, some sort of identity and access provisions, or a digital sign-on [function]”. The challenge from here is to effectively “link” these pillars up to create an integrated ZT system.

IAG’s Adam Cunningham agreed, noting that organisations already have “most of these pillars in place”.

“Everyone has active directory… [and] a user repository. You’ve got network segregation.

“And everyone has trust models that they use, whether it’s single sign-on or solutions in place that figure out whether people are logging in from a ‘Maccas Wi-Fi’, for instance.”

“For here, it’s a matter of understanding, based on the data, what’s your new security strategy and how do you pull all of those [pillars] together?”

Zero Trust, conceived more than a decade ago by Forrester researchers, is not a single technology or platform, but rather a security concept – one based around a simple notion that an enterprise cannot automatically trust anything within or beyond its perimeter.

Instead, it demands constant verification of people, systems or indeed anything attempting to connect to enterprise systems before access can be granted.

The concept attempts to reconcile one of the key shifts occurring in security management, and indeed across the wider business, today – a recognition that data, not the device, is the most valuable digital asset in the modern enterprise.

It is also a fundamental recognition that today’s endpoints (increasingly overwhelmed by security-deficient BYO devices) have eroded the traditional enterprise perimeter, effectively providing an open door for attackers to advance into the wider enterprise network.

Moreover, it acknowledges that security breaches are inevitable – no longer if, but when scenarios – and that, to combat this, high-value data assets must be segregated and access to them strictly limited.

For many organisations, ZT provides a complete shift in thinking about security. It has long been standard practice to “think about the endpoint, our weakest link, and work backwards with a security mindset”, Cunningham said.

“Unfortunately, we now [have to accept the] idea that we have no control outside of our data.”

Cloud has been a key catalyst for this ‘data-first’ mindset shift – from a “focus on environment to a focus on information”, Cunningham said.

“That’s the biggest change with everything that’s happened, with remote working and everything else,” he said.

“We as an industry have to look at how we protect our IP – our information – as opposed to how we protect our assets and our systems.”

“And that’s what cloud acceleration has, in my opinion, done to our industry. We’ve increasingly got anything-as-a-service, meaning we don’t have to worry about the system or the services. We now have to worry about your information that sits on them.”

Identity is core to the Zero Trust framework. Establishing a benchmark for ‘least privilege’ – that is, the most restricted access rights for users, accounts, and computing processes, only allowing access to resources necessary to perform routine, legitimate activities – is critical to the successful functioning of Zero Trust.

“It starts off with proving the person should be there and who they are – that they should be there, that they have the right access,” Cunningham said.

Misconceptions around Zero Trust prevail. And awareness “remains one of the biggest gaps when it comes to Zero Trust”, he said.

For Kamar, the challenge of ZT implementation, particularly in the early stages of deployment, is thus less a concern of understanding technology than in understanding people (and a recognition by business heads that suddenly limiting network access can rankle staff that have long been accustomed to having unfettered access to enterprise systems).

This, he said, is about ensuring “engagement and acceptance” across an extended implementation process, “making [employees] understand” the value of Zero Trust to the business. Moreover, that the extension of ZT across the organisation remains an “ongoing activity”, he said, requiring continuous investment, which needs to be ‘sold’ to boards as such.

Cunningham similarly stressed that one of the biggest mistakes cybersecurity teams make in any Zero Trust implementation is to place undue emphasis on technology rather than “people and process”.

“Looking at their data, the process, and how people access it at the beginning of that process is the most important foundational piece,” he said.

He noted that “missing that step” is the chief reason why many companies that adopt identity and access management solutions “will fail to meet the expectations of the business”.

“Talk to the business; get them involved. Get decision-makers that aren’t in technology to understand the data that’s really important and where it’s going and how people are accessing it.

“From there, you can make rules based on identity access management and then systems.”


Breaking out of the cyber bubble

For both Cunningham and Kamar, it is too often the case that security teams remain sequestered from other parts of the business. As a result, while the solutions they devise may work well in a technical sense, they may lack an understanding of how unique business units function and use digital systems.

The pressure on security teams to simply “spin up quick, open projects”, particularly in the identity space, Kamar noted, mean unique use cases are often poorly accounted for.

“Sometimes we don’t spend enough time analysing applications or workflows, or the way that business users are using the applications to dig into that least privileged model,” Kamar said.

He added, the implementation of new security controls is not a matter of “simply turning something on”.

“It’s about changing the way that your developer or your finance analyst or whoever is using the system can understand what they can do within it.

Cunningham too often sees security and IT teams being “quite insular” during their project build-outs.

“They won’t stick with the development team, but they [also] won’t stick with the people using the system to understand what they’re doing and the process that they use,” he said.

Yet this co-design process is, he stressed, critical to understanding more human concepts, particularly in benchmarking ‘least privilege’ and how users may access applications, particularly understanding “what’s normal”, which is key to helping “rid false positives”.

For Kamar, awareness and communication are critical to any Zero Trust implementation – and “probably the most important beyond any sort of technology solution”.

This is about taking them on a journey to get to that ‘least privileged’ model and also about guiding staff into an understanding of why a business would move to Zero Trust model.

“If you don’t have that plan, there’s going to be frictional resistance across the board, because you’re disrupting the way they generally operate.”

“If they don’t see the benefit, they [won’t be] receptive to it.”


The legacy trap

Legacy is an inevitability of any large-scale organisation. Yet legacy tech remains the bane of any new security control regime.

For Cunningham, FSIs today face a “huge tech debt problem”, with an infrastructure mix likely supporting mainframes dating from the 70s that allow only “simple passwords” and limited security provisions.

“When it comes to a Zero Trust model, it’s really hard to start carrying your tech debt into the future.”

This legacy can harbour critical blackspots in the Zero Trust model – for Cunningham, who overseas IAG’s offensive security function, one of the weakest links in the chain for adversaries to exploit.

“In my role, if I’m looking at it as an adversary, the weakest links are always the oldest [systems], because, for the most part, they can’t be patched, they usually have bad business processes, and they don’t give very good information to the people who are looking to protect against [threats].”

Perhaps most critically, the biggest concern for Cunningham is the sheer number of people who can access easily compromisable systems.

“If you look at your own business, how many people have full access to the desktop, how many people have domain credentials – and domain administrative credentials that don’t need it – how many accounts are provisioned as a service account which can be logged in one?”

“If there’s one thing that would keep me up most nights, it would be that.”

Cunningham urged businesses not to be afraid to “turn [these legacy systems] off”, particularly when many of them sit idle.

“A lot of legacy systems have data that we have to keep because of compliance or regulatory obligation; but that doesn’t mean that they need to be turned on”.

He stressed that it is simply about ensuring processes are in place “to retrieve information in a timely fashion”.

“An awful lot of tech debt goes away almost instantly if you do that analysis; you’ll notice a lot of systems that don’t need to be on 24/7.”

This could take tech debt from something “massive”, down to an area “that’s at least manageable”, he said.

The end of the password?

The password, for better or worse, has served as the front line of defence in traditional digital authentication systems, including today’s more complex Zero Trust-backed networks, since the dawn of the personal computing age. However, there were mixed views as to the continued relevance of password protection.

Citing a US military paper from 1986, which had already sounded the death knell for the password, Cunningham noted that, while effectively moribund then, by now, passwords have almost become “completely obsolete”.

However, the fact that passwords still remain in such regular use today paints, he said, “a really good reflection of where the security industry is and needs to be”.

In the face of an expanding array of brute force technologies, set rules for password creation (for instance, being a certain character length, with special characters, numbers, or locations) have arguably made passwords “that were really hard for people to remember, but really easy for computers to crack”, Cunningham said.

Hence, why he advocates for the use of passphrases instead – which, he said, takes into account how individuals think, memorise and create passwords, and have the benefit of a length that would be near impossible to crack.

“I think it’s a good analogy for where security has come from to whatever is coming next”, he said.

“There are loads of technologies out there that could replace [the password]. But it all depends on how well they can still validate someone’s identity.”

For Kamar, the password, for its faults, still has decades of life left in it.

I don’t think they’re dead,” he said. “They’ll still be with us for a long time.”

He noted that the industry has invested so much time “getting people comfortable with the idea of passwords” the challenge and “complexity of now having to pivot to passphrases, which is a huge bridge, and then to pivot to something else – towards ‘passwordless’” – will not be a seamless process.

“It will take a long time to hit that critical mass where a [new authentication solution] becomes useful.”

Within security circles and privileged users bases, new solutions may arrive sooner, Kamar said. However, these will take some time to be rolled out across the wider market.

The success of any new authentication solution will, ultimately, be determined by convenience.

“Convenience will trump security every day,” he said.

USB-based hardware authentication systems, like YubiKey, have made inroads into this space.

But, as both Kamar and Cunningham stressed, “it’s going to be another 10 to 20 years before passwords finally do collapse”.