Zero Trust Security for a Cloudy Future

Patterns of work have changed throughout history. Urbanisation attracted rural populations, the industrial revolution concentrated workforces, and technology today allows hugely distributed workforces to collaborate on large projects from different time zones. Today, it’s not uncommon to see startup companies of considerable size and success with no central headquarters, and thanks to the enforcement of remote working over the last couple of years, many companies are settling into hybrid work patterns.

When we think of remote working technology, the role cloud computing has played is central. On-premise applications are becoming a less common sight in most companies’ topological maps, and that reality has significant implications for cyber security professionals. If the traditional perimeter is now much less in evidence than it was, how can individuals and their organisations be best protected from the seemingly unstoppable cybercriminal gangs that prey on internet users?

The emerging answer appears to be a zero trust approach to cyber security. This framework begins with the simple edict that no person, system, or machine may be granted access by default to any part of the organisation’s assets. Therefore, authorisation is required at every touchpoint where access is required throughout the working day. Furthermore, the degree of access is controlled too: the simplest example is whether a user must have write (or execute) access to a file or just needs read-only access.

“Six plus years ago when I first joined Zscaler, a zero trust conversation was almost unheard of here in Asia Pacific. You know, the term itself had not really been coined.” So said Scott Robertson, the Singapore-based SVP of Zscaler, the world’s leading provider of zero trust cyber security and secure access solutions. “The concept of moving your perimeter from around your network to around the internet was not something that many organisations have necessarily contemplated or committed to. As we see, [over] these last six years, that narrative of a zero trust posture, or zero trust network architecture has accelerated. And of course, it’s only accelerated even faster in these last 18 or 24 months.”

The challenge facing any organisation is adapting to the new patterns of data movements caused by cloud computing and remote working. Spearheading this in most organisations is the trusty stalwart of Microsoft Office, Scott told us. “What really triggered this change over the last few years, in my opinion, is the rapid adoption of Office 365. So, I moved my traditional Exchange Server from an on-prem environment where maybe 40% of my internal email would be going through my internal network. Now every single email wants to go out through perimeter to the internet, and back again.”

There’s been a change in the way we use the internet, too: we rely on it so much more for the services we use every day, both in our private lives and at work. As a result, Scott, ever the cyber security professional, states: “All of my traffic is now going through a network which I don’t own, I don’t control, and I can’t secure. […] If you build a zero trust network architecture framework into your organisation, then you’re creating a direct to internet experience for every user whenever they want to access those services.”

Despite the prevalence of XaaS (just about everything as a [cloud] service), there is still room for traditional perimeter and endpoint protection. In fact, these technologies remain integral parts of the overall cyber security toolbox, Scott says.

“[Zscaler] is not expecting to do everything. We have to work with an ecosystem, and the strength of working with an ecosystem of partners is that the winner is the customer: they get the best possible protection and the best possible technology.” To that end, an integrative approach is essential to being more secure from attacks, both externally and internally. “So, we work with many different vendors, whether it be in the firewall space, or wherever. Obviously [we are] working with protocols to have firewalls direct their traffic from the corporate network to Zscaler, whether GRE or an IPsec tunnel, for example. […] We work with many endpoint [protection suppliers for] virus protection and controls that are placed on a mobile phone or computer, [also] orchestration and automation vendors who are providing SD-WAN.”

One of the obvious side benefits of systems that give organisations oversight of the entirety of data movements right across a distributed network is access to large amounts of learning data, which is perfect for machine learning applications. So, is there a realistic role for artificial intelligence in cyber security, we wondered?

“Perhaps AI can start to make better policy suggestions for our customers to say: hey look, yesterday ‘Joe’ was doing X and it created a vulnerability incident. You may not be able to visibly see this because you’re managing a network of 50,000 employees! We would recommend that you change the policy or update the policy to do this, this and this, because that would address [the issue].”

Artificial intelligence’s role in cyber security is in its infancy, so the overall shape of how the tech will be deployed remains unclear. Predicting the future is pretty much impossible, especially in technology. But Scott was able to point to what he sees as an emerging area of concern in cyber security practice that relates back to the growing, borderline exponential ramp-up in cloud technology’s use:

“The next frontier that we will see is business to business connectivity of those applications in the cloud […] What happens when we want to have business-to-business integrations enabled in a cloud world where we don’t necessarily manage the infrastructure that our instances are hosted on? And how do we create that business-to-business connectivity securely between customer A and customer B, to be able to make those transactions successfully [and safely]?”

Cloud providers and SaaS vendors do ensure the security of their provision, of course, but it’s security for the discrete infrastructure of the instance, be that hardware, virtual hardware, or application. Outside of those strict definitions, there’s no default protection for data travelling to and from the cloud provider or, as Scott says, for the cloud-to-cloud traffic of the future.

That’s why companies committing to remote services need to examine the nature of their cyber security provisions and ensure that these too have evolved in line with the changes to the technology stack. A zero trust cyber security model is now a critical component of an overall strategy to stay safe. And Zscaler is pre-eminent in supplying these systems to organisations in APAC (and across the world).

To support your journey to a cloud-first IT infrastructure, reach out to a representative from Zscaler near you today to request a hands-on demo.
