What are some of the biggest challenges facing countries across the globe today? Technology is transforming human societies and communities across the globe, in different ways, changing the way we live and conduct business. As it becomes pervasive in all walks of life, from health care to education, so do the challenges it brings with it. Over the last year or so, cybersecurity has emerged as one of the topmost concerns as enterprises and individuals opened closely guarded networks to enable remote working, hybrid workspaces, and multi-cloud environments. With every passing day, there’s a multifold surge in cases of cybercrime, including phishing, hacking, and ransomware attacks, putting sensitive information and data of citizens at risk. The cyberwar threat is real. It’s time for India’s government and public sector to embrace a Zero Trust approach to security.
By Anil Valluri, Regional VP and MD for India and SAARC, Palo Alto Networks
India is no exception. In recent years, India has taken rapid strides to leverage technology to build the country as a global economic powerhouse. Under ‘Digital India’, the country has committed to a massive investment of 1.13 lakh crore towards building a public digital infrastructure that will drive India towards a paperless and cashless economy. However, if the past few months are anything to go by, India has a long and challenging road ahead. Just earlier this year, multiple government websites reported a large-scale data breach, and citizens’ COVID-19 lab test reports were leaked. It was later reported that the criminals were found selling the sensitive data on the dark web for a few hundred rupees, potentially compromising the sensitive health records of over a million registered citizens. This incident has only reinforced our understanding that if India were to become an economic powerhouse, it is crucial to not only invest in building a strong network of IT and technology systems but also secure all the information that flows through it.
By various estimates, India continues to be among the top countries globally hit by ransomware and cyberattacks every year, giving rise to massive reputational, financial, operational, legal, and compliance implications. A report by the Belfer Center of Harvard Kennedy School, U.S., on ‘National Cyber Power Index 2020’ that analyzed about 30 countries to examine their cyber power, reiterated this. According to the report, India lags behind at number 21, when it comes to adopting cyber strategies or lack of existing capabilities, therefore achieving policy goals. It is revealing that a country that has placed so much emphasis on growing its technology footprint does not yet have the preparedness required to thwart the ever-increasing cyberattacks. The Indian public sector, thus, needs to relook at its cybersecurity strategy to ensure a safe, secure, resilient, vibrant, and trusted cyberspace and deliver on its promises of ‘maximum governance and minimum government.’
The good news is this is precisely what the Zero Trust approach is built for. Zero Trust isn’t a brand new concept. However, as new technologies emerge and mature, the approach seems to be drawing attention and acceptance, for all the right reasons. The power of Zero Trust was first recognized in 2009, by John Kindervag, when he was still an analyst at Forrester Research. Kindervag explained it as “the critical cybersecurity strategy for protecting critical data, applications, systems, and services.” Based on the principle of ‘never trust, always verify’, it assumes that trust could translate into vulnerability at any time and as such no single user, network or device can be trusted. In short, Zero Trust involves enforcing least privilege everywhere and never trusting, always verifying when it comes to identity, even if previously verified.
To be sure, the government and public sector agencies, in contrast to commercial enterprises and organizations, need to deal with multiple classifications of their data and information, which naturally creates a level of categorization. This increases complexities in processes and systems due to separated network deployments, strict compliance with regulatory requirements, and increased operational burdens. Moreover, with so many workers operating remotely during the pandemic, there’s heavier dependence on digital technologies, for everything right from learning, business, and even our medical response. Employees no longer have ready access to their IT departments, and share common networks and devices with their families, while no longer enjoying benefits from their usual protections. This, in turn, has left people and systems more vulnerable.
We can no longer guarantee that a threat can’t sneak in or that there is no bad actor existing within our systems and infrastructure. As multiple incidents suggest, bad actors, both foreign and domestic, are now finding alternative ways to pass through perimeter defenses, perhaps through a bug that was not fixed, a hastily developed app or a system that was misconfigured. As such, threats have escalated in number and potential damage, where adversaries can enter networks and steal secrets and data while roaming undetected. In addition to this, intruders see big opportunities in even the slightest error and are well-funded and well-equipped, with much more sophisticated tools and knowledge to get the job done. From this perspective, a zero-trust technology system offers exactly what the government and public sector in India need. It is a strategic approach that entails multiple solutions working together to provide the best defense.
How Can Governments Implement It?
Government agencies can’t simply flip a switch to turn on a zero-trust environment; it requires a major commitment and ongoing administration. Access and privileges are constantly changing and need constant monitoring. As India embraces cloud technology and digitalizes governance and citizen services, a corresponding enhancement of government-industry cyber defense is needed.
Embracing a Zero Trust approach therefore will require verifying every attempted access through location awareness, proper device controls, and user authentication controls, treating every access as a threat until verified otherwise. To move to zero trust, first and foremost, agencies should evaluate their preparedness with the current security architecture and understand where the challenges may emerge. Instead of replacing legacy systems overnight, agencies should look at opportunities for integrating them with newer solutions, thus saving precious monies. Given the rise of hybrid working models, agencies should review their most sensitive data and workflows to determine access entitlements and policies for employees working both in offices and remotely. Additionally, policies must be reviewed often and altered to cut off non-essential access immediately.
But this is easier said than done. A sudden attempt to modernize legacy systems and implement a Zero Trust architecture might put people and processes at risk, bringing overall productivity and effectiveness down. Government agencies, therefore, must consider investing in a robust integrated cybersecurity platform across clouds, networks, and devices that relies on Artificial Intelligence (AI) and Machine Learning (ML) and constantly evolves to keep sophisticated threats at bay. Eventually, the model can scale up and down, as organizational needs evolve. Instead of a piecemeal approach that may still contain tiny gaps and could expose vulnerabilities, government agencies must adopt a platform-centric approach, reducing the need to integrate solutions from different security vendors. This will enable increased visibility and access controls and put more checks and balances at each level.
The Zero Trust architecture does away with the notion that bad threat actors attack the target directly. Instead, it is firmly rooted in the belief that they are more likely to attack a weaker link and then roam laterally across the network. This link is often humans within the system who are prone to making mistakes, can have a lapse in judgement and misplaced trust.
Using the Zero Trust model, government agencies can tackle this and fill in the inherent cybersecurity skills gap within the organization. Government employers can put multimodal teams in place that are technically equipped and can undertake infrastructure modernization based on sound strategy and regular policy inputs. Agencies can also undertake employee awareness campaigns that can help guide and sensitize employees, partners, and other stakeholders on the effects of cyberthreats and their role in it. While reliance on home networks and remote work practices may be unavoidable for the foreseeable future, agencies can also keep employees abreast of internal cyber incident response protocols so they can adapt as and when threats arise.
It is crucial to note that Zero Trust is no magic wand. It’s a journey that involves many milestones and each deployment will expand as new needs emerge and processes are assessed. If governments and agencies enter Zero Trust with the right resources and expectations in place, it will go a long way to protecting the government’s most sensitive assets from assault, spying, hacking, and exploitation.
Earlier this year, when U.S. President Joe Biden passed an executive order to implement a strong cybersecurity framework, it validated and reaffirmed the relevance of ‘Zero Trust’ in a post-COVID-19 world. Government leaders and public officials in India must closely monitor the developments with the White House executive order, which could serve as a model for how to incorporate Zero Trust into government operations at all levels.
All said and done, most of the country’s critical infrastructure is linked to information highways and is interdependent. Cyber threats are now a national security threat, and securing this infrastructure is more important now than ever. Protecting it is vital to India’s national security and global positioning as it is intrinsically connected to people’s economic and social wellbeing.
About the Author
Anil Valluri is the regional vice president for the India and SAARC region at Palo Alto Networks. In this role, Valluri focuses on driving profitable growth and accelerating the technology footprint across customer segments, creating strategic go-to-market alliances, and scaling the partner ecosystems, while building talent within the organization’s ranks in the region.
Anil is an alumnus of Stanford University Graduate School of Business and is an avid single-digit golfer, analog audiophile, and DIYer.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.