This exclusive ARN Roundtable, in association with Arrow and Palo Alto Networks, assessed the understanding and application of Zero Trust practices among Australian customers, while examining how the channel can play a pivotal role in helping businesses adopt a strategic approach to security architecture.
Zero Trust has become one of cybersecurity’s latest buzzwords and it’s imperative to understand what Zero Trust is, as well as what it isn’t.
Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organisation’s network architecture.
Rooted in the principle of “never trust, always verify”, Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.
Zero Trust was created by Palo Alto Networks' former Field CTO, John Kindervag, during his tenure as vice-president and principal analyst for Forrester Research. It is based on the realisation that traditional security models operate on the outdated assumption that everything inside an organisation’s network should be trusted.
Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted. The Zero Trust model recognises that trust is a vulnerability. Once on the network, users – including threat actors and malicious insiders – are free to move laterally and access or exfiltrate whatever data they are not restricted from reaching. Remember, the point of infiltration of an attack is often not the target location.
As the security conversation amps up, it is vital to examine the Zero Trust security model and its viability as an approach to security for Australian channel partners and their customers. It’s been 10 years since the term was first coined and much has changed in the technology landscape, altering the original protection of the single enterprise-wide perimeter.
This includes the adoption of mobile phone devices, cloud computing, the internet of things (IoT) and, since the global outbreak of the coronavirus pandemic, the move en masse to remote work.
According to Riccardo Galbiati, cyber advisor at Palo Alto Networks Australia, the nation’s unprecedented adoption of remote working has given rise to a whole fleet of new security concerns among businesses.
“The majority of customers I meet weekly are concerned with the amount of new technology they are granting trust to,” he said. “Although the remote working situation, at least in Australia, has mostly normalised, the penny dropped for many CIOs and CISOs that trust is something they cannot afford to play with in the digital world.”
Unfortunately, over the last 10 years, Zero Trust has become a largely misunderstood and misconstrued term. From a channel perspective, the idea of Zero Trust is not simply a product suite to be sold but a “philosophical discussion”.
This is the view of Peter Stein, general manager of strategy, product solutions group, at Datacom.
“The confusion is in the fact that Zero Trust, no matter what some vendors say, is not a product, nor is it a service, it’s a strategy that needs to be adopted,” he explained. “It requires a full impact assessment across the organisation and then an implementation planned. It is not something you can just flick a switch on.”
For Kirk Jones, vendor alliance manager at Secure Agility, customer adoption in Australia is a work in progress. However, he said: “Customers are certainly adopting a higher level of security awareness and implementing new products and solutions to enhance their security posture towards Zero Trust.”
Nevertheless, while Australian customers may be concerned with Zero Trust security, many are more concerned with their cash flow and bottom lines after a year of pandemic-driven economic turbulence.
That is certainly the view of Chris Starsmeare, founder of Sydney-based IT service provider Diversus Group, who has so far seen a “low” uptake in Zero Trust adoption.
“Many customers are still struggling to free up budget for tactical spend on topical subjects such as ransomware,” he said. “Unfortunately, there still seems to be a view of ‘it will not happen here’ until it does.”
“There tends to be a vast gap between those within an organisation that understands Zero Trust as a concept and those that don’t,” he continued. “We are trying to educate and inform clients about Zero Trust as a concept or framework and take them on a journey. It’s not something that you turn on overnight.”
A consultative approach
So just how does a security or channel partner take a customer on a Zero Trust journey? For Kevin Koelmeyer, chief technical officer at Somerville Group, a significant part of the problem is that many customers see the idea as “just another jargon from the vendors”.
As such, much of the work involves “educating and then showing the value and security posture improvement” of Zero Trust, he explained.
“We are taking an approach of educating the customers on the requirements of layering on the security products, essentially the security onion, and how these are still very relevant,” he added.
“I think by not pushing a product but an overall improvement of security, architecture and posture [we can] reduce the hype and jargon so everyone understands what we are trying to get to.”
In a similar manner, Jones argues that a “consultative” approach is the best from a partner perspective, taking into account that many customers will have done their own research.
“Customers are at various stages of maturity and implementation of security measures,” he said. “Many are after extra advice on different solutions we can offer to solve their security needs.
“Customers need to understand their digital footprint and the fact that it is dynamic. The Zero Trust approach and solution they implement today needs to be maintained and adapt as the business user, application and data locations.”
Once the customer and the partner are on the same page with regards to a Zero Trust framework, the next consideration is prioritising and identifying the most important surfaces to protect, rather than simply ringfencing an entire network.
“This approach allows us to gain visibility on the protect surface current exposure and compare against the ideal flows that align with business requirements,” explained Galbiati. “Once these steps are performed, a Zero Trust architecture becomes much more achievable because it is possible to segment the protect surfaces and start enforcing policies that are contextual to the business requirements and remove trust from the picture.”
As Galbiati emphasises, “the purpose of a good cyber security strategy is to reduce risk while not impeding business agility”.
And this is where the channel comes in, he argues: “With so many vendor options and individual tactical approaches, it takes an external set of experienced eyes to ultimately join the dots and repurpose the long-term goal of cyber security in the business’s best interest.
“The channel is critical in promoting a strategic approach. A strategy needs its supporting tactics to be aligned correctly, and this is where we see clients are struggling the most.”
However, the next big question for channel players is how they can make Zero Trust security work in their own favour.
As Peter Stein puts it, return on investment is the wrong measure in this context and “will always be difficult to measure for security strategies and solutions.”
“Security is risk-based, so the cost of control implementation is always lower than the cost associated with the impact, should the risk eventuate into an issue,” he added.
At Somerville Group, explained Koelmeyer, to ensure a good return, a gap analysis of the security posture is always carried out with a customer, which includes a scenario-based risk evolution.
“We then do the same after implementation or perceived implementation and obviously add dollar value to the risk, and then that provides the ROI,” he explained.
Meanwhile, Galbiati argues that investing in ecosystems that are designed to cover the largest amount of Zero Trust requirements will bring the greatest return for partners.
“Since tools and technologies need to co-operate within a Zero Trust framework, the complexity of assembling multiple components from different vendors can be daunting,” he explained.
“That is why adopting a platform approach where every product has been developed with Zero Trust in mind is effectively a shortcut to the outcome and provides the most significant long-term return on the investment.”
Ultimately, in the words of Jones, any kind of “prevention is better than a cure” when it comes to safeguarding Australian businesses and their data.
“The cost of recovery from a major incident, multiple incidents or data loss or breach is usually far more expensive than the measures to prevent it in the first place,” he said. “A product is only going to be part of any solution. The conversation has to evolve beyond the product pitch.”