Insights from the State of Zero Trust Security in Asia Pacific 2021 report from this interview with a digital identity expert.

Initially a stop-gap measure, hybrid working arrangements have become a necessity, with corporate leaders increasingly recognizing the value of hybrid working in driving business growth.

Mobile and cloud technologies, in particular, will underpin the IT infrastructure of a hybrid workforce – in fact, 85% of businesses in APAC shared that cloud-native solutions have been crucial in helping them cope with the impact of the pandemic.

However, this makes organizations more vulnerable to threat actors – remote working introduces more devices, applications and networks into the infrastructure, opening up new avenues for exploitation.

To shed light into the capabilities of APAC organizations to adapt to a changing threat landscape, digital identity provider Okta conducted a study − The State of Zero Trust Security in Asia Pacific 2021. CybersecAsia gleaned more insights from Clarence Cheah, APAC Identity Lead, Okta:

Clarence Cheah, Identity Lead, APAC, Okta

In today’s hybrid work environment, how effective are legacy IT security solutions such as traditional firewalls and VPNs?

Cheah: Legacy solutions were built with two groups in mind: trusted individuals, able to access everything inside the organization, and untrusted individuals, kept on the outside.

Previously, security and IT teams would invest in defensive systems that protected these two groups, focusing heavily on securing the network perimeter, often with firewalls.

While they were successful in building a wall between potential threats and the safety of the corporate ecosystem, this full-trust model is problematic, because when that perimeter is breached, an attacker has relatively easy access to everything on a company’s privileged intranet—not to mention the havoc a rogue insider could wreak without even breaching the perimeter.

The potential harm this could cause has been exacerbated by the mass migration of organizations’ IT infrastructure to cloud and digital systems in the past year.

In the world of hybrid work, there is no longer a wall around a business’ sensitive assets − employees, contractors, partners and suppliers all access data from across the traditional perimeter. Legacy IT security solutions no longer work and organizations need to adopt a new mindset (Zero Trust – not trusting anyone until he/she has proven herself to be trustworthy) and strategy, with user identity at the centre.

How ready are APAC organizations to deal with the current threat landscape?

Cheah: Currently, APAC organizations slightly lag their counterparts in being able to deal with the threat landscape. At the time of the survey, only 13% of APAC organizations had already implemented a Zero Trust Security strategy, compared to 20% of organizations each in EMEA and North America.

At the same time, our survey also found that APAC organizations are intent on plugging this gap – we learnt that COVID-19 has accelerated Zero Trust Security as a priority in 77% of APAC organizations: slightly higher than EMEA (76%), and North America (74%).

Additionally, most companies plan to implement additional Zero Trust Security initiatives within the next 12-18 months; and intend to spend more than they have done before, with 76% of organizations in APAC planning to moderately or significantly increase their budget on Zero Trust.

Is a Zero Trust approach/strategy the way to go? Why?

Cheah: In today’s landscape, a Zero Trust approach has evolved from being a “good to have,” to a “must have” for organizations. Hybrid working arrangements, and consequently the adoption of cloud technologies, is set to sustain even post-pandemic.

To meet the access and usability demands of today’s users — and avoid becoming the next victim of a data breach or supply chain attack — organizations have to work towards implementing a more robust and comprehensive security posture that’s centered around the Zero Trust Security principle of “never trust, always verify.” At the same time, the process of assessing privileges has to be done without adding friction for the user.

The cybersecurity battle shouldn’t be fought by the IT department only. IT and security leaders’ efforts to remove friction and improve end user experience will go a long way in getting users to the organization’s side.

What is the adoption rate of Zero Trust in APAC organizations? What are the different stages of adoption?

Cheah: Okta breaks down Zero Trust adoption into four main stages:

During Stage 0, an organization might begin to embrace cloud technologies, but don’t yet integrate those solutions with an Identity & Access Management (IAM) platform or on-premises resources.

At Stage 1, teams start wrapping their arms around a unified IAM ecosystem and eliminating poor password hygiene by implementing single sign-on (SSO) and multifactor authentication (MFA) for employees to access key resources.

Moving into Stage 2, businesses adopt additional security best practices by extending access controls to other resources such as their APIs, and also using rich context and diverse factors to better inform authentication decisions.

Once companies reach Stage 3, they’ve successfully adopted a full risk-based authentication approach to Zero Trust, including passwordless and continuous access solutions.

Promisingly, within APAC, Stage 1 implementations such as single sign-on for employees (implemented at 84% of organizations) and multi-factor authentications (84%) have already been implemented across most organizations.

Implementation for several stage 2 strategies and solutions have been healthy as well, including secure access to APIs (35%). While only 3% of organizations have context-based access policies, 40% intend to implement it within the next 12-18 months.

This is an improvement from last year, when the majority of the companies we surveyed were still focused on Stage 0 or Stage 1 projects.

By 2023, 40% of organizations within APAC would have implemented context-based access policies; with 29% implementing secure access to APIs – applications categorized under Stage 2 of Okta’s maturity curve.

That said, there are areas currently being neglected by organizations in APAC. For one, no organizations had implemented passwordless access, and only 10% intend to do so within the next two years.

In your opinion, how should APAC organizations plan for a cybersecure future and stay a step ahead in protecting both corporate and individual data and identity?

When it comes to implementing Zero Trust Security, there is no silver bullet. At the same time, the digital nature of our modern economy means that security threats will only intensify, so no business can afford to stand still.

For starters, there are several ways businesses can make inroads with identity-driven security, including:

  • Recognize that people are the new perimeter, and adopt strong authentication across all services, everywhere.
  • Centralize identity and access control across the enterprise so that risk  can be more easily managed.
  • Reduce risk by reviewing the IAM maturity curve, determining where the organization is, and finding some immediate wins to quickly advance its position through an identity-first approach to Zero Trust.
  • Extend the security ecosystem by integrating key tools with the IAM solution, thus enabling holistic security visibility and collaboration.
  • Consider even more advanced methods such as adopting passwordless authentication and context-based access policies, as well as shifting beyond protecting employee accounts to also securing access for partner accounts.
  • Continuing education to ensure users are aware of evolving security risks is important. One way to build up healthy habits in employees is through periodic awareness education and use of technology that enforces the policies automatically, such as automated password resets or two-factor authentication.