BusinessMirror

Assume nothing, verify everything


ORGANIZATIONS worldwide continue to grapple with cyber security challenges as the pace of digital transformation, fast-evolving business models, remote work and increasingly complex partner ecosystems unleash new opportunities for cyber attacks.

Traditional cyber security approaches relying on security ‘at the perimeter’ were adequate in a world where data and its users resided within specific, well-defined locations. With physical boundaries disappearing—and with increasingly sophisticated cyber criminals using ransomware and other destructive malware to target organizations—conventional cyber security approaches are being rendered obsolete, ultimately driving the need for modern solutions to protect critical assets and information.

The same problems are also true in the context of the Philippines, where digitalization in various business industries and government services has escalated over the past years. KPMG in the Philippines Technology Consulting Partner Gilbert T. Trinchera shares that “going digital has shown concrete and tangible advantages to different sectors in the country.” “However, such breakthroughs also come with risks and liabilities that, if taken for granted, will surely entail losses that could easily outweigh its pros,” he added.

Given the increased dependencies on data and digital transactions, together with the Philippine government’s implementation of data privacy, national ID and SIM card registration, digital identity in the country needs to be secured with zero trust as a keystone capability.

Hence, Trinchera advises decision-makers and corporate leaders to value cyber security and other safety measures in the digital landscape to safeguard their data. “We couldn’t just be too trusting, and more and more businesses are wisely turning to a zero-trust mindset to restructure their cyber defenses,” Trinchera emphasized. “The shift to remote and online setups has accelerated the need to move from an implicit to a zero trust model for organizations, and we have observed that Philippine firms are keen on implementing this model in the next 12-18 months,” he added.

What is zero trust?

A ZERO trust approach puts user identity, access management and data at the heart of cyber security. It is an evolutionary cyber security approach and model that has been developed in response to the ever-expanding threat landscape. Zero trust is not a technology solution but a model and approach that requires a mindset shift based on three key principles: Assume nothing, check everything and limit access.

Zero trust relies on an identity-aware, context-driven and data-centric approach to cyber security strategy and operations. With user identity and data value as its key components, zero trust enables secure access to data and resources via strong identity management, modern software-defined networks, continuous monitoring and advanced analytics.

No one, either inside or outside the enterprise network, is automatically trusted—every user must prove their identity to gain access. Within the zero-trust framework, even with valid username and password credentials, users are denied access to the system if their device has not been validated or the required trust level is not met.

Zero trust is different from previous approaches to IT security. Today’s hyper-connected world has broken down traditional perimeters—enabling the fluid movement of data beyond organizational boundaries as multiple parties and devices access business data and systems from anywhere in the world. Add to this dynamic environment 5G technology, edge computing and hundreds of millions of emerging Internet-of-Things devices and it becomes clear that conventional security approaches are fast becoming outdated and increasingly inadequate.

Businesses are waking up to a new reality of threats

WHILE many businesses may not realize just how exposed they are to today’s cyber threats, an increasing number are showing a new sense of urgency in adopting a zero trust model.

By 2025, damages resulting from global cybercrimes are expected to reach close to $1 trillion annually. Primary drivers prompting more businesses to wisely pursue the zero-trust model for enhanced security include ongoing digital transformation that is revolutionizing business models and workforces, the proliferation of cloud-based services, and today’s increasingly complex supply chain networks.

As the pursuit of the zero trust framework gains momentum, CISOs and CIOs must work towards implementing organization-wide zero trust architectures that align with their operating priorities, risk management needs and technology capabilities.

In the race to better understand and manage today’s ongoing cyber threats, zero trust puts businesses in a predictive and proactive mode, providing timely context-based analysis, insights and automated responses to potential attacks. With a zero-trust approach, companies build an end-to-end cyber security approach that is “perimeter-less”—protecting every aspect of the ecosystem, including assets, workloads and other resources.

The future is identity-aware and data-centric

THE zero-trust approach to security is the latest crucial step in an evolutionary journey. Our goal at KPMG is to help organizations take the concept of zero trust and make it a reality by defining a strategic roadmap and an implementation plan, and continually building on zero trust’s capabilities, strengths and advantages—ultimately pursuing an identity-aware and data-centric approach to cyber security.

Zero trust is the right approach at this point in time—but what’s next as the threat landscape continues to be uncertain?

Thinking ahead, KPMG has developed the next evolution of the cyber security model—Adaptive Security, which crystallizes the potential benefits of zero trust capabilities by grouping them using the National Institute of Standards and Technology’s Cyber Security Framework Functions—delivering deeper context through end-to-end visualization of threats, leveraging key automation and orchestration capabilities to auto-remediate vulnerabilities and protect assets.

The excerpt was taken from the KPMG Thought Leadership publication: https://spoglobal.kpmg.com/sites/go-oi-inf-thoughtLeadership/sitepages/assume-nothing-verifyeverything-2022.aspx.

© 2023 R.G. Manabat & Co., a Philippine partnership and a member-firm of the KPMG global organization of independent member-firms affiliated with KPMG Intl. Ltd., a private English company limited by guarantee. All rights reserved.

For more information, e-mail ph-kpmgmla@kpmg.com, social media or visit www.home.kpmg/ph.

This article is for general information purposes only and should not be considered professional advice to a specific issue or entity. The views and opinions expressed herein are those of the author and do not necessarily represent the BusinessMirror, KPMG International or KPMG in the Philippines.
