Cyberthreats are part of life in a digital world
The COVID-19 pandemic highlighted how much Australians interact and work online and led to an exponential increase in people accessingthe internet for healthcare, working from home, education, entertainment and online shopping. Since 2020, 82% of company leaders plan to allow employees towork remotely at least part of the time after the pandemic, and 47% will allow them to permanently work from home full-time.
The proliferation of remote working, digital applications being used across organisations – out of people’s homes and across their own networks – has created new headaches for CIOs as cyber threats have also increased.
But it seems that one thing is clear – traditional notions of wrapping a perimeter around infrastructure and giving various access controls is no longer a sufficient strategy. It is now also important to manage the identity of users at the time and place at which they are accessing services, applications and data.
For the last decade, organisations have been grappling to keep ahead of the curve when it comes to cyber security measures. Before cloud technology existed, when organisations largely managed their own application infrastructure and stored data on-premise, security was physical as well as based on access controls – those who needed access were given whatever security credential was needed to access the data where it was stored (e.g. a physical pass to unlock the locked door, or a passcode to get into the locked database). Further controls were given to different areas of the database as needed. The perimeter was around internal networks containing the data and applications and were kept separate from external networks.
But in an increasingly digital world, a perimeter around infrastructure is no longer sufficient. Social engineering and ransomware attacks have shown that even with the best intentions, there are sometime people with the right access that do the wrong thing.
Cyberattacks are becoming more frequent, and with more and more of our lives online, the attacks are becoming more costly. Aust Cyber has released Australia’s Digital Trust Report in July 2020, that highlights the role ‘digital trust’ plays in attracting investment and driving jobs growth. Conversely it also models the impact of a major cyber security incident creating a digital interruption to the Australian Economy. In short, it would be catastrophic - a digital disruption spanning four weeks would significantly impact our economy to the tune of AU$30 billion or around 1.5 per cent of Gross Domestic Product (GDP), representing around 163,000 jobs. 
Organisations have taken up cloud technology at an exponential rate. Gartner estimates that global end-user spending on public cloud services is expected to exceed $480 Billion in 2022.
In order to better secure customers, employees, and businesses as mobile and cloud adoption sky rockets, the vast majority of technology and security leaders have moved past traditional security approaches. Rather than building a perimeter of protection around a “trusted” internal network vs. any “untrusted” external networks, they’re adopting zero trust frameworks as they are strongly recommended (and in some cases even mandated) by industry analysts and federal government agencies.
The US Government has directed that the Federal Government “must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
The Australian Government’s Cybersecurity Strategy refers to the need to build trusted identity credentials through the National Identity Security Strategy and the Digital Identity Program to provided trusted identity credentials for citizens accessing government services. States and Territory governments around Australia have adopted their own versions of cyber strategy relating to employees, citizens and industry partners. But so far, there is no harmonisation between the States and Territories, or between Government Departments when it comes to identity and access management.
What is Zero Trust?
The Zero Trust model refers to a model of security where each access request is considered potentially suspicious, and the response is based on identity and access management. It is about creating a secure environment for users and devices to access enterprise resources in real time. This can be referred to as an “identity-driven mindset”. This approach is session based, where access policies are dynamic, and is based on being able to grant access based on observable and verifiable data in the user's context.
The approach requires the administrator to ask “what is observable and what is verifiable about the identity of the person requesting access at this point in time?”
Multi-factor authentication, not just a user ID and password, is one key factor of the Zero Trust approach. But the path to Zero Trust will be different depending on the organisation’s identity management maturity, as well as the needs of their customers. Organisations will therefore need to consider how many levels of authentication are appropriate depending on their own assessment of threat level, balanced with good user experience (for both employee and citizen customer).
Let’s hope that a Zero Trust approach by Government, that starts with verifying contextual factors such as the request for access in real time, doesn’t put indigenous or regional customers at a further disadvantage of reduced accessibility to government digital services. Users that are on a shared computer or in regional areas with intermittent connectivity should not be put at a further disadvantage simply for trying to access Government digital services. Like any good Government service, it should be designed around empathy with and a deep understanding of the needs of its citizens.
For government organisations designing services for citizen customers, a Zero Trust approach requires some fine balancing of competing priorities.
Government is tasked with building trust from its citizens when delivering digital services, so an approach that starts with “trusting no one” has the potential to require some tightrope walking when designing delightful user experiences. For instance, it may seem too “creepy” for a government department to ask for too much personal identifying information when granting access to say, information on how to register your pet – a candidate for less levels of authenticating information to grant access. But on the other hand, a government department may seem not trustworthy enough if it didn’t ask for enough verifying personal information when granting access to medical records – a candidate for many levels of authentication of identity.
Government already sits on a mountain of verifiable data ofcitizens – birth date, postal address, education status, Medicare, drivers licence data, etc. But the challenge is how and when to use the data already held to authenticate and use other technology to observe the access request in the context within ethical limits – biometric scanning technology is one that springs to mind. The government will need to grapple with ethical considerations of emerging technologies in this context.
So there is no one size fits all for Government departmentsto apply a Zero Trust model to their internal users (employees) or external customers (citizens).
But one thing is clear- in a post-Covid remote-working digital world, people are the new perimeter and trust is everything.