As the threat landscape evolves and adversaries find new ways to exfiltrate and manipulate data, more organizations are adopting a zero trust strategy. However, many are only focusing attention on endpoints, leaving the database vulnerable to malicious attacks. Databases are the last line of defense against data exfiltration by cybercriminals. To combat this, it’s essential that zero-trust security controls are applied to critical database assets.

The zero trust information security model denies access to data and applications by default. Threat prevention is achieved by granting access to networks and data only through policy informed by continuous, contextual, risk-based verification of users and their associated devices. Zero trust advocates these three core principles: 1) All entities are untrusted by default, 2) least privilege access is enforced, and 3) comprehensive security monitoring is implemented.

The traditional scope of cybersecurity was once considered to be perimeter protection of the enterprise network and associated data and applications. This castle-and-moat security model extends trust to all users and devices within the perimeter, allowing extensive or even unlimited access to assets within the castle. Despite massive investments in perimeter security defenses, cyber attackers can still access sensitive data. Zero trust is an evolution of security that no longer relies on castle-and-moat security to protect data environments. It moves enterprise cybersecurity away from over-reliance on perimeter-based security, which uses firewalls and other gating technologies to create a barrier around an organization’s IT environment.

The 2022 IBM Cost of a Data Breach Report, conducted by the Ponemon Institute, found the average total cost of a data breach reached an all-time high of $4.35 million. Implementing zero trust has a direct impact on potentially lowering the cost of a breach by limiting the risk of unauthorized access, insider threats, and malicious attacks. Just 41 percent of organizations in the study said they deployed a zero trust security framework. The 59 percent that didn’t deploy zero trust incurred an average of $1 million in greater breach costs compared to those that did deploy. 

While the initial goal of zero trust is to prevent data breaches, the core goal is data protection. Zero Trust Data Protection (ZTDP) is a new and evolving term for an approach to data protection based on the zero trust security model. Achieving ZTDP requires an effective data security and governance solution that can implement the zero trust model within the data environment. Privacera’s approach is built on three pillars:

Least privilege access control: Most cyber attacks occur when an attacker exploits privileged credentials. By imposing least privilege access-control restrictions on software and systems access, attackers cannot use higher-privilege or administrator accounts to install malware or damage the system.

Strong user authentication and authorization: Providing a granular level of data access control across systems for different users by the client, partner, business unit, sub-contractor, customer, franchise, department, or by contractual terms requires unified authentication and authorization controls capable of scaling across large, distributed hybrid and multi-cloud environments.

Data obfuscation, using encryption and/or masking: Organizations must be able to granularly encrypt or mask data at the table, column, row, field, and attribute level, not just the entire data set. This enables data science and analytics teams to use more data to build models and extract insights, drive new business opportunities, garner increased customer satisfaction, and optimize business efficiency.

The Cost of a Data Breach Report also noted security automation made the single biggest difference in the total cost of a data breach, making it more likely security best practices will be followed without fail. Zero trust should inform both what is protected and how access is controlled, while security automation can more efficiently put those zero trust principles into practice. The powerful combination of zero trust and Privacera security and governance automation helps your security team to more effectively apply data security controls as well as remediate incidents as quickly as possible — ensuring you maintain a stronger and more resilient security posture while reducing your cybersecurity risks.

Learn more about the emergence of data security governance for evolving zero trust strategies and get your roadmap to business success here.


By Anand Oswal, Senior Vice President and GM at cyber security leader Palo Alto Networks

Critical infrastructure forms the fabric of our society, providing power for our homes and businesses, fuel for our vehicles, and medical services that preserve human health.

With the acceleration of digital transformation spurred by the pandemic, larger and larger volumes of critical infrastructure and services have become increasingly connected. Operational technology (OT) serves a critical role as sensors in power plants, water treatment facilities, and a broad range of industrial environments.

Digital transformation has also led to a growing convergence between OT and information technology (IT). All of this connection brings accessibility benefits, but it also introduces a host of potential security risks.

Cyberattacks on critical infrastructure threaten many aspects of our lives

It’s a hard fact that there isn’t an aspect of life today free from cyberthreat. Ransomware and phishing attacks continue to proliferate, and in recent years, we’ve also seen an increasing number of attacks against critical infrastructure targets. Even in environments where OT and IT have been traditionally segmented or even air-gapped, these environments have largely converged, presenting attackers with the ability to find an initial foothold and then escalate their activities to more serious pursuits, such as disrupting operations.

Examples are all around us. Among the most far-reaching attacks against critical infrastructure in recent years was the Colonial Pipeline incident, which triggered resource supply fears across the US as the pipeline was temporarily shut down. Automobile manufacturer Toyota was forced to shut down briefly after a critical supplier was hit by a cyberattack. Meat processing vendor JBS USA Holding experienced a ransomware cyberattack that impacted the food supply chain. The Oldsmar water treatment plant in Florida was the victim of a cyberattack that could have potentially poisoned the water supply. Hospitals have suffered cyberattacks and ransomware that threaten patients’ lives, with the FBI warning that North Korea is actively targeting the US healthcare sector. The list goes on and on.

Global instability complicates this situation further as attacks against critical infrastructure around the world spiked following Russia’s invasion of Ukraine, with the deployment of Industroyer2 malware that is specifically designed to target and cripple critical industrial infrastructure.

Today’s challenges place an increasing focus on operational resiliency

With all of these significant challenges to critical infrastructure environments, it’s not surprising that there is a growing focus on operational resiliency within the sector. Simply put, failure is not an option. You can’t have your water or your power go down or have food supplies disrupted because an outage of critical infrastructure has a direct impact on human health and safety. So, the stakes are very high, and there is almost zero tolerance for something going the wrong way.

Being operationally resilient in an era of increasing threats and changing work habits is an ongoing challenge for many organizations. This is doubly true for the organizations, agencies, and companies that comprise our critical infrastructure.

Digital transformation is fundamentally changing the way this sector must approach cybersecurity. With the emerging hybrid workforce and accelerating cloud migration, applications and users are now everywhere, with users expecting access from any location on any device. The implied trust of years past, where being physically present in an office provided some measure of user authenticity, simply no longer exists. This level of complexity requires a higher level of security, applied consistently across all environments and interactions.

Overcoming cybersecurity challenges in critical infrastructure

To get to a state of resiliency, there are a number of common challenges in critical infrastructure environments that need to be overcome because they negatively impact security outcomes. These include:

Legacy systems: Critical infrastructure often uses legacy systems far beyond their reasonable lifespan from a security standpoint. This means many systems are running older, unsupported operating systems, which often cannot be easily patched or upgraded due to operational, compliance, or warranty concerns.

IT/OT convergence: As IT and OT systems converge, OT systems that were previously isolated are now accessible, making them more available and, inherently, more at risk of being attacked.

A lack of skilled resources: In general, there is a lack of dedicated security personnel and security skills in this sector. There has also been a shift in recent years toward remote operations, which has put further pressure on resources.

Regulatory compliance: There are rules and regulations across many critical infrastructure verticals that create complexity concerning what is or isn’t allowed.

Getting insights from data: With a growing number of devices, it’s often a challenge for organizations to get insights and analytics from usage data that can help to steer business and operational outcomes.

The importance of Zero Trust in critical infrastructure

A Zero Trust approach can help to remediate a number of the security challenges that face critical infrastructure environments and also provide the level of cyber resilience that critical infrastructure needs now.

How come? The concept of Zero Trust, at its most basic level, is all about eliminating implied trust. Every user needs to be authenticated, every access request needs to be validated, and all activities continuously monitored. With Zero Trust authentication, access is a continuous process that helps to limit risk.

Zero Trust isn’t just about locking things down; it’s also about providing consistent security and a common experience for users, wherever they are. So, whether a user is at home or in the office, they get treated the same from a security and risk perspective. Just because a user walked into an office doesn’t mean they should automatically be granted access privileges.

Zero Trust isn’t only about users: the same principles apply to cloud workloads and infrastructure components like OT devices or network nodes. There is still a need to authenticate devices and access, to authorize what the device is trying to do, and to provide control, and that’s what the Zero Trust model can provide.

All of these aspects of Zero Trust enable the heightened security posture that critical infrastructure demands.

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of implicit trust from an organization’s network architecture. The most important objectives in critical infrastructure (CI) cybersecurity are preventing damaging cyber-physical effects to assets, preventing loss of critical services, and preserving human health and safety. Critical infrastructure’s purpose-built nature, correspondingly predictable network traffic, and challenges with patching make it an ideal environment for Zero Trust.

Applying a Zero Trust approach that fits critical infrastructure

It’s important to realize that Zero Trust is not a single product; it’s a journey that organizations will need to take.

Going from a traditional network architecture to Zero Trust, especially in critical infrastructure, is not going to be a “one-and-done” effort that can be achieved with the flip of a switch. Rather, the approach we recommend is a phased model that can be broken down into several key steps:

1. Identifying the crown jewels. A foundational step is to first identify what critical infrastructure IT and OT assets are in place.

2. Visibility and risk assessment of all assets. You can’t secure what you can’t see. Broad visibility that includes behavioral and transaction flow understanding is an important step in order to not only evaluate risk but also to inform the creation of Zero Trust policies.

3. OT-IT network segmentation. It is imperative to separate IT from OT networks to limit risk and minimize the attack surface.

4. Application of Zero Trust policies. This includes:

Least-privileged access and continuous trust verification, which is a key security control that greatly limits the impact of a security incident

Continuous security inspection that ensures the transactions are safe by stopping threats — both known and unknown, including zero-day threats — without affecting user productivity

By definition, critical infrastructure is vital. It needs to be operationally resilient, be able to reduce the potential attack surface, and minimize the new or expanding risks created by digital transformation. When applied correctly, a Zero Trust approach to security within critical infrastructure can play a central role in all of this — ensuring resilience and the availability of services that society depends on every day.

Learn more about our Zero Trust approach.

About Anand Oswal:

Anand serves as Senior Vice President and GM at cyber security leader Palo Alto Networks. Prior to this, Anand was Senior Vice President of Engineering for Cisco’s Intent-Based Networking Group. At Cisco he was responsible for building the complete set of platforms and solutions for the Cisco enterprise networking portfolio. The portfolio spans enterprise products across routing, access switching, IoT connectivity, wireless, and network and cloud services deployed for customers worldwide.

Anand is a dynamic leader, building strong, diverse, and motivated teams that continually excel through a relentless focus on execution. He holds more than 50 U.S. patents and is focused on innovation and inspiring his team to build awesome products and solutions.


Businesses are always in need of the most robust security possible. As the remote workforce expanded during and post-COVID, so did the attack surface for cybercriminals, forcing security teams to pivot their strategy to effectively protect company resources. Furthermore, the rise of organisations moving to the cloud, the increasing complexity of IT environments, and legacy technical debt mean tighter security mechanisms are vital.

During this time of change, the hype around Zero Trust increased, but with several different interpretations of what it was and how it helps. Zero Trust means — as the name suggests — to trust nothing by default.

Zero Trust isn’t a piece of software in itself, but a strategy. Meeting the mandate will mean using a number of approaches, techniques and software types. The challenge only grows for those working piecemeal, without an overarching plan for using software and platforms that work together. In this article, I’ll discuss whether Zero Trust is a strategy that all businesses should strive towards, the growing shift towards a holistic security approach and how XDR aligns with Zero Trust.

Is Zero Trust an achievable goal for all businesses?

Zero Trust is an approach, not something that can be purchased. Just like a company will never be “100% secure”, it will likely never have “achieved Zero Trust.” That doesn’t mean security and Zero Trust are abandoned; instead, they are goals that are continuously strived for.

At Trend Micro, we leverage the terminology and concept of “Zero Trust” to help our own employees gain awareness of cybersecurity, while focusing on enhancements of foundational cybersecurity maturity through people, process and technology:

People – Enhancing awareness; turning the weakest link to the strongest link in defending against cyber threats.

Process – Developing, communicating and enforcing cybersecurity policy with alignments to enterprise risk management prioritisation and remediation.

Technology – Leveraging telemetry data integration and machine learning to gain full cyber risk visibility for action.

It is extremely costly to achieve the highest maturity of Zero Trust in an IT environment and in most cases, it is not economically feasible nor practical to do so. The maturity level should depend on the enterprise’s risk management framework and approaches as well as its data classification.

Shifting towards a holistic approach

Organisations often begin their Zero Trust journey when faced with new security considerations as they move to the cloud. Migrating on-premises resources to the cloud entails monitoring a growing digital attack surface: the set of all possible entry points for unauthorised access into any system, which is typically complex, massive, and constantly evolving.

Since the cloud doesn’t have a perimeter like on-premises environments, IT teams are struggling to keep up. A recent global study by Trend Micro found that SecOps lack confidence in their ability to prioritise or respond to alerts, with 54% of respondents saying they were “drowning in alerts”. With many enterprises using a hybrid cloud environment, operating several siloed point products to catch cyberthreats can be extremely challenging.

Organisations should look towards a holistic approach, adopting defence-in-depth security with multiple layers of protection. A unified cybersecurity platform, like Trend Micro One, provides enterprise-wide visibility, detection, and response combined with the security capabilities you need throughout the attack surface risk lifecycle. Our platform enables SecOps teams by providing a single point of truth across the entire infrastructure, gathering telemetry from all environments and correlating threat data to deliver fewer, but highly relevant, alerts to manage.

How XDR creates a solid foundation for Zero Trust

To properly assess the trustworthiness of any devices or applications, you need comprehensive visibility across your environment. A well implemented XDR solution provides full cyber risk visibility into an IT environment and when used in tandem with the Zero Trust approach, organisations can further enhance their security.

Monitoring and managing behaviour patterns of user access and data access are critical parts of Zero Trust. Trend Micro’s XDR solution offers automated detection and responses through machine learning and big data analysis. XDR automated response enforces consistent security policy while aligning to enterprise risk management.

Since XDR is constantly collecting and correlating data, it establishes a continuous assessment pillar of the Zero Trust strategy. This means that even after you’ve approved initial access for an endpoint, that asset will continually be reviewed and reassessed to ensure it remains uncompromised.

All businesses should strive for a foundational level of Zero Trust. To address the complexity of risk, the process needs to be treated like a lifecycle, in which continuous visibility and assessment are used to discover an organisation’s attack surface, assess the risk, and then mitigate the risk. At Trend Micro, we advise our customers to take Zero Trust implementation one step at a time.


“The barriers confronting organizations in South Africa that want to achieve carbon neutral status by 2030 are significant. Among them is the simple reality that most of the nation’s power production originates from coal-fired plants located in the northeastern part of the country while the greatest potential impact for sustainable approaches like solar and wind lie in the south. We can’t immediately upend the entire power grid structure, but together with a willing and enthusiastic government and strong partners like VMware, we can make a difference. We now have a framework in place to support Africa’s nascent efforts to achieve zero carbon emissions and support providers intent to achieve and apply the tenets of VMware Zero Carbon Committed program to their operations.” 

Bryce Allan, head of sustainability at Teraco Data Environments

Sumeeth Singh, head of VMware’s Cloud Provider Business in sub-Saharan Africa, was not surprised when the region’s leading cloud solutions and services companies enthusiastically embraced the VMware Cloud Verified initiative. With an established track record of success and extensive experience with the full VMware stack, many were ideally prepared to complete the rigorous process to apply for and receive the distinction.

The VMware Zero Carbon Committed initiative was, however, a different story. Singh knew that among providers the intent and desire to decrease their carbon footprints was strong. But the requirements, difficult in areas with an already mature sustainable energy infrastructure in place, were overwhelming in sub-Saharan Africa.

Specifically, partners would be required to commit that their data centers achieve zero carbon emissions by 2030, an effort that would require the use of 100% renewable energy. For partners in Europe where significant renewable energy sources exist in conjunction with a mature regulatory system of carbon offsets and credits, the process is still difficult.

“Like their counterparts in Europe, South African companies are increasingly mindful of resource constraints and the impact of fossil fuels on climate change,” said Singh. “They are also becoming more and more aware that their data center operations are a very large contributor to their overall carbon footprint. They also know that electricity in sub-Saharan Africa is primarily sourced from coal-fired plants. They want to do the right thing and minimize their emissions, but they are also seeing a dramatic increase in demand for hybrid and multi-cloud solutions and services – a reality that means they need more power, not less.”

Singh notes that for most partners, the resulting reality is that it would simply be unrealistic to pledge to achieve zero carbon emissions by 2030 because there are not enough renewable sources of energy in place to make it feasible. When no partners signed up for the VMware Zero Carbon Committed initiative, it was both a disappointment and a validation.

“Partners here didn’t sign up for this initiative not because they didn’t want to achieve zero carbon emissions by 2030, but because they didn’t think it was a realistic goal,” he says. “More to the point, they didn’t view VMware Zero Carbon Committed as a marketing effort, but rather as a genuine commitment that should only be made if they believed they could achieve what they signed up for.”

Singh had a choice. He could either accept that the requirements for VMware Zero Carbon Committed were too challenging for the region, or he could find an alternative.

“We don’t have the luxury to postpone taking action when it comes to climate change,” he adds. “We have to do something now. In our case, we could either wait to ramp up the Zero Carbon Committed initiative until South Africa’s sustainability efforts are more mature – in other words do nothing now – or we could modify the requirements to find a more manageable solution.”

That solution came in the form of Teraco, South Africa’s largest and most interconnected data center platform. With four ultra high-performance data centers in South Africa – including facilities in Cape Town, Durban, and Johannesburg – the company forms the core of the nation’s internet backbone, and serves as the interconnection for both local and global cloud services. Providing the connectivity for the Africa Cloud Exchange, Teraco’s carrier and cloud neutral platform is also Africa’s largest hub for AWS, Google Cloud, and Microsoft Azure.

In addition, it serves as the direct access point for more than 300 network providers, including telecommunications, terrestrial fiber, satellite connectivity, and submarine cable carriers; as well as more than 130 IT service providers, leading enterprises and financial services companies, and innumerable Internet eXchange points. Recently acquired by Digital Realty – the world’s largest provider of cloud and carrier neutral data center, colocation, and interconnection solutions – the company’s role connecting Africa to the world’s IT infrastructure will only increase.

Teraco is also the co-location provider of choice for most VMware Cloud Verified partners. But perhaps most importantly for those organizations that want to embrace VMware Zero Carbon Committed, it is also no stranger to efforts to reduce carbon emissions. In fact, it was already in the midst of Africa’s most ambitious effort to produce 100% sustainable power.

Singh saw an opportunity. If VMware Cloud Verified partners could engage Teraco for data center services that use the company’s renewable energy, they could offset their own power usage and realistically commit to significantly decrease their own carbon footprint.

It was an effort Bryce Allan, head of sustainability at Teraco Data Environments, immediately embraced.

“At Teraco we are aggressively pushing to increase our use of renewable energy sources,” he says. “One of our two newest and most significant solar projects is already under construction and we’ve set aside nearly $250 million over the next five years for the development of renewable energy sources and facilities. We also entered into a development service agreement with an experienced renewable energy developer and are already working with them to build two 100 megawatt solar facilities in Cape Town.”

Allan expects the first of those to go online early in 2023 and to produce 500 million kilowatt hours of electricity per year. Notably, this is in addition to the company’s extensive solar projects at its data centers, with the facility in Johannesburg already including a high-output solar system that is the first of its kind on the continent. Similar systems are being constructed for each of the company’s data centers, with those expected to be operational by the end of this year.

“We’re really excited to start building big solar plants that make a real impact on the region’s use of fossil fuels,” says Allan. “The fact that we can simultaneously provide motivated VMware Cloud Verified partners with the access to the power they need to make zero carbon emissions a realistic goal is another great benefit.”

Notably, Teraco committed to achieving the use of 50% renewable energy sources by 2027 and 100% renewable energy sources by 2035. Given the difficulty of achieving both goals in Africa, the decision was made to allow VMware Cloud Verified Partners who want to achieve the VMware Zero Carbon Committed distinction to pursue it in conjunction with Teraco and those metrics.

“We are years behind our partners in other areas of the world in our efforts to lower emissions,” adds Singh. “But if we can work together to achieve the use of 50% renewable sources of energy in five years, we will have accomplished something truly significant while simultaneously enabling Africa’s cloud solutions and services providers to pursue contracts that reward and encourage additional efforts to decrease emissions. That is a win for all involved.”

Within days of the partnership with Teraco being announced, five companies in South Africa joined the VMware Zero Carbon Committed initiative.

The inaugural partners in Africa’s VMware Zero Carbon Committed initiative

The first five VMware Cloud Verified partners to embrace the tenets of the VMware Zero Carbon Committed initiative – and to make the transition to renewable sources of energy a key focus with the goal of using only renewable sources of energy by 2035 – include Network Platforms, Routed, Saicom, Silicon Sky, and Strategix. We recently asked senior leaders at each company to share why they believe it’s crucial to radically decrease carbon emissions.

Network Platforms – Servicing businesses since 2003, Network Platforms provides a host of solutions to create effective ICT business environments. Its services are tailored to help businesses grow through increased productivity, profitability, and peace of mind. Its range of world-class, innovative products and services enables businesses to connect, communicate, and collaborate.

“It is imperative for all companies in Africa to look at the big picture and how we can collectively transition to renewable sources of energy. By transitioning to the cloud and software-defined data centers enterprises are taking a positive step for the environment. If we can run the hardware required for those endeavors with renewable sources of energy, we can collectively make a huge difference.”

– Bradley Love, founder and CEO of Network Platforms.

Routed – Routed is an experienced South African specialist VMware Cloud Operator offering scalable – full or hybrid cloud – vendor neutral hosting solutions. As a VMware Principal Partner, Routed proudly boasts many “firsts”: first VMware Cloud Verified provider in Africa; first Validated VMware DRaaS provider in Africa; and now also a VMware Zero Carbon Committed partner, backed by the highest levels of sales, service, and support for its partners and customers.

“Routed empowers its partners and its customers to prosper and grow, grounded by solid and secure cloud infrastructure foundations. In much the same way, the baobab tree, our company symbol, provides for people in Africa’s savannah regions – serving as the tree of life and giving them the materials they need for shelter, clothing, food, and water – all while providing the roots that serve as a strong foundation. We like to think of ourselves as the baobab of cloud infrastructure providers. That means we must safeguard our environment here in Africa and that starts with a commitment to decrease emissions.”

– Andrew Cruise, managing director of Routed

Saicom – Saicom is a leading service provider in the local market delivering a host of solutions designed to help organizations move to the cloud, improve their collaboration and deliver an unsurpassed customer experience. Saicom understands that what businesses need most, as they navigate the move to the cloud, is choice, support, and flexible solution architecture.

“The environment in Africa is one of the world’s richest and most beautiful. We must take action to ensure that we can pass it on to future generations. Climate change is a horrific danger, but it’s also a wakeup call that we cannot continue to build our businesses and our lives around sources of energy that are finite and that once used cannot be replaced. As an ICT leader, we have an opportunity to help our customers do more with less impact on the environment by embracing a software-defined approach that simultaneously delivers unprecedented computing power and potential.”

– Kyle Woolf, CEO of Saicom

Silicon Sky – Silicon Sky is a specialist IT infrastructure service provider. Silicon Sky specializes in Infrastructure as a Service (IaaS). Silicon Sky has a vast IaaS portfolio including compute, network, storage, security, backup, recovery and disaster recovery. Silicon Sky has enterprise grade managed cloud platforms co-located in multiple carrier neutral data centers in South Africa and the USA.

“ICT has transformed how companies do business and so many aspects of how we live our lives. As a cloud services and solutions leader, we have an opportunity, and an obligation, to demonstrate in our words and more importantly in our actions, how technology can combat climate change and make a difference. VMware Zero Carbon Committed presents us with an exceptional opportunity to do just that.”

– Brenton Halsted, CEO of Silicon Sky

Strategix – Strategix Cloud Services provides flexible, scalable, secure, simplified costings easy to scale. Strategix is the only certified cloud provider as well as VMware PSO certified (Professional Services Organization), thereby offering assurances to assist customers in their digital evolution, including application modernization and digital workspace in public, private, or hybrid clouds.

“We strive to always make an impact in a positive manner in our work with customers and our interactions with each other. That same philosophy applies to imperatives like sustainability and efforts to address climate change. Action and positive impact begin with making a commitment. For Strategix, that begins with pursuing the VMware Zero Carbon Committed distinction.”

– Jaco Stoltz, CEO of Strategix

For more information on VMware’s partnership with Teraco, view VMware’s “Feature Friday” video podcast here.
