From buzzword to action: Crafting a comprehensive and effective Zero Trust model

Monday, 4 December 2023 00:35

Cyber Security Evangelist, EC Council Master Trainer Belly Rachandianto

Brandix Digital Transformation Chief Operating Officer Oshada Senanayake

Commercial Bank CIO and CBC Tech Solutions Ltd. Managing Director Sumudu Gunawardhana

JIT Chief Technology Officer Neranjan Dissanayake

Talos Consulting Cyber Security Advocate Managing Director Asela Waidyalankara

Moderator Daily FT CEO-Editor Nisthar Cassim

From left: Cyber Security Evangelist, EC Council Master Trainer Belly Rachandianto, Brandix Digital Transformation Chief Operating Officer Oshada Senanayake, Commercial Bank CIO and CBC Tech Solutions Managing Director Sumudu Gunawardhana, JIT Chief Technology Officer Neranjan Dissanayake, Talos Consulting Cyber Security Advocate Managing Director Asela Waidyalankara and Moderator Daily FT CEO/Editor Nisthar Cassim


By Hiyal Biyagamage


The cybersecurity landscape is continually evolving, and amid the myriad of buzzwords, the concept of Zero Trust has emerged as a foundational paradigm. Beyond the industry jargon, Zero Trust represents a fundamental shift in how organisations approach security. Instead of assuming that everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’

The final session of the Daily FT-CICRA Cyber Security Summit titled ‘Zero Trust beyond Buzzwords: Implementing a comprehensive and effective zero trust security strategy’ saw local and global subject matter experts delving into the core principles of Zero Trust. They explored its significance in the current threat landscape and provided insights into implementing a comprehensive and effective Zero Trust security strategy and how it should be embedded into an organisation’s digital transformation (DX) journey.



Understanding Zero Trust: Going beyond perimeter defence 

Cybersecurity Evangelist and EC Council Master Trainer Belly Rachandianto, who also spoke at the CEO Forum on Zero Trust, said the new security model is a security framework that challenges the traditional notion of a trusted internal network and an untrusted external network.

“In a Zero Trust model, trust is never assumed, regardless of the user’s location or the network they are on. This approach acknowledges that threats can originate both externally and internally. The core tenet is to verify and authenticate every user, device, and transaction before granting access, irrespective of their perceived trustworthiness.”

He said the traditional perimeter-based security model is increasingly inadequate in the face of sophisticated cyber threats. 

“With the rise of remote work, cloud computing, and the proliferation of connected devices, the attack surface has expanded exponentially. Zero Trust addresses these challenges by adopting a ‘never trust, always verify’ mindset. This becomes particularly critical as cyber threats become more sophisticated, often bypassing traditional security measures. Zero Trust mitigates the risk of lateral movement within a network, limiting the potential impact of a security breach,” said Rachandianto.

While Zero Trust is a powerful security paradigm, its implementation is not without challenges. It requires a cultural shift within organisations, often challenging traditional models and practices. The complexity of implementing and managing a Zero Trust strategy can also be a barrier. Integration with existing systems, user experience considerations, and the need for continuous adaptation to evolving threats are factors that organisations must carefully navigate.

“In an era where cyber threats are dynamic and ever-evolving, Zero Trust goes beyond being a buzzword and emerges as a necessity. Implementing a comprehensive and effective Zero Trust security strategy is not just about adopting specific technologies; it’s a holistic approach that encompasses people, processes, and technologies. Organisations that embrace Zero Trust are better positioned to navigate the complexities of the modern threat landscape, fortifying their defences against both external and internal threats,” Rachandianto said.



Cybersecurity will be the next crisis

Rachandianto also discussed the notion of cybersecurity becoming the new crisis. He said as people delve deeper into the digital age, they are entrusting more aspects of their lives to technology.

“The inherent paradox in this digital age is that as our reliance on digital systems increases, so does our exposure to cyber threats. Malicious actors, ranging from state-sponsored hackers to cybercriminal organisations, continually evolve tactics to exploit vulnerabilities in our digital lives. Cyberattacks can range from data breaches and ransomware attacks to the compromise of critical infrastructure, and the consequences can be devastating, both on an individual and societal level.

“The convergence of these factors has set the stage for cybersecurity to become the new crisis that the world must grapple with. Cyber threats pose risks not only to personal data and financial assets but also to the very fabric of the interconnected society. The potential fallout from large-scale cyberattacks on essential infrastructure, such as power grids or financial systems, can disrupt entire nations and compromise national security,” he opined.

He also said, “The call to action is clear. Business leaders, governments, and individuals must prioritise cybersecurity as essential to our digital lives. Investment in robust cybersecurity measures, education on digital hygiene, and international cooperation are all crucial steps to mitigate this impending crisis. Failure to do so could leave us vulnerable to a new form of warfare and chaos in the digital age.”



Zero Trust’s impact on enterprise digital transformation 

Delivering the guest speech, Brandix Digital Transformation Chief Operating Officer Oshada Senanayake said that in the ever-evolving landscape of digital transformation, where enterprises embrace innovative technologies to stay competitive and agile, the imperative of implementing a Zero Trust security model has become paramount.

“Traditional security paradigms, which relied heavily on perimeter defences and assumed trust within the network, are proving insufficient in the face of sophisticated cyber threats and the dynamic nature of modern business practices. Organisations must explore the critical role of Zero Trust in the context of enterprise digital transformation, its significance, key principles, and the transformative impact it can have on securing digital ecosystems,” said Senanayake. 

He said digital transformation has reshaped the way organisations operate, leveraging cloud services, mobile technologies, and interconnected networks to enhance efficiency and customer experiences.

“However, this digital evolution has also expanded the attack surface for cyber threats. Zero Trust recognises that the traditional approach of trusting users and devices within the network perimeter is outdated and inherently risky. In the era of digital transformation, where users may access corporate resources from various locations and devices, the need for a security model that validates identity and authorises access on a continuous basis is crucial.”

Explaining the key principles of the model, Senanayake said Zero Trust’s ‘never trust, always verify’ principle challenges the traditional notion that once a user gains access to the network, they can be implicitly trusted. Instead, Zero Trust mandates rigorous verification at every access attempt, regardless of the user’s location or the network they are on.

“In the Zero Trust paradigm, identity assumes a central role as the new perimeter, necessitating robust identity and access management practices. Multi-factor authentication and continuous authentication form foundational elements, ensuring that access is granted based on verified and continually authenticated user identities. Continuous monitoring, involving real-time observation of user behaviour, network traffic, and data access, is imperative for the prompt identification of anomalous activities, enabling swift response and mitigation. Most importantly, data encryption is fundamental in Zero Trust, safeguarding sensitive information both in transit and at rest, aligning with the principle that data is always considered at risk,” said Senanayake.



Transformative impact on digital transformation and security 

Zero Trust, far more than a security protocol, serves as a transformative approach seamlessly aligned with the objectives of digital transformation. This shift from reactive perimeter defence to a proactive, identity-centric model brings about transformative outcomes, said Senanayake.

“Enhanced cyber resilience is a cornerstone, empowering organisations to withstand and recover from cyber threats through continuous identity verification and activity monitoring, reducing the risk of unauthorised access and lateral movement. Zero Trust exhibits inherent adaptability, accommodating the dynamic changes characteristic of modern digital ecosystems during the course of digital transformation. It facilitates remote work by enabling secure access to corporate resources from any location, emphasising identity-based authentication over physical proximity.

“In essence, Zero Trust not only bolsters security but fundamentally transforms the organisational landscape, fortifying resilience, fostering adaptability, and securing the digital future,” Senanayake emphasised. 

In conclusion, Senanayake highlighted that the imperative of Zero Trust in the context of enterprise digital transformation is not just a security necessity; it is a strategic enabler.

“As organisations navigate the complexities of digital evolution, Zero Trust provides a resilient and adaptive security model that safeguards against emerging threats while fostering the flexibility and innovation required for successful digital transformation. Embracing Zero Trust is not merely a choice; it is a fundamental shift that positions enterprises to thrive in the evolving digital landscape, securing their assets and sustaining their competitive edge.”

The two speeches were followed by a panel discussion moderated by the Daily FT Chief Editor and CEO, Nisthar Cassim. Alongside Rachandianto and Senanayake, JIT Chief Technology Officer Neranjan Dissanayake, Commercial Bank of Ceylon Chief Information Officer and CBC Tech Solutions Ltd. Managing Director Sumudu Gunawardhana, and Cyber Security Advocate and Talos Consulting Managing Director Asela Waidyalankara shared their expert insights at the panel discussion.

Strategic partners of the summit were Visa and Huawei. The official payment network was LankaPay, the official finance company partner was People’s Leasing and Finance PLC, the knowledge partners were PCI Security Standards Council and ISC2 Chapter Sri Lanka, the creative partner was Mullenlowe and the hospitality partner was Cinnamon Grand.


Pix by Upul Abayasekara and Ruwan Walpola
