Cyberattacks on supply chains continue to wreak havoc, especially impacting small businesses that use information technology (IT) services. A zero-trust security model is one important model to help mitigate the impact of such attacks across industries. In an interview, Terence Gomes, head of security for Microsoft India, explains what zero-trust security is, and how it works. Edited excerpts:
What is a zero-trust security model, and how does it work?
The zero-trust model firstly mandates explicit verification, even for trusted devices. The second mandate is to minimise privilege access, including reducing user access to only required sections — and for limited time periods. The third mandate is to “assume breach”, which mandates enterprises to architect their infrastructure by assuming that an attacker is in their systems.
Under these core blocks are six categories — an identity layer, which is the entry-point for users. The next is device health, to check if they are compliant with the organisation. The third is application security — which moderates what an enterprise application accesses, and which KPIs it calls. The fourth category is encrypting data and closely authorising access, and the fifth and sixth ones are network segmentation and continuous monitoring of the entire setup.
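The three mandates above (verify explicitly, least privilege with time-limited access, assume breach) and two of the six categories (identity and device health) can be shown as a small policy decision point. The following is an added illustration, not code from Microsoft or from the interview; the classes, the one-hour session limit, the users, devices and scopes are all constructed for the example.

```python
"""Toy zero-trust policy decision point (constructed illustration, not a product API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed value: sessions older than this must re-verify, even on a managed device.
TOKEN_MAX_AGE = timedelta(hours=1)


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool
    token_issued_at: datetime


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool     # enrolled with the organisation
    compliant: bool   # passed health checks (patch level, disk encryption, ...)


@dataclass(frozen=True)
class Grant:
    user: str
    scope: str             # e.g. "hr-db:read" (hypothetical scope name)
    expires_at: datetime   # just-in-time, time-boxed privilege


def evaluate(identity, device, scope, grants, now, audit):
    """Return (allowed, reason). Deny by default; every decision is appended to the audit log."""

    def decide(allowed, reason):
        # Continuous monitoring: the log captures denials as well as grants.
        audit.append({"user": identity.user, "device": device.device_id, "scope": scope,
                      "allowed": allowed, "reason": reason, "at": now.isoformat()})
        return allowed, reason

    # 1. Verify explicitly: a known, managed device does not exempt the user from MFA.
    if not identity.mfa_verified:
        return decide(False, "mfa_required")
    if now - identity.token_issued_at > TOKEN_MAX_AGE:
        return decide(False, "session_too_old")
    # 2. Device health: unmanaged or non-compliant devices get nothing.
    if not (device.managed and device.compliant):
        return decide(False, "device_not_compliant")
    # 3. Least privilege: exact scope, belonging to this user, and not yet expired.
    for g in grants:
        if g.user == identity.user and g.scope == scope and g.expires_at > now:
            return decide(True, "grant_ok")
    return decide(False, "no_valid_grant")


def run_demo():
    """Evaluate four constructed requests and return (results, audit_log)."""
    now = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)
    audit = []
    alice = Identity("alice", mfa_verified=True, token_issued_at=now - timedelta(minutes=10))
    bob = Identity("bob", mfa_verified=False, token_issued_at=now)
    laptop = Device("lt-001", managed=True, compliant=True)
    byod = Device("phone-7", managed=False, compliant=False)
    grants = [
        Grant("alice", "hr-db:read", now + timedelta(hours=2)),
        Grant("alice", "hr-db:write", now - timedelta(minutes=1)),  # already expired
    ]
    results = {
        "alice_read": evaluate(alice, laptop, "hr-db:read", grants, now, audit),
        "alice_write_expired": evaluate(alice, laptop, "hr-db:write", grants, now, audit),
        "alice_byod": evaluate(alice, byod, "hr-db:read", grants, now, audit),
        "bob_no_mfa": evaluate(bob, laptop, "hr-db:read", grants, now, audit),
    }
    return results, audit


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo()[0].items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The order of the checks matters: identity is verified before device state is consulted, and a privilege is only honoured while its expiry is in the future, so the write grant that lapsed a minute ago is refused without any special-casing. Logging every denial is what turns "assume breach" into something an analyst can act on.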
Can adopting zero-trust help companies deal with supply chain attacks?
Supply chain attacks have become popular purely because the return on investment (RoI) for such an exploit for an attacker is high. This, too, boils down to the aspect of inherent trust in systems, which is being exploited. Here, too, a zero-trust model is critical. It makes it difficult for attackers to breach boundaries. Another key thing that zero-trust does is to significantly reduce the blast radius of a major cyber exploit.
How has adoption of password-less logins grown so far?
More than 200 million users on the Azure platform have already adopted password-less logins. The latter is a great strategy to minimise breach exposure. It is also convenient, so the benefits are clearly there.
What are the key security needs as enterprises adopt a hybrid work model?
The cyberattack surface has significantly expanded. These include mobile devices, personal devices and accessing company data from anywhere. These things have created concern regarding visibility of data and devices in an on-site environment. The volume of attacks, too, has significantly risen. Organisations are also dealing with a lot of operational complexity in too many vendors, and multiple security tools that are siloed and non-collaborative. This makes dealing with cyber security more difficult.
Managing the attack surface (the number of possible points of entry for an attacker) to reduce the exposure areas is a key aspect for 2022. A second initiative is an end-to-end security management programme to secure all access points, consolidating multiple security tools and using default security tools for enterprise customers.
What can big tech corporations do to tackle cybercrime marketplaces?
This is where we collaborate with industry peers, agencies and government bodies. The Microsoft Digital Crimes Unit has been working to identify cyber criminals, as well as infrastructure to launch attacks. The infrastructure is typically at scale, where they target not just organisations, but countries as well. Our task is to collaborate to find ways to bring down such infrastructure, which makes barriers more difficult for cyber criminals to break down easily.