How a Zero Trust approach to cybersecurity can help digital native businesses keep their products and services secure
Cybersecurity and industry experts said that integrating good security practices such as Zero Trust right from inception can help companies thwart cyberattacks and recover from them quickly.
With an increasing number of cyberattacks taking place every single day, it’s essential for businesses, especially digital businesses, to integrate cybersecurity strategies that not only help them react to attacks but also prevent threats from arising.
One of the ways companies can do so is through a Zero Trust approach that scrutinises every external interaction a product or service has, and therefore reduces the risk of an attack to a single point of exposure at a time. The approach was the topic of discussion at a roundtable of experts organised by AWS and Palo Alto, in association with YourStory, titled ‘Empowering Cybersecurity with Zero Trust’, held in New Delhi on November 25, 2022.
Moderated by YourStory’s Director of Content, Brand Solutions Varnika Gupta, the discussion included a number of cybersecurity experts and industry professionals: Sunil Kumar - CTO,; Archie Jackson - Sr. Director, Head of IT & Cybersecurity, Incedo Inc; Deepak Kapoor - Executive Vice President Technology, ; Bibhu Krishna - IT Head, PB Group; Riyaz Tambe - Director - Prisma Cloud Systems and Consulting Engineering, JAPAC, Palo Alto; and Lalit Kumar - Principal Security Architect, AWS.
Lalit opened the discussion by establishing that cybersecurity was more than just a necessity, and that it helped give value to companies as well. “When we start looking at cybersecurity from a business perspective — specifically in this world of cloud — we are seeing this as a trend of creating value. If you are building a product and you created a company out of it, what stops others from building a similar product? What’s the differentiator between the two organisations? One of the key differentiators is security. If your business could be killed by a lack of security controls, then your competitor wins. So security adds value to your business, how people trust you,” Lalit said.
Riyaz added that with more and more companies moving to the cloud, security had become a bigger priority in recent years, especially during the pandemic. However, a challenge in scaling security offerings within businesses was a skill gap. He explained, “Skill, I think, will always play a catch up game. The demand is much higher and security is something that — especially in the cloud space — becomes a little challenging. On one side, we have people who are developers or DevOps teams who are very good with that aspect of things, and then there are security professionals who have a good understanding of the threat landscape. Getting a combination of these two, I think that's where there is an open space.”
In the logistics industry, Sunil said that every digital data node within the supply chain was open to threats, since there are a number of interconnected devices transmitting data constantly. Data visibility, however, was something that helped Shiprocket secure its processes. “Zero Trust starts from the very first time you plan a specific feature to be built. Be it as simple as an API through which you have to expose data. What kind of data will flow out, what are the authentication mechanisms pointed out — how is your observability built in? At each and every step you have to ensure that you’re able to quickly take corrective action so that you don’t have to go to the very beginning,” Sunil explained, adding that SaaS offerings were helping companies be a lot more aware of security.
Deepak agreed that visibility helped prevent and track threats from an operational perspective, along with implementing automation and isolation zones within the product once an attack did occur. How companies reacted to an attack also made the difference. “An attack can happen from any direction and you can theoretically be ready for it. But a solid response mechanism is also required. Once the attack happens, you need to understand how the little speck spreads and then how you recover from it, and how you come out stronger,” he said, adding that maintaining a “clean desk” policy, where no unattended copies of data are made, for developers and data science teams could help prevent attacks.
Archie also spoke about the importance of integrating security protocols right from the inception of product and service building. “First of all, security is a mindset which should be by design. If we are looking at anything, without a holistic view, security cannot be implemented,” he said, adding, “Zero Trust is an approach without which at this point in time and beyond, we will not be able to execute any businesses. So that approach needs to be embedded in the entire architecture, not limited to segments. That’s what we are doing.”
As the discussion moved on to a developer-focussed conversation, Riyaz said that the developer and security professional community needed to keep upskilling and reskilling itself to be able to prepare for any threat. “I think the rate at which we are seeing the evolution in the security space, especially in the cloud native environment, is at a very fast pace. And there are so many new capabilities that keep on coming up, especially mainly because of the availability of open source tools,” Riyaz concluded.