Zero trust should be the new normal for security – Forrester
With IT security spending likely to be stagnant, companies have to be smart and adopt a zero-trust approach to reduce the risk of crippling cyber-attacks and build resilience to future disruptive events.
The analyst group Forrester coined the term “zero-trust” to describe how an increasingly complicated online environment means people inside and outside your network need to be treated the same from a security perspective.
It is ten years since John Kindervag, then a Forrester analyst and now field chief technology officer at cybersecurity firm Palo Alto Networks, came up with the Zero Trust Architecture that has become so influential to network security efforts worldwide.
This week, Forrester’s Singapore-based research director, Frederic Giron, said that the remote working movement sparked by the Covid-19 pandemic had, by necessity, put zero trust security front and centre as a security strategy as technology managers dealt with a more complex range of devices, applications and network configurations than ever.
“There is no more implicit trust,” Giron told those tuned into a virtual webinar held by Forrester and Microsoft earlier this week.
“The primary concept in the original Forrester Zero Trust model is to ensure that all resources are accessed securely, regardless of location,” he added.
That meant strictly enforcing access control to networks, applications and devices and preventing users from having more access than they need, what Forrester refers to as “least privilege access”.
Proving identity is integral to that, which involves multi-factor authentication systems and increasing use of biometrics. Device health was part of the zero-trust mix, which was a challenge as large organisations in some cases distributed thousands of new devices to set up employees to work from home.
“Zero Trust advocates for device security as part of the overall information protection model. Organizations must verify that devices are uncompromised and free of malware before they access data,” explained Giron.
“When they conduct these checks beforehand, it’s less likely that devices will introduce vulnerabilities into the environment.”
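The three checks Giron describes (verified identity, a device known to be uncompromised, and no more access than the role needs) can be combined into a single default-deny access decision. The policy engine below is an added example, not code from Forrester or the webinar; the device posture claims, the role table and the resource names are all constructed, and it deliberately ignores network location, since zero trust grants no implicit trust to being "inside" the network.

```python
from dataclasses import dataclass

# Constructed least-privilege table: which actions each role may perform on a resource.
ROLE_PERMISSIONS = {
    "finance-analyst": {"ledger": {"read"}},
    "finance-admin": {"ledger": {"read", "write"}},
}


@dataclass(frozen=True)
class Device:
    # Posture claims assumed to come from an endpoint agent or MDM (hypothetical source).
    managed: bool
    disk_encrypted: bool
    malware_detected: bool
    patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool
    device: Device
    resource: str
    action: str
    on_corporate_network: bool = False  # present but never consulted: location grants no trust


def device_healthy(d: Device, max_patch_age: int = 30) -> bool:
    """Device must be managed, encrypted, malware-free and patched recently."""
    return (d.managed and d.disk_encrypted
            and not d.malware_detected and d.patch_age_days <= max_patch_age)


def evaluate(req: AccessRequest) -> tuple:
    """Default-deny: identity, device posture and least privilege must all hold.

    Returns (allowed, reason); the reason string is meant to be logged so that
    denied requests can be reviewed by the security team.
    """
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    if not device_healthy(req.device):
        return False, "device: posture check failed"
    allowed_actions = set()
    for role in req.roles:
        allowed_actions |= ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"authz: '{req.action}' on '{req.resource}' not granted to {sorted(req.roles)}"
    return True, "allow"
```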
Forrester had just surveyed 408 “purchase influencers” across Asia Pacific about security-related issues, which had revealed some weaknesses in the business continuity planning undertaken prior to Covid-19 forcing most countries into lockdown.
Business continuity plans lacking
Only 49 per cent of Asia Pacific organisations surveyed said that their business continuity plans had accounted for cyber attacks and cybersecurity issues.
“They were not prepared, not because they didn’t have BCP plans in place, but more because they could not react quickly enough,” said Giron.
“The scale and the speed of the pandemic took most companies by surprise.”
While 71 per cent of those surveyed advocated for improved plans for future disruption, Giron said that their ability to do so would be determined by the extent to which they’d been hit by the economic effects of the pandemic.
Some, such as airlines and hospitality and tourism companies, were in “survival” mode. Others had taken a 10 – 15 per cent hit on revenue and were adjusting to the new normal – or “adaptive mode” as Giron calls it.
A lucky minority, which included a lot of companies working in the tech space, were in “growth mode”, helping organisations adapt to the new working environment.
Forrester had been forecasting a 10 per cent increase in IT security spending for 2020, but has revised that to a drop of between zero and five per cent, indicating the strain on budgets as survivors and adapters weather the Covid storm.
Stagnant security budgets would see companies need to be smart in their approach to securing their networks, devices and data. While the lockdown had spurred a flurry of investment in servers, networking and devices, “endpoint security” systems and even virtual private network software to keep businesses operational, the nature of spending was beginning to change.
Companies pursuing security as a service
Companies were increasingly seeking out software as a service (SaaS) based security solutions to apply across their businesses.
“This is something we had seen even before the crisis in Asia-Pacific, where companies were increasingly interested in leveraging software as a service-based security solutions,” said Giron.
They were also looking to boost their security staffing levels, which may prove challenging as there is a skill shortage in this area.
Forrester describes four phases of the pandemic and suggests we are currently in “phase 3”, the “management” phase, which will extend into early 2021. It follows the “infection” and “social distancing” phases and precedes the much-anticipated phase 4, “eradication”.
From a security perspective, phase 3 would see continued cyber attacks aimed at exploiting lower levels of home working security and collaborative technology, such as video conferencing and document sharing systems.
Security would be “absolutely primordial in phase 3,” said Giron.
“But the reality is that budgets are going to, maybe not decrease, but at least stay flat.”
The leaders in the Asia Pacific region, from a security perspective, would be those organisations that had leveraged zero trust approaches. They had already re-engineered their systems to deal with remote workers, contractors, customers and suppliers operating in their networks in a zero trust environment.
Just under half of the organisations surveyed indicated that around 50 per cent of their workforce would continue to work from home.
And when would we finally exit phase 4 and eradicate Covid-19?
“This is almost impossible to answer,” Giron admitted.
Two years to recovery
“It will vary from sector to sector. If you take airlines, for instance, IATA forecasts that the 2019 level of air travel will not be recovered until 2023. The situation could improve faster, but also take longer depending on a large number of factors. Suffice to say, the recovery will take at least one or two years.”
As for discovery and distribution of a vaccine, “we think it will take months, if not a couple of years before we can actually find this [vaccine],” said Giron.
But even then, we faced a less stable world in the future, which would have implications for IT security.
“I don’t want to be overly dramatic, but if we take into account some of the systemic changes regarding climate change or pandemics, we are going to live in a highly insecure and uncertain world.”
The answer was to use business resilience as a competitive advantage, to invest in security technologies and implement zero-trust policies to minimise the risk of damaging cyber-attacks and data breaches.
Forrester – four security trends for phase 3 and phase 4