Although these changes have been underpinned by a widespread move to the cloud and the shift to remote and hybrid work brought on by the pandemic, the benefits they have produced mean there is no going back for modern businesses.
In this new era of working, the traditional perimeter-based approach to security – which was fronted by firewalls, anti-virus and other technology, and defined by static permissions to company resources – is no longer sufficient.
Now the dynamics have changed: employees need to access data, documents, databases and networks from external connections and various geographies. This increasingly distributed, off-premises computing landscape has the user at its centre, with the crown jewels – data – largely stored in the cloud, and it faces a growing number of security risks and cyberattacks.
A recent IDC Cybersecurity survey commissioned by Microsoft showed that 50 percent of South African business leaders are concerned with the consequences of security breaches – and that cloud security is the number one priority for investment, with 28 percent of leaders stating they will move to the cloud to help address security priorities.
This research also found that organisations are putting the user at the centre of this new paradigm: confirming users’ identities, together with an additional layer of security, emerged as the most important security priority for 49 percent of business leaders in South Africa in the next 6 to 18 months.
The need to confirm identity is a central feature of the Zero Trust principle, which has emerged as a guiding security strategy for businesses in the last few years. This model means trusting no individual or system: explicitly verifying their identity, using least privilege access to give them access only to what they need, for as long as they need it, and always assuming breach.
Protecting businesses where they’re vulnerable: using least privilege access and Zero Trust
Identity remains the number one place where people are vulnerable because many users simply do not know what security is required around accessing data, networks and confidential information – or do not realise their identity is being compromised.
Popular identity attacks currently involve credential theft through broad and spear phishing emails and credential-stealing malware – with research indicating that phishing attacks can successfully compromise employees from even well-trained organisations. Other attacks include using sophisticated automated tools for credential stuffing attacks and password spraying, because of people’s propensity to reuse credentials such as user names and passwords.
Many users – and even businesses – have traditionally only considered security when they have been breached. But the Zero Trust mindset treats a breach or attack as a case of when rather than if, and security architecture and strategies are built with this in mind. This makes it ever more important to prioritise and protect a user’s identity to ensure that identity exploits are minimised.
Access control and management – as one of the main drivers of the Zero Trust principle – is the key in this new paradigm and world of work. Organisational data, systems and networks can no longer come with static permissions because this will leave a gaping hole that bad actors will be able to exploit.
More and more, businesses are using least privilege access, which essentially means granting users access only to what they need, for as long as they need it, before revoking permission. Users are still able to perform their role, but with the minimum level of access required, which plugs as many holes as possible in the security environment while ensuring minimal disruption to productivity.
Least privilege access is a core element of Zero Trust, which then needs to be matched by additional layers of security, such as multi-factor authentication, facial recognition or encryption, among others. It also needs to be matched by strengthening the people and culture side of the equation, to ensure that employees view security as a way of working and truly understand its value to the business rather than assume it is someone else’s responsibility.
The good news is that security, and cloud security especially, is becoming a boardroom discussion and priority for investment.
Going forward, the technical and cultural sides of security need to merge: the people, processes and technology that underpin the security of modern businesses have to be in harmony. The IDC research showed that business leaders are increasingly recognising this, with 49 percent saying they are investing in building a security culture and increasing understanding of security’s value to the business.
Part of this culture change will also mean making security pre-emptive rather than reactive, as it has traditionally been. In this changing world, it needs to become proactive and be underpinned by end-to-end automated and intelligent security – using intelligent solutions and tools like Artificial Intelligence – to continuously monitor the organisation’s computing environment, and then pick up, triage and act on incidents before they happen.
About Colin Erasmus, Modern Workplace and Security Business Group Lead at Microsoft South Africa
Colin Erasmus started his professional career as an entrepreneur in a start-up technology consultancy, and developed niche technologies that are still being used today in the electronic events registration industry.
He is one of a select few privacy-certified individuals in South Africa, and assisted in drafting South Africa’s privacy legislation (POPI Bill). Colin has over 20 years of experience with Microsoft that has equipped him with strong business acumen and people management experience. He is an expert in Microsoft Modern Workplace solutions, which help customers improve employee productivity and satisfaction, and create seamless communication and collaboration across locations and platforms while maintaining the security and integrity of systems and data.