In light of changing work habits and digital transformation initiatives, organisations around the world have looked to adopt zero trust as their cybersecurity approach. The “never trust, always verify” philosophy of zero trust meets many of the challenges facing organisations today where employees, third parties, and resources sit outside the traditional network perimeter.
To understand how Singapore organisations are progressing in their adoption of zero trust, BeyondTrust recently completed a survey on the subject, titled “Zero Trust Priorities for Singapore Companies”. This blog presents the findings of that survey in order to benchmark Singapore’s progress on its zero trust journey.
While the vast majority of organisations indicated that they had the fundamentals of zero trust associated with authentication and privilege well under control in their plans, digging a little deeper has revealed that there is a significant security gap that remains largely unaddressed.
What were the key survey findings?
Key findings from the survey indicated that:
- 88% of Singaporean IT leaders say that zero trust is important to their organisation’s cybersecurity strategy. Unsurprisingly, this number is higher for the public sector, where zero trust is considered a priority for 97% of organisations.
- Of the above respondents, 89% indicated they have already catered, to some extent, to the fundamental requirements of zero trust, such as authentication, compliance, and privilege management in their budgetary and procurement plans.
- However, our recent survey also found that 54% of IT leaders in Singapore believe that users in their organisations have excessive privileges beyond what is required to do their jobs.
Why do excessive privileges indicate a security gap for Singapore organisations?
One of the key tenets of zero trust is the principle of least privilege: that users have the right amount of privileges for the right amount of time to successfully complete their tasks.
Overprivileged users are a major cybersecurity challenge: past data from Forrester Research has shown that privileged credentials were implicated in 80% of data breaches. This new finding is a real concern, as it suggests significant immaturity in that part of the zero trust journey for Singaporean organisations.
How do Singapore Organisations compare to their APAC Peers?
Similar to findings from the recent Singapore survey, a previous BeyondTrust survey tracking Zero Trust Priorities for APAC companies found that APAC business and IT leaders consider the implementation of zero trust to be a top cybersecurity priority for the next 12 to 18 months. When it comes to the key drivers for organisations to initiate or augment identity management within zero trust, data protection is the top driver across both studies, with 46% of Singaporean IT leaders citing it versus 49% across the Asia Pacific. Specific to Singapore, other drivers such as meeting compliance mandates (16%) and providing secure remote access (12%) also have more impact on the initiative than they do across the Asia Pacific landscape.
Data gathered from BeyondTrust’s recent survey also shows that more than half of the surveyed Singapore companies are embracing third-party remote access in order to drive business productivity and continuity to their full potential.
This is not surprising given that the traditional workplace has evolved significantly, with Singapore being a significant adopter of remote working over the past three years. According to a survey by Robert Half, a leading specialist recruitment firm, 87% of Singapore employers are embracing the work-from-home model. This is a striking difference compared with employers across the Asia Pacific surveyed by CBRE, a global leader in commercial real estate services and investment. In their research, only 60% of employers are open to adopting a similar work model.
Yet the way remote access is made available amongst organisations does not align with zero trust fundamentals, with two-thirds providing third-party access to assets via VPNs which, if configured incorrectly, can grant far more access than what is needed. The figure for public sector organisations is even higher, at 77%.
The VPN Challenge
VPNs have been a workhorse of remote access for many years. However, during the recent pandemic, what was asked of the technology has stretched beyond its capabilities in many respects.
While VPN access was offered in the past to users who may have needed remote access, the volume of connections has increased significantly over the past couple of years. Any user on the VPN is assumed to be trustworthy. Yet VPNs struggle to meet the requirements of least privilege.
Once connected, VPN users typically have freedom to move about within the network with an “access all areas” pass. While this is not always the case, VPNs are often not configured to restrict access to specific resources on a network. Contrast that with dedicated Secure Remote Access solutions, where access can be easily limited, if needed, to a single task, such as restarting a service on a server. These solutions meet the obligations of least privilege, helping organisations on their zero trust journey. However, barely 10% of Singapore organisations have adopted dedicated remote access solutions.
With that said, there may be an appetite to step up the security associated with remote access. 75% of respondents acknowledged that securing the remote workforce is a challenge while 69% said that provisioning secured essential third-party access is also a challenge.
Growing cybersecurity concerns revolving around privilege escalation correlate directly with your organisation’s expanding digital universe and the number of people given some level of authority to operate within it. And most organisations are well acquainted with the cybersecurity risk that comes along with information technology’s benefits.
A swiftly expanding digital perimeter—both physical and logical—inevitably makes organisations more vulnerable to the cyberattack chain, regardless of how far the perimeter has extended. The attack process starts with a successful perimeter breach or insider malfeasance, followed by the theft of “privileged” user credentials through either poor privilege security management or exploitation of a vulnerability. With privileged user IDs and passwords in hand, an attacker can then move laterally throughout an organisation, seeking its most valuable digital resources.
As the IT perimeter continues to evolve, threats and risks become increasingly difficult for IT and security teams to manage as they try to connect the dots between privileged accounts, vulnerabilities, exploits, and successful data and system breaches. This barrier is a big reason why compromised privileged credentials are such a dominant source of successful attacks, and why 88% of the IT leaders in Singapore believe that zero trust access is vital in their organisation’s cybersecurity strategy.
Scott Hesford, Director of Solutions Engineering, APJ
Scott Hesford has over a decade of experience in IT security. Before joining BeyondTrust in 2019, he worked as Principal Consultant for CA Technologies and other large enterprises in Australia and New Zealand. A trusted cyber security advisor to enterprise customers, his experience spans across several industries such as banking, insurance, energy and utilities, in addition to state and federal governments. At BeyondTrust, Mr Hesford is an essential contributor in the regional security engineering department, helping enterprises and government agencies improve their security posture against internal and external threats.