In a recent announcement, the Government of India voiced concern over the obsolete state of the IT Act (Information Technology Act 2000), which is now more than two decades old. The dynamics of the cyber domain and the sophistication of attacks in it have led the government to consider revamping the laws and making the rules of the game more inclusive and robust.
“Government’s goals are aimed at ensuring Open, Safe & Trusted and Accountable internet for its users. Since then, the technology and the internet today has evolved at a very fast pace. There is a paradigm change in the opportunity in the Cyberspace and the challenges associated with it, which was not envisaged in 2000.” This information was given by the Minister of State for Electronics & Information Technology, Shri Rajeev Chandrasekhar in a written reply to a question in Rajya Sabha today.
The concept of ‘Zero Trust’ architecture as a cybersecurity practice has come into sharp focus among third world countries, whose dependency on cyber infrastructure is at its fullest. A breach or denial of any cyber infrastructure or cyber-dependent service has a colossal impact on the financial and human satisfaction index of the country. Many governments have already adopted, or are in the process of adopting and implementing, ‘Zero Trust’ policies.
What is Zero Trust
‘Zero Trust’ is a security concept centered on the belief that an organization should not automatically trust anything inside or outside the core IT infrastructure that caters for its business and management. Zero Trust instead focuses on mandatory verification of anything and everything trying to connect to or interact with the systems before access is granted.
How is ‘Zero Trust’ different from the cybersecurity measures already in place for most organizations? ‘Zero Trust’ architecture is a security method that requires all users of a given network to be continuously authenticated, validated and authorized in order to access that network’s data and tools. In the regime of ‘Routine Cybersecurity’, by contrast, all access is treated as trusted ab initio, and the user credential, once supplied, establishes the trust for access to the IT systems. In the ‘Zero Trust’ regime, no devices or users are automatically trusted to gain access to the network.
Zero Trust optimises and maximises the use and authority of authentication. It also provides increased visibility into all user activity and optimises the ability to provide access dynamically based on the current use case. Its implementation also reduces an attacker’s ability to move laterally within your organization once the vertical ingress has been made.
Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.
What does an Information Technology Act with Zero Trust incorporation entail?
This recent mandate of the Government of India sets the precedent for the concerned stakeholders, including industry, legal experts and academicians, to achieve the objectives, including new legislation, amendments of the Rules, etc., in the cyber domain of the nation. It has been reported that the Ministry of Electronics & Information Technology (MeitY), Government of India, has received many ideas during different consultation processes while concentrating on the amendment or release of the new IT Act. The new act is expected to provide a refreshed strategic methodology for cyber security, so that the Government, entities and private organisations alike adopt the concept of ‘Zero Trust’ seriously when implementing the provisions of the New Act.
Trust in technology and data is one of the largest challenges facing the tech industry, and hence the ‘Zero Trust Model’ will enable organisations to not trust anything or anyone ab initio. The approach that India will be adopting through the enactment of the New IT Act is aimed at updating the long-standing perimeter-based network security model. The perimeter approach assumed that any user inside the boundaries of a corporate or enterprise network was a “trusted” user, able to access network data without multi-factor authentication. Those who were outside of the network were considered “untrusted” users.
It is envisaged that the New IT Act will adopt the concept of ‘Zero Trust’ in its provisions, so that ‘Implementation Organisations’ and ‘Compliant Organisations’ adopt solutions that enable Zero Trust strategies.
Core concepts of zero trust
There are four key concepts that can be highlighted while contemplating the adoption of ‘Zero Trust’:
- Assume the network is hostile;
- know that your environment contains active threats;
- always authenticate and authorise every user, device, and network flow; and finally
- ensure that network policies are dynamic and calculated from multiple telemetry sources.
Let us elaborate on each of these principles from an adaptation and implementation perspective:
- The first principle — assume the network is hostile — is possibly the most central concept to the zero-trust ethos. Firewalls or intrusion detection devices have traditionally separated the “trusted” internal network from the “untrusted” internet. These devices can restrict control for simple things like IP addresses, ports or even services. The trust is then attributed to anything embedded in the network. As cybersecurity threats have become increasingly complex, bad actors are experts at bypassing these simple controls and gaining this attributed trust. Once inside, lateral movement can be completely unimpeded.
- Second, it’s always safest to assume that the present environment contains threats. Major breaches are still a risk even if your environment has extensive defensive measures in place. This emphasizes the need for continued monitoring and analysis of network artifacts. Additionally, never assume networks are low risk, thus requiring little protection, or that vendor solutions spouting machine learning and artificial intelligence will solve all your problems.
- Third, there is never a scenario in which a device or user should not be authenticated before entering any network. This extends beyond simple authentication and can be implemented using the Kipling method. This means asking the who, what, when, where, why and how for everything. This will in turn ensure that the organisation has the optimal tools or data to see and restrict this information.
- Finally, it’s crucial to remember that network policies are dynamic. A fully functioning ‘Zero Trust’ policy cannot be implemented in a single day. This requires continued analysis of the changing network, implementation of new controls, and a continuous inventory plan to identify the necessary applications, assets and services within a network. As environments evolve, we can implement the requirements in the evolving ecosystem, and also cater for dynamics in security.
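The third and fourth principles above, as an added example that is not part of the original article: a default-deny access decision that asks the Kipling questions of every request and also consults device and risk telemetry. The policy table, resource name, users, zones and risk threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    who: str                # authenticated identity
    what: str               # resource requested
    when: time              # local time of the request
    where: str              # zone the device connects from
    why: str                # declared business purpose
    how: str                # authentication method used
    device_compliant: bool  # telemetry: device posture check
    risk_score: int         # telemetry: 0-100 from monitoring

# Constructed policy: one rule per resource, nothing trusted by location alone.
POLICY = {
    "payroll-db": {
        "who": {"alice", "bob"},
        "when": (time(8, 0), time(18, 0)),
        "where": {"office", "vpn"},
        "why": {"payroll-run", "audit"},
        "how": {"mfa"},
        "max_risk": 40,
    },
}

def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, failed_checks); run on every request, not once per session."""
    rule = POLICY.get(req.what)
    if rule is None:
        return False, ["what"]          # default deny: unknown resource
    start, end = rule["when"]
    checks = {
        "who": req.who in rule["who"],
        "when": start <= req.when <= end,
        "where": req.where in rule["where"],
        "why": req.why in rule["why"],
        "how": req.how in rule["how"],
        "device": req.device_compliant,
        "risk": req.risk_score <= rule["max_risk"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed

if __name__ == "__main__":
    req = AccessRequest("alice", "payroll-db", time(10, 30), "office",
                        "payroll-run", "password", True, 10)
    print(evaluate(req))  # inside the office zone, but authenticated without MFA
```

Because the decision is recomputed per request, a change in telemetry (a rising risk score or a failed posture check) revokes access even for a user who was allowed a moment earlier.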
The proactive security measures adopted by the government and the recent initiative of indigenisation in many aspects of cyber security, including the Government of India’s RISC-V project, are a step in the right direction. Many of these and more will be given the essential teeth through the New Act that is being proposed. The concerned stakeholders, including industry, legal experts and academicians, not to mention the Ministry under the Government of India, are on the job to achieve the objectives of bringing out the new legislation, amendments of the Rules, etc.