John Keells Holdings Executive Vice President and Group CIO Ramesh Shanmuganathan, who is also the Chief Executive of John Keells IT, and Sujit Christy, Group Chief Information Security Officer and Cybersecurity Advisor of John Keells Holdings, break down the concept and the rising importance of Zero Trust security in building secure and resilient digital platforms and ecosystems. They begin with an insightful, lively, and thoughtful discussion, with Ramesh defining the contours of Zero Trust:
Ramesh: To set the stage for our conversation, let’s consider the evolution of technology over the past three decades. From the advent of the internet to the rise of cloud computing and now the integration of AI, we’ve witnessed significant shifts that have prompted a re-evaluation of security practices. One of the most notable changes is the move away from traditional trust-based security models.
In the past, security often relied on trust. Individuals with validated identities were granted unrestricted access to premises or information. However, in today’s digitized and interconnected world, this approach is no longer sufficient. With the inclusion of customers, partners, and various stakeholders, the challenge becomes how to adapt security measures to this new landscape.
Enter Zero Trust. It’s more than just a strategy or framework; it’s a paradigm shift in security thinking. Zero Trust mandates a comprehensive re-architecture of security practices to address the complexities of modern technology environments. This includes implementing micro-segmentation, compartmentalization, and dynamic access controls to safeguard critical assets in an increasingly cloud-based and AI-driven world.
What do you think is driving this shift towards zero trust in today’s world?
Ramesh: The primary driver behind the shift towards zero trust is the rapid pace of digitization. As our world becomes increasingly digitized, information becomes more accessible, provided individuals can authenticate their identity digitally. This shift represents a departure from the traditional hierarchical approach to access control, where permissions were set at the time of employment and revoked upon resignation. Now, access decisions are made dynamically, based on various factors such as the user’s identity, location, and device. This approach to security is more fluid and adaptable, resembling a Lego-like model where components are assembled to fit the current context and protect assets accordingly.
Sujit: To illustrate this concept in simpler terms, let’s consider the experience of travelling through an airport. At the entrance gate, your identity is verified with a passport and ticket check, similar to user authentication in zero trust. At the check-in counter, additional verification steps are taken, including visa checks and baggage screening, mirroring the scrutiny of devices and compliance requirements in a Zero Trust environment. Even at immigration, your identity is further validated, often using advanced authentication methods like facial recognition or biometrics. This layered approach ensures security at every step, much like the principles of zero trust in technology architecture.
What do organizations have to gain from adopting a Zero Trust based policy to stay resilient whilst digitally transforming their organization?
Sujit: Adopting a Zero Trust policy fundamentally enhances security by continuously authenticating user identities, thereby reducing unauthorized access and minimizing the risk of data breaches.
Additionally, by segmenting access and applying the principle of least privilege, organizations can significantly reduce their attack surface and manage potential threats more effectively. This micro-segmentation approach limits the impact of breaches, making recovery smoother and more manageable.
Furthermore, zero trust emphasizes the importance of continuous verification and least privilege access, ensuring that users only have access to the resources necessary for their tasks, for the duration required. This approach extends beyond physical premises to cloud environments, where access must be tightly controlled and monitored to maintain security standards. By implementing these principles consistently across on-premises and cloud environments, organizations can strengthen their security posture and better prepare for potential breaches. Finally, zero trust encourages organizations to adopt a mindset of assuming breach, prompting proactive measures to assess and reinforce security measures continually. This proactive approach helps organizations stay ahead of evolving threats and adapt their security strategies accordingly.
Implementing a Zero Trust security environment for John Keells Group wasn’t a walk in the park, was it? What were the challenges you faced, and how did you overcome them?
Ramesh: Absolutely, the biggest hurdle was people. They’re often the weakest link in such endeavours. Shifting from a trust-based system to zero trust required significant change management. We had to navigate egos and ensure everyone understood the urgency and potential consequences of inaction.
Another challenge was developing a policy framework suitable for a conglomerate like John Keells, spanning 70 companies across six industries. We had to strike a balance between implementing zero trust and maintaining smooth business operations. So, we took a pragmatic approach, rolling out the changes gradually over the past three to four years. Critical segments were addressed in phases, focusing on identity, devices, information classification, network locations, and workloads.
Implementing Zero Trust security at John Keells Holdings has been a game-changer. We embarked on this journey in 2018, just before the onset of COVID-19, which turned out to be a blessing in disguise. The pandemic forced us to adapt to flexible working arrangements, including remote work, and having a robust security framework in place was crucial for this transition.
Our early adoption of technologies like Office 365 in 2013 gave us a head start and greater maturity to embrace zero trust. Being one of the early adopters in the region has not only bolstered our security posture but also propelled our digitization efforts.
By ensuring the protection of our crown jewels, including both IT and OT assets, such as IoT devices, we’ve gained confidence in driving digital initiatives across various sectors, from retail to hospitality. With the increasing proliferation of operational technologies, the threat landscape has expanded exponentially, making zero trust even more essential in safeguarding against potential breaches.
What are the key components of an approach to Zero Trust security, especially for a large organization?
Sujit: Initially, we focused on understanding our environment and the culture shift towards Zero Trust. We piloted programmes centred on securing identities and devices, recognizing them as vulnerable points of entry. Our users can access from anywhere globally, so securing both was critical.
Ramesh: Drawing an analogy, we treat every user like someone at an airport gate, granting access based on need and duration—a principle known as least privilege. Then, we consider the data and applications they’re accessing, ensuring policy enforcement at various network points.
Sujit: Exactly. On one side, we have users and their devices; on the other, our data and applications are in the cloud. Network segmentation ensures security regardless of location. We classify data, assess application sensitivity, and enforce policies based on user-device-location-data combinations.
Ramesh: We’ve also integrated AI into our security posture. For instance, if someone attempts impossible travel—like logging in from Sri Lanka and then the US—AI alerts us, blocking access until investigated. Automation is key; human intervention alone can’t keep up with today’s threats or manage security in the digital era. AI enables rapid detection and response, crucial for today’s threat landscape.
How do you keep your Zero Trust security strategy up-to-date in the face of evolving threats?
Sujit: It’s a minute-by-minute challenge. We integrate multiple threat intelligence sources and use automation and analytics to assess vulnerabilities. If a threat is detected, devices are isolated until we investigate further. It’s a constant learning process, unlike passing exams in school; we’re always adapting.
Ramesh: Absolutely. The quality of our defence depends on the quality of our intelligence sources. We preempt threats using data from sources like Microsoft, Palo, and Cisco. This allows us to respond swiftly, even to zero-day attacks. We can quarantine vulnerable devices and restrict access to critical assets until they’re patched. It’s about a sophisticated posture not just for users but also for devices and locations. Continuous monitoring and response are key, especially as incidents multiply, requiring human intervention.
Sujit: We’re not just focused on our internal operations; we’re looking at the entire supply chain—from customers to suppliers to partners. It’s an ongoing journey of evolution and learning, informed by our environment and conversations with experts.
Any CXO listening to you two might wonder: how do we begin? Ramesh, you prioritize people, processes, then technology. So, in practical terms, what’s the first step for a company looking to start?
Ramesh: Initially, a self-assessment is crucial. Companies need to evaluate their information assets and understand who’s accessing them, for what purpose, and via which devices. It’s about ensuring the security posture aligns with the value of those assets. For example, sensitive documents like strategy papers should be securely stored and shared, avoiding vulnerabilities like email attachments.
Creating awareness is key; people must realize the potential risks they face. From there, it’s about defining critical assets and how to protect them. Moving to the cloud can enhance security, providing a fortified environment. Establishing access controls and device policies follows suit. It’s a journey, not an overnight fix, but understanding the necessity is the first step.
Sujit: Ramesh hits the nail on the head: inventory is crucial. Do you have a comprehensive list of assets and data? It’s not just about IT assets; it’s also about operational technologies, vendors, and licenses. Many organizations lack this inventory, leaving them vulnerable to risks like rogue systems or shadow IT.
Ramesh: Exactly. Take the example of security cameras in a bank; if they’re on an unprotected network, they become a potential threat vector. It’s about understanding that even seemingly innocuous devices can pose risks in today’s interconnected world. We must be conscious of all assets, from cameras to IoT systems. It’s a shift in mindset, acknowledging that 100% security isn’t feasible. Instead, it’s about identifying and protecting what matters most, like insurance. We’ve transitioned from wired to wireless, from secure networks to public internet connections, adapting to a changing landscape.
Sujit: The pace of change is dizzying, and many dive into it without fully grasping the implications. Just like transitioning from gasoline to electric cars, the shift requires understanding the risks and challenges. It’s about assuming a breach and adopting a risk-based approach. What risks are acceptable, and which are deal-breakers? Like insurance, cybersecurity requires a nuanced understanding and proactive measures to mitigate risks. So, building a culture of security and risk management is imperative, requiring continuous education and adaptation to the evolving cyber landscape.
You engage with clients globally. How do you assess the awareness level here in Sri Lanka?
Ramesh: In the financial industry, there’s a noticeable need, driven in part by central bank initiatives and privacy legislation. Awareness is increasing, but there’s a lag in urgency for action. Fast-tracking is necessary given the evolving landscape, especially with advancements on multiple fronts, including but not limited to technologies related to cloud, mobility, wireless, the internet and AI. We need to bolster defenses and adopt these changes swiftly.
Sujit: We must shift from a checkbox mentality to viewing security as an ongoing journey. This shift needs to permeate from top to bottom within organizations. Everyone, from boardrooms to entry-level employees, must understand their role in security. It’s a cultural shift that’s imperative.
Ramesh: Zero Trust is the most pragmatic and the best approach to security today. It’s crucial to understand its who, what, why, when, and how, and to engage experts who can facilitate its implementation in a holistic sense. This lays the groundwork for accelerating digitalization efforts whilst ensuring the security posture and resilience are not compromised. I advocate for a digital-first mindset, encompassing cloud, internet, mobile, and AI initiatives, all aligned with the principles of zero trust first.