Zero Trust approaches in APAC

EITN talks to Fernando Serto, Chief Technologist & Evangelist, APJC, Cloudflare, about DDoS, cybersecurity, and accountability.

EITN: Whose responsibility are DDoS attacks? As in who is responsible to prevent it, and when it happens, who should be held accountable for it?

Fernando: A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal web traffic, a service or a network by overwhelming the target with a flood of traffic. DDoS attacks are carried out by generating traffic from network-connected devices, usually compromised and under the control of the attacker.

In general, the responsibility to protect an Internet property lies with the owner/administrator of that property. While an Internet property can buy products or hire a cloud service to protect itself against DDoS attacks, the responsibility is still theirs. In the case of an unprevented DDoS attack, it may be the fault of the product, of the service, or a case where wrong configurations were applied, but nevertheless, the responsibility is on the owner/administrator.

EITN: Please share some industry best practices for mitigating/preventing DDoS attacks.

Fernando: DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed single-source attacks to complex and adaptive multi-vector attacks. Mitigating DDoS attacks involves dropping or limiting traffic indiscriminately as part of a layered countermeasure.

Some best practices include:

  • First and foremost, create an inventory of all Internet properties (websites, IP applications, prefixes, and any other services).
  • Second, protect each Internet property with a fitting service (e.g. WAF/CDN for websites, Magic Transit for prefixes, etc.). Based on the increasing size, frequency, and decreasing duration of attacks, they can hit hard and quickly vanish. But the damage is already done and felt long after the attack is over. Hence the recommendation is to use an always-on, fully automated solution that does not require human intervention in most cases. This solution needs to be comprehensive in terms of attack vector coverage, but also user-friendly to operate, and mature enough that it can integrate into your organisational workflows (e.g. Single Sign-On integration, Logpush for Security Information and Event Management (SIEM) system integration, PagerDuty integration for alerting, and so on).
  • Third, every Internet property can have different traffic patterns and behaviour, so make sure that the security settings are optimised for your needs by the vendor and in your equipment "on-prem" where your origin servers reside. For example, only allow traffic from your vendor's IP space so attackers can't circumvent your protections.
  • Finally, set up real-time alerts to be notified of important events, make sure you have visibility and access to the relevant dashboard. Draft and approve emergency runbooks so your team knows how to respond. Simulate DDoS attacks, run drills, and educate your employees to make sure your protection and your team are battle-ready.
  • Additional guides and real-world tips are available here:
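The third point above, locking the origin down to the vendor's IP space, is the one that most often drifts out of date or is silently bypassed. The following is an added example (not part of the interview, and not Cloudflare's own tooling) that does two things a practitioner would want: it scans origin access logs for sources that reached the origin without passing through the vendor, and it renders an nftables allowlist from the vendor's prefix list. The prefixes, ports and log lines are constructed stand-ins; in production you would pull the vendor's published prefix list and refresh it on a schedule.

```python
"""Origin lockdown helpers: detect CDN/DDoS-vendor bypass and emit a firewall allowlist.

Added example, not from the interview. VENDOR_PREFIXES and SAMPLE_LOG are
constructed for illustration (RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress
from collections import Counter

# Constructed stand-in for the vendor's published egress prefixes (assumption:
# the real list is fetched from the vendor and refreshed on a schedule).
VENDOR_PREFIXES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]

# Constructed origin access-log lines: "<source_ip> <method> <path> <status>".
SAMPLE_LOG = """\
198.51.100.17 GET /index.html 200
203.0.113.9 POST /api/login 200
192.0.2.44 GET /index.html 200
192.0.2.44 GET /admin 403
2001:db8:1::5 GET /assets/app.js 200
2001:db8:dead::1 GET /index.html 200
this line is garbage and must be skipped
"""


def build_networks(prefixes):
    """Parse CIDR strings into network objects; v4 and v6 may be mixed."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_vendor_ip(ip, networks):
    """True if ip falls inside any vendor prefix of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def find_bypassing_sources(log_text, prefixes):
    """Count requests per source IP that hit the origin without traversing the vendor.

    Any such hit means the origin is reachable directly (leaked IP, stale
    firewall rule, forgotten secondary interface). Unparseable lines are skipped.
    """
    networks = build_networks(prefixes)
    offenders = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        src = fields[0]
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # not an access-log line we understand
        if not is_vendor_ip(src, networks):
            offenders[src] += 1
    return dict(offenders)


def nftables_allowlist(prefixes, ports=(80, 443)):
    """Render an nftables table that admits the vendor prefixes on the given
    ports and drops every other source. Sets are only emitted when non-empty
    because nft rejects an empty `elements = { }`."""
    networks = build_networks(prefixes)
    v4 = [str(n) for n in networks if n.version == 4]
    v6 = [str(n) for n in networks if n.version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    out = ["table inet origin_lockdown {"]
    if v4:
        out.append("  set vendor_v4 { type ipv4_addr; flags interval; elements = { "
                   + ", ".join(v4) + " } }")
    if v6:
        out.append("  set vendor_v6 { type ipv6_addr; flags interval; elements = { "
                   + ", ".join(v6) + " } }")
    out.append("  chain input {")
    out.append("    type filter hook input priority 0; policy accept;")
    if v4:
        out.append(f"    tcp dport {port_set} ip saddr @vendor_v4 accept")
    if v6:
        out.append(f"    tcp dport {port_set} ip6 saddr @vendor_v6 accept")
    out.append(f"    tcp dport {port_set} drop")
    out.append("  }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    for ip, n in sorted(find_bypassing_sources(SAMPLE_LOG, VENDOR_PREFIXES).items()):
        print(f"bypass: {ip} ({n} request(s) reached origin directly)")
    print(nftables_allowlist(VENDOR_PREFIXES))
```

Two caveats worth keeping in mind when applying this: the allowlist only proves that a packet came from the vendor's network, not that it came through your account's configuration, so an attacker who fronts your origin through their own account at the same vendor still gets in; pair the IP allowlist with an origin-side check the vendor performs on your behalf (client-certificate authentication of the vendor's edge, or a secret header injected at the edge and verified at the origin). And the prefix list changes, so the firewall rules must be regenerated and reloaded whenever it does, or legitimate edge traffic will start being dropped.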

EITN: There was a whitepaper Cloudflare released that surveyed Zero Trust approaches in APAC region. In your opinion, why is the level of awareness higher in Malaysia compared to the APAC average?

Fernando: In Cloudflare's Journey to Zero Trust APAC study, it was revealed that 93% of Malaysian respondents had awareness of Zero Trust, higher than the APAC average of 86%. This could be attributed to several factors.

60% of respondents cited that the pandemic had impacted how they approach IT security, leaving them ill-equipped to cope with the demands of hybrid work. Malaysian respondents cited a lack of talent, balancing maximising productivity with risk exposure, and a realisation that they would benefit from upgrading their security. 57% of respondents also cited an increase in cyberattacks, which included low latency, data breaches and phishing attempts, again higher than the APAC average of 54%. In light of growing cyber threats amidst the pandemic, 89% of respondents implemented changes to their IT infrastructure, with a desire to upgrade within the next year. All these factors have contributed to Malaysia's awareness of Zero Trust.

EITN: In your opinion how do you foresee companies educating their employees and leadership about zero trust?

Fernando: Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network or a cloud environment, regardless of whether they are sitting within or outside of the network perimeter. Simply put, traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts nothing and no one. Traditional IT network security is based on the castle-and-moat concept, where it is hard to obtain access externally into the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside. It is important to raise this awareness around not trusting anyone and constantly verifying elements within the network as sometimes other employees may unintentionally let threat actors in. So basically, there’s no concept of internal and external anymore, every user and every device is treated as external.

In Cloudflare’s Journey to Zero Trust APAC study, it was revealed that stakeholder education was a key future priority when it came to transforming their IT infrastructure. This extends from leadership to all levels of the organisation in order for Zero Trust principles to be securely embedded, validate their work and investments, reduce workloads and ultimately, meet security goals. But the process to convince stakeholders is not easy – 51% of respondents cited a lack of information as their top reason for not making the case for Zero Trust. Organisations need help in understanding the value of the transition and putting together the case to convince senior management on the need for investment.

EITN: How can Cloudflare implement zero trust for companies?

Fernando: Zero Trust may sound complex, but adoption can be made simple by having the right technology partner. For instance, Cloudflare One is a Zero Trust, network-as-a-service (NaaS) platform that combines networking services with an in-built Zero Trust approach to user and device access. It allows enterprises to securely connect remote users, offices, and data centers to each other and the resources they need. With Cloudflare One, customers automatically implement Zero Trust protection around all their assets and data. This unified solution enables fast and safe connections to workplace applications, allows teams to use an app without exposing it to the public Internet, makes personal devices safe for business use, and works in any environment with any cloud provider. Cloudflare’s Zero Trust solution sits in its global network, which spans 250 cities in more than 100 countries, including 84 cities across Asia Pacific, Japan, and China.

At Cloudflare, we’re also constantly updating our Zero Trust offerings to ensure that our customers are best positioned to face the expanded threat surface area today. Cloudflare recently announced the expansion of our Zero Trust firewall capabilities to help companies secure their entire corporate network across all their branch offices, data centers, and clouds—no matter where their employees are working from.

Cloudflare One Firewall is the newest addition to our Cloudflare One suite of Zero Trust solutions. This secure, performant, and Zero Trust-enabled platform allows administrators to apply consistent security policies across all of their users and resources. CIOs can now use this cloud-native firewall to secure their entire corporate network across all their data centers and clouds — no matter where their employees are working from. As businesses adapt to the hybrid work environment of the future, Cloudflare is continuing to help CIOs replace disjointed legacy hardware boxes and niche point solutions with comprehensive, Zero Trust security controls for the entire corporate network.