MIT: 2022 Cybersecurity Zero Trust Survey (9 pages).pdf

Produced in partnership with

Zero trust closes the end-user gap in cybersecurity

Organizations go beyond passwords to embrace a new approach to defending against cyberattacks.

You may have noticed it’s a little harder to get around in cyberspace. More six-digit authorization codes texted to your phone. More requests to confirm the name of your first pet or fourth-grade teacher. More boxes to check to “trust this device.” Overall, having to prove more often that you are you.

It’s not your imagination. It’s a comparatively new cybersecurity philosophy called “zero trust,” and it’s transforming networks globally. It’s just what it sounds like: the network, site, or application won’t allow you in without proof you belong there.

Mayank Agarwal, head of cybersecurity for North America at Infosys, thinks of zero trust as a mindset change. “Zero trust is front and center of all cybersecurity discussions. It’s about principles of least privilege. This means giving access only for a time, with the least amount of access. Once done with whatever job you are supposed to do, access is taken away.”

An MIT Technology Review Insights poll of global business leaders reveals three out of four organizations have become more aggressive in their approach to cybersecurity over the past two years, and end-user security tops the list of cybersecurity concerns.

MIT Technology Review Insights in partnership with Infosys Cobalt

About 40% of poll respondents said their organizations have already adopted a zero-trust model, while another 18% are in the process of implementing the model, and 17% are in the planning stages. And this is important, says Vishal Salvi, chief information security officer for Infosys, because companies need to think about “adopting a new security architecture to support new connectivity models.”

Securing the cloud during covid-19

In addition to the ever-growing cybercrime wave, thank covid-19 for this extra level of vigilance. The pandemic made cloud computing take center stage: lockdowns sent millions of workers to their homes, where they connected to company systems remotely, often using their personal devices rather than the employer’s. Traditional centralized security where users log in once in the morning, the modern equivalent of a moat around the castle, was no longer feasible.

The shift happened on a grand scale, and almost immediately so did an uptick in cyberattacks, such as ransomware, phishing attempts, and denial of service.

Methodology

Earlier this year, MIT Technology Review Insights polled its global panel of executives about their current concerns and future plans regarding cybersecurity. Of the 256 respondents, about 70% were C-suite executives or directors. They represented a broad range of industries, from retailing to transportation, with a slightly larger number of respondents in IT and telecommunications, professional services, and financial services. Although respondents came from all regions, the bulk of them were from North America (39%), Europe (33%) or Asia-Pacific (23%). All revenue categories were well represented: 16% of respondents’ companies had total revenue of more than $5 billion in 2020, 26% were under $50 million, and 27% were between $100 million and $1 billion.

Key takeaways

1. The zero-trust cybersecurity philosophy is transforming global networks. These networks, sites, or applications won’t allow you in (or let you stay) without proof you belong there, and they monitor for unexpected behavior.

2. The shift to cloud computing and decentralized work immediately led to an uptick in cybercrime. Security methods have had to move quickly to modernize.

3. More than three-quarters of global organizations are now taking a more aggressive approach to cybersecurity. About 40% have adopted a zero-trust model, moving security focus to the internet access point and away from end users.

The newly distributed nature of information services guaranteed an increase in the number of vulnerable points for cybercriminals to exploit. Organizations were in a delicate position, having to provide easy access to their employees and partners while simultaneously making sure their data and applications didn’t end up in the wrong hands.

Of the poll respondents, almost 55% said their biggest challenge is securing a hybrid or entirely remote workforce. Their second biggest challenge, also related to decentralized IT infrastructure, is securing applications and data through the cloud (49%). Specifically, 68% of the interviewees worry about cloud applications and data being subject to malware, ransomware, and phishing attacks. Although 55% don’t feel confident that their cloud security is properly configured, 59% believe that they have adequate control processes and policies to secure the cloud. About one out of three respondents said it’s a challenge to train employees adequately on cybersecurity.

End users under attack

The weakest link in any IT security strategy has always been people, says Keri Pearlson, executive director of the MIT research consortium Cybersecurity at MIT Sloan (CAMS). CAMS studies organizational, managerial, and strategic issues in the cybersphere. “It only takes one person to click on the wrong email or the wrong link or install the wrong program for systems to get infected. It’s not just end users in the traditional sense, it’s all the people that interact with our systems. Every single person that interacts with systems is a possible vulnerability point,” Pearlson says.

Why zero trust now

Zero trust has dominated end-user cybersecurity discussions in the U.S. since May 2021, when President Joe Biden’s executive order “Improving the Nation’s Cybersecurity” made it the core security framework of the federal government and all of its business partners, says Mayank Agarwal, Infosys’s head of cybersecurity for North America. The order states the desired outcomes:

- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- Agency systems are isolated from one another, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.

This reflects fundamental changes in the threat landscape, as cybercrime becomes much more methodical and organized. “The threat actors run like their own industry,” says Agarwal.

“Zero trust is front and center of all cybersecurity discussions. It’s about principles of least privilege. This means giving the least amount of access, only for a time.”
Mayank Agarwal, head of cybersecurity for North America, Infosys

Although typically more than 99% of system security measures are handled on the back end by IT, says Salvi, the tiny sliver of security threats users are responsible for account for almost 19 out of 20 cyberattacks.

“They all start through phishing emails,” Salvi says. “They’re trying to get the keys rather than breaking the locks.” Some phishing attempts can fool even a wary user, masquerading as urgent messages from human resources or the C-suite. Covid lockdowns put end users in a position to do more damage, and security strategy adapted quickly.

In contrast to traditional end-user security models, a user’s initial sign-in to a zero-trust environment, even one confirmed by a fingerprint, a face scan, or multifactor authentication, isn’t the end of surveillance. Once in, zero trust discreetly follows as users go about the cyber-day, making sure they aren’t up to something nefarious, and haven’t mistakenly clicked on a link that opens a door to a hacker. Except for an occasional request to re-authenticate, users won’t notice zero trust unless it decides it can’t trust you and locks you out of somewhere you want to go.

“I don’t have to depend on the user to do the right thing for the security to work,” says Salvi. “They don’t have to remember a complex password or change it every three months or be cautious about what they download.”

Using zero trust

Molina Healthcare, a managed care provider headquartered in Long Beach, California, uses zero trust as the organization’s security model. The Fortune 100 company administers Medicaid and other health insurance programs to 5.2 million people. It has $27 billion in annual revenues and manages partnerships with thousands of healthcare providers including hospitals, clinics, physicians’ offices, and home health providers. In addition to the usual security concerns, Molina Healthcare must protect personal health data to comply with federal and state privacy regulations.

“That data is rich in personally identifiable information and can be exploited for identity theft or financial gain,” says Molina chief security officer Mike Wilson, adding that cyberattackers have been targeting Molina at an unprecedented rate since the pandemic hit.

74% of survey respondents are taking a more aggressive approach to cybersecurity.
Source: MIT Technology Review Insights poll, 2022

Securing the cloud
55% of respondents don’t feel confident that their cloud security is properly configured.
59% believe they have adequate control processes and policies to secure the cloud.
Source: MIT Technology Review Insights poll, 2022

“Cybercriminals are investing in infrastructure and tools and people, just as we are,” Wilson says. “It’s a monetary arms race.”

It’s an unfair race, Wilson points out, because so much healthcare is delivered through small and medium-sized businesses like physicians’ offices, which are no match for the sophisticated criminals seeking to break into their systems.

Covid dispersed Molina’s 20,000-plus employees into remote locations whose only common feature was internet access. Zero trust was a key element in securing that IT infrastructure, via what Wilson calls the internet “choke point.” All Molina users, whether employees, contractors, members, or providers, connect to a secure internet gateway that checks not only their credentials, but those of their device and their network location. If the gateway sees a user demonstrate an unusual pattern, say, logging in from three different devices in the same day, it sends an alert. The gateway may ask for extra authentication and block the user’s activities until it’s satisfied with the user’s identity and intentions. “All this happens in a nanosecond,” Wilson says.

The gateway also monitors devices. Wilson says healthcare is more vulnerable than some other sectors because of the millions of medical devices that connect to the internet. Each device, not just computer systems but everyday tools like patient monitoring equipment and imaging machines, presents opportunities for cybercriminals to access a provider’s network, and from there, other organizations.

“The art of zero trust is to start to think about personas of people or devices or whatever, and how they interact with one another,” Wilson says. “What’s normal behavior for each one, and what’s odd? If they’re acting odd, you step up the authentication requirement or step down the level of access you allow. But all of it is generally seamless to the individual.”

The path to zero-trust adoption

About 15% of poll respondents said the biggest challenge to adopting a zero-trust model was understanding what it is and how to start. For about 46% of the respondents, the single biggest challenge overall was either integrating the model into a legacy IT infrastructure or replacing old systems with zero-trust-compatible systems. Almost one in four respondents also cited the need for significant investments in IT and staff.

The biggest cybersecurity challenges facing companies
Lack of comprehensive security control, processes, or policies: 24%
Insider threats: 19%
Adhering to cybersecurity compliance: 19%
Securing software internally to prevent unauthorized tool or software use: 25%
Vulnerabilities from where operational technology and IT meet: 29%
Ensuring adequate cybersecurity training for employees: 32%
Securing enterprise IT software from attacks: 48%
Securing the cloud infrastructure: 49%
Securing a hybrid or entirely remote workforce: 55%
Source: MIT Technology Review Insights poll, 2022

“It only takes one person to click on the wrong email or the wrong link, or install the wrong program for systems to get infected.”
Keri Pearlson, executive director of the MIT research consortium Cybersecurity at MIT Sloan (CAMS)

The challenge of integration is formidable, says Wilson. “Zero trust is not a switch that you turn on,” but a philosophy of putting controls on data at the local level. A successful zero-trust strategy involves all vendors working together to ensure secure access to the applications or areas they’re responsible for. “A single large moat has become lots of little tiny moats everywhere,” Wilson says. The technical challenge is to build the moats deep enough to protect, but not so deep that applications can’t talk to one another as needed. “The segmentation piece is really, really hard,” he says.

The good news is, zero trust is not an all-or-nothing proposition, but can be adopted incrementally based on which assets an organization needs to protect most. “It’s important to first lay out the overall strategy and then build programs in smaller chunks. Then work toward the whole plan based on that, and then move to the next phase,” says Agarwal.

Some legacy systems may not be able to adapt to a zero-trust approach, and organizations may need to contemplate modernization to protect themselves adequately. “If you try to use the existing plumbing and build a patchwork of security on top of that,” Salvi says, “it will not be as secure as an entirely zero-trust approach, and it’s also likely to impact the user experience.”

However, by moving the security focus to the internet access point, organizations may reduce the overall cost of end-user security measures, Salvi adds. “With a distributed workforce, zero trust is the only way to manage and secure connectivity,” he says. “Zero trust is real, and it’s inevitable. It’s just a question of whether you want to be a leader or a follower.”

“Cybercriminals are investing in infrastructure and tools and people, just as we are.”
Mike Wilson, chief security officer, Molina Healthcare

Illustrations

Cover art from created by Chandra Tallman Design with icons from The Noun Project, spot illustrations from The Noun Project.

From the partner

Infosys is a global leader in next-generation digital services and consulting. We enable clients in more than 50 countries to navigate their digital transformation. With over four decades of experience in managing the systems and workings of global enterprises, we expertly steer our clients through their digital journey. We do it by enabling the enterprise with an AI-powered core that helps prioritize the execution of change. We also empower the business with agile digital at scale to deliver unprecedented levels of performance and customer delight. Our always-on learning agenda drives their continuous improvement through building and transferring digital skills, expertise, and ideas from our innovation ecosystem. Visit to see how Infosys (NYSE: INFY) can help your enterprise navigate your next.

“Zero trust closes the end-user gap in cybersecurity” is an executive briefing paper by MIT Technology Review Insights. We would like to thank all participants as well as the sponsor, Infosys. MIT Technology Review Insights has collected and reported on all findings contained in this paper independently, regardless of participation or sponsorship. Laurel Ruma was the editor of this report, and Nicola Crepaldi was the publisher.

While every effort has been taken to verify the accuracy of this information, MIT Technology Review Insights cannot accept any responsibility or liability for reliance on any person in this report or any of the information, opinions, or conclusions set out in this report. Copyright MIT Technology Review Insights, 2022. All rights reserved.

About MIT Technology Review Insights

MIT Technology Review Insights is the custom publishing division of MIT Technology Review, the world’s longest-running technology magazine, backed by the world’s foremost technology institution, producing live events and research on the leading technology and business challenges of the day. Insights conducts qualitative and quantitative research and analysis in the U.S. and abroad and publishes a wide variety of content, including articles, reports, infographics, videos, and podcasts. And through its growing MIT Technology Review Global Insights Panel, Insights has unparalleled access to senior-level executives, innovators, and entrepreneurs worldwide for surveys and in-depth interviews.
