
Cybersecurity innovation: Thinking outside (and inside) the perimeter

Cybersecurity Innovation: Is Zero Trust Security a New Norm?

In fact, in today’s security environment there is no perimeter, so the best way for companies to protect themselves and their customers is by adopting a zero-trust approach. Listen to our cybersecurity Chief Technology Officer Luis Delabarre tell us about the benefits and ramifications of trusting nothing and verifying everything.

Transcript

Karl Culley:
Hello, my name is Karl Culley and I’m your host for this Capgemini podcast on Zero Trust Architecture, part of a Capgemini Cybersecurity Podcast series. I have the great pleasure today of being joined by Capgemini’s own cybersecurity expert Luis Delabarre, who will be offering his insights. So welcome aboard Luis.

Luis Delabarre:
Thank you so much, Karl. You’re right. My name is Luis Delabarre. I’m actually the Chief Technology Officer for Cybersecurity at Capgemini. I’ve also been in the security space or domain for more than 20 years.

Karl Culley:
Great. Well, it’s wonderful to have you with us. Zero Trust is a much-talked-about topic, a recent topic in cybersecurity innovations. Could you give a definition of what it is and what benefits it brings?

Luis Delabarre:
Yes, indeed. Zero Trust is more like a kind of principle or approach for cybersecurity. It’s not the technology by itself. The idea is very simple. When you have a Zero-Trust approach or design, it means that you are not trusting any type of component in your architecture. It could be people or it could be devices. So in this design, in this architecture, you want to make sure that every component, every asset in your architecture is verified or identified before allowing any access to these resources. Quite interesting, because it has some consequences on the designers and the architecture.

Karl Culley:
Would an accurate analogy be that, you know, the person inside the castle is still asked for clearance going into each of the rooms of the castle, and you always need to verify the identity?

Luis Delabarre:
Yes, you’re right, because there is no more castle. A castle is no longer the way we build architectures or IT systems. So you’re right. No matter if you are in the system, I mean in the network, or you are outside of the network, you have to prove who you are and you have to prove that you are allowed to access the resources you want to access.

So yeah, there is no difference between, I would say, outside and inside in a Zero-Trust approach. And don’t forget that in cybersecurity, of course people could argue about the exact number, but we know that more than 60 or 70% of the threats are from insiders. So it means that you cannot trust employees or internal devices anymore just because they’re inside of the castle, as you said.

Karl Culley:
Okay. And is there ever any tension between usability and security with this Zero-Trust approach?

Luis Delabarre:
It’s a challenge we need to address in Zero Trust Architecture because, you’re right, you need to prove your identity and prove who you are before getting access to the resources you want. It could be cumbersome for the end user. This is where, as a design authority or cybersecurity expert, I would say we should be careful choosing the right solutions to be very, very user-friendly.

Even if, yeah, we improve the level of security. So I will give a very, very easy-to-understand example. When we are talking about identity and access management, new solutions are quite interesting where you want an adaptive solution, meaning that the same user inside the network will have to prove his identity thanks to maybe a password or just a one-time password, for example. But if he’s moving or traveling to a specific country, or if he’s outside of the network, in that case you will increase the level of security, asking for more information before giving him access. So it’s a kind of adaptive security. In that case, you succeed in being compliant with your Zero-Trust approach and you also try to be more user-friendly.

Karl Culley:
Okay, great. Great. And I think you mentioned that no specific technology is associated with Zero Trust, but that it is perhaps a combination of different technologies. Could you speak more about that, the technologies that might be involved in this approach?

Luis Delabarre:
Yes. As an example, in a Zero-Trust approach we try to be compliant with, I would say, very easy-to-understand cybersecurity principles. We have had them from the beginning, like for example least-privileged access. It means that every time you need to be given access to a resource, that could be a person, a user, or could be a device, you give this component the least-privileged access possible. That way you reduce the attacks you face on the network. So this is one principle or technology you need to implement in a Zero-Trust approach.

The other one is that you are no longer trusting people inside the network. You need to be careful that your network is micro-segmented. It means that you define smaller zones, and every time someone needs to access these zones there is some kind of enforcement of the policy to make sure that this person has the right to access these resources. So micro-segmentation is one of the other technologies required to apply a Zero-Trust approach. And another one is that, for example, instead of using a former technology like, you know, proxies or [inaudible] if your user wants to have access to the internet, for example. Of course you don’t trust the internet. That’s the minimum, even without any Zero-Trust approach, but you don’t trust the internet. So in the Zero-Trust approach, it’s not just a matter of having a proxy to authorize your user to go to the internet. You are analyzing all the traffic in and out to make sure that no threat or no vulnerability is exploited by the hackers, if they want to. So that’s a simple example, on top of micro-segmentation and these least-privileged-access technologies, required to do a Zero-Trust approach.

Karl Culley:
So the benefits seem clear. Just how many organizations are using Zero Trust, Luis, to your knowledge, or how widespread is it becoming?

Luis Delabarre:
I mean, it depends on how you implement a Zero-Trust approach. Of course, it’s like, you know, when we start using a cloud. A lot of people are saying, “Oh, I’m using cloud.” There are different ways of using cloud, and it’s more or less the same for the Zero-Trust approach. I’ll give you a very simple example. Micro-segmentation, as I said, is quite new. It means that, for example, people are now shifting, lifting and shifting, the application to the cloud, their workload to the cloud, and micro-segmentation is not so easy to implement. So now large enterprises are considering having micro-segmentation in place.

But, for example, identity and access management was one of the first domains or technologies that was used or modified or converted to the Zero-Trust approach. In the identity and access-management space, to apply a Zero-Trust approach, you should or you must implement multifactor authentication. You must apply SSO, a single-sign-on option, you must apply technology like Gatsby, and I believe that large enterprises are all already using these technologies. So, to answer your question, a Zero-Trust approach is more or less already applied partially by large enterprises for identity and access management. But if you want to move forward on this Zero-Trust approach, you need to go further, as I said, with micro-segmentation in the cloud for example, and this is quite new.

Karl Culley:
Could you talk about the best practices that organizations can employ when using Zero Trust? What are the best practices involved?

Luis Delabarre:
In a Zero-Trust approach, identity and access management is even more important. As I said before, when I gave the example of adaptive security, we changed a little bit the way we address identity and access management. But to answer your question, multifactor authentication, in real time, is a must for a Zero-Trust approach, including internally. As I said before, there is no more castle, so you need to be sure that your user is the person they say they are. You should also extend the control to the endpoint. And when I say endpoint, in every use case it could be a mobile endpoint, could be phones, could be smartphones. So you need to make sure that not only have you identified your user, but you have also identified the devices, and you give the right access to the devices.

Of course, when you say identity and access management, in the words there is access, so it means it’s not only identifying and managing the identity, it is also managing the policy. In a Zero-Trust approach, it means that no matter where the user is, no matter what devices the user is using, you should apply the same policy to control the access to, of course, the resources. I spoke about smartphones. It means also that you should be about an outsourced approach to consider wiping, locking, and enrolling, or just removing a device from a policy, because, you know, people now are using tablets and smartphones to access critical information. They won’t understand if you just tell them no, you cannot have access to the data because [you’re] using your smartphone. For example, emails, you know. So back to the Zero-Trust approach, because device management is key.

You should have this capability to wipe and lock devices. And of course, as I said, the user is key in every IT system, and education is always important in a Zero-Trust approach. You need to educate your users to be, I would say, aligned with the objective of a Zero-Trust approach, meaning that they understand that in some cases they have to be more in control. They have to prove their identity, and maybe because they are outside and traveling to a specific country, they need to follow some specific technology or some specific requirements. So it’s a matter of education. And of course, last but not least, monitoring. It’s always important to make sure that you monitor everything. It could be, as I said before, traffic in and out. You need to make sure that your endpoints were not compromised and the user is not compromised, I mean, for example, his password.

So back to a Zero-Trust approach. Again, it’s not because you are inside the network, it’s not because you’re an employee, that we cannot control what you are doing. From a cybersecurity standpoint, I’m not talking about other types of control. So it’s important to monitor the traffic in and out.

Karl Culley:
Yes, and I suppose it means that a substantially increased capacity is needed to monitor all these things. So what are the implications of this for an organization?

Luis Delabarre:
Very good. Very good question, Karl. For example, as of today, before this type of approach, companies were consolidating logs. You know, like, I want my logs from everywhere. Now we are not talking anymore about logs. Now we talk about telemetry, which means everything. It could be the volume of data. It could be what processes are running on your endpoint. It could be where you logged in, when you logged out, how many times you logged in. So it’s not only logs, it’s what we call artifacts or telemetry. Because with all this information, we will be able to detect not just what we call an indicator of compromise, but indicators of behavior. Behavior is really important. Now we want to make sure that people are behaving correctly, still talking from a cybersecurity standpoint. So the consequence of monitoring everything is a big-data approach with a lot of volume and different technology, because you want to be able to do some, you know, runs and queries very quickly. So, performant solutions.

Karl Culley:
Thank you Luis, and thank you for your well-articulated, insightful observations on this topic.

Luis Delabarre:
Thank you very much.

Karl Culley:
Thank you to our listeners and we’ll see you next time.