Zero Trust is What Security Should Have Been From the Beginning
In this exclusive interview, Petko Stoyanov, the Global CTO at Forcepoint, speaks about their new Forcepoint One offering, the evolving security threat landscape, the skills gap in the industry, and more
You recently conducted the Forcepoint One event. What was it all about?
We announced Forcepoint One way back in February 2022, globally, as a marketing event. From then on, we started focussing on regional events. At the UAE event, we had over a hundred people attending the event and we’ve definitely had a lot of interest in Forcepoint One. We spent some time with our customers at the event, understanding their challenges and explaining how Forcepoint One is a better way to access the internet securely – not just the Internet or cloud, but also private applications.
During the pandemic, many people were working from home and though they wanted to be productive in a new working environment, they lacked the tools. So, the users started using tools they weren’t supposed to. However, if we had visibility into that and gave the users control over the data they could use, it would have been amazing. That’s what is unique with Forcepoint One – we have centralised the management.
In doing so, we don’t need all your data. Your data stays with you and we want to give you control over the data that matters to you. So, the beauty of our solution is centralised management, distributed enforcement of security, and data loss prevention, and just visibility at the same time.
Another pain point customers are facing is hiring the right talent. For managing cybersecurity products and solutions, one needs to be a CSSP. However, the number of certified professionals in this region is far lower than the demand. There is a precise skill gap in this industry that needs to be tackled. We need to change how we approach cybersecurity and hiring.
How has the security threat landscape changed over the past couple of years?
Well, it has changed even in the last two months. We are seeing lots of geo-political tensions everywhere and these instances are being used as a reason to attack government installations, utility services, oil and gas installations, banking systems, telecoms, and so on.
The safety we feel here in the UAE is because of the regulation we have in place, which, in a lot of ways, applies to cybersecurity. Regulations also drive other things globally. At Forcepoint, we offer many tailor-made solutions for such industry verticals. Our data loss prevention solutions are used by some of the largest organisations in the world and our threat prevention capabilities are used to protect some of the most sensitive networks in the world.
In terms of the skills gap you mentioned, what do companies need to do to solve this?
I think there are two problems with this. One is the demand issue, where we don’t have enough people to fill up the specialised jobs available. So we’ve got to train more and more professionals so they are qualified to take up such critical jobs. Another problem is that most companies are hiring the wrong set of talents for job openings. We need to list out the job criteria that make sense.
Do not hire someone who is a jack of all trades – he/she will always be a master of none. Companies need to ask these questions. Why do I need that certification? Why do I need 20 years of experience in cybersecurity? Why do I need expertise in a 10-year-old language that is going to be non-existent in the next couple of years? So I would say, companies need to start asking questions about their hiring rates, making sure they have the right talent for the right job.
I think there are multiple things we’ve got to do as an industry. We’ve got to educate more customers so they make sure they have the right people for the job. They need to understand that you do not require a Ph.D. to go configure a router or configure something on the network. You shouldn’t be spending months deploying software. It should be done in days not months. And that is exactly what Forcepoint One is tackling.
What is your take on the Zero Trust Framework?
So, I’ve been working on the Zero Trust concept for the past three years. The US government’s been using it extensively. And the way they started is, they actually started using Zero Trust almost 10 years ago. Zero Trust is what security should have been from the beginning. Because you’re applying security and controls only to the data – so users need to only access what they need to. But there are multiple layers of security in Zero Trust.
There’s Zero Trust where we need user data. There’s Zero Trust where you need the device. And then there are applications. You want to make sure that the user, the device, and the application have access to data, but also ensure at the same time that any data that goes to those users and devices is authorised. So it’s, in many ways, applying the concept of what’s known as least privilege to the data element, the device element, the application layer, and the user.
Do you offer certification programs for your channel partners?
Yes, we do offer certification programs to make sure channel partners are at the forefront of everything we do. We are also investing a lot to make sure this happens – in the last 18 to 24 months, we’ve doubled the size of our team here. We keep our training and certification programs simple, so when our certified partners go to a customer, they know what they are talking about in order to suggest solutions to solve their issues.
What were your learnings from last year and how are you using those to better your strategies for this year?
So, in January 2016, Forcepoint spun out of Raytheon. Even though we are now an independent company, Raytheon still uses our software and hence they are our customers. So, as soon as we went on our own, we got into an acquisition mode – buying technologies and companies that complemented our ecosystem of solutions.
Our strategy has always been to invest in new solutions that complement our existing set of solutions and offer a complete end-to-end solution. So today we are capable of integrating additional solutions such as RBI, CDR and ZT, and so on. So all of these are being offered as a bouquet of services through our management platform.
Zero Trust is Not a One-Time Project
Deepa Kuppuswamy, the Director of Security at Zoho, says the technologies supporting Zero Trust are very much in mainstream adoption
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
In the cybersecurity domain, Zero Trust is no more a buzzword; it is a decade-old concept that has been evolving for a while. It started as a concept introduced in 2010 in a Forrester research; by 2014 we had Google’s BeyondCorp initiative, which reimagined the security architecture and was one of the earliest enterprise deployments of Zero Trust. In 2019 we saw the expansion of Zero Trust to SASE and ZTNA.
The pandemic period was when Zero Trust gained major traction fueled by the aspects of fast-paced digital transformation, and shift to cloud, and remote work. We also saw the evolution of standards and regulations related to Zero Trust – NIST published SP 800-207 as a unified framework for establishing Zero Trust architecture and last year we had the US government executive order mandating the adoption of Zero Trust principles for federal agencies.
Do you believe that technologies that support zero trust are moving into the mainstream?
The basic building blocks for implementing Zero Trust revolve around user identity management and device trust and identity. The technology solutions in these domains like SSO, MFA, Cloud-based directory services, PAM, Unified endpoint management, MDM, EDR, and XDR are already well mature and are an existing part of the security stack of many organizations.
The other crucial component of the Zero Trust Network Access (ZTNA) is the policy decision engine and policy enforcement engine. We have many existing security vendors extending their existing stack to provide agent-based or gateway-based ZTNA architecture solutions. The technologies supporting Zero Trust are very much in mainstream adoption.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Today’s digital-first enterprises are no longer operating within the confines of a traditional network perimeter. Apps are everywhere and users are everywhere. With more than 80% of organisations adopting a cloud strategy, the business apps are hosted outside the organization network boundary.
The hybrid model of work is here to stay, and employees want seamless access to the business apps without any difference in experience based on the location from which they connect. BYOD is becoming a norm, with business data being accessed from personal devices that have lower security postures.
The traditional method of using network location, ownership, and control of physical assets as parameters for implicit trust is a flawed security paradigm. “Never Trust, Always Verify” should be the philosophy the IT department should internalise, implement and practice. Traditional tools like VPN are not designed to support remote access of this scale and do not offer flexible options for adaptive access control. It is imperative that the IT and Security departments work together to reinvent the security architecture in line with the current evolving business models.
How can companies get started with zero trust?
Moving from theory to practice has been challenging with Zero Trust. To many organizations, zero-trust implementation is seen as a huge, expensive, and complex project. As it touches everything from user to device to network, it involves various stakeholders within the organization. What works out practically is to start small, start from where you are, and start with what you have as the current technology stack.
To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation. There should be an overall phased approach – Assess, focus on the top critical use cases, break into smaller achievable milestones, implement, and optimize over time.
We followed what we call the “Crawl, Walk, and Run” approach in our organization. The initial crawl phase involved strengthening the identity and device pillar, focusing on the below activities:
c. Enrol corporate devices in UEM and MDM
d. Conditional access based on device certificates
This served as a good starting point and helped us to show the value early on to the users and the various stakeholders.
Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero Trust is not a single silver bullet solution to all your security risks. There are other areas outside the scope of Zero Trust like API security, hardware and software vulnerabilities, insider threats, and supply chain attacks. A multi-layered approach and defence-in-depth controls are very much needed besides implementing Zero Trust. Security awareness training, incident response planning, regular monitoring and patching of systems and applications, comprehensive SOC capabilities, and threat intelligence are required to tackle the current cybersecurity challenges faced by organizations.
What according to you are the limitations of zero trust?
Zero Trust as a cybersecurity paradigm is a great evolution, but where we see limitations are in the practical implementation and deployment. With any new security model we experience challenges as the scope is expanded and we try to increase the granularity of controls. Zero Trust is not immune to this.
Zero Trust is not a one-time project; it is a continuous journey toward better security. It is also not a one-size-fits-all approach. Not every organization can follow the exact BeyondCorp approach; the strategy and roadmap need to be evolved according to the business need. Organizations should build a solid strategy and plan and invest in resources and people to succeed with Zero Trust.
Zero Trust Will Become Even More Widely Adopted
Debanjali Ghosh, the Technical Evangelist at ManageEngine, says companies are adopting various technologies to improve their security posture and reduce the risk of a breach
“Don’t Be Afraid to Speak Up”
Julie Davila, the Vice President of Global Field CTO Operations at Sophos, says that to start a career in cybersecurity, review the different aspects of the field to get an overview