Cybernews: The Spotlight's On Zero Trust; Can It Deliver?
Our CEO, Jaushin Lee, recently spoke with Cybernews about the cybersecurity challenges that enterprises face, Zero Trust, and what we're doing to help small-to-medium enterprises (SMEs) transform their security with a limited budget.
You can read the article on Cybernews here.
Many businesses run into such issues as an unhappy customer or an unsuccessful project, but not a lot of them are aware of the less visible dangers, such as a cyberattack. But with increased vulnerabilities due to the switch to remote work, the attack surface got only bigger.
No matter what size the company is, each one is vulnerable to such threats like malware, ransomware, fraud, and others. Experiencing such attacks could cause massive financial harm or ruin brand reputation.
The way to prevent this is to make cybersecurity one of the company’s top values. This can be done by implementing such solutions as antivirus software for each employees’ computers or Zero Trust Network Access and Segmentation.
To learn more about next-generation cybersecurity and Zero Trust Network Access and Segmentation, we invited Jaushin Lee, the Founder, President, and CEO of Zentera – a company that provides services as such.
Can you tell us a little bit about what you do? How did the idea of Zentera come about?
Zentera was founded in 2012, right at the dawn of the public cloud. The idea that enterprises would move business resources outside of traditional corporate boundaries and into public clouds was radical at the time. We recognized this trend would be highly disruptive to network infrastructure, and that these changes would leave network security in the dark. We positioned Zentera to address the critical needs for next-generation hybrid cloud network security, with an alternative overlay-based security layer that could connect and protect the distributed users, applications, and resources across all environments.
Our vision is to enable enterprises to leave different sites or clouds as independent network silos. Our software-defined security overlay is what unifies the resources, connecting applications across the silos rather than connecting networks. The critical benefit of this approach is that enterprises can implement a “security-first” strategy when migrating critical applications to the cloud, instead of having security take a backseat to network infrastructure re-engineering.
At Zentera, you emphasize the importance of the Zero Trust principle when it comes to security. Can you tell us more about this approach?
Before the Zero Trust era, enterprises used corporate firewalls to implement a “perimeter of trust.” Anything outside that perimeter – on the Internet, for example – went through security scanning and filtering. However, users and applications inside the perimeter of trust are assumed to be safe and may communicate directly with each other over the shared network without further security controls. This strategy can be described as having a “hard shell” and a “soft inside”.
This legacy approach leaves the destination application responsible for its own security. This leads to a much weaker security posture; once a hacker gains access to the network, all applications are exposed.
The concept behind Zero Trust is actually very simple. It’s to move away from this idea that everything on your network is trusted, and instead positively verify all transactions prior to granting access.
One way to imagine this is to think of your internal network as the Internet. If all your internal apps ran over the Internet, you’d want some kind of access validation between all servers, like a device verification or user login — ideally both. If any step in the validation process fails, the destination app stays hidden, and therefore shielded from many potential attacks on the network.
Despite the security benefits of using this practice, certain companies still hesitate about implementing Zero Trust solutions. Why do you think that is the case?
While Zero Trust is easy to describe, the devil is in the details. Many solutions in the market today rely on physical network infrastructure to implement Zero Trust. For example, a gateway-based access control solution between two hosts needs the physical network between those hosts to be blocked in order to implement the default deny behavior that Zero Trust requires. This is extremely disruptive to the existing network and difficult to implement. It’s like a nightmare home renovation project that starts out as a minor upgrade that mushrooms into a complete tear-down! This is why adoption of such Zero Trust solutions has largely been limited to remote access cases, where the physical network is already blocked, or possibly in greenfield deployments.
That’s why our vision for Zero Trust is built around overlay. Overlay provides an alternate path to carry application traffic into or out of an endpoint, enabling the physical network traffic to be blocked. Not only is an endpoint-level block easier to implement, because it is done in software, it can also be quickly deployed on critical applications’ servers and changed later without affecting the physical network. An endpoint-level block can also be easily applied to user devices to prevent attack propagation. We believe these properties of the overlay approach are absolutely critical for enterprises to be successful in adopting Zero Trust.
Zentera’s software-based solutions for Zero Trust combine two key functions: ZTNA to create secure access and Application Chambers that create an “application cyber shield” around applications. Our solutions do not require any network infrastructure changes for Zero Trust enforcement.
Did you notice any new cyberthreats emerge as a result of the recent global events?
Recently, we have seen extra effort being put into crafting attacks that can provide a huge payoff. Take, for example, the supply chain attack on SolarWinds – injecting malware into a security vendor’s product without getting detected is not a trivial effort, but it instantly rewards the hacker with access to the networks of tons of companies. The hackers will install backdoors so they can access the network even after the initial entry point is closed off, and then they can take their time to sift through and monitor the companies they’ve just penetrated. The recent Log4Shell exploit is a related case. This vulnerability in the log4j logging package is very easy to trigger, and it’s ubiquitous – creating another “gold rush” moment for hackers to install backdoors.
Since new exploits are constantly being discovered, and because threat hunting can’t guarantee there aren’t any backdoors, I think it’s critical for companies to look at new approaches, such as an application cyber shield, to provide another layer of defense for mission-critical apps.
Another interesting trend we’ve noticed is the increase in hackers using cloud service providers (CSPs) to host their command and control and malware servers. It’s just not possible to block these based on IP reputation because companies have valid business with these CSPs. This means that traditional, score-based methodologies of blocking suspect IP ranges need to be replaced with Zero Trust to positively identify remote servers where possible, and to use application-centric policies to flag suspicious behavior where it is not.
Do you think the pandemic altered the way people perceive cybersecurity?
Yes, absolutely, the pandemic has been a wake-up call for enterprises of all sizes. Many companies, who had long resisted remote working, were forced to transition many or all employees to full remote working over a period of weeks or even days. This is the first time in modern history that such a large percentage of the workforce is remote.
For business continuity, companies rushed to implement more VPNs to support remote work. While VPNs have been used for decades, VPN access has typically been granted sparingly and intended for one-off, sporadic connectivity. As it wasn’t expected to serve all employees all the time, it didn’t trigger major security concerns.
That all changed quickly, and last year, reports indicated that attacks against VPNs shot up by 2,000%. This isn’t a big surprise to IT security professionals, but it may be shocking to executives.
Why do you think certain organizations are not even aware of the risks hiding in their own network?
I think many information security professionals are well aware that attackers may be lurking in the network – inside that “perimeter of trust.” There’s a lot of industry publicity around dwell time which measures how long it takes for companies to discover they have been hacked, and how it’s been increasing. That suggests many companies may have already been breached but just don’t know it yet. This isn’t a surprise to Infosec professionals, who know detection is hard. But executive management who are primarily focused on business issues may be surprised to discover the extent to which their companies may be exposed.
I think there are a lot of parallels between cybersecurity and insurance. For example, many homeowners recognize the terrible damage that a flood can do to their property, yet neglect to buy flood insurance because they think the probability is low. But the parallel ends there; a low-probability natural disaster with a determined bad actor, especially who has access to nation-state resources. Cybersecurity is something executive management absolutely needs to pay close attention to.
What are the most common challenges that companies run into on their digital transformation journey?
Digital transformation is one of the biggest opportunities for enterprises today. Modernizing legacy business processes helps improve the customer experience, streamlines operations to improve competitiveness, and creates new opportunities to capitalize on the data the business generates through sharing with other participants in the value chain.
Many digital transformation projects center around cloud migration, which inevitably creates a new hybrid cloud. One of the single biggest mistakes we see in these hybrid cloud deployments is the tendency to treat the cloud as yet another corporate site and use the same networking and security approaches they have for decades. DX projects need to move quickly in order to keep up with shifting business requirements and priorities, but legacy infrastructure-based methods are anything but fast. They require huge I&O (infrastructure and operations) effort, which is exactly what you don’t want to be given the overall shortages of talent in IT and cybersecurity, and evolving change management processes. Under these circumstances, an infrastructure-based approach is a recipe for delays and disappointment.
Additionally, the traditional infrastructure build and security model exacerbates the problems we noted with adopting Zero Trust by simply making the physical infrastructure bigger – not to mention the attack surface! We definitely believe the Zero Trust overlay, focusing on connecting and securing applications, rather than networks, is the way to achieve agility and adopt a Zero Trust approach for digital transformation.
In your opinion, which security measures should be a must both for companies and individual users?
There are two fundamental steps every company should be considering immediately. The first of these is to protect critical applications with an application cyber shield. If traditional network security is like the fences and the door locks on your house to keep the bad guys from getting in, an application cyber shield is like having a safe to protect your irreplaceable heirloom jewelry when the fences and door locks fail. An application cyber shield can be deployed instantly, without changing the way an application works, so there’s really no reason not to do it.
The second is to make a concrete plan to adopt a Zero Trust overlay and define corporate security and access policies. Companies that get this right sooner rather than later will reap tremendous agility benefits from being able to deploy a security policy once and having it automatically enforced in any and all environments that the company operates in.
Taken together, these steps will dramatically reduce the company’s exposure to cyber threats and help address concerns that the executive stakeholders and boards have about becoming a victim of a cyberattack.
Tell us, what’s next for Zentera?
Zentera has successfully helped large enterprises to adopt Zero Trust as an overlay to their global operations and complex hybrid environments. The business benefits are clear. However, cyber attacks don’t discriminate based on company size. Small to mid-size enterprises (SMEs) are also vulnerable to cyberattacks and are often preferable as they tend to have less security infrastructure, compared to large enterprises. In addition to being targeted, they can also act as a stepping stone to larger enterprises that they serve.
SMEs have the same security needs but have even more limited capacity to turn to any infrastructure-based method to implement Zero Trust, and therefore have an urgent need for our overlay-based security. We recently retargeted Zentera Air, our SaaS Zero Trust offering, to address the common cases we are hearing from SME customers, to help them accelerate their journey to Zero Trust. Zentera Air joins our standard product, CoIP Platform, providing dual-track options for access to Zero Trust that’s unique in the industry. We will continue to invest in these kinds of improvements to make Zero Trust easy to adopt and accessible to all kinds of companies.