Mazhar Hamayun is a cyber security professional with over 20 years of hands-on technology and leadership experience. At Check Point Software, Mazhar works as a cyber security engineer and in the Office of the CTO, committed to helping different organizations achieve success in both strategic and technical initiatives while contributing to Check Point’s own security practices.
In this dynamic interview, Mazhar Hamayun shares insights into how to conceptualize, actualize and improve upon Zero Trust. Discover cutting-edge and uniquely compelling information that you can use to advance your businesses’ security practices.
From your perspective, what are the core tenants of Zero Trust?
- All data sources and computing services are considered resources.
- All communication is secured regardless of the resource.
- Access to individual enterprise resources is granted on a per-session basis.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
What are you seeing across the threat landscape and why does Zero Trust need to be modernized?
No enterprise can eliminate cyber security risk. When complemented with existing cyber security policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, a properly implemented and maintained Zero Trust Access (ZTA) can reduce overall risk and protect against common threats. However, some threats have unique features when implementing a ZTA.
The most common issues we see are:
- Subversion of ZTA Decision Process
- Denial-of-Service or Network Disruption
- Stolen Credentials/Insider Threat
- Visibility on the Network
In what ways is Zero Trust still evolving?
Zero Trust as a strategy for the design and deployment of enterprise infrastructure is still a nascent concept. Industry has not yet coalesced around a single set of terms or concepts to describe ZTA components and operations. This makes it difficult for organizations to develop coherent requirements and policies for designing zero trust enterprise infrastructure and for procuring components.
The Zero Trust Concept is intended to work in concert with an organization’s cyber security strategy. Neither is static. Both must be as dynamic as the assets they aim to secure and the threats they endeavor to protect against. The cyber security strategy is over-arching; it defines WHAT needs to be accomplished. The Zero Trust Concept defines HOW to implement the strategy. That said, “Concept” is the wrong term. It is more than an idea. It is an actionable design element. Perhaps Zero Trust Model is more accurate.
Are there any myths about Zero Trust that you’d like to clarify for security leaders?
It is not a One-Size-Fits-All model. Each implementation must be right-sized for the organization. There is a misconception that Zero Trust Architecture is a single framework with a set of solutions that are incompatible with the existing view of cyber security. Zero Trust should instead be viewed as an evolution of current cyber security strategies as many of the concepts and ideas have been circulating for a long time. This gap is based on a misconception of ZTA and how it has evolved from previous cyber security paradigms.
Please tell us a bit about the relationship between Zero Trust and SASE?
SASE moves security to the cloud where it’s closer to apps, users and data— but it can still rely on the same detect-and-remediate approach to cyber security that may leave corporate resources open to breaches from increasingly sophisticated and numerous bad actors. They can customize phishing themes based on social engineering research, infect trustworthy sites through malvertising, or spin up fake login forms to maximize their chances of infection. Then, if the threat is detected, they implement a simple code change to make the attack virtually undetectable again.
What is the CISO’s role in Zero Trust adoption?
CISOs own strategy. Specifically, they own the cyber security strategy – the plan that takes an organization from an actionable target to a hard nut to crack.
Since the Zero Trust Model is the companion to the cyber security strategy, the CISO also owns the Zero Trust Model. Defining the components of the model, vendor selection, implementation, and maintenance are shared responsibilities among the security team.
What Zero Trust recommendations do you have for CISOs?
A properly implemented ZTA for an enterprise will improve the enterprise’s cyber security posture over traditional network perimeter-based security. The tenets of ZTA aim to reduce the exposure of resources to attackers and minimize or prevent lateral movement within an enterprise, should a host asset be compromised.
However, determined attackers will not sit idle, but will instead change behavior in the face of ZTA. The open issue is how the attacks will change. One possibility is that attacks aimed at stealing credentials will be expanded to target MFA (e.g., phishing, social engineering). Another possibility is that in a hybrid ZTA/perimeter-based enterprise, attackers will focus on the business processes that have not had ZTA tenets applied (i.e., follow traditional network perimeter-based security)—in effect, targeting the low-hanging fruit in an attempt to gain some foothold in the ZTA business process.
There are some best practices to follow along with Zero Trust
- Zero Trust Using Microsegmentation
- Zero Trust Network Infrastructure and Software Defined Parameters
- Host/Device Agents based protections
- Per session based authentication and authorization for key resources
Other actionable insights for security leaders around Zero Trust?
Implement or expand the use of AI/ML in your security architecture. While doing so, take the time and care needed to train the AI, build your operational plans around the use of automation, and map the next steps.
How should security leaders talk to executives about the need for Zero Trust and related topics?
Zero Trust is a model for how to implement a cyber security strategy. Security leaders should first build consensus among their executive team on the objectives of the cyber security strategy. With that, leadership has agreed on WHAT needs to be accomplished. Zero Trust can then be presented as HOW the strategy will be realized.
Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.