Anthony (Tony) Sabaj is currently the Head of Channel Security Engineering for the Americas at Check Point and a member of the Office of the CTO, with over 25 years of experience in the cyber/information/network security industry. Tony has been at Check Point since 2002 in a variety of sales and technical roles, including starting and building the Channel Team in North America. Prior to joining Check Point, Tony was a Senior Product Manager at Telenisus, a startup MSSP/VAR in Chicago. In 2001, the MSSP business of Telenisus was sold to Verisign to start their MSSP business, and the VAR business was sold to Forsythe (Sirius/CDW). Tony joined Forsythe shortly thereafter as a Security Consultant and Certified Check Point trainer. Tony started his career with Arthur Andersen/Andersen Consulting, building their worldwide IP network, designing the security controls for the firm and helping build their external Security Consulting Practice.

In this interview, our guest sheds light on the distinctions between Zero Trust Network Access (ZTNA) and the broader Zero Trust Framework, highlighting the importance of trust levels – implicit, contextual and explicit – in this paradigm shift.

Further, get insights into Zero Trust implementation in public cloud environments, Zero Trust ROI and the type of Zero Trust approach that your organization should take.

Where are most organizations today when it comes to the Zero Trust journey?

The Zero Trust framework was commercially conceived by Forrester around 2010. Every organization that has started on a Zero Trust journey has its own timeline and a unique pace of progress. In the context of Forrester's model, Zero Trust should be implemented for data, workloads, users, networks and devices. Many organizations start by implementing Zero Trust for networks and users and are further along with these aspects than with other components, including workloads, data and devices. The vast majority of organizations are at different stages of the Zero Trust journey within different aspects of their environment.

Could you define Zero Trust (ZT)?

A Zero Trust framework is a set of guidelines, principles and best practices that organizations can follow to implement a Zero Trust Architecture (ZTA). The Zero Trust framework provides a roadmap for building a security system based on the Zero Trust Network Access (ZTNA), Zero Trust Network Security (ZTNS), Zero Trust Container Architecture (ZTCA) and Zero Trust DevOps concepts, which advocate for the strict verification of user, device and application identities before allowing access to network resources.

A Zero Trust framework typically includes guidelines for identifying and authenticating users and devices, setting access controls, and implementing network segmentation (Macro, Micro and Nano). It also includes recommendations for implementing multi-factor authentication, encryption, and other security measures to protect against threats such as malware, insider attacks, and unauthorized access to sensitive data.

What is the difference between the ZTNA versus the ZT Framework?

Zero Trust Network Access (ZTNA) is a security concept that advocates for the strict verification of user and device identities before allowing access to network resources. It is based on the idea that organizations should not automatically trust any user or device on their network, even if they are inside the network perimeter. A common misconception in the design and implementation of a Zero Trust framework is that ZTNA is analogous to Zero Trust. ZTNA is an essential component of a Zero Trust framework, but many other controls also need to be implemented.

In the context of ZT, could you discuss implicit trust, contextual trust and explicit trust and why a transformation is important?

Implicit Trust pertains to the presumption that an individual or entity can be regarded as trustworthy without necessitating explicit validation. Within cyber security, implicit trust can constitute a notable susceptibility and hazard. For instance, an organization may extend implicit trust to its personnel, affording them access to sensitive resources without the rigorous verification of their identities or the assurance that they possess requisite permissions. This may result in security breaches in the event of an employee's account being compromised or their misuse of access privileges. Implicit trust corresponds to manual configurations, static security policies, and the isolation of security strategies. Authentication sources remain non-federated and delimited. During this phase, the organization finds it imperative to undertake the comprehensive documentation of user-to-application and data mappings.

Contextual Trust presents trust that is contingent upon specific contexts or circumstances. In the context of cyber security, contextual trust manifests as trust that is not conditional upon specific static conditions. This trust level is associated with the initiation of preliminary phases of least-privilege implementation across various applications. The organization gains a heightened appreciation for the intrinsic value of data and subsequently undergoes a transition from network segmentation to security segmentation. Moreover, a pronounced focus is placed on users, applications, and data.

Explicit Trust denotes trust that derives from concrete evidence or authentication. It stands in opposition to implicit trust, which is predicated on assumptions or affiliations. Explicit trust often transpires through the validation of a user's or device's identity by means such as multi-factor authentication. This trust level corresponds to the automated allocation of attributes to assets and resources. Dynamic security policies are implemented with automated triggers in the event of a security incident. Open standards or APIs are utilized to facilitate cross-pillar interoperability through centralized visibility. Explicit trust assumes paramount importance within the framework of a zero-trust architecture (ZTA), an architectural paradigm that advocates for the rigorous verification of user and device identities prior to the conferment of access to network resources. By relying on explicit trust, organizations are better equipped to safeguard against malware, insider threats, and unauthorized access to data.

Can you talk about ZT in the context of public cloud?

Key components of implementing Zero Trust within public cloud include:

CSPM – Cloud Security Posture Management

An automatic and continuous check for misconfigurations that can lead to data breaches and leaks, allowing organizations to make the necessary changes as part of a continuous process of cloud security improvement and adaptation, reducing the likelihood of a successful attack.

CWPP – Cloud Workload Protection Platform

It helps to mitigate the impacts of poor security practices during the rapid development cycles common in DevOps, keeping applications secure by providing security for the application and all of the associated cloud capabilities.

CIEM – Cloud Infrastructure Entitlements Management

An automated process of managing user entitlements and privileges in cloud environments. An integral part of an organization’s identity, access management, and cloud security posture management (CSPM) infrastructure.

WAAP – Web Application and API Protection

Web Application and API Protection (WAAP) refers to the cloud-based services designed to protect vulnerable web applications and APIs.

KSPM – Kubernetes Security Posture Management

It helps enterprises automate Kubernetes security and compliance to mitigate the security threats posed by human error and oversight across K8s clusters without hampering scalability.

IaCSec – Infrastructure as Code Security

Infrastructure as Code deals with automating the process of deploying and configuring virtualized IT resources (SDN, SDC, SDS), while Infrastructure as Code security is the automation of secure configuration management for these resources.
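To make the CSPM and IaC security items above concrete, here is an added example (not Check Point's or any vendor's code) of the kind of automated posture check these categories describe: a small rule engine run over a constructed cloud resource inventory. The resource shapes and field names are a simplified stand-in, assumed for illustration, for what a real scanner would read from a cloud API or a Terraform plan; the rules cover a public storage bucket, an administrative port open to the world, and a wildcard IAM policy (the least-privilege violation that CIEM is meant to catch).

```python
"""Minimal posture-check engine over a constructed cloud resource inventory.

Added example, not code from the interview or from any vendor. The resource
dictionaries below are a constructed, simplified stand-in for cloud API or
IaC output; their field names are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    severity: str
    detail: str


# Constructed inventory with deliberate misconfigurations mixed with clean resources.
SAMPLE_INVENTORY = [
    {"id": "bucket-hr-reviews", "type": "storage_bucket",
     "public_access": True, "encryption": "none"},
    {"id": "bucket-logs", "type": "storage_bucket",
     "public_access": False, "encryption": "kms"},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22},
                 {"cidr": "10.0.0.0/8", "port": 443}]},
    {"id": "role-ci-deploy", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["*"], "resources": ["*"]}]},
    {"id": "role-reader", "type": "iam_policy",
     "statements": [{"effect": "Allow", "actions": ["storage:GetObject"],
                     "resources": ["bucket-logs/*"]}]},
]

# Remote-administration ports that should never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {22, 3389}


def check_storage(res):
    """Public exposure and missing at-rest encryption on a storage bucket."""
    out = []
    if res.get("public_access"):
        out.append(Finding(res["id"], "STORAGE_PUBLIC", "high",
                           "bucket allows public access"))
    if res.get("encryption", "none") == "none":
        out.append(Finding(res["id"], "STORAGE_UNENCRYPTED", "medium",
                           "bucket has no at-rest encryption"))
    return out


def check_security_group(res):
    """Administrative ports open to the whole internet."""
    out = []
    for rule in res.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
            out.append(Finding(res["id"], "SG_ADMIN_PORT_OPEN_TO_WORLD", "high",
                               f"port {rule['port']} open to 0.0.0.0/0"))
    return out


def check_iam_policy(res):
    """Allow * on * grants unrestricted entitlements, violating least privilege."""
    out = []
    for st in res.get("statements", []):
        if (st.get("effect") == "Allow" and "*" in st.get("actions", [])
                and "*" in st.get("resources", [])):
            out.append(Finding(res["id"], "IAM_WILDCARD_ADMIN", "high",
                               "Allow * on * violates least privilege"))
    return out


# Dispatch table: resource type -> check function. New rules plug in here.
CHECKS = {
    "storage_bucket": check_storage,
    "security_group": check_security_group,
    "iam_policy": check_iam_policy,
}


def scan(inventory):
    """Run every applicable check over the inventory and collect findings."""
    findings = []
    for res in inventory:
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def summarize(findings):
    """Count findings per severity, the number a posture dashboard would trend."""
    summary = {}
    for f in findings:
        summary[f.severity] = summary.get(f.severity, 0) + 1
    return summary


if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.resource_id}: {f.rule} - {f.detail}")
    print(summarize(results))
```

The "continuous" part of CSPM is simply re-running scan() against a fresh inventory on a schedule or on every IaC change and alerting when the summary grows; the same rule functions serve a pre-deployment IaC scan and a post-deployment posture check, which is the consistency across environments the interview returns to later.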

Could you briefly speak to the type of Zero Trust approach that you’d like to see more organizations taking?

There are many models or frameworks to follow when implementing a Zero Trust architecture; Forrester, Gartner, NIST and others offer them. The foundation of all the individual models is least privileged access. A common mistake in Zero Trust approaches is to focus on individual point solutions without regard for their interoperability, data sharing and orchestration. The Gartner Cybersecurity Mesh Architecture, Gartner's Zero Trust model, identifies about 20 different solution segments, ranging from CSPM to network firewalls. An organization that implements all 20 solutions as standalone implementations is no closer to achieving Zero Trust than when it started. At the center of Gartner's architecture, connecting all 20 solutions together, is a centralized operational dashboard, policy management, identity fabric and security intelligence layer. These important aspects of a Zero Trust implementation are often ignored or given less priority in less successful implementations.

What are some best practices for implementing Zero Trust in hybrid environments, where organizations have a mix of on-premises and cloud-based resources?

Most organizations have a hybrid environment that leverages on-premises, private cloud, public cloud and as-a-service assets. The policies that govern Zero Trust should be consistent regardless of the underlying infrastructure, although the methods and tools used to enforce the policy may differ. A simple example: if an organization states that only Human Resources can access historical performance review data, the organization may need to implement controls on its e-mail service, cloud storage/databases, cloud functions, network traffic and endpoints. All of these controls enforce the same policy, but achieving Zero Trust will require multiple integrated solutions. The NIST model (https://www.nist.gov/publications/zero-trust-architecture) illustrates this by detailing the differences between policy engine, policy administration, policy information and, lastly, policy enforcement responsibilities.
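The answer above, together with the earlier discussion of implicit versus explicit trust, can be illustrated in code. What follows is an added example, not the interviewee's, Check Point's or NIST's code: one policy engine that decides the "only Human Resources can access performance review data" rule, several enforcement points (e-mail, storage, function, network) that each defer to that engine rather than deciding on their own, and, beside it, the perimeter-style implicit-trust rule that it replaces. The request fields, the resource label, the group name and the enforcement-point names are assumptions chosen for illustration.

```python
"""One Zero Trust policy, decided by a single policy engine and enforced at
several enforcement points, following the policy engine / policy
administrator / policy enforcement point split described in NIST SP 800-207.

Added example, not code from the interview, Check Point or NIST. Request
fields, the HR-only rule and the channel names are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    groups: frozenset
    mfa_verified: bool       # identity explicitly verified for this session
    device_compliant: bool   # device posture signal from endpoint management
    source_ip: str
    resource_label: str      # data classification attached to the resource
    channel: str             # which enforcement point is asking


# Policy store handed to the engine by the policy administrator:
# resource label -> groups allowed to access it (None = no group restriction).
POLICY = {
    "hr-performance-review": {"HumanResources"},
    "public": None,
}

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


def implicit_trust_decision(req):
    """Perimeter-style rule: anything on the internal network is trusted.
    Shown only as the weak baseline that Zero Trust replaces."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def policy_engine(req):
    """Explicit-trust decision: identity, device posture and entitlement are
    all verified on every request, independent of network location.
    Returns (allow, reason)."""
    if not req.mfa_verified:
        return False, "identity not explicitly verified (MFA)"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.resource_label not in POLICY:
        # Unlabelled data gets default deny; labelling is the prerequisite.
        return False, f"unlabelled resource {req.resource_label!r}: default deny"
    allowed = POLICY[req.resource_label]
    if allowed is not None and not (req.groups & allowed):
        return False, f"subject not in {sorted(allowed)}"
    return True, "all checks passed"


class EnforcementPoint:
    """A PEP for one channel. It never decides on its own; it asks the engine
    and records the decision so every channel produces the same audit trail."""

    def __init__(self, name):
        self.name = name
        self.log = []

    def handle(self, req):
        allow, reason = policy_engine(req)
        self.log.append((self.name, req.subject, allow, reason))
        return allow


def enforce_everywhere(req):
    """Judge the same request at every channel; the outcome must not depend
    on whether the data is reached via e-mail, storage, a function or the network."""
    peps = [EnforcementPoint(c) for c in ("email", "storage", "function", "network")]
    return {p.name: p.handle(req) for p in peps}


# Constructed requests for the three interesting cases.
HR_USER = AccessRequest("alice", frozenset({"HumanResources"}), True, True,
                        "203.0.113.10", "hr-performance-review", "storage")
ENGINEER_INSIDE = AccessRequest("bob", frozenset({"Engineering"}), True, True,
                                "10.20.30.40", "hr-performance-review", "email")
HR_NO_MFA = AccessRequest("carol", frozenset({"HumanResources"}), False, True,
                          "10.1.2.3", "hr-performance-review", "network")

if __name__ == "__main__":
    for r in (HR_USER, ENGINEER_INSIDE, HR_NO_MFA):
        print(r.subject, "implicit:", implicit_trust_decision(r),
              "explicit:", policy_engine(r))
    print(enforce_everywhere(ENGINEER_INSIDE))
```

The contrast is the point of the example: the implicit rule admits bob and carol because they are on the corporate network and rejects alice because she is not, while the policy engine reaches the opposite conclusion for all three based on verified identity, device posture and group entitlement. Adding a new channel means adding an enforcement point that calls the same engine, not writing a new copy of the rule.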

Could you share insights on the potential ROI associated with implementing Zero Trust, both in terms of security improvements and cost-effectiveness?

ROI on security spending has always been difficult to calculate. Zero Trust, at its core, is about reducing risk. Any risk reduction has a value that needs to be calculated as part of the overall risk tolerance of the organization. In regard to implementation of Zero Trust, costs can be reduced, time-to-value decreased and security effectiveness increased by starting with a defined model and a security platform that best fits your organization’s needs.

Is there anything else that you would like to share with the CyberTalk.org audience?

Zero Trust is a journey that implements the least privilege access model. Once an organization embarks on a Zero Trust journey, it is an ongoing endeavor.