In episode 10 of The CIO Evolution podcast, I welcomed Maneesh Sahu, director of OT networks and security transformation at Zscaler, along with Bil Harmer, operating partner, Craft Ventures and former Zscaler Americas CISO.
Across industries, we’ve seen strong global adoption of zero trust architecture (ZTA) as a key component and foundational layer for top CIOs aiming to build a company-wide digital operating system that is scalable, flexible, economically efficient, and secure. The goal is to enable business transformation and provide a sustainable platform capable of delivering a company’s digital aspirations. CIOs are now finding that ZTA is also a great enabler for implementing emerging cybersecurity capabilities. The panel explored the evolving cyber marketplace and discussed perspectives on its future direction.
In our wide-ranging conversation, we covered some of the biggest and most pressing questions in cybersecurity today, including identity management, supply chain attacks and minimizing third-party risk, IoT security and more. I asked my guests to peer into their cybersecurity crystal balls to offer predictions on where many of these top trends are heading.
The discussion started with a hot topic and common pain point for many CIOs – securing the supply chain by minimizing supplier risk. Integrating third-party identities like contractors, vendors, customers, and supply chain entities across organizations has become problematic.
Not surprisingly, in the wake of the breaches against SolarWinds and Kaseya, Sahu's thoughts turned to mitigating the problem of supply chain attacks. After describing how the problem came to a head when Boeing faced the need to share sensitive information – manuals and information about parts – with outside parties, he noted that the resulting solutions, like SAML tokens and SSO, have made little progress in the decades since.
“A 20-year-old standard is getting long in the tooth,” he said. “In this day and age, it is still difficult to do federated identities across organizations.” Information sharing while maintaining strong security practices is still a process in need of refining.
The industry is working hard to take us past SAML tokens, and we are seeing companies address parts of the puzzle with proxy front ends and back-end platform consolidators.
As a veteran of the financial services industry, Harmer also had a missing link in identity verification in mind. "How is zero trust going to be predicated upon identity," he wondered. After switching industries to solve the problem, he's still fixated on different approaches from various vendors. "With identity, the key focus is consistency."
Inevitably our conversation on identity shifted to the current frustrations and limitations surrounding device identity. After recounting the explosion in IoT, OT devices, and the current challenges with root-of-trust and baked-in-cert models, the discussion turned to aspirational progressive models and the emergence of “Secure Device Onboarding” as an exciting route forward.
"Right now we're looking at 13 billion IoT devices in 2021 with an expected growth rate to 30.8 billion by 2025." Each one of those devices, Harmer pointed out, has a root of trust – a birth certificate of sorts – and will take on a life of its own. “They have behaviors, they have jobs to do, they have lifespans. When you onboard it, it's almost like onboarding an employee to a company."
The Covid-19 pandemic has changed the workplace indelibly. Technologists have scrambled to provide efficient alternate work arrangements that enable remote workers to be productive. Harmer described the problem succinctly: “With work from home, every home is now a threat network.”
“Even though you have 50 smart home devices, you have to ask yourself the question, ‘do you really own them?’” Sahu said.
Administering the security process is becoming increasingly complex in the DevSecOps-connected world we now live in. With delivery speeds increasing, aided by no-code and low-code development teams and cloud provisioning, corners are being cut exactly where security needs to be built into code and process.
“The problem with federated, decentralized identity over the last 20 years is we’ve taken the users out of the loop,” Sahu reminded listeners. Federation helps achieve consistency at the enterprise level, but the user loses control over what they can do with their own data.
Sahu explained that while you have a bunch of identities in your wallet – including a health insurance card, driver’s license, library card – there’s still no decentralized identity verification entity for all use cases.
For end users, it might be better if there was.
New technologies are emerging to federate identity, but we also need to validate identities. The panel discussed the balance many organizations face between privacy (anonymity) and validation.
With the rapid acceleration of advancements in technology across AI, ML, and cloud, the future cybersecurity landscape will continue to evolve. We expect many advancements across all sectors but our panel thought identity was a key driver and perhaps the area most primed for improved solutions.
This was an incredible conversation, exploring huge tracts of the technological frontier, and you really have to tune in to benefit from its full scope.