Complexity is the watchword for describing today’s IT environments, and the only way to secure constantly evolving complex environments is to use a security model that can flexibly adapt to change. One term frequently used to describe such an approach to cybersecurity is Zero Trust, and as with most such concepts, vendors differ in how they define it. But all of them tend to focus on certain key things: using strong identity to authenticate devices on your network, validating the health of endpoint devices and flagging them for updating and remediation when needed, monitoring for and responding to threats both well-known and emerging, and implementing processes like least privilege access to limit the damage when the inevitable breaches happen.
And breaches will happen. That is probably the core element of the Zero Trust security model. But it’s not just important to implement a Zero Trust solution for your company; it’s critical also that you choose the right Zero Trust solution, one where you, the customer, have control over your access policies, authentication tokens, and user passwords and data, instead of giving such control over entirely to your security provider. One such security vendor that thinks this matter is important is Cyolo, and to find out more about how their Zero Trust security solution works, I recently talked with Almog Apirion, CEO and co-founder of Cyolo. Almog is an entrepreneur with expertise in leading teams, building processes, and developing technologies from vision to execution. He is an experienced technology executive, CISO, and a former Navy Cyber Unit founder and commander with a long history of leading the cybersecurity and IT technologies domain. His extensive background includes building and securing critical infrastructures at large organizations and leading teams to success. You can find out more about him from his LinkedIn profile and can learn about the latest developments in this hot area of cybersecurity by following Almog on Twitter.
MITCH: Remind our TechGenix readers what Zero Trust is all about and why it’s so important for organizations.
ALMOG: The Zero-Trust approach is based on the assumption that the assets you have are already compromised. Rather than trusting any organization or individual because they have certain attributes — for instance, they’re inside the corporate network — the idea behind Zero Trust is to base everything on verifiable identities. No one is to be inherently trusted, not even your own employees. There is no user that has absolute trust at any time. No matter who you are, the system needs to report back on identities that are verifiable.
An example of this is a passport shown at an airport. You trust the entity that issued the person the passport, not the person themselves. The system should not trust the user but rather the verifiable credentials that they have.
MITCH: What’s the usual way that Zero Trust Network Access (ZTNA) solutions are implemented?
ALMOG: In the common ZTNA model, the cloud broker sends all users and devices, whether they originate from the external or internal network, to get authenticated before access is granted. This typical implementation of ZTNA aims to replace VPNs and minimize the attack surface, but it doesn’t do so completely. In reality, it only offloads some traffic and users from VPNs, and the attack surface remains with agents and cloud-based VPNs that are tunneling users in. Offloading some users in this way does have benefits, but it does not fulfill the promise of ZTNA. In addition, the typical ZTNA architecture places the broker inside the customer’s trust boundary — meaning that if the provider is breached, the customer’s data will likely be exposed.
MITCH: What is the main problem with this usual way of doing ZTNA?
ALMOG: Beyond the fact that ZTNA has up until now not actually replaced VPNs, there are additional problems to address as well. First, it simply isn’t feasible to put all the SaaS applications, mobile devices, operational devices, and other resources an organization needs under a single private network. Many ZTNA solutions also struggle to provide access to certain programs or applications, such as SAP, for instance, without network access. And the usual way of doing ZTNA has even more challenges if you need to change access from network-based to application-based (and vice versa) or if you want to adjust access controls at the application level.
Much of this is due to a problem at the vendor level — most vendors simply cannot deal with things like multiple environments and varying protocols that must be taken into consideration when you think about Zero Trust.
The first generation of ZTNA certainly started things moving in the right direction, but the attack surface remains wide, and access is very black-and-white — users are either fully in or fully out. What’s still missing is a deeper level of control or monitoring.
MITCH: How does Cyolo address this problem?
ALMOG: Cyolo is constantly striving to make our customers’ lives easier by enabling better productivity with a new level of security. Our aim is to redefine how users connect to their working environments with technology that can simplify and improve processes. Our end goal is to make secure connectivity more agile and easily integrated into modern operating systems for all users and organizations.
Cyolo’s distributed architecture decentralizes policy decision-making while providing end-to-end encryption. No data is stored or decrypted in the cloud, so there is no single point of compromise. All other ZTNA vendors put themselves inside the company trust boundary, but Cyolo stays on the outside, keeping your trust boundary smaller.
MITCH: Give us some examples of how Cyolo solutions can be deployed to enable users to securely connect to their working environments.
ALMOG: Cyolo connects users to all systems — offline, online, inside a network, or outside a network. Cyolo provides full secure connectivity in one robust solution — you can be the end-user, the IT team, or the security team, and our solution will meet your needs. End-users have the ability to work from anywhere with a single sign-on to any system, and IT teams get the agility they always wanted with a solution that integrates smoothly with the existing environments in no time. And finally, security teams get a true Zero Trust solution that minimizes the attack surface and gives them control over exactly who is connecting where and what the user can do during the session based on risk.
MITCH: How can an organization that currently uses VPNs migrate to Zero Trust using Cyolo?
ALMOG: This transition can feel overwhelming, but it doesn’t have to be this way. It was very important to us to make this process easy, so the transition is not tough on companies. It’s also critical to realize that there’s no need to turn off your VPN and other controls on day one. Quite the opposite, we get customers up and running with our solution and then give them the opportunity to use their existing VPN alongside our software. This allows them to experiment at their own comfort level as they start to experience the benefits of the new approach.
This method of transition shows companies firsthand how they can improve their operational agility, level of security, user experience, and productivity. Once they’ve gained confidence in the Zero Trust solution and witnessed how it actually enhances their existing security stack through our seamless integrations, then they can disconnect network access and transfer all users to our solution. And throughout this process we are never cutting them off. We believe that you should be able to migrate at your own pace. This is a step-by-step process, and everyone should be comfortable and confident at all times.
MITCH: Anything else you’d like to add or say about Zero Trust and the future of workplace connectivity?
ALMOG: Humans are the weakest link when it comes to security, and we always will be. The true Zero Trust architecture at the core of our solution acts as a fail-safe in the inevitable cases of human error.
And the ultimate vision, as far as I’m concerned, is to connect all entities based on digital identities that can be verified securely. Our approach can and will eventually go far beyond connecting just users to devices and applications.