Incentivizing Collaboration and Promoting Zero Trust Adoption


Posted on in Podcasts

Our world is becoming increasingly interconnected and more interdependent than ever before. We continue to see an increase in cybercrime, which brings us to an inflection point — who's responsible for addressing security in our integrated digital world and what should be the role of policymakers and industry regulators in promoting good cyber hygiene and incentivizing collaboration?

 

Sponsored by:

dnsfilter-logo

DNSFilter offers industry leading threat protection for companies across the globe. Utilizing powerful artificial intelligence, we identify and block threats 7 days earlier than competitors.


Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the World Talks Security.


Kacy Zurkus:
Hello listeners. And welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host Kacy Zurkus, content strategist for the the RSA conference. And today I am joined by Shinesa Cambric and Jay Hira, who will be talking about building policies and regulations for zero trust adoption.


Kacy Zurkus:
Before we get started, I want to thank our sponsor for today's podcast, DNSFilter. 78% of data breaches involve the DNS layer and those threats are growing. This year, DNSFilter has seen a 200% increase in malware, 300% increase in phishing and a 1200% increase in botnet traffic. You can learn more about why and how it's happening in our midyear threat report at dnsfilter.com.


Kacy Zurkus:
I also want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted.


Kacy Zurkus:
And now, I'd like to ask Shinesa and Jay to take a moment to introduce themselves before we dive into today's topic. Shinesa, let's start with you.


Shinesa Cambric:
Thank you, Casey. I appreciate it. I'm Shinesa Cambric. I've been in the IT security and compliance space for a really long time. I tend to not want to say, but it's been 20 plus years. I'm currently a principal product manager at Microsoft in our identity division, where I lead a team that's focused on building protection for emerging identity types. So when you think of things actually the identity of things, and then non-human identity, that's what we focus on.


Jay Hira:
Thank you for having us, Kacy. My name is Jay Hira, and I speak to businesses in the financial services sector about strengthening cyber resilience through the adoption of zero trust principles during the day. I transform into a cyber warrior at night, advocating for diversity and collaboration in our industry, wearing my large black cape, with MAKECYBERSIMPLE imprinted in capital letters with no spacing.


Jay Hira:
Batman references aside, I started my career into cyber security back in 2006 as a penetration tester. And my curiosity to constantly learn and grow has led me to explore different areas of cyber that include attack, defense, architecture, strategy, and governance. I'm excited to be here alongside Shinesa, and I'm looking forward to a good discussion among this group that we've got going.


Kacy Zurkus:
We are excited to have you both. I'd like to start by asking each of you to share your thoughts on some of the challenges of the interconnected and interdependent ecosystem that we currently have. Jay, let's start with you.


Jay Hira:
Challenges arise with significant changes, and the fourth industrial revolution, industry 4.0 fundamentally shifts the way in which businesses operate and create value. This shift is largely attributed to the convergence of physical and digital systems. Now, while this convergence promises unprecedented growth opportunities, it is those same attributes of interconnectedness and interdependence that heighten cyber risk due to the increased attack surface area.


Jay Hira:
Now, if we were to time travel back to industry 3.0, our first line of defense was still man trap doors, security guards and cameras at entry and exit points, as most of the IT and network infrastructure was hosted on-prem or at third party hosted data centers. But fast forward to today where the pandemic fueled digital transformation and businesses have pivoted to digital first and cloud first strategies have not just survived, but thrived. If we take the example of the energy sector, this convergence that we talk about from a IT and OT perspective has enabled the sector to require less physical presence at remote sites to initiate manual changes. These changes can now be deployed remotely through sensors. However, it is the same convergence of IT and OT environments that provides for an extended attack surface where the threats can move laterally between the two environments.


Shinesa Cambric:
I totally agree with Jay in terms of the industry 4.0. And then to add a little bit of color to that from my perspective, so my world is around identity and I'm totally focused on where identity lives and how we protect identity and how that flows through different systems, so thinking about things like API. When I hear interconnected and interdependent, that's immediately where my mind goes is, where is the flow of identity in that ecosystem? Thinking about the challenges we have in cybersecurity now, companies may tend to want to focus on their own environment. However, when you're connected to other environments, their security posture is essentially your security posture and attackers may not necessarily be coming to you, but they could be coming through you to get to one of your connected partners.


Jay Hira:
I really like your whole message, Shinesa, on how an identity compromise in the interconnected ecosystem can have a damaging impact, both upstream and downstream. And in this digital first and cloud first world that we live in today, it doesn't take much for an adversary to target an individual or a group of individuals in an organization to click a link. And once that happens, we all know that with decompromised credentials, the adversary can walk right through the defenses and move freely in this interconnected ecosystem that we speak of.


Shinesa Cambric:
Exactly, Jay. I think that's why concepts like zero trust have become so important because identity, being the center essentially of the ecosystem now, when it comes to how you enter an environment, how you access data, how you even run your environment to some degree.


Kacy Zurkus:
It's interesting, Shinesa, you started with talking about the interconnectedness and identity and that down line risk, right? And Jay, you jumped in and started to touch on some of the consequences that come to there from some of these challenges of our interconnected world. I'm just wondering, is there sort of an awareness of shared consequences? Are there other consequences that you haven't mentioned here that are important to think about?


Jay Hira:
I believe that there isn't a lack of awareness of shared consequences, but rather there is the crisis of prioritization when it comes to which security gaps do we address as a business, as there isn't unlimited budget or resources that are available.


Jay Hira:
And let me expand that a bit more. I feel cyber security is an unfair fight for the simple reason that we are constantly defending. We're never attacking. And it becomes even more unfair when you partner with other entities multiplying the number of threat vectors each of these entity faces. Now, if we specifically focus on the supply chain risk perspective in an interconnected sort of an ecosystem, and if we use a classic four quadrant risk classification graph, the supply chain risk is definitely moving away from known/unknown bucket to the known/knowns bucket. But I believe the challenge comes from the fact that larger organizations that have ample budget and resources have too many supply relationships and these small and medium size businesses grapple with doing enough with limited security budget and resources to enhance their supply chain risk capabilities.


Shinesa Cambric:
And I would agree with the small to medium size businesses especially having some challenges. I work very heavily in the cloud space and there is still a big disconnect of who's responsible for security in a cloud environment. Some companies are assuming that the cloud provider is setting certain controls on behalf of that company. And in some cases that is true, but you're ultimately responsible for safeguarding your data. We have to push that sense of ownership of securities by companies and individuals.


Shinesa Cambric:
And then, especially when it comes to things like open source. I recently gave a talk where I mentioned that open source developers have this lack of desire to build in security for their code. And if you think about the growing use of open source solutions and how that is integrated in our digital life day to day, that means we're all under threat, essentially. There's potential for all of our identities to be compromised. If you think about how that flows through the ecosystem, going back to my earlier point, and us being interconnected, my identity being compromised means that some business downstream could potentially have their data being compromised.


Jay Hira:
A hundred percent. And I really like how Shinesa weaved in a completely different perspective of challenges in the cloud with shared responsibilities. And it really gets tricky when your organization, just as an example, leverages a SaaS provider and the SaaS provider itself leverages a platform as a service provider for providing their own services. So as a cloud consumer, you're not just dealing with a service provider that gives you a SaaS service, but you're dealing with your service provider's service provider, which adds a layer of complexity as you do not have any direct control on them.


Shinesa Cambric:
I think it goes back to your point about the supply chain risk challenges, Jay, so understanding who are the touch points within that supply chain, which could be other cloud solution providers. It could be other companies, third, fourth and fifth partners downstream.


Jay Hira:
A hundred percent agree with you, Shinesa.


Kacy Zurkus:
Then what do you envision will be the role of regulators and policy makers in advancing these cyber hygiene efforts?


Jay Hira:
The governments and regulators act as levers to push for a safer overall ecosystem. For example, entities in the financial services sectors or heavily regulated sectors have an industry body that provides them with a license to operate within the sector. This comes along with a series of obligations that each entity needs to maintain to demonstrate that their cybersecurity capabilities are fit for purpose.


Jay Hira:
We can draw simple parallels here to rates, road safety rules. Drivers in the road need to abide by rules that are defined by the department of transportation. At the time of securing a driver's license, we go through testing to determine if we have an understanding of the road safety rules. The department of transport's obligations do not just stop at monitoring driving behaviors, but also running checks to determine that the vehicle is fit for purpose as well as the driver is operating within the road safety rules. So similarly, if rules around maintaining good cyber hygiene need to be enforced top-down, that would help businesses to avoid the damaging effects of a cyber attack, which has a direct impact on both public trust, as well as brand reputation.


Shinesa Cambric:
Yeah, here in the U.S., you're already seeing executive orders and policy that's being set around certain cyber requirements, especially when it comes to incident reporting for critical infrastructure, for example. I think there's a unanimous sentiment that we need to do something from a policy perspective when it comes to cyber security. But where I sometimes have questions in my mind is what is that level of cyber hygiene that we require? And then thinking about what's the financial impact to those businesses when they're mandated to have a certain cyber hygiene? Going back to our conversation about small to medium size businesses, this may require them to hire additional staff for example, or have some additional training in order to meet those requirements. I think that's an interesting challenge ahead of us to figure out what's the exact level based on business size, based on industry that we want to mandate?


Kacy Zurkus:
Shinesa, I think, to your point with the executive orders, there's also been this movement toward developing public-private partnerships, right? Lots of conversations about collaboration. I'm just wondering if each of you could maybe talk to our listeners about your thoughts on what should be the role of regulators and policy makers when it comes to collaboration?


Shinesa Cambric:
In terms of the U.S. right now, we do have ISACs, so information sharing and analysis centers that go across different industry verticals. However, it's kind of maintained within those particular industries. For example, retail has their own ISAC. Hospitals, for example, would have their own ISAC. But where I see the potential for regulators and policy makers to help with some of that is making sure that information is shared across those different industries.


Shinesa Cambric:
Going back to some of our earlier points with this interconnected environment, there could potentially be some business that's connected to a hospital that's also connected to some retail environment. Thinking about contracting companies, for example, and I don't want to name any particular company, but if their consultants have access to these different systems, and say that consultants identity is compromised, then it's important for all of these connected partners to know what that threat is to their environment, which to me means that we need to have that cross industry collaboration. I'd like to see regulators and policy makers help to support that, but not necessarily mandate that. We have to find ways to give the carrot and not the sticks.


Jay Hira:
I love your point around support and not mandate, Shinesa. I almost think of collaboration as an extension of the concept of neighborhood watch, their families on a street share information with one another to prevent criminal activity. And in a similar manner, there's a need for collaboration between organizations in private sector and between private and public sector to strengthen cyber defenses and enhance resilience.


Jay Hira:
And in order to foster this knowledge early, in my view, collaboration needs to be almost incentivized. This could come in the form of tax incentives in exchange for sharing threat intelligence within the industry, or it could be incentivizing investment in cyber security measures, in cyber security transformation to uplift the capabilities.


Jay Hira:
With the point that Shinesa raised around how this increased digitization and convergence of IT and OT, there are opportunities for motivated threat actors more than ever before, and because of a large pool of businesses now being digital first, they're susceptible to a potential cyber attack. As a result of a combination of these two, the last digital first movement and the convergence of IT and OT, it leads to opportunities for threat actors to try different strategies, reuse successful ones, and move laterally, causing significant disruption to operations beyond the boundaries of IP. These damaging success and innovation in the way that adversities have evolved can be attributed to global collaboration. And the sooner we see collaboration within the private sector and between public and private sector, the sooner can we build capabilities to sustain and to be resilient against these adversities.


Shinesa Cambric:
If I could just jump in really quickly, so even beyond those industries, having collaboration as countries I think is going to be really important. That is, I think, a really big role that our regulators and policy makers can play. And building those relationships with other countries to make sure that we do have that knowledge sharing. I know from a government perspective, there's some level of knowledge sharing, but thinking about industries that are here in the U.S., industries that may be in Europe, for example, how do we make sure that they collaborate with one another?


Jay Hira:
How she just raised a really thought provoking question in terms of viewing this collaboration beyond the boundaries of a nation and beyond even the scope of regulators and policy makers. Because when you look at this collaboration across different nations, it's beyond the scope of a government to control it. I also really liked the point around how we need a, almost a holistic end to end approach to protecting these integrated ecosystems that aren't limited by borders of any sorts.


Kacy Zurkus:
These are all really good points. I'm wondering if you could help our listeners understand how all of this ties in with zero trust adoption, and even more to the point, to connect that to regulators. Do they play a role in zero trust adoption? And if so, what is that role? Jay, let's start with you.


Jay Hira:
Like Shinesa mentioned, Present Biden's executive order last year on improving cybersecurity capabilities through the adoption of zero trust architecture in itself serves as an example of the need for a top-down approach to deter, detect and respond to these persistent and increasingly targeted attacks against critical infrastructure. We've definitely seen reforms to the security of critical infrastructure in Australia, but we are yet to see the push for the adoption of the zero trust architecture through these reforms.


Jay Hira:
My view is similar to how collaboration needs to be incentivized by regulators and higher ups, beyond the regulators, by policy makers and governments. Similarly, we need to incentivize adoption of zero trust principles when it comes to systems of national significance or those that are identified as critical infrastructure components. Without that incentive of baking in the zero trust principles, there's very limited availability of resources or priorities or budgets to then deal with the changing adversary landscape.


Shinesa Cambric:
My take on that is that I would really like to see regulators and policy makers help companies understand that not adopting zero trust is a risk based decision and how did they calculate that risk for their own environments? And then helping them to understand where is their accountability, if their environment is compromised and they chose to not address particular risks within their corporate environment? Or even with small and medium sized businesses, offering resources to help them in those instances of adopting zero trust, because we know zero trust is a journey and it's not a one time fix or solution so how do we help them to maintain that posture after they've originally gone through an assessment and adopted certain behaviors? Especially with the small and medium sized businesses, that's going to be more of a challenge than it would be for corporate environments that are already being held accountable to certain standards when it comes to SEC disclosures and SOCs audits and things like that.


Shinesa Cambric:
But really, I think those small and medium sized businesses, where they may think that attackers don't want to attack their environments, "I'm too small. What do I have to offer?" But I really, going back to, they may be coming through you to go to some other environment. I believe from a U.S. standpoint, we stand on the backs of small businesses, which also means that we need to shore up their security posture.


Jay Hira:
That's a great point, Shinesa, around how zero trust almost needs to be viewed as a risk management tool. And for small and medium businesses, it's not about the journey to attain zero trust. It's more about how do you really shift the dial from the unreserved trust that you have in your users, in your environment then, and slowly, and in a staggered manner, move more towards zero trust and operate within your risk appetite? Because obviously if you're operating within your risk appetite, how are you going to be able to justify any investment in cyber transformation? It makes more sense to then view zero trust as just a vehicle that helps you and your business to manage risk.


Shinesa Cambric:
Totally agree.


Kacy Zurkus:
I think to your point, Shinesa, what's important for businesses to be thinking about is that when things are regulated, there is a cost impact on businesses, right? It's really important that organizations of all sizes are thinking forward about zero trust adoption and doing these risk based decisions to understand the impact, should regulations be coming down the pike, that they can pivot and respond without an exorbitant cost.


Kacy Zurkus:
I think this has been such a fascinating conversation. We've talked about everything from small businesses to international collaboration and we've covered a lot of ground. Jay and Shinesa, thank you so much for joining us today. It'll definitely be an interesting process to watch as businesses have gone through digital transformation and are continuing on that journey and now coinciding with that, the zero trust journey. As all of this unfolds and becomes more standardized, it's going to be really fascinating to watch.


Kacy Zurkus:
Thank you again for joining us, listeners. Thanks for tuning in. To find products and solutions related to policy and law, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cyber security vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels, using the hashtag RSAC and be sure to visit rsaconference.com for new content posted year round. Thanks so much.

 


Participants
Shinesa Cambric

Principal Product Manager, Microsoft

Jay Hira

Cyber Security Strategy and Transformation Director,

Law Policy & Government

governance risk & compliance government regulations innovation law legislation policy management practitioner perspectives standards & frameworks technology sovereignty


Share With Your Community