Interview: Why Zero Trust Is The Most Effective Approach To Cybersecurity

Paul Martini is the CEO, co-founder, and co-chair of leading Zero Trust cloud security provider, iboss. With nearly 20 years’ experience in his role, Martini holds over 230 patents in cloud cybersecurity and is a specialist in the realm of Zero Trust, a cybersecurity architecture designed to prevent data loss by ensuring that they’re kept private to all but authenticated, legitimate entities.

As well as his role at iboss, Martini has been recognized for his leadership, innovation and entrepreneurship by both Ernst & Young and Goldman Sachs. He has been published in a range of scientific journals, and is a respected thought leader in the cyber space.

At RSAC 2022, we spoke to Martini to discuss the importance of Zero Trust in tackling today’s sophisticated cyberthreats, the Biden Administration’s recent recommendations that federal agencies implement Zero Trust technologies and principles, and the steps that organizations can take to meet those guidelines.   

Can you please give us an introduction to iboss, your key use cases, and what sets you apart from your competitors in the cloud security space?

Yeah, absolutely. So, we deal with both connectivity and security. Post-COVID, every company is at least hybrid, or fully remote. Some users may be going back into the office, but being able to control where each person is, is going to be very difficult as we move forward.

We basically take the concept that users need access to applications and data but, instead of doing this by forcing them through an office or through VPNs and things of that nature, they connect to a cloud security service that understands who they are, and then provides connections to just the applications that they need, without ever connecting them to the office or the network directly, while providing all of the security functions like CASB, malware defense, and data loss prevention. So, you’re basically consolidating your VPN budget, your proxy budget, and the next gen security features of firewalls—that are only really protecting offices anyways—and moving that to a SaaS-based solution that enables users to connect from anywhere, as well as get security at all times from wherever they work.

What makes us different is that our Zero Trust Secure Service Edge is a unified service, meaning that no matter where the application sits—it could be in an office, it could be in Azure, the cloud, or a public SaaS app—we apply the same security as well as the same capabilities for connectivity, understanding who the user is and connecting that user to that application.

Whereas our competitors separate the concept of what they call “private access” and “internet access” into two separate services, depending on where the application sits. So, if the application is in an office, you go through private access with our competitor; if it’s in the public cloud, you go through internet access. But by separating those core functions—those two “service edges”, as they call them—you get different capabilities and features, and different levels of visibility. For example, their private access on prem, in some cases, offers no visibility to the data, no CASB, and no malware defense or DLP, while if you access it on the internet access edge, then you get those capabilities included.

In our case, we extract location of resources and users, and guarantee that all that a network administrator or security admin has to deal with is understanding which groups of users need access to what. We worry about where those resources sit and ensure that CASB, malware defense and data loss prevention are applied at all times, and at scale.

How have you developed the iboss platform to be so scalable, and what are some of the benefits that this scalability provides?

Scalability is critical, it’s like what Netflix is to DVD players. Think of firewalls and proxies and even VPN solutions, being installed somewhere to connect users. The “SaaSification” of that technology, where it’s all about multi-tenancy, where the user connects and the service itself automatically scales and follows the user wherever they are, is actually part of the magic, and it’s all done in software. And we own all that software; we built the software and the cloud backbone as well, so it’s native. We’re not running it in, let’s say, Azure or AWS, like a lot of competitors are.

We believe that the cloud isn’t in one place. If one competitor is running Google Cloud, for example, and you’re going to Microsoft 365, having to traverse through Google to get to Microsoft is only going to have latency, and it’s going to reduce the end user experience. With us, we’re naturally connecting the user through our backbone directly to Azure, Google, AWS, whatever they need, because we natively connect and peer to those resources.

We do over 150 billion transactions a day. Building that type of technology takes time. But scaling it also takes time, because there are so many different use cases for connectivity and security. And we need to make sure that users can connect to any application they need, without interrupting that connection.

In the last year, the Biden Administration has outlined the need for federal agencies to adopt Zero Trust principles as a means of protecting their most sensitive data and assets—and security experts are recommending that businesses in other sectors follow suit. What are some of the benefits associated with implementing a Zero Trust architecture?

First, I think it’s important to understand what Zero Trust is, because there’s so much noise in the market. We believe that we follow the NIST principles for a Zero Trust Architecture, which they defined in their Special Publication 800-207. The way that they see it, and the way we see it, is that Zero Trust is all about resource access; someone or something needing access to a resource—like an application, data or a service—and making the decision on whether to authorize or deny that access, using a lot of external sources like threat feeds, threat intel and user identity.

CISA, the Cybersecurity Infrastructure Security Agency, did a study with the UK and Australian government as other US Federal agencies. They wanted to study all of the ransomware attacks in 2021 and figure out what the root cause was for those breaches. They found there were three initial infection vectors: phishing, vulnerabilities in software that should authenticate you but just let you right through, and credential theft. The root cause of all three of those was unauthorized access. Why did the attacker have access to the resource to begin with?

And when you think about Zero Trust, the crux of the issue is to prevent unauthorized access to data and services, by making access control as granular as possible. Authorized and approved employees should be the only ones able to access the application, and just by default not anyone else.

This model reduces risk substantially because, if you’re an organization and you can solve for the top three initial infection vectors by solving for the ultimate root cause, which is unauthorized access, you can actually reduce risk at every step in the journey.

Gartner recently released a paper on Zero Trust and what’s happening in the market. They believe that by 2025, over 70% of all VPNs will move to Zero Trust. But why is that? Well, today, I usually have to turn on a VPN, which means I have to know that application sits in an office. It’s cumbersome, and it’s slow. In the future, you never turn on a VPN because you don’t know where that application sits. If you want to access something, a zero to a service determines who you are and connects you to that service with the right level of authentication automatically. So, it’s more secure, and it provides a better end user experience.

What steps can businesses take to meet the requirements laid out by the Administration?

To move to Zero Trust, I would start by looking at what you’re doing today for connectivity with the VPNs and move that over to a Zero Trust service because the end users can now use their internet connection at home, which might be 10 times more than what you have in your office without sending the traffic back through a VPN. So, you’re going to reduce your costs for data backhaul, you’ll have a reduced number of VPN connections and phone calls to the help desk with users having issues with slow connections.

We allow you to work faster because users can get to Microsoft 365 and do their work with 10 times the speed, while we maintain the security with the CASB, malware defense and data loss prevention. We do this by eliminating the need to backhaul connections to the office and instead allow users to connect directly to these applications from their home.

If you’re a small business and you’re buying firewalls and proxies that you have to install, nowadays with inflation, those could cost you a minimum of $5,000 and up to $200,000 or more, even for a very basic firewall. By doing this on a per user basis, you’re just paying the per user cost and eliminating the firewall. You don’t need the labor to manage the gear, and you get all of the benefits without worrying about where user sits.

So, I would start with first understanding what your end goal is: connecting users to what they need from wherever they work, while providing security to those connections. And then look for services like iboss that make it easy.

Start with the most critical applications; put those behind the Zero Trust service so no one can access them except your employees, and then move to the moderate and the low impact resources. This allows you to really measure risk reduction, as well as gain best great benefit from connecting users from wherever they work.

How does the iboss platform’s Zero Trust Edge enable organizations to operate in line with the principle of Zero Trust, and what are some of the threats you’re helping organizations to prevent by doing so?

We meet 100% of the requirements of the Zero Trust architecture in that NIST guideline, which actually internationally is aligning with ISO and their requirements. We’re seeing a lot of consolidation in terms of understanding what Zero Trust is about: connectivity and security, combined.

And what I like about it is, you’re solving for some fundamental requirements or critical capabilities. You can’t operate your business if the person can’t connect to an application. So, if you’re solving for that, and then you’re making it secure, you’re naturally getting security on top of that without doing a ton of extra work.

Security involves technology, people and processes. It’s all three. It’s not just technology that can solve your problems, you need the people and processes as well. But if we as a technology platform can organize your people and your processes so that you’re consistent as you implement capabilities, that means you’re also aligning with standard frameworks that are likely going to become regulation laws for compliance, as well as putting you in a better place in terms of security.

What is your final piece of advice to organizations struggling to protect themselves against today’s sophisticated cyberthreats?

The fundamental needs that you need to run a business in this world haven’t changed, but the way you actually deliver on those needs has changed. For example, in the past, you’ve always needed the ability to connect a user to an application, they just happened to be sitting in an office. You’ve always needed to inspect the traffic for malware and for data loss. The issue now is that people are everywhere and applications are everywhere. They are no longer constrained to the office.

But now, SaaS and Zero Trust enable even the smallest organizations, as well as the largest, to basically get technology and capabilities for security that were out of reach before, unless you had an enormous staff, a lot of money, and a place to install and manage the gear. And the best part is that is also works in an environment where you cannot control where the user works and in a world where data is scattered everywhere.

The term “Zero Trust” is used a lot, but you need to cut through the noise. It’s about resource access, and connecting users to what they need, with security baked into that. It’s that simple. And then think about what it is you’re replacing and the consolidation of budget. I don’t think there’s any better way to reduce your costs and provide better security that—on a per user basis—will connect users to what they need, securely. It makes companies more agile and it’s far more cost effective and ultimately provides the best end-user experience while increasing productivity.

Thank you to Paul Martini for taking part in this interview. You can find out more about the iboss Zero Trust Edge via their website.

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions with confidence.