This week we had the pleasure to interview Fred Streefland, Director Cybersecurity (CSO/DPO) EMEA at Hikvision and discuss zero trust, software vulnerabilities and security practices.
Hi Fred, thanks for this interview. Jumping to my first question. What is Zero Trust and how does it differ from other approaches to cybersecurity?
Zero Trust is not a security product, architecture or technology. It’s a strategy or set of principles defining how to approach security. Rooted in the principle of ‘never trust, always verify,’ Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing threat prevention, and simplifying granular user-access control.
In simple words: Zero Trust is a strategy to secure an organization that focuses on the business, it designs security from the inside-out, implements the least-privilege principle and logs/monitors everything. Visibility is key in this approach. Other approaches in cybersecurity focus on securing the network from external attackers rather than also securing the network from internal threats.
Do you see anything new about zero trust recently or new approaches coming down the road shortly? (e.g. such as confidential computing)
Zero Trust itself is not new, but the attention to Zero Trust has been significantly increased lately, which is a positive development. More and more organizations become interested in Zero Trust and several global cybersecurity companies are promoting their Zero Trust solutions.
Besides this, the US National Institute of Standards and Technology (NIST) organization developed a Zero Trust Architecture document (NIST SP 800-27) and even the US Administration promoted Zero Trust with a Presidential Executive Order in 2021.
What are the major obstacles and challenges involved in implementing Zero Trust?
The major obstacles and challenges in implementing Zero Trust can be found in the adoption and acceptance of the Zero Trust approach within an organization. It is extremely important that Zero Trust is fully embraced by the Board of Directors and is communicated throughout the organization. Only 100% support of Zero Trust can make a Zero Trust implementation successful. The challenge is to explain Zero Trust in a simple way to anybody in the organization, so that anybody understands and supports the approach. Another challenge is to gain and maintain full visibility on the complete corporate IT infrastructure, which is especially challenging for large international organizations that might have many legacy applications.
What can businesses do to formulate a Zero Trust strategy?
It is essential that the business supports the Zero Trust strategy because at the end it is the Zero Trust approach that mitigates the risks for the business so that the business can do ‘its business’. Preferably, Zero Trust should be initiated by the business.
Can you give us some examples of use cases?
Although there are several examples out there of companies that have embraced and implemented Zero Trust, I cannot provide the names of these companies. Without providing names, I believe that companies that have implemented Zero Trust do not face many challenges with cybersecurity incidents like ransomware.
The links below provide some examples of organizations that published their use case: