ETSI Security Conference 2023: Exploring Zero Trust Architecture with Dr. Galina Pildush

ETSI’s annual flagship event on Cyber Security, the ETSI Security Conference, took place face-to-face from 16 to 19 October 2023, in ETSI, Sophia Antipolis, France, and gathered more than 200 people. This year the event focused on Security Research and Global Security Standards in action. The event also considered wider aspects such as Attracting the next generation of cybersecurity standardisation professionals and supporting SMEs.

At the ETSI Security Conference 2023, we spoke to Dr. Galina Pildush, a seasoned expert in computer networking and cybersecurity. With over two decades of experience and an impressive background in industry standards contributions, Dr. Pildush provides valuable insights into Zero Trust Architecture (ZTA).

Can you start by providing a brief overview of Zero Trust and how has the concept evolved over the years?
Galina: Well, that’s a loaded question and we can talk about it for quite a long time. But, putting it in perspective, Zero Trust really means you don’t trust anyone or anything. So, when we talk about architecture – architecture is just one of the components of Zero Trust. ZT has several stages here you have to define what exactly you want to protect – define the surface. Then, you develop flows, as in, what should be the flows that you are concerned about within the surface you wish to protect? Then, you arrive at Zero Trust Architecture, ZTA. Then you discover and define what security policies should be – Zero Trust security policies – because you know where exactly to implement them. And then you monitor, maintain, and then recursively go through this again. So, it’s a recursion, a loop, therefore, it never ends.

Seems like a complex process. What are the key challenges you might face?
Galina: The process might be perceived to be complex, but once you begin dissecting and follow these steps very religiously, it becomes simple. A lot of automation would definitely help. As far as challenges are concerned, it’s a change – and change is the most constant in our lives. Be it business, perspective changes, and/or organizational changes, and/or which organization changes would lead to workflow changes and what you require to protect, and so on. So, as you go through this recursively, it becomes automatic. The key is to use automated tools with that.

You mentioned it’s a lot of change. Have you received some pushback because it requires a mentality shift? Are people hesitant to start?
Galina: Interesting question. Some people foresee that Zero Trust is a use case, which it is not. It’s a methodology, it is a strategy and, in my mind, you have to embrace it if you wish to do security, if you wish to call security as to what it should be because you are either following ZT to make it secure – and there is no such thing as 100% security, of course – but at least secure to the best of definition of what that is or there is no security. There is nothing in between, in my opinion.

With the constantly evolving threat landscape, how can ZTA adapt and remain effective over time?
Galina: Very simply. If you follow this methodology that I described, you recursively go through again – what is the surface I am trying to protect, what are the flows – it changed a little here or there – now, should my architecture be changed or adapted? So this process, this circle of love, Zero Trust is endless, it’s a recursion. Therefore, if you follow this process, then it becomes simple. Divide and conquer.

Are there specific industries and sectors where ZTA is particularly well suited, or do you think everybody should adopt it?
Galina: In my opinion, everyone should adopt it. If you are thinking about government, if you are thinking about military, financial institutions – those are the guys that adopt it even by definition. But, in my opinion, it should be not only enterprises, and critical mission infrastructures like utilities, or healthcare but it should also be network operators, mobile network operators specifically. I emphasize that this is because, once you go through ZTA, arrive at the step of, now you have defined the Zero Trust Architecture, the next step is to define what should be the Zero Trust security policies, as there would be disturbances everywhere. Kipling’s six questions should be answered – who, what, where, when, why and how? The idea is to be able to address all these questions. If you look into mobile network operators, some definitions are a bit blurry and that is because of the mobile protocols that are deployed where the actual traffic is hidden, what exactly is being sent. Is it legitimate, or is it not legitimate? How do I define all of that? It’s quite important. And then, of course, crypto is part and parcel of ZT. It is one of the components of ZT. Now, with that, can you just rely on crypto? Of course not because you must validate what you are encrypting. Otherwise, what you end up doing, is ensuring, providing that nobody can break the crypto, everything is sent securely, including malware.

In the context of ZTA, how important is collaboration and sharing among organizations and the cybersecurity community?
Galina: It is critically important. When we are doing information sharing, we must also be cognitive as to what exactly we mean by that information. As we have been doing within the security industry – we have been sharing what the vulnerabilities are and handling that situation. Some things are proprietary, depending on in which organizations these things are implemented. But, methodology, I am referring to NIST document, I am sure you’re aware of SP 800-207^[1]. This document describes exceptionally well. Not only that, but post-quantum world – ZT will apply there as well. It is just going to follow the line, the same problems. The faster the processing power is, the more exciting it gets because penetrations happen faster, and computing is much faster. We are yet to see what is going to happen. Although people are working on quantum-safe computes, with cryptology, there are still a lot of unknowns, a lot of things we will discover as it happens. So, sharing is very important, yes.

As a final takeaway, if you could distil your collective wisdom into one piece of advice regarding the adoption of Zero Trust Architecture, what would it be?
Galina: I would say that Zero Trust is not a luxury. I would say that it must be adopted. In other words, let’s go back – I hate going back – but, let’s go back for a second. Security has been adopted by many organizations a while ago. It’s like an insurance. It is not a matter of if, it is a matter of when. So, I am a strong believer that Zero Trust should be adopted the same way. Either you have it all, or you have no security. That’s one wisdom piece I could give you.

[1] NIST Computer Security Resource Center – SP 800-207, Zero Trust Architecture | CSRC