On todays episode:
I’ll be talking with Evgeniy Kharam, who has decades of experience from being a Cybersecurity Specialist in the Israeli Navy, to working at Check Point Software, to becoming the VP of Cybersecurity Architecture at the Herjavec Group. Evgeniy has also created the Security Architecture Podcast, in which he talks to executives from leading vendors in the security industry and the Cyber Inspiration Podcast, where he explores the minds of CTOs and CEOs, at the time they started their cyber security companies.
We will be discussing the evolution of Zero Trust, from the beginnings of Zero Trust Architecture, to ZTNA, SASE and beyond. We will also discuss how organizations can design an optimal strategy for modernizing their security architecture, taking into account constraints such as budget, staff and the adoption of cloud infrastructure.
Below is the transcript of the podcast and links to some of the references as well.
https://www.security-architecture.org/subscribe-to-podcast
https://cyber-inspiration.captivate.fm/listen
https://www.linkedin.com/in/ekharam/
[00:00:00] Daemon: Today I’m joined with, Evgeniy Kharam, who has long and distinguished career in the cybersecurity industry. Malcolm Gladwell quoted the phrase it takes 10,000 hours of investment in subject to become an expert in it. Evgeniy has over 40,000 hours, so he’s at least four times the expert. He was the VP of cybersecurity architecture for the Herjavec Group and has created multiple podcasts where he talks to the industry’s leading experts and executives.
[00:00:24] Daemon: Evgeniy,. Thank you for joining today. Now what I, I normally do when I have guests on, the podcast is I get them to provide a bit of a background of themselves and how they got to where they are in the industry. So I’ll pass it over to you. If you can give me a bit of a background of, how you got here, it would be much appreciated. Thanks .
[00:00:44] Evgeniy: Thank you. Very, very happy to be here, Daemon. Thank you for the invitation and for the new podcast as well. You mentioned 10,000 hours or 40,000. Someone calculated me and asked, like, Evgeniy, it’s impossible. Like, what do you mean? It should take you 40 years, something like this.
[00:01:01] Evgeniy: And we have this joke in the industry like “dog hours”? When you work for a reseller, for a VAR, for implementation and your doing basically integration work. You don’t really work eight hours a day. You work much more and sometimes you do long, long, nights. It’s quite easy or easier to get to 10,000 hours when you do weekends, nights, and not shift work, but quite a lot of hours helping customers.
[00:01:28] Evgeniy: You asked me how I got into the industry. So I came from a bit of a different, I guess non-traditional background. I didn’t join a company as an IT person and move on to security. I started in security. By doing QA, quality assurance of firewalls. So I was working at Check Point in Israel to basically test Check Point firewalls, and I had the pleasure to test Check Point’s, first UTM feature of a firewall.
[00:02:03] Evgeniy: It was R 57. Then later on we’ll become R-60. And this is one of the first, basically beginning of the idea of layer seven and integration and inspection of protocols. It was Palo Alto later on that called it a “Next Generation Firewall”. So I had a bit of background of IT and networking before, because I spent five years in the Navy where I was doing variety of stuff.
[00:02:28] Evgeniy: But my cybersecurity actually started in Check Point. So when I moved from Check Point from Israel to Canada in 2000, I joined the Herjavec Group as a firewall engineer to implement firewalls. And it was very interesting to start because basically two weeks after I joined the company, I was told here, here’s the customer go upgrade them.
[00:02:50] Evgeniy: Like what do you mean, go upgrade them? Yeah, that’s it. You’re done. Your onboarding is done. Here’s the customer. You know what you’re doing, you’ve been working with, check Point for a number of years. Like, yeah, but it was in the lab. It’s like, okay, so what’s the difference? Create a plan, show the customer the plan. Go execute the plan, but there’s live traffic there.
[00:03:06] Evgeniy: What if the stuff doesn’t work. It’s like, yeah, it’s called a risk. You need to have a good plan. You need to understand how to prepare yourself and then you gonna lower the risk. This was the first time when I actually heard the idea of risk. It took me a number of years to actually understand. That a lot of stuff in cybersecurity is risk involved, or around risk, and we always calculate the risk and understand what we’re trying to do.
[00:03:35] Evgeniy: And if there is no risk; there is probably nothing happening in the company or it isn’t moving anywhere. I spent five years, six years going between customers. Some of them are very, very big customers like Rogers, for example, here in Canada, to operate and design and architect firewalls. And as you probably know, firewalls are the first device people blame if something doesn’t work. It’s a, it’s a firewall. You guys made a change, and in many cases it was true. In many other cases it wasn’t. So it required me to learn how to prepare for work, how to understand what’s involved, what protocols are running through the firewall, what applications running through the firewall, what potentially may stop working after we do the change.
[00:04:22] Evgeniy: And it shaped my mind around design and architectural a lot. This was leading me to manage several teams in professional services in the Herjavec Group network security, endpoint security SIEM, a bit of cloud as well, and later on, I become the VP of architecture to do pre-sales work and design networks and security for big customers..
[00:04:47] Daemon: Thank you. I appreciate the background. One of the main things I want to talk to you about today is Zero Trust. And the, thing that I’ve come across is that zero trust seems to be a catchphrase for all sorts of things. And there’s been a number of developments in the industry in regards to that.
[00:05:05] Daemon: There’s Zero Trust Architecture (ZTA), and there’s zero trust network access (ZNTA). So first I’d like to talk a little bit about zero trust architecture. And I’d like to get your take on what organizations are doing with that. Now, I find that many have not even adopted the model yet.
[00:05:27] Daemon: They’re still using legacy models and they may be planning for modernization or they may not be. They’re just waiting for their old hardware to go end of life. And there’s a bit of a divide on where they are and how they need to get modernize their infrastructure. So what do you think they should do to prioritize their efforts to modernize, and why?
[00:05:56] Evgeniy: So if I may, let’s do a bit of step back and explain a bit like why it’s important for where it’s coming. The idea of zero trust mean that it’s not like, I don’t like Evgeniy or Daemon but I want to provide them access to where they need. So basically in case I have wide access and Evgeniy will find where he needs to access.
[00:06:16] Evgeniy: I’m only gonna give them access to the applications they need. If we go back 10 to 15 years, the majority of a company’s networks (…partially answering the question, but we’ll get there as well). Are flat. So there’s one subnet. Everybody can talk to each other. Oh, this is bad. Let’s divide the network. Let’s do something.
[00:06:37] Evgeniy: We’ll put servers on one network. Phones on different network, users on separate network, servers on separate networks and etc. Or maybe we even divide it, like – this is a marketing network, sales floors and how are we gonna do this? We’re gonna use the layer three switch router, basically to do this. Great. We now have subnetting, but can still Evgeniy go and access all the devices?
[00:07:01] Evgeniy: Yes, because there is no rules. Okay. Let’s put some acls on the route. Potentially it may change. This is kind of what you’re talking about. The Zero Trust journey. Because internally for companies, we’re not talking about cloud yet. We’re talking about the life of people who are in the office. Nobody pretty much worked from home, then.
[00:07:21] Evgeniy: All, all the people who spend time in the office to get access can go anywhere as they want. This was the beginning. So actually in the beginning of my days, the moment the next generation of firewall came in. Where we were able to create rules based on applications and users, and not just ports. We actually moved some customers to get an internal segmentation of the traffic where it says, Evgeniy, you can only access these particular servers and we’ll do it because we know who is Evgeniy.
[00:07:59] Evgeniy: This is the important part. We not just know from which IP Evgeniy is coming. We know who is Evgeniy. So if Evgeniy move different floors and every floor, it is a different subnet. It doesn’t matter. Cause I know who is Evgeniy and I will get access to Evgeniy where he needs. So if Evgeniy is in marketing, he’ll get access to marketing servers.
[00:08:19] Evgeniy: If Evgeniy is a dba, he is able to get to all the DB servers in the company. It requires definitely a couple of things and I’m partially answering several questions here. How you start, how can I provide Evgeniy access to database servers or the marketing servers, I need to know as they exist, the rule of thumb in my mind.
[00:08:45] Evgeniy: Asset management before you start down your trust journey. Actually, in my mind, this is the beginning of any good cybersecurity program. You need to know your assets. To talk about this, CIS talks about this, the center internet security and many other frameworks. So by creating new assets, creating new applications, you now need to, you can figure out and understand where you can access, but the zero trust doesn’t stop there.
[00:09:12] Evgeniy: We’ll talk about the remote part as well a bit later. And what if I need to segment server traffic so I can have micro segmentation that the servers in the server network were not able to talk to every server in the server network. I can create more micro segmentation where the application server will talk to the database, that part of the same application or the same app, but it’ll not talk to a different other servers.
[00:09:46] Evgeniy: It’ll require much more surgical approach cuz I cannot divide every server to a different subnet. But I can use some virtual segmentation using VMware for example. Or I can put [00:10:00] a piece of software, like almost like a mini firewall, software firewall on the server to determine where they can connect. Another one, I don’t wanna like mention vendors and brands that do this, people able to find this.
[00:10:14] Evgeniy: Cause there’s a different approach to the idea of zero trusts internally on the server side and on the user side. When you get out and you basically walk home or you does this answer the question?.
[00:10:28] Daemon: What I’m, thinking about is there’s many different parts , of Zero trust architecture. There’s, you know, the network segmentation, the micros segmentation.
[00:10:35] Daemon: There’s the, , the Im, all those different components. Each one of us has a certain cost that’s associated with them. So as organizations are modernizing, they have to think, where am I gonna put my money? Am I gonna focus on, IAM first? Am I gonna do microseg network seg? Where do you think that organizations , should focus?
[00:10:55] Evgeniy: Because we had a big shift from a hybrid environment and we work from home, and also many companies moved their internal infrastructure to a cloud or even became SaaS. I will first of all, nail the idea of IAM, but by IAM, I mean who’s Evgeniy, and where is he going to have access, It could be single sign on MFA and permission to Evgeniy. I think it’s fundamental to any program.
[00:11:22] Evgeniy: Unfortunately, if we look on the majority of the breaches that happened and hacks, they happen because somebody get access to a user not supposed to get or privileged user. This is almost not related to Zero trust, but it is that, okay, who are you? Who, what kind of access you, again, you have, and if you don’t need access, let’s remove this access.
[00:11:44] Evgeniy: And later on, because again, we moved to SaaS, we moved to. Maybe less on the internal segmentation, but depend on the company and then more on where you can get access, what you call ZTNA, zero trusts, network access, and it’s mainly related to remote access, which really replaced vpn, remote, traditional VPNs.
[00:12:07] Evgeniy: And there is a reason why the ZTNA approach is much better than traditional VPN.
[00:12:14] Daemon: Now for smaller organizations they can’t necessarily afford all the different layers of Zero trust architecture. Like maybe they can only afford an appliance to put on their on-prem environment.
[00:12:26] Daemon: And then that’s all that they have budget for. They can’t afford microseg. They can’t afford anything else. I still strongly recommend 2FA or MFA regardless. But for the organizations that have invested in a UTM appliance; is that still the best sort of strategy in terms of the cost / benefit from a security perspective?
[00:12:50] Evgeniy: You know, as we say, it depends in cybersecurity. If you are on-prem, I definitely think you need to have a UTM type next generation where we wanna call this device SASE. Sse. We have a lot of, a lot of names right now because a lot of your infrastructure is on-prem. Especially if you have devices or manufacturing or IT devices you need to protect it.
[00:13:16] Evgeniy: Doesn’t mean if you put a device OnPrem and you didn’t configure it, it’ll do magic for you. And unfortunately we still see these people buy a next generation firewall with UTM capabilities, but they’re not creating and configuring rules in layer seven . So buying the device by itself doesn’t help.
[00:13:37] Evgeniy: And in a way I don’t really care which device you’re gonna buy. It’s what you’re gonna do with the device is more matter. You can buy a Porsche or BMW and still don’t know how to park, put it in park. You can buy any car, for example, if you don’t know how to use it correctly. So the majority of the lead firewall brands right now provide similar capabilities. Some of them are better in one part or another, but how you configure it, are you gonna do SSL inspection? Are you gonna segment the network on the firewall? It’s up to you, but the moment you have the device, you can do the segmentations.
[00:14:14] Daemon: Now for users that are connecting remotely into the environment, historically, what they would do is they’d use some sort of a VPN to connect in, whether it’s an SSL, VPN or site to site VPN or something else like that.
[00:14:27] Daemon: Or have a device that would be in their home office that would connect them in. But that’s changing now with Zero Trust Network Access. Can you tell me what the difference is between ZTNA and traditional VPNs and why organizations should move to ZTNA?
[00:14:42] Evgeniy: Definitely and if people wants to learn more as part of architectural podcast, we actually have a full season about it.
https://www.security-architecture.org/episodes/s02e1-kickoff#
[00:14:49] Evgeniy: There’s more than 15 vendors we cover in season two to show how they have this approach because there’s a lot of vendors in the space there’s a couple of problems with traditional VPN, remote VPN devices, VPN aggregators and concentrators.. They’re usually, and most of the time exposed to the internet because you need to connect to them.
[00:15:11] Evgeniy: So the traffic flow is from a user to the device, and if there’s a vulnerability on the device, the bad guys will able to find it as well. Number, number of problems we solve with Juniper, Ciscos, and other manufacturers in this space. Because it’s exposed, it means the bad guys can do stuff. Is it already? So this is one of the problem two, when people, for example, moved to work from home, we needed to quickly understand how to scale these devices as well, because they’re not unlimited.
[00:15:45] Evgeniy: There is a physical limitations on this..
[00:15:49] Evgeniy: And it’s quite a problem. Third, traditionally they’re designed to provide you access and the majority of the cases, they just give you access to anywhere you want. [00:16:00] They connect to the environment and you can ping nmap and do whatever you think you want. So they’re not designed to give you access to an application.
[00:16:08] Evgeniy: As we spoke in the beginning, the design give you access to a network. Yes. What many companies did. Let people go in using remote VPN. They will land in the subnet. Then we’re gonna have a next generation firewall behind it and gonna block where you can connect instead of using ZTNA architecture when it give you access to only the things you need.
[00:16:29] Evgeniy: Now, how ZTNA works? You have a device inside your company that open almost like a reverse tunnel back to the cloud, and you as a user not connecting directly to your office, you connect. To the manufacturing cloud and there almost the two lines intersect and you can go back to the office. What does it mean?
[00:16:52] Evgeniy: The bad guys don’t know what device you have? There is no external IP. There is no vulnerability on this device because it doesn’t expose and the bad guy doesn’t even if they scan the environment, they will not find any external piece. So just the architecture part here is already superior on a different level. The other part, I’m creating rules in a cloud to where you can connect and you can only connect those applications back to asset management.
[00:17:21] Evgeniy: Understand the way , you can connect. And because I’m in a cloud, I can create rules to connect to applications on prem and also to applications into the cloud, just SaaS applications as well. So my access become much wider.
[00:17:39] Evgeniy: Majority of them also involve other checks, like posture check. Are you coming from a company device? Now, if you’ll be completely honest, the Junipers, the Cisco, the Fortinet the, the traditional remote VPNs, some of them also included the posture checks as well, but they’re also included in the new architecture.
[00:18:00] Evgeniy: And I think they’re fundamentally important because I can almost connect by design to remove the bad guys. If you are not part of my domain, if you don’t have the EDR I install, you’re not able to connect beside the factors that you gonna have. MFA. There is multiple checks to the extent of who you are.
[00:18:22] Evgeniy: Even I, if I captured Daemon and I took his password username and his MFA, but I don’t have his device, I’m not able to connect. So this is some of the, I think, benefits to do this. Is it perfect. No it’s not perfect because it may say, oh, now I depend on the provider. In the cloud you are dependent provider on the cloud because if they got forbid down, then you’d be down as well.
[00:18:48] Evgeniy: Versus with on-prem vpnn device, you can control the sla. The availability is very, very, There are some other constraints. There’s on the bandwidth part. For example, you’ll need to understand what is the bandwidth you can put through. Do you need multiple devices internally in your network? But now we’re kind of going very, very deep on the architecture and design.
[00:19:10] Evgeniy: If anybody has questions, I’m happy to connect with them later on and explain more, or watch the episodes. There is a lot of explanation about each vendor, how they tackle this particular problem and what they do. They are very, very interesting episodes. And season.
[00:19:25] Daemon: So, and one of the benefits from the user perspective, that I understand is that because you’re not bottlenecked by a single, , VPN concentrator, that you actually get better performance and lower latency to access things that, that may be in the cloud or services on-prem using ZTNA.
[00:19:42] Evgeniy: Yes and no. You are absolutely right. Because you are absolutely right when the company decide that they gonna force all the traffic to go back to the office. So they use an always-on VPN. As some of the vendors call it. Basically, from the moment you start using the device, it’s connected back to the environment.
[00:20:03] Evgeniy: And then yes, if I’m gonna go to Facebook, I’ll have to go back to the office and then out of the office. So first of all, we are also impacting the firewall in the office twice. We have to go in. And also if your firewall or VPN concentrator is located in, I don’t know, California, and we are in Ontario, Canada, we have to go all the way to California and come back.
[00:20:29] Evgeniy: If we’re asking a device here in Toronto, Canada, and if it’s in a cloud, I’m gonna have different pops, different locations. For the ZTNA architecture, I will be able to. To the closest pop here in Toronto or Montreal and get access much, much faster. So you’re absolutely right. Now, if the company didn’t create the policy, that you have to be always-on, then you’re going directly to the website, but then there is no inspection.
[00:20:53] Evgeniy: Yeah. This is where the other part of SASE / SSE you are entering cloud comes in.
[00:21:02] Daemon: Yeah. And that kind of leads into my next question is how does ZTNA fit into the larger SASE landscape?
[00:21:09] Evgeniy: SASE is a term also has been kind of very popular for the last couple of years. It’s a term that came to the Gartner, started in 2019, august 2019, secure Access Service Edge, and it’s basically an architecture framework that incorporated ZTNA, remote access, CASB Cloud Access Security Broker and security app, gateway / firewall service, and SDWAN
[00:21:34] Evgeniy: So we have three components that are security, and we have one component that is network and ZTNA is part of the framework. Later on in 2022 January, they released the first Gatner magic quadrant and they called it SSE Secure Service Edge, and they removed the old magic quadrants for CASB and Secure Web Gateway.
[00:21:56] Evgeniy: There was never a magic quadrant for ZTNA. So basically they almost painted. The way forward for the vendors and say, if you wanna be part of the Gartner Holy Grail Magic Quadrant, you need to have ZTNA, CASB and Secure Web Gateway under one umbrella called SSE. Now, they kind of removed SDWAN doesn’t means they don’t like it, it means SDWAN is more on the network side and everybody else on the security side.
[00:22:27] Evgeniy: So SDWAN is still important for people to connect remote offices. But they’re just a bit different right now. So ZTNA is definitely an important part of SASE and sse, and I think it’s important to add here. Remember how we spoke that if you wanna connect back to the office using ZTNA, and if you wanna go to Facebook, how do you connect to Facebook?
[00:22:50] Evgeniy: Do I go direct? Now if I’m using the secure web gateway, I may have rules. Your filtering rules. It’ll tell you where and how you can connect and what you can download and upload. So it makes very logical sense to have ZTNA and Secure Gateway under one umbrella, under one product. And CASB as well, we don’t want to talk about it.
[00:23:15] Evgeniy: We don’t have enough time to about everything. And the reason why, because if I use Secure Web Gateway with one vendor, ZTNA with the other vendor, they’re both in the cloud. Would I go first? Where is my. For which one? We’re creating extensions right now. There’s a lot of problems here on the architecture side.
[00:23:35] Evgeniy: This why it makes total sense to reason under one umbrella and also add AV malware protection there.
[00:23:44] Daemon: So when organizations are adopting this modern approach and leveraging SASE and ZTNA, what sort of differences should they consider, whether they are fully on prem or hybrid or a hundred percent in the cloud as they go to implement these strategies?
[00:24:03] Evgeniy: By Gartner, SASE. The idea is your SSE, you are actually in the cloud. So you started with the cloud. Does it mean you have to be everything in the cloud? No. It can also have an on-prem. This decision will really depend on your architecture and what you’re trying to achieve and the latency and potentially on your geographical location.
[00:24:26] Evgeniy: Because if you located in Toronto and there’s a POP (point of presence)to go to the cloud in Toronto, then it’s great. If it’s located in Nunavut. Or somewhere very removed. Where there is no POP for this vendor, you need to understand how your latency will be impacted and maybe you want the infrastructure on-prem because of this.
[00:24:46] Evgeniy: So latency and where the closest pop is very important. Also, some companys may have compliance requirements, whereas they need infrastructure on-prem they don’t want the data to be in the US, for example.. They want it to be in Canada or some other compliance requirements where they gonna force them to change their architecture.
[00:25:10] Evgeniy: This is one part that’s definitely, definitely important. The other one is features and what you’re trying to get. A lot of companies jumping on this frame and say, yeah, we’re gonna go with ZTNA and we’re gonna check this vendor, this vendor, this vendor. But they actually never created a success criteria.
[00:25:29] Evgeniy: What do they need for their company? And this is a very important part, not just from one kind of group in the company. Talk to network security, talk to endpoint security, understand what the other groups in the company need before you’re going and procuring and start that solution.
[00:25:48] Daemon: Okay. Well, thank you. It’s been great talking with you today.
[00:25:50] Daemon: Before we we go, is there anything that you would want to say, as a final note?
[00:25:58] Evgeniy: First of all, thank you. I’m happy that we [00:26:00] have many Canadian podcasts here in Canada that started recently. I’m grateful to always talk about architecture zero trust SASE SSE and many other topics cyber related.
[00:26:10] Evgeniy: And if you wanna learn more, please find me on LinkedIn. It’s quite easy to find. I know you’re gonna probably tap there as well and stay safe there and have fun. Okay,
https://www.linkedin.com/in/ekharam/
[00:26:20] Daemon: Great. Thank you very much.
Designing Risk in IT Infrastructure 