Cybersecurity experts share their experience and views on the Zero Trust model in a debate that concludes that this new approach to cybersecurity is a philosophy that attempts to establish prevention measures.

Companies have undergone many changes lately, especially regarding cybersecurity, a key area in the entire transformation we are experiencing.

The aim is to discuss and debate the current landscape of digital security in companies, especially in these times, with a focus on one of the main trends in the sector: the Zero Trust model. The fact that employees, devices, applications and data no longer have borders makes it more relevant than ever to review cybersecurity strategies.

In this webinar, Mónica Valle, a journalist specializing in IT, is joined by a group of industry experts who share their points of view, discuss the risks that cybersecurity has been facing lately, and define precisely what the already well-known Zero Trust is.

Main risks faced

The situation we are experiencing has accelerated everything. According to Isaac Carreras, Director of Cybersecurity at IaaS365: “I would frame the main security risk as the speed at which the changes caused by this digital transformation are taking place. Some companies may accept these changes through, for example, telecommuting.” And he adds: “The need has also made the adoption of cloud solutions an undeniable fact. But with all this, it is critical to understand the dangers that exist when we start that path towards the cloud, service and deployment models.”

«Manufacturers should offer a minimum of security in the development of their products.»

Are cybersecurity parameters changing?

Mario García, Country Manager of CheckPoint Spain, for his part, believes that “this pandemic has brought about the urgent need to put everyone to telework and companies were not ready”. As a result, security was once again left in the background as all employees had to be set up to work remotely.

He insists that the mindset about who accesses our corporate information must change radically. The current situation has made it easier than ever to attack any user; furthermore, there has been a massive increase in attacks on a personal level.

“Zero Trust is a philosophy that comes to help enormously in how we can approach cybersecurity. You have to protect the information wherever you are, the perimeter is over,” added Isaac Pérez.

Chesco Romero Ciborro, Director of Security at the Extremadura Health Service, argued that “in the current scenario, the idea that everything that remains within the control perimeter is not reliable and what is malicious outside. Now it is very important to take into account the number of devices that connect to the network, so that the exposure surface, and as a consequence, the attack surface has increased exponentially.”

Fundamental principles on which the Zero Trust is based

Gabriel Moline, Security Director of Leroy Merlin Spain, stated: “We are going to be unable to return to the model we had before. This is a reality that will accompany us from now on: we will have at least half of our remote workers. The Zero Trust philosophy is something new but it is a driver to be able to reach the business and be able to transmit the proportionality of security depending on what we want to protect.”

Defined as precisely as possible, the Zero Trust model distinguishes three fundamental pillars: the users, the devices and the accesses that are assigned to the users. The possibility of connecting to any device is a reality that will remain.

“The challenge will be seen in SaaS services, we have new channels for sale, to communicate with new channels of users that two or three months ago we would not think we would need. It has not changed just from where we connect but how we connect, who acts as a gateway to our information,” says Moline.

What challenges do you face from the Public Administration?

“The Zero Trust model does not stop coming to collect what we had before, which is defense in depth. Don’t just think that having a layer of protection is enough and you don’t need anything else. You cannot trust the security of an asset to other layers that protect you,” explains Ignacio Pérez, CISO at Aragonesa de Servicios Telemáticos.

This model has a small intrinsic trap that administrators, when applying it, have to be aware of. “When someone believes that there is no perimeter, I see it as a fallacy. Of course there is a perimeter, only it is not rigid. It is dynamic,” added Ignacio Pérez.

“It is not a matter of confidence levels but of risk levels. Zero Trust is going to reduce exposure.”

Isaac Pérez intervened to detail how important it is to internalize the concept that «the perimeter is not that it does not exist, it is that it is everywhere». And he added: «You have to explain how important it is to encrypt, it is something that should be adopted by default.»

«We have passed the phase of encrypting communications, we are going to pass to the phase of encrypting the data even if they are at rest and we take into account in development that the information must be protected when it is being processed».

Jorge Sanz, Cybersecurity Specialist in the automotive sector, wanted to clarify that the Zero Trust model is not going to be an impediment to the user at all; on the contrary, “it is going to be a much more uniform and more homogeneous way of connecting without forgetting that the user must always be involved so that they understand what they do, how they do it and how I could protect the company.”

“Awareness is very important, but not only to avoid an attack itself, but because it happens to all of us that when they set a standard for us if we do not understand it, it is much more difficult for us to abide by it. If users find a barrier and do not understand why it is there, they will try to jump it. And by jumping it, they are going to open a security hole much bigger than the one we were covering with that barrier,” said Modesto Álvarez, an expert in cybersecurity at SERESCO.

«Security is not a product, it is a process»

“A lot of debate has been generated about everything in the environment, but internally it leads us to reflect on what we could improve. There has been a lot of debate about the end user, but it is our first defense mechanism, it is part of Zero Trust. That’s why we have to convey to the user that what we need in the car. If the security you are seeking to be intrusive, we’re going to make it non-intrusive: we’re going to put authentication factor or try to find clients, but if we explain why we do it and what we mesh into our business infrastructure, there is no reason to cheat,” pointed out Gabriel Moline.

Does Zero Trust mean not trusting the employees?

By way of conclusion, at the close of the panel discussion, José Manuel Rodríguez, CIO of the engineering sector, said that “the Zero Trust model is not about not trusting the employees but about not delegating to them the responsibility for security. In short, the way in which employees work has changed, experiencing a paradigm shift”.

“The first thing to do is to stop and see where we want to go, to see what road we need to travel. In the end you have to think like the attacker: he only looks for a hole to enter. That’s precisely why we cannot forget the vulnerability of the devices,” noted Chesco Romero.

“The focus is on us, we have the responsibility of educating the user”.

Zero Trust brings preventive measures: it attempts to establish measures of prevention in order to avoid certain incidents. The problem with the technology is conceptual: we have the knowledge, but the challenge is to place cybersecurity within the management bodies.