The CSA Summit opened RSAC 2023 yesterday, with hundreds of attendees getting a head start on one of the world’s ultimate gatherings of cybersecurity professionals in San Francisco’s SOMA neighborhood.
The Cloud Security Alliance's one-day event is a time-honored tradition. It featured a morning keynote by Jay Chaudhry, founder and CEO of Zscaler, who served up the latest visionary perspective on zero trust architecture. He invited Boris Beuster, VP/Head of Governance, Risk & Compliance at E.ON, and Fareed Mohammed, CISO at Dow Chemical, to share stories about their organizations' cybersecurity modernization.
E.ON, the largest energy utility in Germany with 70,000 employees and 50 million users, is on a zero trust journey as part of its ambition to become a cloud-native company. According to Beuster, the first phase of the journey centered on securing user access to the Internet and SaaS, whereas the second involved eliminating VPNs. In 2020, once the COVID-19 pandemic sent workers home, the company brought on Zscaler Private Access.
“Thanks to our good collaboration, we managed within a few weeks to ramp up and get 50,000 users on ZPA and enabled them to work from home,” said Beuster.
This year the company is micro-segmenting apps, replacing legacy authentication, and bringing on a CNAPP (cloud-native application protection platform) as part of the move to a total transformation. According to Beuster, the outcomes of this transition include reduced cyber risk and improved user experience. He emphasized that standardization is vital if you want to move to the cloud while reducing your attack surface.
Next, Fareed Mohammed introduced Dow, explaining that the materials science company is going through a major transformation initiative. The 36,000-person enterprise has big innovation ambitions that are underpinned by digital technologies. “We have a rapidly expanding digital footprint, and we’re operating in a very interesting threat landscape,” he said.
Mohammed said the organization is accelerating its journey on the zero trust path, with business drivers supporting remote and hybrid work environments.
“With the internet becoming the new perimeter, having a technology in place to validate identity and device health is fundamentally important for us,” he said. The next steps for Dow include adopting advanced data loss prevention techniques and consistent, centrally managed policies.
The final part of the keynote was a question-and-answer session. The first question was about SSL inspection. CISOs at American companies with a presence in EMEA often struggle with inspecting SSL traffic, but it can be done. Most European Zscaler customers, said Chaudhry, inspect traffic but exclude personal finance, healthcare, and similar categories. At E.ON, a works council has visibility into the inspection activities.
Cultural and mindset change could be the most significant obstacle on the journey, since zero trust challenges how networking and security have been handled for the last 30 years. Company leaders need to set the tone. Mohammed advised, “Taking people along the journey and understanding the outcomes we're trying to drive towards.” He said he is working to extend the company's strong physical safety culture to cyber safety.
On that point, Chaudhry wrapped up the session, noting that networking and security teams, especially the architects, need to work together because network access fundamentally changes with zero trust.
“Don’t think lift and shift; think architectural change,” said Chaudhry.