Boyle and Ireland Discuss Zero-Trust at CyberTech Global Tel Aviv

The CyberTech Global Tel Aviv conference, which took place March 1-3, drew participation from NTT and NTT Research. A conference side event, titled “NTT, Your Gateway to Japan and the World” and sponsored by NTT Innovation Laboratory Israel (NTT Israel) took place on the afternoon of March 2. A panel on zero-trust strategy at the end of this program included NTT Research Cryptography & Information Security (CIS) Lab Senior Scientist Elette Boyle and NTT Research CIO and CISO Matt Ireland.

Also participating on the zero-trust panel were NTT Israel CTO Moshe Karako, who moderated the session, Counselor to the NTT CISO John Petrie, and former Director General, Israeli National Cyber Directorate (INCD) Yigal Unna. Zero-trust is an approach to cybersecurity that assumes that no user is trusted and that every point of access requires authorization. The strategy has gained currency amidst the rise of mobile and highly distributed networks and access points and the corresponding decline in the effectiveness of perimeter-based defense.

“Zero-trust is a goal. It is our North Star,” said NTT Deputy CISO Petrie. “But it is difficult to get there, especially when you talk about a company like NTT.” By explanation, he referred to NTT’s size and global expanse, which includes more than 900 related companies and approximately 320,000 employees. Petrie said his department reached a major milestone last year with the creation of a 187-page enterprise security architecture plan, which prominently features identity and access management (IAM), one of the “cornerstones” of zero-trust.

With fewer than 100 employees at NTT Research, Matt Ireland, who joined the organization full time a year ago, works on a much smaller scale than Petrie. But he has other challenges. One is wearing both CIO and CISO hats, a dual responsibility that he said sometimes leads to internal arguments. (To boost security, a CISO is often associated with increased costs and slower delivery; results that may be at odds with a CIO’s mandate.) Ireland also has the unique situation of serving a staff of scientists, including a lab of cryptographers, who to say the least, know something about information security.

Ireland said the zero-trust strategy itself requires a thoughtful approach. “Long before the technical challenges of zero-trust, we’ve got to transform the security team away from being the department of ‘no.’” he said. “I tell my peers that we need to be the department of ’k-n-o-w.’” By that he meant knowing such things as where the business risk is and how to gain the trust of business users, which he said comes from first establishing human relationships.

On the academic end of this panel was Dr. Boyle, who is also an associate professor in the Efi Arazi School of Computer Science and director of the Center for Research on Foundations and Applications of Cryptographic Theory (FACT) at Reichman University in Herzliya, Israel. She recently joined NTT Research. As a cryptographer, Boyle has focused on secure computation. She said this field is in-line with the mindset of zero-trust, primarily aiming to answer this basic though seemingly impossible question: “How can you protect data while you’re actually using it.”

“Somewhat surprisingly, there are solutions for this,” Boyle said. “Back in the 1980s, there was a beautiful line of feasibility results that actually show how to do it. Fast forward a few decades, what is the big challenge still out there is to make it so that these solutions are inexpensive enough so people can actually use them.” To that end, Boyle is working on a new approach to secure computation via a lighter-weight version of homomorphic encryption, allowing users to perform computations on secret data, but without the overhead traditionally associated with that approach.

CyberTech Global is part of a “moveable feast,” with upcoming events scheduled for Rome, Miami, Dubai, Indianapolis and Kigali (Rwanda). The series is neither purely academic nor focused only on practitioners, but something of a hybrid, with government stakeholders also engaged. Partnership was a prominent theme during this zero-trust session in Tel Aviv.

“When we talk about today’s global environment, it’s hard, maybe impossible, to differentiate between governments, NGOs (non-governmental organizations) and large corporates,” former INCD Director General Unna said. “Governments are still the regulators. They still call the shots – or try to call the shots – but governments understand…that it’s not about who’s stronger, who gets the upper hand, and who’s the stronger regulator. No, it’s about working together.”