What are the best practices for integrating encryption with zero-trust architecture? Why are end-to-end encryption, strong authentication, continuous monitoring and regular audits so important? SmartBrief turned to Galaxia Martin, SDI Presence’s Solutions Director, for answers to these questions and to discuss what the future holds for encryption and zero-trust architecture.
How do you see encryption evolving in today’s complex IT environments, especially with the rise of cloud computing and remote work?
Martin: Data protection across diverse environments. I am seeing a lot of data governance discussions on how to control and manage the data more effectively. I’m also seeing:
- End-to-end encryption is a big one for remote work.
- Audit trails are another aspect because there needs to be a clear level of compliance and accountability for regulations.
- Zero-trust architecture is making a comeback. It reinforces the need for strong encryption and key management.
- Quantum-resistant encryption is the most important topic right now because organizations need to find a future-proof solution for their data protection.
What impact is predictive AI having on zero trust? How is it enhancing threat detection?

Martin: Yes, it will allow more improved proactive threat detection. It is already showing fruitful signs of pairing AI in cybersecurity tools. It will also help improve security policies, too. One aspect of this is being able to have automated incident response once a threat is detected and prioritize alerts by predicting the likelihood of the threat actually coming to life.
How do you define zero trust’s core principles? What are the biggest challenges?
Martin: So the concept is never trust, always verify. With that comes a lot of due diligence and work. You start by implementing least privilege access and micro-segmentation. The goal here is that if you were breached, how far can a threat actor truly go? If you isolate access and resources, the paths become increasingly narrow, leaving the ability to have a reduced risk. Also, the ability to have strong user authentication mechanisms is critical and to have the visibility to monitor all activities in the environment. One thing that is often an afterthought is data security; many organizations are thinking about the outer layers of security in an infrastructure but forget about the data. It is the prime jewel for a threat actor, so ensuring you have a process to protect that data is key both at rest and in transit.
The challenges of adoption are sometimes just where to start and how hard the process can become if you don’t have all the right skilled resources. Budgets tend to be an issue at times, as well, because the thought process sometimes is “we haven’t been breached yet, so we must be okay.” Also, the complexity of the activities has to be a road map revisited and improved over a continuous time frame. It is never-ending.
What are the most common obstacles when integrating encryption into a security framework? How can they be mitigated?
Martin: This is really about who is the guard keeper of the keys. Key management challenges are so frequent because we now have various environments that have encryption keys, such as cloud, on-premises and applications. You can buy keys, bring your own keys or share keys. It is complex and I like to compare it to having too many keys on your car keychain and you have no idea what keys belong with what until you organize it. It is similar to that because whoever is handling key management, usually a team, needs to be responsible for rotation, distribution, retirement, etc.
The way to resolve this is to implement a centralized key management system, automate the processes and have clear policies and procedures in place to enforce the management process. Also, an important part of having a process is you have to frequently audit and tune it. You should never create a process and leave it be. It should always be adapted and improved throughout its lifecycle.
How can organizations ensure encryption and zero-trust architecture work together seamlessly to protect sensitive data and systems?
- Integrate encryption into the zero-trust framework – It is easy to have encryption included in the zero-trust framework so it never remains isolated from that.
- End-to-end encryption
- Ensure strong authentication and controls
- Have key management
- Continuous monitoring and improvements
- Conduct regular audits and assessments
- Data classification and risk assessments are a must
- End-user training
- Policy development and enforcement
- Incident response planning
- Leverage automation and AI
Given the advancements in AI and quantum computing, what do you think the future holds for encryption standards?
Martin: So, without sharing too much, I am releasing a book this December about quantum computing and cybersecurity. As a certified ethical hacker and supported by the EC-Council as a mentor for cybersecurity professionals, this topic has been something I have researched for a few years now. It was a theory in the 1980s and had the first practical algorithms in the 1990s for breaking encryption. In 2011, there was a commercial quantum annealer. IBM made quantum computing available on IBM Cloud in 2016, and now Google began breaking barriers with its quantum supremacy in 2019 and it is not slowing down. I talk about the journey of quantum computing in my book and I decided to spend my sleeping time writing a book for the last year and a half because I find this topic very fascinating, almost as exciting as when I read about biomedical research studies, which I indulge in often. I think I learned more about the mRNA vaccine before COVID-19 was even born because I was reading about it a lot years ago for cancer treatments and the advancements it has made. Anyway, one of the major topics in my book is encryption from an ethical hacker’s perspective. Let’s just say it is very alarming that our encryption is in jeopardy, and we are running out of time to find a better way.
How do you see these impacting zero-trust strategies?
Martin: It’s simple: it offers barriers of defense and they are not going to be long-lasting ones. Here is an example: you have a house surrounded by a wildfire and the tools developed to help save your house aren’t helping. Piece by piece your house burns down and you did everything right to try to save your house. I feel like zero trust is just that: they are the right tools now to save from a breach but they are not the right tools when it comes to quantum computing and encryption failures. Breaking encryption keys can be challenging, yet sometimes easy wins when doing an ethical hacking engagement. It all depends on the time allotted and the thought process for cracking the encryption. Now with quantum computing, I would say if I were able to use a quantum computing computer, I have a higher probability of breaking a lot of encryption within seconds compared to months. They say by 2030 it will be available to the vast market and cost-effective, so we have less than five years to figure out a solution.
Galaxia Martin is a seasoned IT and cybersecurity professional with extensive hands-on experience in implementing advanced security measures and infrastructure technologies. As SDI Presence’s Solutions Director, she serves as a subject matter expert in solution design, specializing in the development of complex technical solutions within a comprehensive IT managed services framework. Her expertise ensures the delivery of scalable, secure and high-performing IT solutions tailored to organizational needs.