Chief zero trust officer

(Source – Shutterstock)

Will 2023 see the death of passwords and rise of the Chief Zero Trust officer?

The last month of 2022 will always see tech companies offering predictions on their expectations for the industry in the new year. Oftentimes, most of these predictions tend to be on point, especially when it comes to issues regarding cybersecurity.

For most tech companies, the two main areas for 2023 predictions are focused on cloud adoption and cybersecurity. True enough, both these verticals continue to see heavy innovations every year, especially with more businesses embracing the cloud and cybersecurity issues becoming more rampant.

Interestingly, for John Engates, Field CTO at Cloudflare, there are four main areas in his 2023 predictions. Engates believes these four predictions would pretty much set the tone for organizations going forward, especially as they look to embrace more technology. This includes new takes on passwords, the cloud and even the establishment of a chief zero trust officer.

The rise of the Chief Zero Trust officer

In ‘The Journey to Zero Trust’ survey commissioned by Cloudflare, markets like Malaysia and Australia were found to have at least a 75% adoption of Zero Trust. When governments and organizations need to move quickly and cut across organizational boundaries, they often appoint a czar to take charge of a particular program and see it through to implementation or execution.

“As pressure to implement zero trust intensifies, I predict that a role analogous to a Chief Zero Trust Officer will emerge within some large organizations. This person will be the zero trust czar for the enterprise and will be the individual responsible for driving a company on its zero trust journey. Their job will be to bring together siloed organizations and vendors and ensure that all teams and departments are aligned and working toward the same goal.

If resistance is encountered, the zero trust czar should have the backing of senior leadership (CIO, CISO, CEO, Board of Directors) to make decisions quickly and cut across organizational boundaries to keep the process moving ahead. Whether the very bold title of Chief Zero Trust Officer becomes reality or not, an empowered individual with a clear mandate and a singular focus may just be the key to getting zero trust across the finish line in 2023,” explained Engates.

2023 sees the death of “The Password”

Phishing attacks continue to be a significant problem for companies around the world. Even with regular security awareness training, users will eventually click the wrong link and fall victim to an attack. And unfortunately, most cyber attacks begin with a phishing email.

Engates highlighted that Cloudflare itself was attacked this year by a sophisticated, targeted SMS-based phishing attack. A total of 76 Cloudflare employees received the phishing link in text messages on their phones. Three employees fell for the attack and clicked the link and entered their credentials.

“But unphishable, multi-factor authentication in the form of FIDO2-compliant security keys in conjunction with zero trust access prevented the attacker from breaching our systems. Other companies that used less secure time-based one-time passwords (TOTP) weren’t as lucky, and many were breached by the same attackers,” said Engates.

For Engates, username and password authentication even when combined with common forms of multi-factor authentication is just not enough anymore. Enterprises can enable stronger FIDO2-compliant security keys along with zero trust access today if they’re using a system like Cloudflare’s to make it much tougher on attackers.

“But the best way to protect most users and their credentials may be to remove the burden on the end-user altogether. The FIDO alliance envisions passwordless sign-in everywhere. Logins will use your face or fingerprint instead of the old username-password combo. A FIDO sign-in credential sometimes called a “passkey”, will make it easier on users and harder on the attackers. If there’s no password to steal, hackers won’t be able to harvest credentials to carry out their attacks. We predict many websites and applications will adopt passwordless login using the FIDO Alliance passkey standard beginning in 2023,” added Engates.

(Source – Shutterstock)

The cloud takes on compliance

With governments around the world rolling out new privacy regulations, companies must now understand and comply with this patchwork of regulations as they do business globally. As such, how can organizations hope to stay current and build compliance into their applications and IT systems?

“We believe the majority of cloud services will soon come with compliance features built in. The cloud itself should take the compliance burden off companies. Developers shouldn’t be required to know exactly how and where their data can be legally stored or processed. The burden of compliance should largely be handled by the cloud services and tools developers are building with. Networking services should route traffic efficiently and securely while complying with all data sovereignty laws. Storage services should inherently comply with data residency regulations. And processing should adhere to relevant data localization standards,” stated Engates.

Remote browsers resolve device complaints

Security policies, privacy laws, and regulations require all companies to protect their sensitive data; from where it’s stored and processed, to where it’s consumed in end-user applications. In the past, it was relatively straightforward to fully control end-user devices because they were often issued by and dedicated to company use only. But with the increasing use of personal smartphones and tablets, the bring-your-own-device (BYOD) trend has been picking up steam for several years and was even more readily embraced during the various stages of the global pandemic.

“Looking ahead, we believe that this pendulum of BYOD will swing back toward tighter security and more control by the IT organization. The need to consistently enforce security policies and privacy controls will begin to outweigh the sense of urgency and demand for convenience we encountered during the last few years. But because so much of our digital lives live in a web browser, this control may take a different form than in the past. This new form will mean more control for IT administrators AND a better user experience for employees,” Engates said.

Browser Isolation is a clever piece of technology that essentially provides security through physical isolation. This technique creates a “gap” between a user’s web browser and the endpoint device thereby protecting the device (and the enterprise network) from exploits and attacks. Remote browser isolation (RBI) takes this a step further by moving the browser to a remote service in the cloud. Cloud-based remote browsing isolates the end-user device from the enterprise’s network while fully enabling IT control and compliance solutions.

“Some say in this remote browsing model that “the browser is the device.” Instead of BYOD, it might be appropriate to call this “BYOB” or Bring Your Own Browser. Most companies are looking to better balance the security and privacy needs of the company with the user experience and convenience for employees. At Cloudflare, we use our remote browser isolation in conjunction with zero trust access to protect our users and devices. It’s completely transparent to users and strikes a perfect balance between security and user experience. We believe remote browser isolation will be embraced broadly as IT leaders become more aware of the benefit and just how well it works,” concluded Engates.