Raoul Hira: Zero Trust is not a strategic option, but a critical necessity
The main trend in cybersecurity in 2024 is zero trust. According to FedTech research, this fundamental concept of “always verify” is the most dynamically developing one as systems become more complex and security is integrated into business strategies. The method assumes that there is no perimeter within which network activity can be considered safe, because the threat landscape is constantly evolving. Attention must extend beyond the corporate network to the ecosystem of remote workers, partner organizations, and devices. Digital transformation of enterprises includes the move to cloud architecture, the introduction of remote work, the use of personal devices in the workplace, and the expanded use of cloud solutions delivered as services. Traditional cybersecurity measures such as system scaling, network segmentation, and multi-factor authentication, applied in isolation, do not solve the problem effectively. In contrast, zero trust assumes that no transaction, entity, or identity is trusted until proven otherwise, and that this trust must be continuously re-verified. This replaces the well-established notion that a network is trusted until a compromise is discovered.
We asked Raoul Hira, CISSP, an expert in cybersecurity with 20 years of experience in finance, energy, pharmaceuticals, life sciences, retail, and government, to comment on the effectiveness of the zero trust principle in practical application. Raoul has held technical and managerial positions responsible for developing cyber risk assessment methodologies, secure architecture, and cyber transformations. He has worked in over 15 countries as a cybersecurity consultant. His employers include Tech Mahindra, PricewaterhouseCoopers (PwC), and Vistra Corp.
- You are one of the creators of the first university course on cybersecurity in India and have worked in more than 15 countries as a cybersecurity and cyber strategy consultant. Based on your practical experience, what measures in this area are most effective today?
First of all, I would highlight the principles of zero trust. They help ensure deep protection while reducing risks associated, for example, with remote work. Digital landscapes are evolving, the workforce is dispersed for objective reasons, and therefore the need for the most reliable cybersecurity frameworks is increasing. Twenty years of work around the world allow me to assert that zero trust is no longer just a preventive measure; it is a critical necessity.
- Why has this critical necessity arisen?
In particular, due to the widespread transition to remote work. This has introduced vulnerabilities that were not previously common in controlled office environments. In remote work environments, strict security measures are traditionally almost non-existent, making them a prime target for fraudsters.
- How does zero trust minimize these risks?
Through several methods. First, strict authentication is introduced for secure remote access. In my practice, this helped in a critical situation when an employee in a technology organization tried to gain access from a compromised network. Second, regular device assessments for compliance with security standards before accessing the network are important. One such timely scheduled check neutralized an attempt by a malware-infected device to infiltrate critical infrastructure. Third, segmented access control is necessary, where employees receive access only based on specific needs, minimizing threats even within the local internal network. This helped us assist a client in a situation of a major data leak due to overly privileged access.
- You have developed a special framework for improving cyber hygiene and analyzing cyber maturity. What is meant by the latter?
Cyber maturity is the readiness of an organization to effectively manage cybersecurity and reduce its risks. Zero trust, in particular, contributes to increasing cyber maturity by employing strict access control mechanisms and continuous verification.
- How is this achieved?
For example, by minimizing the attack surface. If strict access control is introduced for authenticated and authorized users and devices, zero trust significantly reduces vulnerabilities. In my experience, we transitioned a client from a network prone to breaches to a zero trust architecture. As a result, security incidents decreased by more than 80 percent. Another parameter is improving visibility, where every action in the network is logged and monitored. The effectiveness of this measure was evident in the case of our client, a retail giant – an attempt to leak data from an innocuous-looking source was swiftly detected and neutralized.
- Your accomplishments include developing internal processes and guidelines for cybersecurity assessments that are used by many clients in North America and Europe. What specific challenges have you faced?
A few years ago, I led a team of 20 people responsible for the security of the main customer portal of one of the largest telecommunications providers in the United States. We had to identify critical security issues before the application went live. And none of the publicly disclosed cyber issues affected the applications we were responsible for.
- You have also helped many Fortune 500 organizations improve their cybersecurity levels and minimize the likelihood of attacks and data leaks. Has this experience allowed you to form a universal scheme of preventive measures?
Yes, I advocate for the implementation of deeply layered protection with zero trust. This strategy includes several levels of security control in addition to traditional perimeter protection. The first level is identity verification, requiring strict authentication for each access request, especially from remote workers. The second level is managing the security status of devices accessing the network. The third level is segmentation, limiting lateral movement within the network. The fourth is data protection through encryption and tokenization.
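The layers described in this answer and in the earlier one on minimizing risk (strict authentication for every request, device posture checks before access, segmented least-privilege access, and logging of every decision for visibility) can be made concrete as a small policy decision point. The Python below is an added example by the editor, not code from the interview, from Raoul Hira, or from any organization named on this page; the policy table, users, devices, resources, and the 24-hour posture re-check interval are constructed assumptions. Note that the source network is recorded for the audit trail but never used to grant access, which is the point that distinguishes this from perimeter-based trust.

```python
"""Minimal zero-trust policy decision point (added illustration, not the
interview's or any product's code). Each request is checked on identity
(authenticated + MFA), device posture (managed, compliant, recently checked)
and segment-level least privilege (explicit allow per resource). Source
network is logged only. Policy, users, devices and resources are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool
    mfa_passed: bool
    roles: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    posture_compliant: bool
    last_posture_check: datetime


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    resource: str
    action: str
    source_network: str  # recorded for visibility; confers no trust


# Constructed segment policy: resource -> (role, action) pairs explicitly allowed.
# Anything not listed is denied (default deny = least privilege).
POLICY = {
    "ehr-api": {("clinician", "read"), ("clinician", "write")},
    "hr-db": {("hr", "read"), ("hr", "write")},
    "billing": {("finance", "read")},
}
POSTURE_MAX_AGE = timedelta(hours=24)  # assumed posture re-check interval


class PolicyDecisionPoint:
    def __init__(self, policy, clock):
        self.policy = policy
        self.clock = clock      # callable returning an aware datetime
        self.audit_log = []     # every decision, allowed or denied, is logged

    def evaluate(self, req):
        reasons = []
        # Layer 1: identity. Strict authentication on every request.
        if not req.identity.authenticated:
            reasons.append("identity: not authenticated")
        if not req.identity.mfa_passed:
            reasons.append("identity: MFA not satisfied")
        # Layer 2: device posture. Unmanaged, non-compliant or stale devices fail.
        if not req.device.managed:
            reasons.append("device: unmanaged")
        if not req.device.posture_compliant:
            reasons.append("device: posture non-compliant")
        if self.clock() - req.device.last_posture_check > POSTURE_MAX_AGE:
            reasons.append("device: posture check stale")
        # Layer 3: segmentation. Only an explicit (role, action) grant allows access.
        allowed = self.policy.get(req.resource, set())
        if not any((role, req.action) in allowed for role in req.identity.roles):
            reasons.append(f"segment: no role grants {req.action} on {req.resource}")
        decision = "ALLOW" if not reasons else "DENY"
        self.audit_log.append({
            "user": req.identity.user, "device": req.device.device_id,
            "resource": req.resource, "action": req.action,
            "source_network": req.source_network,
            "decision": decision, "reasons": tuple(reasons),
        })
        return decision, reasons


def run_demo():
    """Evaluate constructed sample requests; returns (pdp, list of (label, decision, reasons))."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    pdp = PolicyDecisionPoint(POLICY, clock=lambda: now)
    clinician = Identity("dr.lee", True, True, frozenset({"clinician"}))
    hr_no_mfa = Identity("pat.hr", True, False, frozenset({"hr"}))
    hr_ok = Identity("pat.hr", True, True, frozenset({"hr"}))
    laptop = Device("lt-0042", True, True, now - timedelta(hours=2))
    old_laptop = Device("lt-0007", True, True, now - timedelta(days=3))
    requests = [
        ("clinician reads EHR from office LAN",
         AccessRequest(clinician, laptop, "ehr-api", "read", "office-lan")),
        ("same clinician and device, from home wifi",
         AccessRequest(clinician, laptop, "ehr-api", "read", "home-wifi")),
        ("clinician reaches into HR database",
         AccessRequest(clinician, laptop, "hr-db", "read", "office-lan")),
        ("HR user on office LAN without MFA",
         AccessRequest(hr_no_mfa, laptop, "hr-db", "read", "office-lan")),
        ("HR user with MFA but stale device posture",
         AccessRequest(hr_ok, old_laptop, "hr-db", "write", "vpn")),
    ]
    return pdp, [(label, *pdp.evaluate(r)) for label, r in requests]


if __name__ == "__main__":
    _, decisions = run_demo()
    for label, decision, reasons in decisions:
        print(f"{decision:5} {label}" + (f"  [{'; '.join(reasons)}]" if reasons else ""))
```

Running the demo shows the two requests from the clinician's compliant laptop allowed whether they originate from the office LAN or home wifi, while the office-LAN request without MFA is denied: location neither adds nor removes trust. The denial reasons are kept as data rather than free text so the audit log can feed the kind of monitoring described later in the interview.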
- It is known that you once led a comprehensive two-year cybersecurity transformation project at a children’s hospital after a major cybersecurity incident that brought major systems to a halt and in which private medical data was lost. Could you tell us more about how you managed to address the problem?
In the healthcare sector, there are generally more data breaches than in any other. In this case, it was a regional hospital with 400 beds and several local clinics that faced growing cyber threats. This happened due to the massive use of remote access and a network distributed across several buildings, and outdated, vulnerable operational technologies of medical devices also played a role. The hospital management adequately assessed the problem and approached me to strengthen cybersecurity. I proposed a zero-trust approach. First, we thoroughly assessed the existing infrastructure and implemented strict identity and access management protocols. Thus, only authenticated and authorized users now had access to confidential data and critical systems. Then, we checked every device connecting to the network, deployed antivirus software and encryption, and implemented compensating controls for medical device operational technologies that could not be updated due to constant use and patient impact. We segmented the hospital network, isolating critical systems and sensitive data from less secure parts. And, of course, we continuously monitored and logged network activity, which allowed us to immediately detect and respond to any suspicious actions. In the process, we eliminated more than 2 million critical vulnerabilities. The situation was resolved in the best possible way, and the trust of patients and staff not only remained but also increased.
- Can we say that modern advancements like cloud services and remote work initially carry real and potential threats?
Yes. They need to be implemented gradually and applied constantly. Cybersecurity is no longer defined by the boundary or segments of the corporate network, and trust is not granted by default to any connection and is not based on physical or network location. However, with the principles of zero trust, you can not only protect against current cyber threats, for example by stopping ransomware from spreading, limiting lateral movement, and making it more difficult for advanced persistent threats (APTs) to gain and maintain access, but also adapt to future challenges, including zero-day vulnerabilities.