Exploring Zero Trust Networking in a Multi-Cloud Environment

Mohammad Ossaimee Transcript

Intro - 00: 00:01: Welcome to Beyond the Screen: An IONOS Podcast, where we share insights and tips to help you scale your business's online presence. Hosting genuine conversations with the best in the web and IT industry and exploring how the IONAS brand can help professionals and customers with their hosting and cloud issues. I'm your host, Joe Nash.

Joe- 00: 00:22: Welcome to another episode of Beyond the Screen: An IONOS Podcast. Joining us today is Mohammad Ossaimee, who for 20 years has been working in the IT industry across the Middle East and the USA. From Cairo to Riyadh to Michigan, Mohammad is currently a Senior Cloud Architect at CloudReach. He has a successful record of identifying key solution gaps, business and project impacts, and providing creative solutions to ensure delivery of projects on time and within budget, leading global IT infrastructure deployments. Today, he is here to talk about cloud security and how businesses can adapt to an ever-evolving threat. Welcome, Mohammad. Thank you so much for joining me today. How are you doing?

Mohammad - 00: 00:58: Thank you. Pleasure was mine.

Joe - 00: 01:00: I'm very excited to have you here with us today. You know, we've had a number of really interesting cybersecurity guests, but I think your experience is going to add a real new twist to this really important topic. So to dive in, we always like to ask our guests about their careers and what has brought them to the show and to this place. So can you start by telling us a little bit about your career to date and the kind of roles and responsibilities that you've had?

Mohammad - 00: 01:19: As you mentioned earlier about myself, I've been in the IT field over 25 years, and I worked in different roles, wearing different hats, working with different companies in different countries. I started as a computer engineer once I graduated, assembling PCs, selling those PCs to end users, and then moving to enterprise, building networks, then moving to operating systems, network operating systems, and go to virtual. I started as a computer engineer once I graduated, assembling PCs, selling those PCs to end users, and then moving to enterprise, building networks, and then moving to operating systems, network And the most important thing for them, how to secure their environment for the cloud, because it's out of their control. The other guys from the cloud service providers managing those environments. So the security is a big part of it. Concern. And now we are not talking about how to secure your PC. Now we have to secure your apps, your code, your access, your identity, your data. This is a very big change. And the chances is it will be complicated more and more once it's removed. Now we're moving to the AI and machine language. That's another factor that came to this world, to the World and bring a lot of questions about how can we show this is a real, not fake, how to separate, how to control the access. That's what I do.

Joe - 00: 02:57: Awesome. Perfect. You touched on a number of really important things, the general modal shift from owning your infrastructure to cloud. I think the AI one's really fascinating. I imagine, have you had to deal already with things like people deploying LLM driven apps and having prompt escapes and this kind of thing? Is that a security concern that started to creep into your horizon?

Mohammad - 00: 03:15: I'm not working deeply in the application area in the department. I'm from infrastructure and security, but I play some of those apps. But usually I'm looking from the outside. You have your app as X for me and my job, okay, who should access it? What is the output area that it can work? Which service that can contact with it or contact with? That's what I focus in. I'm built by design and sure to send it back to the customer.

Joe - 00: 03:48: Perfect! So ​you ​touched ​on ​a ​couple ​of ​ways ​that ​the ​technology ​and ​the ​industry ​has ​changed ​throughout ​your ​time ​in ​it. ​What ​do ​you ​think ​are ​the ​key ​shifts ​or ​the ​key ​benchmarks ​that ​realmark ​how ​the ​industry ​has ​changed ​in ​your ​time?

Mohammad - 00: 04:05: That's ​very ​important ​question ​and ​it's ​not ​easy ​to ​answer. ​But ​for ​myself, the ​key ​that ​moving ​the ​companies ​from ​one ​environment ​to ​another ​and ​keep ​developing ​is ​data. Data is the most important thing for user, for developer, and for companies. The days that someone to send you a virus to corrupt your system is over. Now everyone trying. To your data, to capture them, to impersonate yourself for other things, to sell it to other entities. So this is a key factor that companies invest more and more in the IT field, either on their data centers or moving to the cloud or building new ads, they were updating their ads. And those companies have one question, I'll be sure that my data is secure, no one can access it, And we... The only authorized people can see what they should see only, not more. You can see in the United States, we have some governance and compliance we applied, especially for healthcare, which could happen. Now in Europe, they have their own compliance, which is GDPR. No one should access this data outside the region. So more to come, new compliance applied, no complications requesting from us to build new things to adapt with those compliance. And all of them... around one thing, data.

Joe - 00: 05:47: Yeah, really. I mean, I should say it's a complicated question and an interesting answer. Like, you know, I asked you what's changed in technology, but of course you mentioned a piece of legislation there, GDPR, that is still relatively new. So it's not even just the technology that's changing, the legislation and compliance picture is a huge one. We spoke a little bit about your experience and how you bring that to these companies and for the design. So you have just renewed your Microsoft certification in cybersecurity architect expert. I mean, at the time of recording, by the time this comes out, it will not be quite as recent, but it's pretty recent as of now. Firstly, congratulations. And then secondly, what does it take to get that certification and to be a Microsoft certified cybersecurity architect expert?

Mohammad - 00: 06:27: You know, for myself, I figured that I can do this. It's not showing me like an expert. It's just I can discuss this technology with my customer. It should be my customer. I'm capable to do this. That's why companies like Microsoft, Amazon, Google and others keep updating their certs and forcing us to updating our cert annually. That's because new things coming to the technology, new terms, new design, new deployments that I must be aware about all these new client services. And going to update to my certificate. And this is a new technology. It's just something that proves that I'm aware about what's going on as a market.

Joe - 00: 07:19: Interesting. If I were to take the viewpoint of someone who's new to the cybersecurity industry, somebody who's getting their start in their career, you would recommend to them these certifications as a way to signal that they've got the knowledge necessary. Is that correct?

Mohammad - 00: 07:33: Yeah. How to differentiate you among the others? I know many people doesn't have a college degree and that is they are working on Google. Why? They had the knowledge and the technology. Like I said, everyone has a bachelor's degree. Everyone can get a master's degree. All of them are academic. But going out of the real field, you need to talk about something real. Okay, customer has a problem. Your role is to give a solution to solve this problem. So with a master, with a PhD, it will not be enough. Your certs. Can show to the customers that you are capable to give them a solution to solve their problem. What is their problem? I have my data. How can I protect my data? How can I access my data from anywhere? Most of companies now moving from outside to remote. So people work from remote locations, either from your garage or from your bedroom or a rental office. So how can I be sure the access is secure and the guy who's accessing my system is the guy who's working with me, not another person? All of them need certified people who has the knowledge and experience to give the solution and build the right environment for the right customer.

Joe - 00: 09:01: Fascinating. And the important certifications aside, I really like your emphasis on the bachelor's degrees and university degrees that have their place, but fundamentally theoretical, academic, and the practical vocational nature of certifications is showing real world experience is really, really useful. I really loved that point you made there about not just the shift in technology, not the shift in legislation, but the way we work. Like, you know, previously everyone's machines were in a secured office. They knew where it was. The company knew how to handle it. And now they could be anywhere. Has that impacted architecture? Has that impacted how you design systems for your clients?

Mohammad - 00: 09:35: The more the questions, the more... The more to complicate the process in my design. If you go back 10 years, where is somebody who have one data center, some servers, who make it with back-end storage, through fibers and network switches?

Joe- 00: 09:51: Now...

Mohammad - 00: 09:53: Now, you have more. You have a place to put your code. You don't need a complete server or complete laptop or computer to use it to build your code. It's just a code. Publish it on the cloud. Everyone can access it. If you want to sell something, you have websites, different websites that you build a complete website for you and start selling your product. You have a medical record. You can work with different hospitals. You go to the portal. You check for test results. You schedule your appointment. All this data is brought to you. How do you ensure that there is no one else? Can see those data except you. That is a big concern, and this make our design more difficult because we've got many things to consider about, not only the infrastructure, the components, the storage, the networks, the cable, no, we're looking outside. Who can access? From where he can access, he or she? And when he or she can access? Which area you can get? What report you can retrieve? All these problems we must consider in our design. Usually, it's a username and password. Most of the people, I'm on there, to save my username and password in the browser. This is not a good practice. What will happen if your laptop will be stolen? Or lost, someone will find it Crack your password, log into your browser, getting your password, and can do whatever you want. So how can you trace those activities? Sometimes when you just log into your browser from a strange place, we shouldn't be there. There is a product, a software, a monitoring tool to monitor this activity. I block it. Okay, you shouldn't be here. I need to get authorization to allow you to access. All of them added to my design, which will be bigger and bigger and bigger. If I would continue, I will not finish.

Joe- 00: 12:00: Yeah, ever-evolving complexities. I'm very glad to hear you say that saving passwords in the browser is not a good idea because I don't do that. And all my friends think I'm really paranoid for not doing it. So I'm going to say I'm on the right now. I'll be showing them this recording. Throughout our conversation so far, you've mentioned a lot of potential risks that businesses might face with their security set up in various levels. How do businesses start to identify these risks and potential risks in their architecture?

Mohammad - 00: 12:26: We can get an example for the airport. Once they start to do the check-in, the security check-in, when a breach happens, this is the same with the business, with the enterprises, companies. When a breach happens, they look to avoid it next time. This is the problem. It doesn't start with, okay, I want my system to be very secure up to down. Where is the half-up? The problem is they start to invest.

Joe- 00: 12:53: Sure. It's less about identifying potential risks in their current setup and more about mitigating the risks once they happen and working out how that risk is raised and being able to move forward and have that risk corrected. Is that right?

Mohammad - 00: 13:06: Well, you heard about Equifax experience and the breach happened and they installed it. Authorities tell them getting the case and to just get some compensation. I was in company. The experienced people. Why not offshore this unit to other third-party companies? I'll focus my core business. Most of the companies do this because, okay, I spent $1 to get $10. Why should I invest internally without getting anything from it? But once you come to the reality that there is a breach, there is a little loss, something can lose your reputation, your market share, your actual business, and that time, they will change their strategy. Without this, nothing would happen.

Joe- 00: 14:24: It's a sad picture, but I think you're right. I think that's definitely a pattern I've observed. A common piece of, I guess, wisdom that I hear a lot about security breaches is, you know, if a vendor that you use or a company that you use has a security breach, you shouldn't take that as a sign to change off of them immediately and to drop their business because the fact they've had one means that they will remedy it and it's now not a problem. And I guess that is kind of speaking to what you're saying here, right? Would you agree with that statement that you shouldn't initially jump ship?

Mohammad - 00: 14:54: Any problem is a new business opportunity for us. Is a lesson. Okay, we have a problem. Learn the format. How can I avoid it? How it happen? How we can fix it? Yeah.

Joe- 00: 15:08: So to change gears a little bit, we've been talking a lot about the current industry, how it's evolved and how people can avoid risks. One of the phrases that I see a lot nowadays as someone who's outside the cybersecurity field is this phrase, zero trust networking. Can you tell me a little bit about this, what it's about? And for folks who haven't heard that phrase before, what is it?

Mohammad - 00: 15:27: Zero trust networking, in a brief, for non-IT person, I will give you an example. You are working on a company. You have a username and password. You just plug them and you have access to everything. Applying Zero Trust Environment means, yes, you log in. But to access anything, you still need to also request for authentication and authorization. Nothing being inherited by your login. So if you want to log in to your HR, you need another credential or another way to log in, not to use your previous login. So every step needs to be checked to be known that you are who you are. And this is your credential. You need to check that you really have access to this.

Joe- 00: 16:16: Interesting. Okay. So that, I imagine, has various influences on how staff are working with the network, how they're working with the resources. From a technical standpoint, how do you, as a cloud architect, structure a business's network to provide for that facility?

Mohammad - 00: 16:33: There are different tools added to the system to apply the Zero Trust Environment. Okay, we have multiple environments. You have an LSAT (MCQ), which stores your identity access. Plus, you have multi-factor authentication. And multi-factor authentication is based on what you have, who you are, what do you know. So you maybe have a token. So once you log in, I ask you, what number you have in your token? If you give them this number, that means you are the guy who has this access, not others stole this access from the real one. Or you have a biometric, like your fingerprint, your biometric eyes, or just something related to you, whether you're born... When did you marry? What was your pet's name? Something that no one else knows except you. You enter this information with your credential. That means you are the guy who should access it. But you already entered. There is another layer of shit. This guy locked in at this time from this location. Is this a secure location or is it a public location? Like in a cafe or in an airport? So no, I can't block it. This is one of the layers we use in the zero cost. Okay, you're trying to access your email. Everyone has its email on the cloud. That's not a problem, but there is a payroll. There is other business applications that need another layer of security. So I couldn't inherit your access and just jump there. No, we need another layer to apply to be sure that you're still the guy who want to access. And you have the right access here. And what level of access? We have just to watch, to review, or to edit, or to have everything. Maybe you have a permission to delete. This is a big problem. Okay. This is the layers we added to deploy the concept of zero trust.

Joe- 00: 18:40: Okay, amazing. So the next question I had, specifically to zero trust, but I imagine it comes up a lot, is as you were setting up these security precautions with a company, there is a certain level of juggling and advocacy and trying to balance the friction to the workers with the needed precaution. How do you make the need for this and soften the blow of the friction that it will introduce for the workers and make it clear this is something that needs to be put in place and get through any concerns about, oh, I have to log in extra times and that's annoying to me as an employee. How do you manage that balancing act?

Mohammad - 00: 19:16: We can't have everything. You can't have just one button to click and get access to everything. That is not the right way. So I know adding different layers, a firewall, something called data loss provision, ADB, IDs, all of them add a latency. Latency means I'm logging, I'm still waiting a second to second, 10 seconds to access. That's frustrating users. You are taking about one to 10 to 1,000, the latency will increase. But at the end of the day, what is the importance? The security or the fast access? Now you must decide which factor you want to use as a main thing to fix it. So everything, everything comes with a price. So this is a problem. Okay, you have access to everything. As soon as this is your last day, what do you want to do? Yeah.

Joe- 00: 20:12: Yeah.

Mohammad - 00: 20:12: So this is a big concern for big companies. And if you can look for the reports, 80% from data breaches or hadn't come from internal data network, from the internal company network, not from outside. Someone, someone came to his girlfriend or boyfriend and bought some device connected to the network, with the wifi and keep tracking access and capture this packet so they can use it to access it. And someone to impersonate another one calling their ID, the ID, I forgot my password to be reset it. I'm the new guy, CFO guy here and be sure, okay, the username is like this. Okay. Giving them the information he needs. This is the way he can access something. Couldn't access it. So to apply the zero plus it would complicate the process, but you'll be sure data is secure and in safe. Like you go to the hospital every time you wait until the nurse can do you check for your blood. It's just like a general, which take almost 10 minutes. And okay, what should I do every time you check for my temperature? My eye, you have any problem? My eyes. I want to go to the doctor immediately to talk about my case, getting the right prescription and go back to work. Well, following this process can eliminate a lot of things.

Joe- 00: 21:45: That's a great metaphor. I like that a lot. So we've spoken a lot about, you know, the shift to the cloud and everyone's applications are in the cloud and you've got a million different cloud services going on for companies that have multiple cloud providers, or they might be using a SaaS service or a cloud service. So you've got a lot of cloud services that integrates with certain security things and certain ones that don't. Do you have any recommendations for businesses in that situation to make their cloud security consistent or to be able to have uniform guarantees across all their different services?

Mohammad - 00: 22:13: Actually, every cloud service provider has to manage their environment as a public cloud environment. Given to the customer, we know that most of the enterprise customer has more than one public cloud. Some of them has a cost saving, and storage has a fast access to the apps hosted on the cloud, has a strong security. So you can have one management tool to manage all these environment, plus your own premise data centers. It's one pane of glass. That is available to every public cloud. The competition is very high. If one cloud provides a service, the other must have it immediately. Otherwise, they will lose the market. So what do you prefer? What is the right approach? Do you use one public cloud or multiple cloud? There is no right or wrong answer. Because, okay, you're stuck with one cloud. Later on, you pay a lot of money. You want to get out of this public cloud. You will pay a lot of money to retrieve your data. This is a concern. And this is a problem because this is a business at the end of the day. So it's better to have multiple clouds. If there is a failure habit in one of them, you still have access to the others. So you can use one of them as a backup for the other. This is an approach we suggested to our customers. You have one public cloud using for your email, for identity. Another public cloud for your web apps, hosting those apps. And another one as a backup. This is the right approach.

Joe- 00: 23:53: Perfect. Cool. It's great to hear. So on the complete other end of that, for smaller companies who haven't yet got to that level of sophistication, for whom may just be starting their journey into properly budgeting for cybersecurity, what are your tips for them getting started? Like, you know, the small scrappy startup or just otherwise a small business that hasn't invested in this area yet. How should they get started?

Mohammad - 00: 24:17: First, define your goals. What do you actually need? What do you need for your business? And you can pick up one of those services on the cloud and start with. Every small and medium business needs to answer for a payroll or a payday. And you can also use it to sell an application to sell and to buy like coffee shops or just all the hosting apps that you can allow for online. So hosting as the cloud, define which user can access it, who can retrieve it, defining your supply chain, your store. So define your goals. What I want on the cloud. Should I put everything as a cloud? No, you don't need to do this. But start small and you can expand gradually. The beauty of using the cloud that gives you this option to expand as you need. Not like, okay, I pay for two servers, putting in my back end, any store in a room, a very small room to put my servers with my network. And I found that, oh, I need another server. Oh, I need another storage. Order it. It will take up to six months. It takes up to eight weeks. Now, when the cloud is just in a second, you can expand. So start small, define what you need exactly, and go from there.

Joe- 00: 25:43: Okay, that makes a lot of sense. So we've spoken earlier in the show about almost the inevitability of something happening and how companies wait until it happens to invest. Something is going to happen, that's an accepted fact. You should be ready for it. So on that topic, if the worst does happen and you have a security breach in some way, what should companies do about it? What should they think about as they're investigating that breach and making it known to customers?

Mohammad - 00: 26:10: First, you must have a backup plan. What I will do if a breach happens, I should have a backup, data stored in tapes or another public cloud that I can start my business on that, service provider, a different place to run my business, a process you documented and follow it in this case. In the cybersecurity, you learn about business continuity, disaster recovery. Those are two different. Business continuity, what should I do during the failure? Disaster recovery to recover in a different place when a failure happened. So it's two concepts, two different zones. So if a breach happened, I should have this backup plan, plan B, plan C. Without it, no one can help you. Sure. Absolutely.

Joe- 00: 27:07: Yeah, that makes a lot of sense. And you spoke about the risk earlier on of, you know, an incident has happened. What about my market share, et cetera? My perception again is this. And being outside the industry is that a lot of how your clients, your customers take that is down to the public response. You know, how fast do they communicate the breach? How do they communicate their resolution, et cetera? Do you have any tips for that communication part? You know, here's the formal post-mortem, I guess.

Joe - 00: 27:35: Very simple. First, you must have a backup plan. Second, you must test it. Don't wait for a breach. Then you start to check your backup plan. And you should have more than one backup plan. Most customers have one production and another area for a Dr. You must test the failover in any time, like a weekend, whatever. And they check access to the Dr from a bunch of users. So be sure the business will be continuous. Not to just stop. We are missed this. We don't have access to this. We didn't pay for that. You should have a backup. And you test that your backup is working. Not just, I remember 20 years ago, there was a government in the Middle East. It was a big problem. He has a very expensive system that has the data of all people looking for a job. And suddenly, the system stopped working. And we found later, we don't have the right administrator to manage this environment. Second, the last backup they had is six months before this was reliable. Now we need access to our database. Okay, you don't have the right people. You don't have a backup plan. The last backup you have six months ago, you asked three, four companies to jump in and try to start your database server. That's just one lot of work. Your data is lost. That's dark. Nothing we can help you. You should have a plan. It's not a good idea. I have a very expensive server with a big expensive storage and a big expensive network, a core stretches. And later on, I don't have the right people. I don't have a backup process. The last backup is six or one year and I didn't test it yet. So there is no solution.

Joe- 00: 29:37: That makes total sense. Yeah, I can think of a couple of key incidents in the last year with, you know, certain internet SaaS, which eventually turned out to come down to not testing their backups. I think that's really great advice.

Mohammad - 00: 29:47: I was a company in the Middle East. I have a friend there. Suddenly wake up and get a lot of calls. We have a problem. We couldn't access. I was served with a leaf out. This has been affected by ransomware. Ransomware, really simple. It's a virus that attack your setup and encrypt all your data. And the guy will come to you. Pay to me this amount to give you the key to decrypt it. So if you don't have a backup, you will have to pay him the money that he requested, he or she, to decrypt your data and allow your business to continue. So this case is really simple. You don't have a firewall. You don't have a right process for people to access. You don't have a VPN. You try to save money, but at the end of the day, once the ransomware attack you, you lose everything.

Joe- 00: 30:41: Right. That's very concrete advice and actual advice. So as we're getting towards the end of time here, I want to round out with a couple of questions about how you see the industry changing and how folks can get started. So to start with, what innovations do you think are coming up in the short to midterm, let's say over the next five years that you're looking forward to in cloud security?

Mohammad - 00: 31:01: My concern and one also, I consider as innovative for me, the AI. AI will be dominant in the upcoming five years. Maybe the downside for it, people will lose their jobs, especially which is considered to be routine jobs like supply chains, HR, people will just lose the process of filling papers. All of them will be replaced by AI. The concern I have can change the whole world. It can create war because we can fake data. Someone can manipulate with it. This is a big concern. I hope companies not to go for the election to rely completely on AI. They must use the human being. Because with the AI, a small error can change the whole setup and attract you as a right resource to do your business.

Joe- 00: 32:05: That is a common answer to that question we're getting in the moment. I think it's top of everyone's mind. Everyone's thinking about the various effects that the current AI moment will have on our industry and on our jobs. And so, yeah, from a security perspective, that's very interesting to hear. And on the other hand, so we spoke earlier on about certifications and about the value of showing that you're up to date. How do you stay up to date with everything that's happening in security? Do you have any books, websites, podcasts, people that you find really valuable to stay up to date on the latest developments in your industry?

Mohammad - 00: 32:36: That's a very good question. Very hard to answer. First of all, because I work in a certain area, I'm subscribed to vendors that are giving me updates as a cross-podcast for the new services and new technology and new subjects in this IT. Second, look for the materials to read and practice to keep my service up to date. Third, the projects. Customer came to us requesting something new. Now we are talking about data center. How can I protect data center? That's what we talked about 25 years ago. Now, oh, the cost of virtualization, very good. I can utilize more servers on one physical. We need to virtualize our data center. How can we do this virtualization? How to keep the virtual environment secure and expanded? Now we move to the cloud. The cloud is a big project. People go out of the local data center to do the virtualization. Paying for renting, electricity, cooling, now moving everything to the cloud, getting out of this hardware. I focus on my core business and my ads. Third, oh, every country and every continent has a different compliance. How can I be compliant with that? Otherwise, I will lose my market. After that, we get new terms, government cloud, sovereign cloud, data encryption, data masking, data localization, everything coming to, to this market as a request from customer, as a broadcast, as a post in the LinkedIn and other bloggers. You look, you read, you just get for the right resource, you learn. It's not an easy way. It's a very tough way. But this is the process I use day to day.

Joe- 00: 34:24: Yeah, I think it's a great process, especially the trying and finding projects around what you want to keep up to date with. I think that's a great recommendation. Well, thank you so much, Mohammad. This has been super illuminating for me. And I hope for our listeners, thank you for joining us today.

Mohammad - 00: 34:37: Thank you.

Outro - 00: 34:39: Beyond the Screen: An IONOS podcast. To find out more about IONOS and how we're the go-to source for cutting edge solutions in web development, visit ionis.com and then make sure to search for IONOS in Apple Podcasts, Spotify, and Google Podcasts or anywhere else podcasts are found. Don't forget to click subscribe so you don't miss any future episodes. On behalf of the team here at IONOS, thanks for listening.