This week we had the pleasure of interviewing Dr. Wendy Ng, Cloud Security Architect Lead at OneWeb, to discuss zero trust, software vulnerabilities and security practices. Dr. Wendy Ng will be a speaker at our next ‘Zero-Trust Security Approach’ online Summit this week.

Hi Wendy, thanks for this interview. Could you explain what the Zero Trust approach is and how it differs from conventional cybersecurity practices?

Zero Trust, as its name implies, is a concept of not implicitly trusting anyone or anything. In the past, organizations defined a network perimeter, inside of which is deemed ‘secure’. Security controls are concentrated at the perimeter, but once inside, access to assets and resources is relatively unrestricted. With Zero Trust, the ‘perimeter’ is at the asset or resource, access to which will require authentication and authorization.

New technical security implementations on the horizon?

Thus far, technical security implementations have been directed through software. The Meltdown and Spectre family of vulnerabilities highlighted the importance of CPU architecture for security. Implementation at the hardware level will always be more efficient than in software. There is tremendous investment and innovation in chip design, and I expect some of these will involve novel architectures which can address security concerns, especially in the cloud computing era.

For further reading: ‘Attack of the Speculators’

As an example, can you briefly explain what your company OneWeb does, and how it deploys zero trust? 

OneWeb was founded in 2012 and we are the pioneer in using Low Earth Orbit satellites (LEOs) to deliver Internet connectivity to everyone, everywhere. The Internet is a crucial platform for the delivery of information and services. Even for developed nations, access can be patchy; our goal is to change that. We are also a commercial organization, so we don’t shy away from using tried and tested methods, including commoditized support solutions with ‘fine grain’ access control through Zero Trust.

Any suggestions for those starting out – what should they focus on and how should they begin?

If an organization is starting out on their Zero Trust journey, the first and perhaps most important part of their journey is to centralize their identity access management (IAM), followed by multi-factor authentication (MFA). MFA could also be a challenging step culturally, as it would involve behavioral change. However, verification is the foundation of Zero Trust and ensuring corporate assets are only available to those who need them.

As they move forward, what are the major obstacles and challenges to consider?

The main difficulty with Zero Trust is the mindset change. In traditional corporate on-prem networks, assets are often assigned to different zones, for example, the untrusted Internet, the DMZ, and the trusted internal network. This has been established practice, which assumes perimeter security, and is familiar to many professionals in the industry. As is the layered defence concept, which advocates progressively more restrictive access and that the most sensitive assets are protected by additional layers of defence. With Zero Trust, the layered defence model is modified, so that the ‘layers’ include additional controls for verification, for example, the use of multifactor authentication, additional monitoring and metrics.


Dr. Wendy Ng is OneWeb’s Cloud Security Architect Lead and SME. OneWeb is a satellite communications company, leveraging Low Earth Orbit (LEO) satellites for egalitarian broadband connectivity for all. She defined the strategy for Experian’s global DevSecOps transformation initiative. With a background in infrastructure and cloud security, she is a thought leader with over 60 articles. Wendy honed her technical consulting skills through experience in a number of industries, including aerospace, healthcare, financial services, telecommunications, transport logistics, and critical national infrastructure. She started her career as a technical consultant at Cisco, before moving on to PwC and Deloitte. She is a trained medical and data scientist, with practical experience in statistics, machine learning and AI algorithms. Wendy completed her doctoral studies at the University of Oxford in medical genetics and has contributed to the scientific community through peer-reviewed publications.