What shape will cybersecurity take in the future? Peter Stoll knows the answers and explains a complex issue in terms we can all understand.
Peter Stoll heads up the department Siemens Next Generation Security Infrastructure Security, working in the field of Cybersecurity. He is also in charge of the Zero Trust program. Alongside his job of making Siemens a little more secure day by day, he has taken up another cause: “I’m the cybersecurity ‘explainer bear’ and want to support all Siemens employees with incorporating this complex matter into their everyday lives.” His special role is named after the “Erklär-Bär,” a comedy character on a weekly German sketch show whose job is to couch convoluted news stories in simple terms. After all, cybersecurity affects us all.
Peter, you head up the Zero Trust program. What exactly is it?
Peter Stoll: Zero Trust means “never trust, always verify.” It’s something we do every day in our personal lives. For example, we verify whether the voice on the phone is actually the friend we wanted to speak to. Zero Trust uses technology to put that into practice. It creates a trust level between you as a person, and a particular device. For instance, when you request access to confidential data, the system checks that you are who you say you are, and whether the device you’re using is “clean” and its software up-to-date. The system verifies these required parameters and brings them together at a decision point. If all the information matches and everything is secure, you’re granted access.
It sounds like a lot of work goes on in the background without me as an end user even being aware of it.
PS: That’s exactly right. A lot of security processes are being executed automatically. And going forward we want to make things even easier for users. The process is a bit like unlocking your door at home. The user has the key in their hand and can unlock the house, i.e. you gain access to internal websites and confidential documentation. But once inside there are other doors that lead to e-mail programs, or to the corporate directory for example. In future, instead of asking the user for the key every time like we do today, it will only happen occasionally. That becomes feasible when the relevant systems can use the specified trust level to learn something new and to identify parallels.
Does that change the security level?
PS: No, absolutely not. Future security will be behavior-driven. People and devices are active on the internet, so it makes no difference whether you’re at home, in a hotel room or at the beach. It’s the decision point that matters, meaning the point where all relevant information is collected and verified. We also feed threat intelligence information into the system to make it extra secure. Suspicious travel is the watchword here, because when someone logs in from, say, Berlin, and five minutes later from Korea, something’s wrong!
Does Zero Trust only apply to people using computers?
PS: Zero Trust will go beyond IT alone. For example, it will apply to trains as well. Let’s say that they send us ongoing information such as maintenance due dates. In the new normal, they need an identity that the Zero Trust program can verify in order to ensure a secure communication channel. The data can then be sent without any issues.
What an exciting project! How does it relate to your second remit at Next Generation Infrastructure Security?
PS: Actually that’s also about identities and public key infrastructure, PKI for short. But not only that – the cloud is high on the agenda too. Plus the term “Next Generation,” which is all about how we can move strictly confidential information to the cloud in the new normal, so during a time when many of us work from home. This is a complex matter; there’s a whole raft of requirements involved. That’s where data encryption via new, complex algorithms plays a major role. In turn, innovative options like artificial intelligence and machine learning can support us to intercept cyberattacks in this new work environment. Additionally, they enable us to decide which digital communication channel is best in the respective situation. More flexibility in our way of working results in the need for even more flexibility and immediate reactions at cybersecurity as well. At the moment the cybersecurity workflow is still very inflexible in many companies: firewalls and specified digital communication channels are two examples.
Your job certainly covers a lot of different topics. Does that present a lot of challenges, too?
PS: Challenges go with the territory. It can be hard to change the way employees think. Everyday security as we know it is going to change drastically, not least because of the coronavirus pandemic. That’s been a major driver because we had to enable tens of thousands of people to work from home at very short notice. We want to make things easier for users by moving away from constantly asking them for their virtual keys. With that, our top priority is to ensure the same security level. So obviously the question is how can we adapt cybersecurity and always be one step ahead of attackers?
Good question. So, what cybersecurity trends are we expecting to see?
PS: Many employees will continue to appreciate the advantages of flexible working, so Siemens Cybersecurity has adjusted to these circumstances. So we’re moving away from static security and toward a dynamic approach. Our attack surface has changed. The office used to be like a well-fortified castle and our attack surface was the castle wall. Now each one of us has to be a mini-castle. We’re all more vulnerable to attacks now because a laptop is constantly open to hacking. That’s forcing us to make our security more autonomous. Another trend is data-centric security, which is where security depends on the data itself – such as confidential documents – and not just on the castle. Product security is also becoming more and more important as a mark of quality and in customers’ selection procedures. This is where Zero Trust can help us. It puts Siemens up with the front-runners in that respect.
Peter, many thanks for such a compelling insight into your work. Finally, I’d like to ask a personal question: What motivates you to work in cybersecurity?
PS: I want to make Siemens a little more secure every day. If I achieve that by the time I go home, I’ve had a good day.