Jordan Avnaim, CISO at Entrust, shares his extensive experience in cybersecurity, emphasizing the importance of Zero Trust frameworks and advanced authentication in today’s digital landscape during a recent interview with SafetyDetectives. Entrust, a leader in digital security, tackles challenges like remote workforce security, AI-related threats, and complex cybersecurity regulations. Jordan highlights the urgency of adapting to post-quantum cryptography and combating sophisticated phishing scams with multi-factor authentication. His insights reveal the critical need for organizations to evolve their cybersecurity strategies to protect against the rapidly changing array of digital threats.
What is your background and your current role as CISO at Entrust?
Over the course of my 20-year career in the security and risk management space, I’ve taken a specific focus in the financial services industries. In my past roles, I was responsible for leading various information security, technology risk and technology audit functions, as well as delivering specialized security and risk consultative services to C-suite executives and clients across the globe.
I am thrilled to join Entrust as Chief Information Security Officer (CISO). As CISO, I am responsible for leading information and cybersecurity across our global organization, spanning more than 2,800 colleagues, a network of global partners, and customers in over 150 countries. I will continue to strengthen the company’s security posture and assist in the delivery of exceptional security solutions to our clients.
What are the flagship services that Entrust provides?
Entrust is a company that is essential to how the world runs. For almost every aspect of digital life, Entrust provides the ability to build trust into it. Entrust secures the future for enterprises, governments, customers, and citizens by protecting identities, payments, and data to keep the world moving safely.
In today’s increasingly digital world, we’re working to provide organizations with the solutions they need to ensure that their digital and physical security keeps their most sensitive data secure. To accomplish this, we offer a wide breadth of solutions that are critical to enabling trust for multi-cloud deployments, mobile identities, hybrid work, machine identity, electronic signatures, encryption and more. These solutions include identity verification, financial issuance and post-quantum cryptography to help organizations in industries such as finance, government and education bolster their security.
This year, we announced new capabilities to help our customers enhance their Zero Trust framework. With advancements in Code Signing as a Service, Data Security with Key Management and Cloud Security Posture Management (CSPM) for Virtual Environments, customers can now extend protections, visibility, and governance over virtual infrastructures, code and application development, and cryptographic key management.
Our recent launch of the Entrust Verified Signing solution allows organizations to integrate identity verification and access management (IAM) with digital signatures to identify and authenticate people on both sides of digital transactions. With this solution, organizations can deploy seamless, secure and trusted electronic signature workflows into existing environments to help support compliance. Verified Signing places identity and security at the core of e-signatures, giving businesses confidence in their security posture by mitigating fraud and increasing operational efficiency. These are just a few of the solutions our clients have access to fit a wide range of their business needs.
What are the top cybersecurity challenges you see organizations facing in the current digital landscape?
As the world becomes increasingly digital, organizations must adapt to a wide range of evolving threats. Some of these key challenges include:
- Enabling (and onboarding) a fully remote workforce securely. Due to remote work, attack vectors have greatly expanded. Frequently, employees are having difficulties with network access issues and leaders cite home internet security and leakage of sensitive company data among their top security challenges.
- Allowing safe experimentation with generative AI while also protecting against its potential threats. We have seen the potential AI has to completely change the way we work and live. That also comes with potential threats. Commonly available AI tools can be utilized to craft more sophisticated phishing attacks, including vishing (voice phishing) and smishing (SMS phishing) scams, and defraud customers/companies by creating/utilizing synthetic identities. With the rapid development of these threats, security teams now have to be more nimble and alert than ever to ensure their organization’s data is protected while also giving room for experimentation when it comes to the development of AI technologies.
- The increase in cybersecurity (and privacy) regulations at a time when security budgets are being continually scrutinized. In recent months, there has been an uptick in government guidance that should help create a blueprint for businesses to navigate rising challenges and security threats. But understanding and complying with the anticipated patchwork of regulations and regional legislation may pose a challenge for businesses, especially those operating across borders. In the U.S. alone, at least five more state privacy laws will go into effect in 2024, including those in Washington, Oregon, Texas, Florida, and Montana. These regulations pose a threat to organizations as cybersecurity budgets are stretched thin. Security teams continue to be asked to do more with increasingly fewer resources.
While these concerns can be intimidating, there are ways to mitigate these threats and adapt to the evolving threat landscape by leveraging strategies such as Zero Trust and advanced authentication to protect organizations.
Can you discuss the concept of “zero trust” security and its relevance in today’s cybersecurity strategies?
While Zero Trust has become a buzzword in the industry, it is now more essential than ever as we continue to see organizations fall victim to costly cyberattacks. These attacks come in a variety of forms. However, it has become increasingly easy for individuals to fall victim to them with the rise in generative AI (genAI). By leveraging genAI, bad actors can make near-perfect imitations of emails, messages and even phone calls, making a Zero Trust strategy a necessity. Between employees, systems and devices, there are an increasingly large number of identities moving through an organization, making it easier for attackers to gain access to the information they want. When organizations develop a Zero Trust framework, they are adopting a new mindset of “never trust, always verify.”
Based on the principle of “never trust, always verify,” there are three key tenets of Zero Trust:
- Verify explicitly: Establish trusted identities through the use of continuous authentication and authorization that includes evaluating context-aware risk signals.
- Least-privilege access: Limit access to only authorized users, machines, and devices, and enforce permissions to limit access based on a user’s role and responsibilities to secure data without hindering productivity.
- Assume breach: With inevitable breaches, it’s critical to minimize the blast radius during a cyberattack through strong encryption and segmentation of users, devices, and networks. Knowing all organizations should expect to experience a data breach at some point or another, they should do everything in their power to limit damage ahead of time and reduce cyber risk.
While Zero Trust maturity may look like a daunting project, organizations are investing in a strategy and framework that will save them money in the long run and ensure that breaches are less disruptive which is essential in today’s threat landscape.
What specific challenges do organizations face when it comes to identity and security in the digital realm?
Remote and hybrid work has had a drastic impact on security protocols for organizations, not only for onboarding new hires but for current employees as well. While onboarding fully remote employees, it’s challenging to validate their identity and ensure you are hiring the person you believe you are hiring. How do we know the person on the other end of the computer, whom we have never met in person, is actually the person performing the job? Regarding current staff, ensuring employees are knowledgeable of best security practices is essential so that they can’t, even by mistake, hand over their credentials to an attacker. On the technology side, organizations should look to identity verification as a service (IDVaaS) to implement remote verification. This process leverages smartphone reading and validation of electronic machine readable travel documents (ePassports or eIDs) and combines them with the ability to remotely access the trusted biometrics for comparison with a live, current facial biometric. By utilizing this technology, organizations can remove the stress associated with the uncertainty of remote hiring and offer the verification needed for a secure transaction.
Remote verification builds up a Zero Trust model, which has become a necessity for businesses. Limited access and continuous identity verification ensure that no employee has any more access than they need at any given moment. Remote work only expands the attack surface bad actors can exploit, so it is the organization’s responsibility to ensure that its Zero Trust strategy is a top priority.
It may not seem like an imminent threat, but organizations also need to start preparing now for the post-quantum era. We are quickly approaching a time when quantum computing can decrypt present-day encryption algorithms, leaving countless organizations vulnerable to attacks. Banks, governments and financial institutions, as well as the personal information of individuals, will all be exposed due to quantum computers breaking the cryptography we universally use for data and IT infrastructure protection. Organizations need to start adopting new cryptographic algorithms now to ensure the safety of their data and networks. Rather than a backburner project, C-suites and boards should prioritize post-quantum preparedness and inventory and categorize data, as well as the cryptographic material that protects that data, to ensure the safety of their information.
In your experience, what are the common misconceptions about cybersecurity that organizations should be aware of?
Of course, software vulnerabilities and misconfigurations remain a prime target for attackers, however end users are the much easier targets. Why would an attacker spend a lot of time looking for an often obscure way into the “castle” when they can be easily invited in by someone on the inside who already has access? We have seen this time and time again as major corporations fall victim to attacks through “simple” phishing scams via email or even a LinkedIn message.
These kinds of phishing scams may seem basic. However, cybercriminals are making them increasingly sophisticated through generative AI to create near-perfect replicas of emails and messages from coworkers. The traditional scams from random emails asking for large sums of money are long gone. Now, employees may receive emails from someone they assume is their boss asking for something as simple as a password. Phishing-resistant multi-factor authentication remains one of the strongest mechanisms to ensure users are not being deceived by attackers into handing over their credentials. Employees need to be up-to-date on the security threats such as phishing so that they not only can identify the threat but also know the proper course of action.