InTechnology Podcast

5G Zero Trust and AI Usages (190)

In this episode of InTechnology, Camille gets into zero trust and AI for 5G with Ken Urquhart, Global Vice President of 5G Strategy at Zscaler. The conversation covers an overview of 5G and how it works, the uses for AI with 5G and 6G, and how zero-trust practices are making 5G networks more secure.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our host Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

Overview of 5G and How It Works

Ken begins by defining 5G as the ability to wirelessly transmit at fiber-optic speeds, with much more complexity under the surface. He explains how the goals of 5G are to reduce how much power is consumed by wireless networks, to get many more devices talking to each other and sharing the network at the same time, and to provide a much more secure network. The era of 5G will better enable things like smart cities and autonomous driving vehicles. And while Ken says there’s nothing stopping companies from setting up their own private 5G networks, the process is more involved compared to setting up Wi-Fi. He adds that setting up your own network is essentially going into the private Telco business and that sharing Telco frequencies is highly regulated by the FCC. When it comes to the next level of 6G and beyond, there are some physical barriers to consider, making it ideal for smaller distances like eliminating wires in a building or creating FEMA emergency communication systems at fiber-optic speeds.

5G and 6G AI Uses

The goal after 5G is to transmit more efficiently with 6G, but that requires getting into sub-terahertz frequencies and better tuning antennas. Ken notes that one way to tune antennas is with software-defined radios, but another faster and more efficient way is with AI. The downside, however, is the hackability of the AI, which can be corrupted by using just the data it’s fed. This is an area Ken stresses should be investigated. Solutions would be to fall back on predefined parameters or to switch up the AI being used. Ultimately, he says this shouldn’t stop the use of AI with 5G networks, but rather it’s just something that we’ll have to get used to and get better at securing.

Zero Trust for 5G Networks

Finally, Ken and Camille get into zero trust in the context of 5G networks. He reminds listeners that zero trust is defined as the ability to operate securely in an environment that you can’t verify is secure. Pointing to the NIST idea of zero trust, Ken outlines the five things that must be protected: the user, the device, the network, the application, and the data. 5G networks are much more secure than 4G, but the network is only one part of the system that needs to be protected. That’s where authentication methods, governance, encrypted data exchange, orchestration and automation, and real-time monitoring come together to create zero-trust practices. Ken says ultimately zero trust was designed to not let attacks happen in the first place.

Ken Urquhart, Global Vice President of 5G Strategy at Zscaler

Ken Urquhart is currently Global Vice President of 5G Strategy at Zscaler, one of the leading cloud security platforms. He is also an Industrial Fellow at the Krach Institute for Tech Diplomacy at Purdue. Ken has more than 40 years of experience in tech, particularly focusing on 5G, cybersecurity, AI, and engineering. His previous roles include 5G Lead & Chief Data Alchemist at Luxoft, Founder and CTO of QBIC, and 13 years of senior leadership at Microsoft. Ken has a Ph.D. in Experimental and Computational Physics from Simon Fraser University, and he has been a Post Doctoral Researcher in Experimental and Computational Physics at The University of Tokyo.

Camille Morhardt  00:30

I’m really excited for this conversation today.  I’m Camille Morhardt, host of InTechnology podcast and I have with me Ken Urquhart from Zscaler. He’s Global VP of 5G and strategy and knows a ton of things about cybersecurity, as well as Telco as well as holds three physics degrees. So welcome, Ken.

Ken Urquhart  00:50

Well, thank you, Camille, good to be here. And thank you for inviting me.

Camille Morhardt  00:54

I just want to pick your brain all about 5G. I want to hit zero trust, because it’s a big buzzword. Although I think people are relatively familiar with what it means. I want to dig a little deeper and understand what that means with respect to protecting Telco networks. I want to know what 5G is. I did a podcast, I think about a year ago with Lee Phillips, where he described 5G and kind of walked through it, but it’s been a while. So I want to know, you know, what’s new, how’s it evolve? What are we thinking kind of moving forward? What kinds of use cases are we seeing? And how do we trust 5G? Or should we trust 5G? So that’s a big mishmash of everything, but maybe we can, you know, start with you giving us kind of an overview of what it is.

Ken Urquhart  01:47

To boil it down, the simple thing is fiber optic speeds transmitted wirelessly. But there’s a whole lot more going on underneath. Typically, when you go from 4G was really about high quality audio streaming, and really high quality pictures. Now that enabled the Spotifys of the world that enabled the AirBnBs of the world, where for the first time, I think you had a Telco generation, disrupting businesses. Because of these what seemed like nice innovations actually drove quite a bit of disruption while generating multibillion dollar new industries. And we’re trying to do this again to go to 5G. But there’s a lot of stuff going on under the hood, too, that are there to make this happen. One is a desire to cut down the amount of power consumed. 4G consumes a lot of power in comparison to 5G.  5G’s target was to try to get the power consumption of devices to run the antennas down by as much as a factor of ten. I’m not sure we’re seeing that, but at least it was to get the power levels down to make sure you could do things like power up a device using a 10-year lithium ion battery, which indeed, we’re now seeing.  Things like vibration sensors, Flow Meters, with a 5G antenna and a 10-year lithium ion battery buried in the ground with new piping with a small antenna sticking up to make sure it’s not clogged or doesn’t have a leak. You know, these things exist today. One of the reasons is that we’re going to have a lot more devices talking to each other.

So there’s this other thing to talk about 5G, which is it wasn’t designed for us. It was designed for things. It was designed for IoT, Internet of Things, for smart cities; it was designed so a lot of different devices moving in real time can coordinate their activity without harming people. So that’s another aspect of it. And as far as security, it was designed to be much more secure than you currently have with 4G and earlier based on what we can do to secure the network. That’s also important.

With 5G, the promise is the network itself is more secure against hacking and snooping. You’re still on your own with your device and the workloads that device may connect to. So there’s a shared security model.

Camille Morhardt  04:14

You’re gonna have to say more about that. So I understand like my device could be hacked, or maybe the database or whatever that I’m connecting to.

Ken Urquhart  04:23

But your communication of your hacked device back to the hacker is very secure.

Camille Morhardt  04:29


Ken Urquhart  04:31

I know, a silly way to look at it. But yeah, that’s what you’re promising.

Camille Morhardt  04:36

But are you saying that networks were a primary attack surface previously and now the network itself will be much harder to penetrate with 5G?

Ken Urquhart  04:45

Exactly. If you go back and look, there were instances where in previous generation Telco networks, hackers could lurk, watch the traffic, see what you were doing, steal your bandwidth, spoofing who you were on a foreign Telco network–they’d say, “Oh, I’m really this person in America, and I’m operating somewhere in Europe. And treat me like I’m that person.” Suffice it to say a lot of efforts were made to make the transmission of your data more secure against snooping, more secure against the network being compromised.

When you’re talking about saying, “Oh, I’m going to put a million devices per square kilometer and I’m going to have smart cities and I’m going to control robots and autonomously guided vehicles where people are around,” you probably don’t want them hackable through the network and then set on something they’re not intended to do. Because that’s another thing with 5G. The desire was to really, really increase the number of devices that could sit on an antenna. With 5G they’re talking about when they’re set up in a square kilometer, you could put a million devices, and also, more importantly, not see a lot of degradation in how much bandwidth you had or the speed of transmission. That’s a big step forward. And then coupling that with lower power, you’re onto something. You enable all the vehicles to talk to each other, you enable people to understand where they are, how they are. With the antennas in 5G, you need more of them, because they typically, the higher speed means you transmit over a shorter distance. So by placing a lot more antennas in an urban area, you can get better triangulation of where you are. So they can also do things like tell where every device is down to centimeters, instead of meters, or, you know, down to inches instead of three feet.

Camille Morhardt  06:43

You know, I can see how that could be important when you’re navigating, again, like autonomous vehicles. What does that do to the amount of frequency that’s floating around us all the time? And what does that mean, kind of from a privacy perspective, if I can now be triangulated down to the exact longitude, latitude where I’m standing in near real time?

Ken Urquhart  07:08

Well, that’s a feature, knowing where you are. We do this every day. How many people navigate with GPS? The whole success of that, of navigation, depends on knowing where you are. When you talk about navigating inside a building, knowing where you are is going to be really important. Finding things, being guided to things. It’s a trade-off that you enable by using the device. Now with privacy rules, depending on the country you’re in, you can say things like, “Don’t track me. Throw that data away.” And there are rules in place that say to Telcos, who are one of the most highly regulated industries on the planet, “okay, we’re gonna throw that data away, because that’s what you as the owner of that SIM want.”

Camille Morhardt  07:54

What do you think about when it comes to 5G because you’ve looked at all of these standards, or are you already just looking at 6G now? Are you done thinking about 5G?

Ken Urquhart  08:03

Well, for one thing, we’ve kind of hit 5G. And just to remind people, 4G LTE is actually kind of between 3G and 4G. So we’ve never quite got to what we would call full 4G. And yet a lot of people benefit from it. 5G, we’re mostly 5G, we’re also now talking about 5G advanced, which is also now called 5.5G. And we’re talking about 6G. And you say, “Well, so is it going to be radically different?” And the answer is no, it’s going to be an evolution. And actually not as big an evolution as going from 4G to 5G.

4G to 5G had a lot of things under the hood people don’t see: things like a complete redesign of how the Telco software that switches all your data packets, the architecture was improved, factored so you had rather than large monolithic chunks of code, you have modules that interoperate with each other over well-defined interfaces, to make it easier to manage, easier to deploy, easier to scale; the shift from bare metal servers in a data center to the ability to use cloud. So you can now put what are called Telco cores, think of it as the thing that switches all your packets and gets them from one device to another or from a device to a workload that now looks more like a typical IT cloud workload, where before they were very carefully crafted monolithic chunks of code sitting on Telco-owned servers. So in theory, this all makes it easier to secure, easier to maintain, easier to provide scale services.

Camille Morhardt  09:53

Does that also mean that non-Telco providers can provide or create sort of networks whereas they couldn’t previously, realistically?

Ken Urquhart  10:04

Yep, it used to be you had to go to a Telco to get a 4G LTE network–you would rent one and you get a private one, which would be a piece of their larger network. Now, there’s nothing to stop you setting up an entirely private 5G network. Your IT department can, in theory, set up a private 5G network within your company to take full advantage. You own the SIMs, you own the bandwidth, you own the antennas, you own what is called the 5G core–the big switch that moves all your packets around wirelessly. Then again, you’ve got to now have people on your IT staff who kind of know a lot about Telco—antennas, frequencies, deployments. It’s not like Wi-Fi, you can’t just set up a bunch of antennas, turn them on, plug them in to your local intranet, and everything works. There’s a little more to it than that.

Camille Morhardt  11:00

Are there going to be as part of 5G more like distributed servers kind of closer to endpoints that then communicate or process information?

Ken Urquhart  11:11

Yes and no. There’s still the idea of the big switch; the core can sit possibly in another state, but what you have is the data flows over something, the user plane. One thing they did in 4G and 5G is separate control signals from the customer data so it makes it much harder to attack and makes it much easier to manage. So while the control signals when you dial a number, when you want to connect to an app somewhere in the world, that can happen not in real time; it can take several seconds to establish that connection, nobody gets upset. It’s fast enough. When the data starts flowing you want your app to be really responsive. You want your change of information to happen quickly. And so the data can stay local while the control setup, billing, everything else can sit, you know, several states away.

Camille Morhardt  12:11

So are companies going to fundamentally use Telco differently now? Do you think a bunch of companies are going to set up their networks?

Ken Urquhart  12:16

Well, remember, when you set it up, you’re essentially going into the private Telco business; you have to hire people who understand even as consultants or even as subcontractors, the deployment of your antennas, the placement of them, the tuning of your antennas. How many people ever had to tune their Wi-Fi setup? You just keep adding Wi-Fi repeaters until you get enough signal. There’s also because we’re sharing Telco frequency now and Telco frequencies in most countries are highly regulated–meaning you’ve got to use your allocated bands, you can’t go outside them, you can’t interfere with others–so much so when you’re deploying the 5G antenna privately in a business, you have to get a specific frequency range for it, you have to actually set up a small device that interacts with the antenna and, in America, talks to the Federal Communications Commission, the FCC, and reports that that antenna is up and running, its GPS location, and what frequency band it’s using. And the FCC databases have to give you permission. Even if you’re using what’s called the Citizens Band Radio Spectrum, or CBRS, which is portrayed as the Wi-Fi of Telco. When have you had to plug in your Wi-Fi base station and have it talk to a federal agency to get permission to begin operating? Well, this is part of the world we live in.

Camille Morhardt  13:41

And why is that?

Ken Urquhart  13:43

Because there’s frequency is all divided up and parceled out. You can’t just fire up an antenna and start operating because you can interfere with someone else. Do you want to interfere with the police? Do you want to interfere with fire department? You want to not have a first responder able to locate you because your broadcast someone of your neighbors are broadcasting with an antenna in a frequency band they’re not allowed to?

Camille Morhardt  14:07

Just to jump back a little, why would a company or an organization want to set up their own private 5G network?

Ken Urquhart  14:15

Let’s talk about a factory. Right now I run wires. Now those wires, Ethernet cabling, contain low voltage. What does that mean? Well, in a factory when it’s high voltage and can kill someone, those cables are really tough–you can run over them, you can step on them, you can drop an axe on them and they’re designed not to be damaged because if they are, there is a lot of risk to human life.

Enter IP cabling, network cabling, low power, not going to hurt you. So it gets a little plastic shell around it, and they run it everywhere. You step on it, you drop something on it, you can damage it. They put them in piping, they tried to do cable runs, but they still have to go everywhere, easily damaged. Sometimes when you want to get a sensor to a running device–like a temperature sensor, motion sensor, vibration sensor to tell if it’s accurate turbines acting properly–you’ve got to have people finding their way to move the cables and walking in areas that are dangerous to be in. And they still have to do it. The other option is “well shut the factory down, we’ll wire it up. And if we make a mistake we’ll have to shut it down again and try to fix it.” Mostly they try to do it while it’s running. Again, more danger to the individuals who have to work there.

If you go wireless, you can do things like find the safest way to get to some place, slap on the device. It’s got a 10-year battery, you’re done. And it’s on the air with wireless. Private 5G is meant to be inherently more secure. So you know, one of the biggest drivers for why would you want these private 5G compared to anything else is security. Number one reason: the belief that the network is more secure. Who’s going to decide to go to private 5G? 60% of the decisions were made by the IT department, not the R&D department, not the executives. But the IT department will make that decision. Who’s going to do it? Two thirds of the projected business in private 5G for the next couple of years is supposed to be just three sectors: manufacturing, transport and logistics and resources. Could be anything from energy exploration to mining, digging stuff out of the ground…

Camille Morhardt  16:31

Natural resource extraction.

Ken Urquhart  16:33

I think what we call primary and secondary industry. So again, because it’s a large dangerous place with a lot of equipment over perhaps a large area or relatively large area, you need to know where your stuff is. You need to know how it’s behaving. You need to know if your people are okay; you need to be alerted if there’s a problem. I mean, things like using drones to navigate large pipelines over huge distances, when you don’t have to send people out to do it. The ability to be able to tell if the temperature is okay over long stretches of water conduit, piping and water. I mean, there’s so many aquifers piping channels through the deserts in the Southwest supplying much needed water. And how do you tell if everything’s okay? You’ve got to go out and manually inspect. You could have an autonomous drone, 5G antennas, microwave links, they can extend up to 300 miles, and you can have machines running AI constantly just flipping back and forth, watching what’s going on. When it senses the trips, you can find out what’s going on without having to dispatch people in vehicles when it’s 120 degrees. It’s just a lot safer.

Camille Morhardt  17:47

Makes sense. So how full are the airwaves now and has 5G like substantially increased the amount of waves of frequency that are floating all around us?

Ken Urquhart  17:58

Think of it this way.  We have in this country, you can go find this on the FCC website, it’ll show you the allocation of frequency spectrum for government, state and local, personal, industrial, and it’s all carefully sliced up. Telcos spend a lot of money to obtain licenses to preferred frequencies. This is why one of the private 5G approaches is you’ve licensed spectrum from a Telco for your private use. And then they say, “well, we’re not going to use it. You’ve got exclusive access” to give you enough bandwidth, enough throughput.

And there’s things like part of the spectrum was borrowed from others. So 5G was borrowed to a chunk of spectrum from what’s used by space-to-ground satellites, and you say, well, what could happen there? Well, satellites transmit relatively weak signals to big antennas on the ground, you’ve seen these giant dishes. So they’re very, very weak signal that they would then pick up. And it would always go from space to ground, with a little bit of traffic going back up from other antennas. What’s wrong with that? Well, right beside it, we had part of the spectrum allocated to commercial jets, and they used it to determine how close they are to the ground by bouncing the signal off. Okay, now we give it over to 5G. Those devices in the aircraft assume there would only be weak satellite signals falling and wouldn’t cause any interference. When we allocated those bands to 5G, suddenly, the antennas are broadcasting at much stronger frequencies that these little devices on aircraft weren’t designed to handle and the potential for interference, which is why you got this news report about 5G towers around airports had to be turned down or turned off or aimed differently, because they didn’t know what it would do to the aircraft.

Camille Morhardt  19:54

What did it result in? What happened?

Ken Urquhart  19:57

You had to replace the devices on the aircraft with devices more finely tuned to avoid the interference. It wasn’t a big deal in the end. But there was a fight between the FAA and the FCC, a lot of discussion, a lot of people saying “hey, you know, this is a problem.” But it did mean that a lot of aircraft had to have a vital component replaced.

Camille Morhardt  20:19

So talk to me a little bit more about what we expect in the future ground-to-satellite, satellite-to-ground, satellite-to-satellite, off-Earth transmission.

Ken Urquhart  20:29

Well remember right now, you can buy, I believe, an iPhone 13 or an iPhone 14, and it will communicate with satellites; you can send an SOS from a remote location right now. You’ve got antennas in orbit strong enough to pick up an iPhone’s 5G antenna in orbit and establish a communication line to it. That’s nothing short of amazing.

Camille Morhardt  20:57

That is pretty stunning.

Ken Urquhart  20:59

And there is in fact, Satellite 5G, which is a variant of the 5G, I guess definition. And that’s also being rolled out as a standard, which means that it, there’s a sufficient description that everyone’s agreed on who makes antennas to enable you to communicate with satellites. And that’s happening right now with 5G, you don’t need to wait till 6G. 6G will maybe use different frequencies. Which brings us to another interesting point, there’s an idea that the higher G you go, the faster the connection, the better the connection, the more data you can push over the connection. And that means the higher frequency because if you want to push more data, you go to a higher frequency of signals so you can push more bits at any given length of time–you do that by going to physically higher frequency. There is this little problem when you go up too high, you start hitting what’s called the terahertz frequency range. But here’s the fun thing about terahertz. Yes, you can push a lot of data over it. Fog can block the signal. Moisture in the air can block.

Camille Morhardt  22:04

So long San Francisco! (laughs)

Ken Urquhart  22:07

It’s not just but you can say things like “I can do terahertz over a couple of feet.” All right, what does that mean? It means that in a building, I can eliminate all the wires. If I have to take a FEMA emergency communications system, I can haul it out in the woods, fire it up. I don’t have to say “did everyone bring all the fiber optic cables? Do I have all the Ethernet connections? Where’s the copper that I need to connect these components?” You forget it, take them out, power them up, turn them on, they find each other, you’re happening. And you’re happening at fiber optic speeds. That’s really interesting.

Camille Morhardt  22:40

And that is 6G you’re saying? One aspect.

Ken Urquhart  22:42

It’s one– you sort of get this idea that that’s what 6G is all it means I’m going to go up and higher frequency. Well, there is a plan to get into the sub-terahertz frequencies. Yes, that’ll give us much higher transmissions again, over shorter distances, subject to a certain amount of potential interference. But the other thing 6G’s trying to do is use what you got more efficiently. You tune the antennas better. Right now you want a different frequency band on your antenna, you buy a different antenna unit. And you swap it in and you have to tune all the parameters that communicate from that piece of hardware back to your Telco core. It’s a lot of work. We have software-defined radios, which theoretically let you retune your antennas on the fly to different frequency bands. And that’s one of the things they’re investigating. The other one is using AI. Because if you can use AI to retune components of your system, instead of right now having to manually tune them by trial and error–which takes a long time–there, you’ve got a much better system for communication. And when you’re using systems that communicate over Ethernet with best-effort delivery, instead of dedicated connections, you have to do more optimization. And again, AI is your friend. That said, the AI they’re going to use is incredibly hackable.

Camille Morhardt  24:19

Huh? Why is it incredibly hackable?

Ken Urquhart  24:22

Oh, did you know that with today’s AI, say, just talk with this bash on neural networks for a bit, you can sit there with a perfectly programmed neural network. I mean, there are no bugs in it. Then you can corrupt it, using only the data fed into it. Case in point: we have the antennas that they’re experimenting with in 5G, where you are using AI to optimize certain parameters. Like, how do you behave when I’ve got a lot of devices coming on suddenly? How do I change things to accommodate that most effectively? Well, they tried with an AI. Then an experimentalist group took another AI and used it to modify the signal from a cell phone going to that tower and convinced the tower was overloaded and shut it down, when there is only the single antenna talking to it. There’s nothing wrong with the AI, it was how the data was being manipulated, and sent into it. And nobody had to experiment, they just let the AI run till it figured out how to shut the tower down. Really easy.

So yeah, you can poison AI. Or you can poison the training data if you have the database containing the training data, you can do things like manipulate the AI and install backdoors activated by certain inputs. It is a large area that needs to be investigated. And while you say “Oh, does that make it really hard to use AI?” Well, yes, and no. You can also watch your AI and determine when it’s acting funny–results that you don’t, aren’t useful to you. And you can swap the AI out in real time to a different kind of AI, which has different ways of being hacked. And you can just stay one step ahead of the attacker just by swapping out the AI back and forth. I mean, that is one quick way of doing it. And eventually, if all else fails, fall back on pre-defined parameters that let you keep operating–maybe not optimally–but let you keep operating. So it’s not insurmountable. But there are some tricky ways of using AI against you.

Camille Morhardt  26:32

Just to summarize the way that AI can be utilized by 5G or 6G—6G I guess what we’re talking about–would be helping say a network or a machine quickly switch as opposed to me going to my cell phone and deciding like, is it Bluetooth? Or is it Wi-Fi right now? Or am I going to cellular which is going to be the fastest way or the best way to get a connection? And now we’re probably talking more machine-to-machine anyway. But the device would be able to just figure that out on its own using AI software?

Ken Urquhart  27:04

Well, devices figured that out on their own today without the need for AI. AI is more of what happens when you’ve got a lot of people wanting to use your antenna at the same time. How do you accommodate it? How do you retune and accommodate as many as possible? Because when you use an antenna, your phone negotiates with the antenna and the antenna says “okay, you’re going to stick to this little tiny slice of frequency compared to everyone else, and we’re going to talk over that little finely tuned slice. And the phone beside you is going to get a slightly different finely tuned slice of frequency to talk to the antenna.” And that works great when you’ve got you know, ten, a hundred, 1,000 devices. What happens when you’re at the stadium and everybody fires up their phone to look at stats at the same time or tries to make a call? You know with 4G today you go to the stadium with, what, 10,000 of your closest friends, and if everybody tries to make a call, not everyone’s gonna get signal; not everyone’s gonna get call complete. You know 5G, 6G would like to use AI in the radios to try to accommodate many, many more people than we currently can with how we do it today.

Camille Morhardt  28:17

Okay, but the downside being you have essentially provided yet another surface area for attack.

Ken Urquhart  28:25

When you add software, how do you not do that? It can be taken care of. It’s just going to require some more thought and consideration and trade-offs. How do you handle it if you get attacked and you recognize that the AI is being messed with, what do you fall back on? This is no different than having multiple redundant systems to protect against other things. We’re making our solutions trickier. And that’s great. Because, you know, there’s that old saying–I believe Steve Jobs said it—”that I will make my software at Apple arbitrarily more complex in order to provide my customers with the easiest possible user experience.” So, that’s what we’re trying to do: a better experience. And if that causes us to make it a lot more complex with AI, if it works, we’ll do it. And if it means that someone can attack me in different ways, fine, you just have to deal with it.

Camille Morhardt  29:22

Hmm.  So you look at AI and cybersecurity as a kind of a trade-off. I don’t know if you’re saying a trade-off, but it sounds like you’re saying the more we use AI on our network, the greater the potential for cyber threats.

Ken Urquhart  29:40

Just different.

Camille Morhardt  29:41


Ken Urquhart  29:42

Look, if you don’t want to be hacked, turn all your devices off and cancel all your online subscriptions. You won’t be hacked. At least not directly; someone you deal with who uses them may be hacked, and then you’re indirectly affected. It’s how much risk do you want to take on? You know identities are stolen in the millions every month. And for most people, it doesn’t affect you anymore. You may get a new credit card, you may get a new bank account number, but for most people, it’s an inconvenience, not an insurmountable destruction of their personal wealth or their family. It’s not as bad as it could be now. I’m not saying it’s nothing to worry about. But it’s certainly a lot easier to handle. We all are kind of attuned to it. You’re gonna get hacked. Okay, how fast do I recover? And it’s pretty darn fast compared to how it used to be.

Camille Morhardt  30:43

Right. So resiliency has been dialed up sort of as we learn more about it, and the likelihood of it goes up.  Ken, what is zero trust? Can you define that?

Ken Urquhart  30:53

Yeah, it’s being able to operate securely in an environment you can’t verify is secure.

Camille Morhardt  30:58

You basically can’t verify any environment is secure, right?

Ken Urquhart  31:02

Well, again, it’s how much effort you want to put into it. And in this day and age, we outsource, we partner, we get things from third parties all the time. And can you go and verify to your satisfaction your partner’s secure? You know, there was a famous hack at a large organization, I believe their HVAC person brought a laptop in and said, “Hey, can I connect to your local Wi-Fi, so I can do some reporting?” And they said, “Sure.” And he went on there. And he, you know, uploaded the virus across the big company’s networks, and ransomware. When you have zero trust, the idea is you can hook up your stuff, you can have partners hook up their stuff, and you’re not going to cross-infect one another; you can operate securely. And even when you’re communicating with your partner, the information exchange can proceed without the fear of cross-contamination. You cross multiple networks to do almost any business today. And you can’t verify they’re secure. It really is down to everybody looking at each other. It’s like, “No, no, no, I’m okay. Trust me.”

NIST, National Institute of Science and Technology, has published this idea of what does zero trust mean. And it means basically five things based on three foundations, the five things mere what we want to do, which is me, the user, want to connect my device, let’s say this laptop, we’re talking to each other on over some number of networks, to connect to a workload to do something useful to me. So there’s me, there’s my device, there’s my network, there’s my app, and there’s my data. Five things. Before anything happens, the idea was: are you who you say you are? Who decides who you say you are? The enterprise, the government agency; it says, “I’m going to make you authenticate. I’m gonna make you verify your identity. And I’m going to pick what you need to do.” User ID and password, sure. Multifactor, fine. Facial recognition, voice analysis, other biometrics, fine. The enterprise picks, and you have to do those things before I’ll say, “Okay, I kind of trust that you’re you.” And I may ask you at any time in the future to do the same thing again, if I do something that looks odd, or I just decide to do it to you, that’s the price of admission.

Okay, so I’ve now verified that you, Camille, are a user. Now what about your device? I also monitor your device. Let’s say I issue you the device, and it’s a Windows laptop from a certain manufacturer. Is that what’s on the network? Is it running Windows? Is it running the version of Windows I expect you to have? Is the patch level where it’s supposed to be? And again, I set the rules. And if those are satisfied, I say, “Okay, where do you want to go?” And you say, “I want to go to that app.” And you don’t care what network you’re going over. And I say, “Okay, fine. I’m gonna go take a look at the app.” Is that app what you think it is? If you said, “I want to go talk to this Oracle database,” I go, “Okay, fine.” Do you have the right to talk to that database to do your job? If you don’t, you don’t get connected. Oh, and I report you.

If you’re allowed, you through that device are allowed to talk to that Oracle Database. At this time of day when you’re doing it from the physical location we think you’re at, we look at the database and say, “okay, so are you really an Oracle database? If you are, you’re going to behave a certain way; you’re going to have certain ports open, you’re going to exchange data with certain protocols, and you’re only going to talk to certain individuals that we allow you to.” If you’re in the Finance Department, the finance Oracle Database should not be trying to poke at the Engineering GitHub and try to copy source code. That’s kind of an indication there’s something funny going on. So let’s say “okay, you’re behaving like an Oracle database, Camille’s allowed to talk to it.” All right, we connect you, we choose the network connection. And we stitch together a special kind of connection so it looks to you and your device, like there’s just you, the Oracle database on a private, isolated network, and you talk to it, and you exchange the data you need to exchange it. When it’s done, that connection is severed. That’s a lot of work.

So there’s these three foundations. One is the governance that says, “Are you, with that device, allowed to talk to that workload to do certain things?” So we have a governance layer, a lot of rules, that alone solves a lot of problems; it means you as an individual can’t go poking around at other stuff. We can only see the things we, as a company, believe you should see. If you’re in finance, yep, got access to these finance systems, you’re not going to see the engineering database, you’re not going to see any of the build systems. If you’re an engineer, you’re not going to look at the HR systems except the ones you’re allowed to look at to find and possibly modify data about yourself. And then the data exchange, that’s gonna be fully encrypted and we’re gonna look at 100% of the packets to see that nothing bad is getting out, or nothing good is getting out like personal information, company secrets, but nothing bad, like ransomware, is getting in.

And then if you’ve got the governance layer, you have the orchestration and automation layer, because all this is a lot of work. And it can’t be so you, as a user, have to do all this; we do it for you. I’m talking to you right now, over my company’s cybersecurity solution, which is zero trust, and I don’t notice it, you don’t notice it, you didn’t have to do anything to notice it. And yet all of our traffic’s being inspected. So my laptop is not trying to send secret company information out, and you’re not trying to send me ransomware.

Camille Morhardt  36:51

And you’re in a hotel, and I’m at home. So, we’re, neither one of us is behind the perimeter or through access.

Ken Urquhart  36:57

Oh, and that’s the whole point. Who’s behind a perimeter anymore? Where’s the data center? Answer is there’s a lot of them, but you don’t necessarily own any of them, you’re renting space. And the final thing on the three foundations is monitoring. Because you got to collect all that data and look at it in real time.  My company’s system parses up to one trillion pieces of metadata per day to make sure everything is going okay.

Camille Morhardt  37:25

Yeah, tell me a little bit about how Zscaler does this. You have something called a Zero Trust Exchange? How does that work?

Ken Urquhart  37:38

That’s the thing that says, “Are you allowed to do what you want to do?” but it’s also the global network that watches and makes all connections for you. You know, at its simplest, think of it like it’s the old world where you would have a switchboard operator. Long, long ago, you had to pick up your phone, and it would connect you to a human, who’d ask you who you were calling, and what number you were calling. And they would manually patch a connection for you to the other person, and then the other person’s phone would ring and they’d pick it up, and the connection would complete. And when it was done, it’d be taken down. And this is what we do now.

We have machinery that will verify who you are based on the customer–the enterprise or the government and you being the user–will verify it’s you, will then verify your device is behaving like your device should be, that possibly you’re geographically where you should be. Or if you’re not, to say you’re on a business trip, you’re doing this, you’re doing this. Again, this is the enterprise; our customers decide what’s going to be checked on. We’re like this very obedient guard dog. You tell us what you want done, we’ll do it. You tell us the rules you want, you tell us how strict you want to be, we’ll take care of it and as invisibly as possible to the users and to the customers and to the partners.

The average company who is using the older ways often has, I think I saw a number, 70 or more individual solutions all inter-operating to provide cybersecurity. That means 70+ patch levels, watching 70+ different feeds, configuring 70+ different devices, making sure they interoperate, and a patch could kill the interoperability along a chain where you’re passing all your data through to make sure it’s safe. It’s the old world. And the other one is this implicit assumption: We will detect an attack after it’s happened and then remediate, which is the most expensive way to do it, rather than stopping it from happening in the first place. My company Zscaler took the approach of stopping it before it happens, not building this entire machinery designed to catch it after it’s happened and fix it.

So we have one oil and gas customer who had up to 300 ransomware attacks a week; they were caught, they were prevented from proceeding, but they had to reimage the laptops. And that means you had people busy across this entire global organization, doing nothing but re-imaging laptops–you know, putting in a FedEx shipper, shipping it back to corporate or some location, it gets erased, reimaged, tested, put back together, sent back by courier and someone was able to operate again. We dropped that number to almost zero when we were installed. Why? Our approaches don’t let it happen in the first place.

Camille Morhardt  40:45

Right. Especially because we hear now that people have been hacked for like a couple of years, I think is the average, before they’re even aware of it.

Ken Urquhart  40:52

So yeah, that’s just it. Oh, not even at all 18 months. Sometimes in mission critical could be, you know, nine months. Yeah, that’s way better than 18 months. But how long do you have, let’s say if you’re at a military installation, and they say “yeah, well, if we get hacked by foreign power, nine months. Woohoo!” It’s like, you don’t want it to happen in the first place. And that’s really what zero trust was designed to do. Don’t let it happen in the first place.

Camille Morhardt  41:23

Well, Ken Urquhart, Global Vice President of 5G and Strategy at Zscaler, thank you for explaining zero trust, 5G, how it’s moving to 6G, how it uses AI, some of the cybersecurity risks that we’re going to be seeing because of that and that we hopefully are able to overcome, and explaining how Zscaler Zero Trust Exchange works at a high level. Really appreciate the conversation and your time.

Ken Urquhart  41:48

Oh, thank you Camille.
