Hi, I'm Severin de Wit, host of the TrustTalk podcast, where we dive deep into the fascinating world of trust. With a genuine passion for understanding the foundations and nuances of trust, I am dedicated to uncovering its secrets and sharing compelling stories that illuminate its profound impact. Join me on this captivating journey as we explore the transformative power of trust. Subscribe now and become part of the TrustTalk community
Paul Timmers does a lot of thinking about our digital future. Many are worried about their future and the future of their children. Are they going to be squeezed in a world dominated by big-money digital platforms and by the geopolitical conflicts of the great powers, the USA and China? Or can we keep faith that we retain a say over our future, in democracy, society, and the economy? Our digital future is all about our strategic autonomy and sovereignty. Paul is a former EU policymaker, an academic, and an entrepreneur.
EU and Cybersecurity
Paul: “Historically in the European Commission, topics like cybersecurity were more technical topics, in the sense that European policy was about investing in research and innovation and then developing new technologies. But that kind of technical view has really shifted to a very, very political view. And the reason for that is, I think, that digital is now pervasive in society and economy and democracy everywhere. And with that, some of the threats, like those related to cybersecurity or data protection, have become very political. They touch the foundations of our economy, society, and democracy. And so you see that trust and cybersecurity have risen to the top of the agenda; as the Germans would say, it’s a “Chefsache” (a matter for the boss).”
Paul: “And you have to be aware that you’re starting to do this in an ever more complex environment. So we go to 5G. What they call the attack surface is increasing massively, because with 5G you can connect everything, and the network will be managed by partners that are less experienced in security. So you are expanding your vulnerability landscape, and therefore Zero Trust is not a one-off type of thing. I also need to say that ultimately, in Zero Trust, there are still elements that you do need to trust. So let’s take again the SolarWinds example. After that, the NSA recommended that the only way to ultimately deal with supply chain attacks is to use hardware security modules, and these are trusted pieces of hardware. And there it’s kind of: you have to trust your supplier. So the ones that are building the hardware security modules, you had better know really very well which companies these are, because these are the ones that you need to trust, perhaps without you being able to inspect everything. So Zero Trust, great principle, very important, because it’s an approach for security by design. Be aware it also has its challenges and its cost.”
Paul: “There is a volunteer organization in the Netherlands called the DIVD, and they found a weakness in software from a company called Kaseya. And while they were finding this and sorting out what the vulnerability was, in the meantime there were hackers that started to attack. So they were actually very careful, these people of DIVD, not to start shouting, crying wolf too soon. But in the meantime, the hackers started to attack. So your information sharing is absolutely essential. But the real world goes very fast, and to make it a bit sharper, some of the attacks we can only follow with the help of artificial intelligence, because they go so fast that we need artificial intelligence to follow the pattern of attacks and how they are shifting. And so we will have artificial intelligence talking to artificial intelligence somewhere else, telling, you know, it looks like there is an attack going on here. So we are starting to put our autonomy in the hands of artificial intelligence.”
“So you need to think about how you deal with getting your bits and pieces from all across the world. And basically, I study this topic a lot, there are three approaches to that. You can kind of do your best. It’s a risk management approach. You muddle through and you keep your fingers crossed that it goes well. And this is actually probably 90 percent of the time what we do. Then you can say: I only work with those parties that I really trust, my like-minded parties, and you could build coalitions in that, and that’s increasingly popular. And then you could say: well, perhaps this problem of these attacks is such a problem that we need to collectively, at a global scale, deal with it. Take the stability of the core of the internet. The internet is of everybody. Perhaps we have to jointly manage the domain name system as we do internationally. We do that in ICANN. So that is a core issue of trust, and we did find a way, with all its pitfalls, but it works, to manage the stability of the internet as a global system, really in a global collaboration of the private and public sector. So we need to think about the approach that you follow: risk management, strategic partnerships, or doing it as a global common good, and you need to also think about where you would then do that.”
In the interview, famous cyberattacks such as SolarWinds, Kaseya, and the WannaCry ransomware are discussed, as well as the Digital Markets Act, 5G, Zero Trust, DIVD (the Dutch Institute for Vulnerability Disclosure), debunking strategic autonomy, and a lot more.
For the full podcast, listen on the TrustTalk podcast channel or go to your favorite podcast platform, like
In the new episode of the TrustTalk podcast, we interview Jacoba Sieders. She is one of Europe’s experts in identity access management, digital identity, cybersecurity, digital payment services, and privacy.
Listen to the podcast on all major podcast platforms, on: https://podfollow.com/trusttalk or just via “podcasts” in the main menu of this blog post. Some quotes:
Safe data
“Data used to be safe and secure within a company, within a perimeter, and we could trust that if the data is in our own servers where we as a company are working with, and where we have our boundaries and our perimeter safe, we could trust data in there and we could trust the devices and the users inside because we’ve all checked them. Today, when data is all the time in transit, is connected to a lot of partners across the network, outside of our own company, people are working from home and people access data from a lot of types of devices, and this big distribution of data in transit is everywhere. We have Zero Trust. And Zero Trust, this is the way, it’s what stands for the protection of data in this type of setting. How can we make sure that the data is still safe and secure, although we have Zero Trust in the location or devices or environment where that data is residing or where it’s used? So no matter the location, even inside, we don’t trust anything. So we need new types of protection, new types of architecture, and access management to make sure that still, we can work safely.”
Payment Services Directives I and II
“The idea for setting up Payment Services Directive II: Directive I was setting up the single European payment area. So within Europe, we could all easily make payments across Europe. That was the number one Payment Services Directive, and then number II expands on that. The idea was that there are banks, and they sit on a lot of customer data and they know all these transactions. And that’s a big wealth, big value, to have all this data. And there are payment service providers, and today we have about seven hundred of them. Think about paying with PayPal and all the others, Adyen, those that provide payments, that’s their service, but they’re not really like banks. And there should be more equality between the two types of financial institutions; the Payment Service Providers should also have a right to get to the data and to use the trust and data that banks have gathered, to make the world more equal. So the idea was that if we let these payment service providers access the same data that these banks own and possess and gather, they could also have some good use. They could benefit from that. So the Payment Services Directive II prescribes that every regular bank, account service provider, with a real bank account, should open up their back office, so a Payment Service Provider could access the customer’s data, the transaction data of customers, if the customers give consent and if there is strong customer authentication; it has to be a secure back door. So the Payment Service Provider could use that data and leverage on that or find new business models. And then there are three types of services. The one is accessing the customer’s data, a second one is also originating a real payment within the bank, done by PayPal, and the third one is confirming that a customer really has enough funds, when we talk about credit cards, that it’s backed by a bank account that has enough funds. These three services.
Now, of course, it means that as a bank you are keeping the front door very safe and you’re audited three, twice per year and really, really strict, strict, strict evidence, blah, blah, but a payment service provider can go through the back door and get that data or look at that data, and what happens with that data when it’s there, with PayPal? I can’t secure it any longer.”
To improve organizational security, many businesses are implementing tools aligned with so-called “zero trust”, a security strategy based on the principle “never trust; always verify.” The Zero Trust concept was the brainchild of former Forrester Research analyst John Kindervag. In 2010, he published a paper that introduced the concept to the IT world. The philosophy of Zero Trust networks starts from an idea that was unconventional at the time: the location from which a request originates is not an indicator of trust, so a party requesting access to a resource starts with zero trust regardless of the network it is on. Treating the internal network as trusted gives a false sense of security: it can cause a company’s security operations center to accept traffic that would normally raise a red flag, just because the user is behind a firewall or on the VPN.
Zero Trust grants access per request, based on the user’s identity, the device, the location, and the other context of the request. If the security posture of an endpoint cannot be verified, the request is refused, whether the identity entering a domain is a customer, a partner, or an employee.
The role of Zero Trust is even more relevant in the work-from-home situation we are now in with the coronavirus pandemic. By nature, employees’ home environments are more vulnerable, with a higher likelihood of compromise. Working from home has only heightened interest in this identity-based approach to security.
The goal of a Zero Trust approach is to reduce risk by implementing granular access policies that allow organizations to control, down to the individual resource level, what communications are permitted between different access points on the network. This limits what an attacker who has compromised one account or device can reach, and makes lateral movement across enterprise infrastructure, whether in the cloud, on-premises, or a mix of both, much harder. Many enterprises establish control of access for two critical starting points on their Zero Trust journey. First, they focus on remote applications, because they are the foundation of how many distributed enterprises operate today. Next, they concentrate on web access (including email), because it is one of the primary attack vectors for cyberthreats.
The biggest hurdle facing the enterprise is maintaining privacy, protection, and security while keeping resources available so employees can stay productive. The number of remote users and devices requiring access is not going to decrease anytime soon. Internet of things (IoT) devices, which often cannot run an endpoint agent or prove their identity and patch state, are a further problem for Zero Trust implementations.
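The per-request, per-resource decision described above, as an added illustration that is not code from the TrustTalk page or from any vendor: a minimal policy decision point in Python. The resource names ("hr-portal", "wiki"), the group names and the posture thresholds are hypothetical and constructed for the example. The point to notice is that the request's network field is carried but never consulted: a request from the corporate LAN with no MFA and an unmanaged laptop is refused, while the same identity from the open internet with a verified factor and a healthy device is admitted.

```python
"""Added example (not from the page or any product): a minimal zero-trust
policy decision point. Every request is evaluated against the policy of the
resource it targets; unknown resources and unmet conditions are denied."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in the corporate device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last security patch was applied


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]  # memberships asserted by the identity provider
    mfa_verified: bool      # a second factor was verified for this session
    device: Device
    network: str            # "corp_lan", "vpn" or "internet": informational only
    resource: str
    action: str             # "read" or "write"


@dataclass(frozen=True)
class ResourcePolicy:
    allowed_groups: FrozenSet[str]
    allowed_actions: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    max_patch_age_days: int = 30


# Constructed policies for two hypothetical internal applications.
POLICIES: Dict[str, ResourcePolicy] = {
    "hr-portal": ResourcePolicy(frozenset({"hr", "admins"}), frozenset({"read", "write"})),
    "wiki": ResourcePolicy(frozenset({"staff"}), frozenset({"read"}), require_managed_device=False),
}


def posture_failures(dev: Device, pol: ResourcePolicy) -> List[str]:
    """Return the posture conditions the device fails (empty list means it passes)."""
    problems: List[str] = []
    if pol.require_managed_device and not dev.managed:
        problems.append("device not managed")
    if pol.require_managed_device and not dev.disk_encrypted:
        problems.append("disk not encrypted")
    if dev.patch_age_days > pol.max_patch_age_days:
        problems.append(f"patches older than {pol.max_patch_age_days} days")
    return problems


def decide(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Policy decision point: (allowed, reasons). Default deny."""
    pol = POLICIES.get(req.resource)
    if pol is None:
        return False, ["no policy for resource"]
    reasons: List[str] = []
    if not req.groups & pol.allowed_groups:
        reasons.append("user not in an allowed group")
    if req.action not in pol.allowed_actions:
        reasons.append(f"action {req.action!r} not permitted")
    if pol.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    reasons.extend(posture_failures(req.device, pol))
    # Deliberately absent: any test on req.network. Being on the corporate LAN
    # or behind the VPN is not evidence of anything and grants nothing.
    return (not reasons), reasons


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, patch_age_days=3)
    stale = Device(managed=False, disk_encrypted=False, patch_age_days=90)
    for req in (
        AccessRequest("alice", frozenset({"hr"}), False, stale, "corp_lan", "hr-portal", "write"),
        AccessRequest("alice", frozenset({"hr"}), True, healthy, "internet", "hr-portal", "read"),
        AccessRequest("bob", frozenset({"staff"}), True, healthy, "vpn", "wiki", "write"),
    ):
        print(req.user, req.network, req.resource, req.action, decide(req))
```

In a real deployment the posture fields would come from an endpoint agent or device management API and the group and MFA claims from the identity provider's token; the shape of the decision stays the same, and the check that network location buys nothing is the one worth keeping in a unit test.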
78% of IT security teams are looking to embrace zero-trust network access in the future. 19% are actively implementing zero trust, and 15% already have zero trust in place. At the same time, about half of enterprise IT security teams (47%) lack confidence in their ability to provide zero trust with their current security technology.
The highest security priority for application access is privileged account management of users and multi-factor authentication (68%). This is followed by detection of, and response to, anomalous activity (61%) and securing access from personal, unmanaged devices (57%).
Sixty-two percent of organizations say their biggest application security challenge is securing access to private apps that are distributed across datacenter and cloud environments. This is followed by minimizing exposure of private apps to the internet (50%), tied with gaining visibility into user activity (50%).
When asked about the benefits of zero trust, two-thirds of IT security professionals (66%) say they are most excited about zero trust’s ability to deliver the least privileged access to protect private apps. This is followed by apps no longer being exposed to unauthorized users or the Internet (55%), and access to private apps no longer requiring network access (44%).
Zero Trust implementation is a gradual process. Defining a big-bang sprint project to move to Zero Trust is unlikely to be successful. Any organization with existing security capabilities should migrate gradually to the Zero Trust model.
“Gone are the days where we can trust a user or machine. Just because an employee is using a corporate-issued laptop does not mean they should have access to my critical infrastructure.”
Tamer Baker, Global Principal Systems Engineer for ForeScout Technologies, a device visibility and control provider
In the podcast interview, Rick Schmitz of LTO Network explains what LTO does and how it differs from companies that collect data.
LTO Network provides a two-layer approach. In the first layer, you can basically send each other the data through live contracts and automate the tasks that you feel comfortable with. But if there are manual tasks that need to be handled, you can do it with manual input. The problem with that is that a blockchain only allows for automated tasks. You cannot do something, you cannot do a click of a button to trigger something in a blockchain. It can only leverage automated communication and verification of data. So our role in this is combining the two layers. In layer one you can put artificial intelligence in. You can even use it centralized. But we use layer 2 as basically a notarization of a transaction. Did something take place within that layer 1? So if you’re sending a piece of data between you and me, or me and a company, or putting my credentials in there of my passport, you can verify that because you have the data. But if you would delete data, or you won’t have it anymore, or I would alter the data, then yeah, well, we could go into court and say, OK, “this is the copy I have” and I say “this is the copy I have”. They are not the same. It’s your word against mine, but putting a blockchain underneath that gives you that sense of trust, because if that data is anchored, you can always prove with a copy of the data that with that timestamp and that piece of data, the transaction actually took place at a certain time. And that’s the trust blockchain is giving you.
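The notarization step described above, as an added worked example that is not LTO Network's code and makes no claim about how their chain is built: the document itself stays in layer 1 (shared between the parties), and only a SHA-256 digest plus a timestamp goes into a toy append-only ledger standing in for layer 2. Any party who still holds a byte-identical copy can later recover the anchored timestamp; an altered copy, or a copy nobody anchored, resolves to nothing. The ledger, the contract text and the timestamps are constructed for the example.

```python
"""Added example (not LTO Network's code): hash anchoring as notarization.
Layer 1 carries the document; the ledger below holds only digests, each entry
chained to the previous one so that a rewritten history is detectable."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Anchor:
    digest: str       # hex SHA-256 of the document bytes
    timestamp: int    # Unix time supplied by the caller (constructed in the demo)
    prev_hash: str    # entry hash of the previous ledger entry (chain link)

    def entry_hash(self) -> str:
        payload = json.dumps([self.digest, self.timestamp, self.prev_hash]).encode()
        return hashlib.sha256(payload).hexdigest()


class ToyLedger:
    """Stand-in for the blockchain layer: append-only, every entry committed to
    its predecessor. The document never touches this layer, only its digest."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Anchor] = []

    def anchor(self, document: bytes, timestamp: int) -> Anchor:
        prev = self.entries[-1].entry_hash() if self.entries else self.GENESIS
        entry = Anchor(hashlib.sha256(document).hexdigest(), timestamp, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if every entry links to the one before it (no rewritten history)."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev:
                return False
            prev = entry.entry_hash()
        return True

    def find(self, document: bytes) -> Optional[Anchor]:
        """Earliest anchor whose digest matches this copy, or None."""
        digest = hashlib.sha256(document).hexdigest()
        for entry in self.entries:
            if entry.digest == digest:
                return entry
        return None


def prove_copy(ledger: ToyLedger, copy: bytes) -> Optional[int]:
    """Settle 'your word against mine': the anchored timestamp if this copy is
    byte-identical to what was anchored, None for an altered or unknown copy."""
    entry = ledger.find(copy)
    return entry.timestamp if entry else None


if __name__ == "__main__":
    ledger = ToyLedger()
    contract = b"Constructed contract: Alice sells Bob 10 widgets for 100 EUR"
    ledger.anchor(contract, 1700000000)
    print("Alice's copy  ->", prove_copy(ledger, contract))
    print("Bob's altered ->", prove_copy(ledger, contract.replace(b"100", b"10")))
    print("chain intact  ->", ledger.verify_chain())
```

One caveat a practitioner would add before anchoring something like the passport credentials mentioned above: a bare hash of low-entropy data (an ID number, a short form) can be brute-forced from the public digest, so commit to the document together with a random salt kept in layer 1, and anchor the hash of that.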
Listen to the full interview on the TrustTalk podcast, or go on the menu of this site to “podcasts” and then to the Interview with Rick Schmitz (where you can also find the transcript of the interview)