In a recent interview with SafetyDetectives, Susanto Irwan, Co-Founder and SVP of Engineering at Xage Security, delved into the intricacies of the company’s zero-trust identity and access management approach, setting it apart from traditional cybersecurity methods. Xage Security’s unique approach addresses the escalating security challenges within Operational Technology (OT) and Internet of Things (IoT) frameworks, focusing on identity-based asset protection to thwart cyberattacks effectively. As organizations increasingly adopt the zero-trust model, aligning with industry frameworks like NIST, Irwan’s insights provide a roadmap for bolstering security measures and communicating the tangible benefits of zero-trust security to key stakeholders.
Prior to Xage, Susanto held senior engineering and product development roles at Shape Security and Arxan Technologies (acquired by TA Associates). Susanto has over 16 years of experience in security, protecting desktop, mobile, web, and embedded applications against tampering, fraud, and reverse engineering across industries including financial services, mobile payments, healthcare, automotive, gaming, and entertainment. Susanto holds a Bachelor’s in Computer Science from Purdue University.
I’m with Susanto Irwan of Xage Security. Thank you for your time today. Can you talk a little about your journey and what led you to co-founding Xage Security?
Thanks for having me! My passion for computer science and technology started back in middle school. I had a love for computers and video games and was always looking for ways to crack video games. This interest never faded and led to me receiving my BSc in Computer Science from Purdue University.
Fast forward, and I have now been in cybersecurity for over 20 years. I started my career at Arxan Technologies (acquired by Digital.ai) and was the Senior Director of Engineering and Product Architect for their flagship product. I joined Shape Security (acquired by F5) in 2014 as its Senior Director of Engineering and was a key engineering leader to build large scale cyber defense systems to protect against malicious automated cyber-attacks on web and mobile applications.
I have been following the dark web activities and trends for quite a few years before I founded Xage and saw the increased hacking activities into IoT devices such as surveillance cameras, WiFi routers, and temperature sensors. I ideated on an approach that is different from existing perimeter-based cybersecurity solutions to help operational enterprises protect millions of IoT and OT devices without having to rely on connectivity to a central site or cloud. This led to my core principle of founding Xage in August 2016 to innovate on distributed cybersecurity services and I was delighted to partner with my co-founder Roman Arutyunov later on to help me figure out the product market fit. Our efforts resulted in Xage Fabric – a highly distributed, highly scalable, and resilient cybersecurity mesh that can protect enormous sizes of IoT and OT deployments, whether they are isolated or interconnected to IT and cloud.
How does Xage’s zero-trust identity and access management approach differ from traditional cybersecurity methods?
Unlike other identity & access management solutions (IAM), Xage identity-based access management assures that you control every interaction across OT, IT, and Cloud. Companies no longer have to tolerate risky implicit trust zones, shared accounts, and separate, costly credential and privilege access management tools. With Xage, they can defend modern and legacy assets with or without their own credentials or built-in security, all using a single, browser-based console.
The Xage Fabric delivers complete control over who has access to critical assets, what they can do, when, and for how long. The Fabric is highly available and resilient, so policy enforcement continues locally even if one site loses network connectivity to the others. Xage offers greater capabilities than traditional IAM/ICAM and PAM solutions while remaining simpler to deploy, manage, and use.
In the context of OT and IoT security, what specific challenges does zero-trust security address, and how can it protect critical industrial assets?
Too often, access control in operational technology systems is an all-or-nothing proposition. Once a user or an attacker is inside the network, they can access any device without further authentication. Furthermore, access from device to device is not controlled, making lateral movement easy for an attacker who compromises a single device. A new approach to access control is required to minimize the attack surface and secure today’s interconnected OT, IT, and Cloud environments. Zero trust can provide identity-based asset protection and is a game changer to block cyberattacks before those attacks become breaches.
How does zero-trust security align with industry frameworks and standards, such as NIST Cybersecurity Framework or CIS Controls?
Zero trust principles are closely aligned with industry frameworks for cybersecurity, including the NIST Cybersecurity Framework (CSF). The NIST CSF comprises five functions: Identify, Protect, Detect, Respond, and Recover. The first two functions, Identify and Protect, heavily incorporate zero trust concepts, with the Protect function strongly emphasizing the principle of least privilege, and achieving it through identity and access management, authentication and authorization, remote access management, protection of data in transit and at rest, granular segmentation of assets, and more. NIST has also issued a separate document, Special Publication 800-207, covering their recommendations for Zero Trust Architecture in detail.
Additionally, the most current version of the CIS controls, version 8, last updated in 2021, specifically includes zero trust language and concepts such as least privilege. CIS also released a chart explicitly mapping CIS Controls version 8 to the NIST Tenets of Zero Trust.
Overall, since 2020, the principles of zero trust have been increasingly promoted by NIST and CIS. The U.S. government has also embraced Zero Trust, with the Department of Defense going all-in and issuing their own Zero Trust strategy and roadmap.
Can you provide insights into how the implementation of multi-layer identity-based access management enhances security measures to protect critical infrastructure against cyber attacks?
Since stolen credentials are often cybercriminals’ key weapon of choice, companies must make it their top priority to defend against this attack vector. Secure IAM is the first step in any modern approach to defense in depth. There have been great advancements in the field of IAM, including multi-factor authentication (MFA) and passwordless login, but these are only part of the picture for an identity-first defense in-depth strategy. By controlling, at a granular level, the access that each individual has, you limit the damage that can be done even if one of those credentials is compromised.
Xage’s Multi-layer Access Management enables organizations to eliminate attacks on their critical infrastructure by delivering defense-in-depth security for their environments, orchestrating protection across multiple Identity providers, Active Directory instances, network security levels, and locations. Customers can reduce complexity in their access management flow, improve user experience, and block attacks thanks to these unique capabilities:
- Multi-IdP/AD Support
- Controlled asset visibility
- On-site authentication
- Passwordless authentication
- Multi-hop access
What are some best practices for effectively communicating the benefits of zero-trust security to key stakeholders within an organization?
Focus on the identity-centric cyber hardening that zero trust strategy can bring to an organization. Zero trust means so many things these days, but at the core of it is how identity-centric and explicit trust approach to access management, remote access, and data security can reduce attack surface and improve an organization’s cybersecurity posture. It is also important to articulate that not all zero trust cybersecurity solutions are the same – some solutions do require network re-architecture like microsegmentation, but there are other solutions where an overlay approach can be taken to minimize disruption to existing networks and assets. Lastly make sure to formally document the zero trust goals, including a phased approach to get buy-in from all stakeholders.