Understanding What Zero Trust Is (w/ Junaid Islam, Co-Founder of XQ Message)

A growing hybrid workforce environment and organizations increasingly migrating to the cloud have posed significant challenges in cybersecurity. Organizations need to adopt a new security model to protect their clients, teams, data, and applications effectively. 

XQ adopts a Zero Trust Model, which helps organizations identify and respond to the growing number of sophisticated cyber attacks by enforcing policies and processes to inspect, authenticate, and validate all users and devices before ‘trust’ is granted. 

XQ is a clean sheet approach to cybersecurity. Our patented technology creates Zero Trust Data enabling companies to define who, when, and where data can be read. With this preventive approach, XQ provides data-centric protection and support for data in transit on-prem to the cloud and throughout its lifecycle.

On a Cyber Security Matters episode, hosts Dominic Vogel and Christian Redshaw joined Junaid Islam, Co-Founder of XQ Message, the leader in data-centric digital trust. Providing frictionless zero-trust data protection.

Junaid has 30 years of experience in secure communications. His protocols, algorithms, and architectures are incorporated into a broad range of commercial and US national security networks. 

This podcast covers the following topics: 

• Understanding what zero trust is 

• What businesses need to understand about the war in the Ukraine and the impact it has on cyberspace

• Why it is critical for SMBs to have proper cyber security in place

• Three easy steps you can take today to start protecting your business

Protect organizations immediately from growing cyber threats. See how we protect data from smart cities to enterprises, migration to the cloud, and workplace messaging.

https://xqmsg.co/zero-trust-smart-cities

Learn how you can protect your data, teams, and customers today: https://xqmsg.co/contact-us

Read the following excerpt from the transcript of the Cyber Security Matters episode, featuring Junaid Islam, Co-Founder and Board Member of XQ Message, Dominic Vogel, and Christian Redshaw:

Dominic Vogel:  Hello, everyone. Welcome to another fantastic edition of the Cybersecurity Matters Podcast. I'm your co-host Dominic Vogel, and joining me as always is Mr. Christian Redshaw. Christian, how are you doing today?

Christian Redshaw: I am good. A little bit tired, but that is the same old middle-aged male whine that I always have. How are you doing?

Dominic Vogel: Yeah. I think you and I have been tired since the day we met. 

Christian Redshaw:  But hopefully, this episode gets us a little bit energized here once we get it started.

Dominic Vogel: I am looking forward to today's guest. It is Junaid Islam from XQ Message. Never heard of the company before, but I'm really interested to learn more about Junaid and tap into his insights. So we will take a momentary pause here, and we will bring Junaid.

Dominic Vogel: Junaid, thank you so much for taking time out of your busy day to join us in the Cybersecurity Matters Podcast. How are you doing today?

Junaid Islam: Great. Great. Thank you for inviting me. I'm excited to be here at Cybersecurity Matters.

Dominic Vogel: Thank you so much for joining us, and it's always nice to have a fellow Canadian on the show, even one that is a dual citizen. But you're still Canadians.

Junaid Islam: Don't hold it against me.

Dominic Vogel: Yeah. I was wondering if maybe we could just start for just a minute or two, just for you to maybe introduce yourself to our listeners and viewers just so they can learn a little bit more about your career history.

Junaid Islam: Great. Well, I grew up in Toronto. So I am pronouncing it the right way as a Toronto person. There's no T in the word Toronto. I graduated from school at the University of Toronto in 1989. I was quickly hired to support actually Canadian Foreign Services who were supporting the United States DEA in South America. So I did get deployed to effectively everywhere the Columbian cartel is working to set up an X.25 network. Then the Gulf War started around 1998, and I got shipped from Bogota, Columbia to the Middle East and actually set up what became known as Operation Desert Shield. So this was the precursor. So Canadians should be very proud of our role in global national security. There were a lot of Canadians in both South America and in the Middle East supporting all of these coalition networking events.

Junaid Islam: After that, I switched to a much more safe career. I basically got into protocol design. I helped create something called MLPP, which is used in weapons control systems. It's that red button to launch a rocket. I did not do the rocker panel or anything like the rocket launch. That's more important. I just pressed the button. So just the red button. Think about me. After that, I did MPLS routing at Cisco then mobile IPv6 at the Department of Defense at net-centric warfare. Then most recently, I was a contractor to the US intelligence community to help create something called Zero Trust, and now I am working on the commercialization of zero trust. But I also advise different groups. I am on the NASA Lunar Network Team. So I'm working on new algorithms to route traffic between the lunar telescope and earth and a small advisory role at the Department of Defense on procurement.

Christian Redshaw: There's a lot in that. It kind of rolls off your tongue, all of the projects that you were involved in. Most of those will go right over our heads. But you mentioned Zero Trust. With the growing remote workforce and migration to the Cloud, can you tell us, just at a really layman level, what Zero Trust is, what a Zero Trust environment is and why?

Junaid Islam: Sure. So actually, the word zero trust is actually from the US intelligence community, and it's actually a word from counter intelligence and they use that word when they have zero trust in people. So for example, when I was very young, and I was off in South Latin America, setting up networks for Canadian embassy personnel and US embassy personnel. I was installing X.25 devices with encryption. I said, "Why am I doing this?" I mean, I'm just a kid, really, out of University Toronto. And it was because they had zero trust in the phone company because the phone company had been paid off by drug dealers and they were tapping into phone lines.

Junaid Islam: So the way to think about the word zero trust is just to think of it as a plain English term. It's about what's the greatest risk to you, as in what do you have zero trust in because you don't know anything about it? The heart of Zero Trust networking is the notion that we take the idea that we don't know about something, and that thing we don't know about may be used by an adversary or an enemy coming after us. We need to take care of that.

Junaid Islam: So one of the things that confuses people when they hear about Zero Trust security, or Zero Trust architecture, they think it's about a box or a protocol. It's actually about a philosophy and the philosophy's about a risk-based approach. So I know that's really confusing to people and I wish they hadn't called it Zero Trust because I can see why people are confused. But if you know about the history, where it came from, which is counterintelligence, then it's easier to use because you also know how to use it in an English sentence as in, "Oh, I have zero trust in whatever."

Junaid Islam: Now in the cyber world, it could be a web service I don't know about, or I have zero trust in this email that I got from somebody and I don't know who they are. So if you use it in that context, it makes a lot more sense.

Christian Redshaw: Mm-hmm. No, that does make sense.

Dominic Vogel: I would like to learn or get your thoughts on sort of what we're seeing in the geopolitical sense with the innovation in Ukraine, and this being one of the first wars where we could be seeing broader cyber war, cyber attacks happening in the war context. What are you expecting to see, both from a geopolitical perspective, but also are there ramifications for businesses that they should be thinking about as well?

Junaid Islam: That's a great question. So one of the things that makes Russia and also China unique as global superpowers, and we should respect them for what they are, they are true military superpowers, is they use cyber as a way to enforce or extend foreign policy. That idea does not exist in the Canadian or American context. But in the Russian context, for them to shut off someone's email because you emailed something and you got them all angry is totally...

Junaid Islam: So one of the hard things for Canadians to understand, just because Canadians are such damn nice people, and I say that with sincerity because I've spent a lot of time protecting really nice Canadians. It's very hard for Canadians in the Canadian context, and you would understand this, especially if you're talking about Canadians from the suburbs, have no notion why somebody would attack Canada? I think what Canada needs to understand is A, the philosophy of Russia is totally different from our own philosophy as Canadians and Americans. I mean, we just don't shut off things in other places. When Canada or the United States acts outside their territory, it is only for one reason, and one reason only: to save human life. We don't deploy Canadian forces just to project power. Canadian forces are well known and respected in our world, and I think all Canadians should be proud of that, always to save people.

Junaid Islam: In the Russian context, they will go after you just because you said something and wipe out your data. I think one of the things we have to realize, just their philosophy. For example, this Russian cyber war is not new. I actually was asked by the government of Ukraine at that time to help investigate the 2017 attack. What we found is Russians were using something called laterally moving malware. So you've all heard about that thing about you getting an email and you click. Well, this malware is so smart you don't actually have to click. Once it gets into anyone's machine, it just moves by itself and deletes data. So they call it like wipe ware, basically.

Junaid Islam: So Russians not only use cyber attacks, they actually have cyber weapons, which is as terrible and terrifying as it sounds. I think in terms of the audience for why cybersecurity matters. Cybersecurity really matters now when we're talking about a country that not only has very sophisticated cyber tools like malware that moves itself, self-propagating malware, but is also ready to use it, and ready to use it not just for political gains, ready to use it for someone in Canada who might say, "Hey, I support democracy in Ukraine," and all of a sudden you're a target. You'd be like, "I didn't even say anything wrong." But a very different philosophy. I think we need to really take this seriously as much as we can.

Christian Redshaw: Considering all of this is true, imagine yourself as not as technically smart of a person, and imagine that you are running a small business in Canada or the United States. Transport yourself into that desk. What are you going to do to start off with to protect yourself from these types of cyber attacks? Like, I don't necessarily think that it's the state-sponsored cyber attacks that are maybe a threat to small and medium-sized businesses, but nonetheless, the main attacks that are happening out there to SMBs they're no respecter of persons. They are still at risk. Often, they're in this supply chain of bigger companies. So there's a lot at stake for them, potentially even like an existential threat, cyber risks. What are your first steps going to be? And what's your approach going to be?

Junaid Islam: Sure. So before I get into steps, I just want to touch on something you just said. You might be working with a small business who says, "I'm not involved in national security. I'm not involved in protecting Canada. I'm not at risk." That's often a big mistake. What you find is you might be selling to somebody else who is supplying our national defense or CISA. Number one.

Junaid Islam: Number two, you might be living in a small town in the middle of nowhere, but there's a Canadian Armed Forces based in your small town. And you don't think about it because you see them decade after decade. But somebody will be going after that Canadian base, and they will hit everybody in that small town. So I think first of all, you should really re-look at your risk because even though you might not view yourself as a target because you're either small or living in a small town, who are you really working with? Who's your neighbor? Is there a military base in your small town? So that's one thing I'd ask all people to think about.

Junaid Islam: The second thing is there are some simple things you can do, I would say today, in fact, right after this podcast, that will change your risk profile significantly. First, most email systems and systems connecting to application servers all have multi-factor authentication. It's really a free feature on just about everything we have today. Turn it on. You've got nothing to lose because it's free. Number one. It's very easy to do, it takes 10 minutes. Of course, you'll get some people complaining, "Hey, why am I getting a text on the phone?" And you just explain it. So MFA's one of the simplest things everybody can do. Costs nothing.

Junaid Islam: Beyond that, once you've done that, and hopefully you've done that right after this podcast, the second thing you should do is think about backing up your systems. One of the things we see that Russia does a lot of is not only ransomware attacks, but they don't even bother stealing your data. They just go wipe it out. This is happening in Ukraine daily, if you see. So the last thing you want to do is to have your data wiped out. You could be a company selling furniture or food, and you'd say, "There's no risk," but you know what? Maybe the food you're selling is going to someone else, and it's ending up at an Armed Forces Base. And lo and behold, they'll find your email in someone else's system, and then they'll come wipe you out, because the way the malware works is it actually searches and looks for emails, and then it automatically propagates.

Junaid Islam: So it's not like someone has to, in a foreign country, make this decision to wipe you out. It's actually an automated process once they launch. So I would say backup your data. Again, it only takes a few hours. Most people have data backup and they never use it. If you don't have it, there's an infinite number of online services, Cloud services that I'm sure your users are familiar with, that I would say, go use it. It's very inexpensive. The afternoon or the one or two days you'll spend backing up is well worth it because if you get hit by accident or not accident it can take months to rebuild your business once they corrupt your database.

Junaid Islam: The third thing, a little bit more sophisticated, so do number one; MFA takes 10 minutes. You have nothing to lose. Do number two, do disaster recovery. Then start looking at securing your email and other things after you've done the first two, ongoing best practices. Sadly in this world, I don't think geopolitical tensions are going to reduce no matter what happens in Ukraine. I think it's going to be with us. So I think all companies, no matter how small they are, start to look at things like secure email and chat, just to protect themselves, their employees and their business partners.

Dominic Vogel: Junaid, we really appreciate the insights, the wisdom, and the terrific practical guidance that I do hope that our viewers and listeners take to heart and do right away after completing this podcast. But thank you so much for spending part of your day with us today. We really, really appreciate it. That was a fantastic conversation.

Junaid Islam: Thank you. Thank you. And no, thank you for the work you're doing as you know, from my perspective, cybersecurity does matter-

Dominic Vogel: Thank you.

Junaid Islam: especially in today's political world. So thanks for having me and I hope your members immediately go turn on MFA. Sign in right after this.

Dominic Vogel: Wise words to heed indeed. Christian and I will be right back to wrap up today's episode.

Dominic Vogel: That was a really insightful conversation with Junaid. Gosh, I'm not sure where to start. What was your key takeaway?

Christian Redshaw: Well, his background, much of which I couldn't even keep track of because it moved so quickly there, is super impressive. I'll save the middle bit for you, so you can comment on that. But the end bit is about the three steps, which I take notes on. So MFA, backup your data, and secure your email and your chat. Very practical.

Dominic Vogel: Good, actionable advice there. It was really, again, good, insightful wisdom, what he was saying there, and especially in an age as more and more, not just companies and organizations, but from a geopolitical perspective, countries are using cyber war as a part of the traditional weaponry. It's important like Junaid was saying there, that organizations take heed and recognize that that is something that some countries use maliciously and are willing to use right off the bat, while others may not use them right off the bat. So it was very, very interesting listening to him, especially of some of his experience, who's supported the Canadian-US military in different operations. So that was very insightful. So we really appreciate Junaid coming on the show today.

Dominic Vogel: As always, we thank our loyal listeners and viewers for taking time out of their day to either listen and/or watch today's podcast. If you missed the previous version, do be sure to check out the old episodes at the Cybersecurity Matters YouTube page or on your favorite podcasting platform. But until next time, be well, be safe, and we'll catch you again on the Cybersecurity Matters Podcast.

Christian Redshaw: I'll see you next week.