Zero Trust / May 30, 2023

Zero Trust Decoded

This is a transcript of Episode 16: Zero Trust Decoded from our podcast series “Navigating the Cloud Journey.”

In the episode we talk about Zero Trust – we hear it all the time. However, when you’ve been asked to implement Zero Trust for your organization, it takes on a whole new meaning. In this episode Jim and Chris Steffen from the Cloud Security Alliance, discuss what Zero Trust is and how to tackle it wherever you are in your journey.

Here are a few takeaways from the conversation with Chris. You can listen to the full podcast below.

Jim: Maybe you could back us up a few years, where everybody started saying, I need to pay attention to Zero Trust. Where did that come from?

Chris: Yeah. Don’t be tired of Zero Trust. And I know that it does seem like it’s the center square of buzzword bingo for everybody lately, and there’s not a whole lot I could do about that. I promise you, if you’re going to RSA here in a few weeks, you will be hearing about Zero Trust. So just brace yourself, it’s going to happen. But it’s a good thing. And finally, the reason that we’re hearing so much about it lately is that the government is finally really taking steps forward to improve everybody else’s security. This started out as a concept from some of the other analyst firms. And it was looked at, then not looked at. It has always been in the government space as an interesting thing, an interesting journey that kind of is a summary journey of a lot of security best practices. But at the end of the day people summarize Zero Trust by “trust nobody”. And I guess at the essence that’s true, as the guy who coined the term Zero Trust is a gentleman by the name of John Kindervag. And he’ll tell you that we as a community in general have made it overly complicated, and it’s something that’s relatively simple, and that is really taking and having a good handle on all the different aspects of your infrastructure, the security aspects of that infrastructure, and how those different parts all interact with each other and all have to be understood and documented and trusted to come up with an overall security picture.

Yeah. And that’s the idea behind it, and you’re hearing a lot about it now because again a lot of different companies are seeing the value of it. A lot of different organizations are seeing the value of it. The government is seeing the value of it. And it’s really starting to gain some legs as being a trajectory, a journey to improve your overall security within your organization.

Jim: Is Zero Trust a Passed Down Compliance?

Chris: Yeah. You’re going to start seeing some of the latest regulations and executive orders come down. Zero Trust is going to be pretty much mandated in the fed space. All those three-letter acronyms are going to have some iteration and some kind of implementation of Zero Trust. But the good or bad news, depending on your perspective, is that you’re going to end up getting Passed Down Compliance as well.

I coined the term Passed Down Compliance a long time ago, and it’s the idea that if you’re doing business with some vendor up top, the compliance regulations that they are having to comply with get passed down to the vendors that they work with. So, if you are a government contractor, the government is obviously going to do it; if you’re a government contractor, well, they’re going to expect that you’re going to have a Zero Trust implementation. If you’re doing business with that government contractor as a subcontractor, it’s likely that you’re going to have to be doing that kind of implementation as well. So again, not necessarily a bad thing. Here in the security space the idea that more people are going to be more secure is not bad. That’s again, that’s good. We like that. That’s better.

Jim: Can you tell us about this concept of visibility in relation to Zero Trust?

Chris: Yeah. I think that, to echo what you said, we are making this way too complicated, and I’ll just give you a strawman example.

You figure that for any Zero Trust journey, it’s not a project, by the way, let’s get rid of that term too. This is something that is a strategy, it is a journey, it is something that is going to be multifaceted and multi-pieced, and it’s not something that you’re going to likely accomplish overnight.

But let’s just hypothetically say that your Zero Trust journey includes, I don’t know, 30 different components. Right now, in your organization, you likely have a certain number of those, and that number could be as many as 10. If you’re super mature, that could be as many as 20, but you don’t likely have all 30. And maybe you don’t even need all 30 when it’s all said and done. But it doesn’t negate the fact that the 20 that you have done, the 10 that you have done, even the three that you have done, are steps in the right direction to make your organization more secure.

So let’s talk about visibility for a moment. That’s a key one, right? You probably have some management tool out there that you’re using, a SIEM, an XDR solution, an EDR solution, whatever that might be. And that has visibility into your user space. It might have visibility into your networking, it might have visibility into your applications like you mentioned.

And those are all parts and pieces of trying to understand how you’re going to not only recognize them in your infrastructure, but then how you’re going to secure them. It’s very difficult to secure things that you don’t know that you have. And so understanding and gaining visibility into those different parts and pieces, from users to applications to machines themselves to networks, that is a critical component that you have to start with. So visibility is critically important.

Jim: You ARE multi-cloud whether you realize it or not. That’s where observability helps.

Chris: You could be totally an AWS shop, “we’re all AWS,” but you’re still using Office, right? Yeah. You’re using Office for something, and so you’re using Office 365, which is in some cloud by itself. You’re using Salesforce, which takes in and has a cloud in and of itself. You’re using some kind of analytics engine; it’s using some kind of Google analytics or whatever have you. So, you are multi-cloud. Everybody’s multi-cloud to a degree. Embrace the horror, but that’s what’s happening, right?

Jim: I love it. You said it. I didn’t have to say it. I say that a lot. People go, “no we’re not.” I’m like, okay, put your head in the sand, but the reality is, you are. So, as we start moving into the cloud, because people listening to this are in different parts of their journey, right? Some people are listening to this going, we’ve already been there, we’ve done that. We have some people that are saying, I’m just dipping my toe. And so a lot of people start looking at it and going, I’m in the cloud, can’t I just use the tools that the vendor and the cloud provide? And the first thing I do is shake my head and go, that’s great if you only live in one cloud, but we just established you don’t.

So, getting visibility into these environments has never been more important. What does North-South, East-West, mean to you from a Zero Trust perspective?

Chris: Yeah. Boy, that’s a great question. That’s a podcast in and of itself. So let me go back for a second and say that it’s imperative that, depending on the maturity and the size of your business, you never reject help from others. So, if your cloud provider or your host is going to offer you tools that give you observability and manageability into your environment, you should take that help all day. It isn’t the end all, be all. Think of it as, quite bluntly, and I don’t mean to disparage any of the providers or “hosters” out there, but it’s gonna be the bare minimum. They’re going to give you the tools that allow you to do at least some of the things that you need to do to be able to manage it.

Jim: I like to use the word good enough.

Chris: Yeah, it is, right? And maybe it is, right? Maybe if you are a very immature environment and this stuff is all freaking you out to no end, maybe you start with that. And then the next step in your journey is to take and get some kind of aggregation visibility solution that can span multiple clouds to give you visibility into all those instances: how they interact with each other, the risk associated with each of them depending on what you’re doing, so on and so forth.

It is a matter of maturity. Yes.

Jim: What is the importance of visibility in Zero Trust environments?

Chris: To come back to your question, the answer is that you have to start somewhere, and if you think that you have everything nailed down with the tools that you’re currently using, now let’s take it to the next step and look at how we can aggregate all that visibility into one pane of glass that gives me a true, at-the-moment report of what’s going on in my overall ecosystem. Not an easy thing to do, and it’s one of those things where there’s a lot of connectors from an East-West perspective. As you go up and down the stack, there are things that you have to be aware of. There are things that you have to connect to. There are things that I promise you’re going to forget.

And where your tool comes in is, do they help you remember the things that you’re going to forget? Do they give you visibility on the things that are not documented? Do they give you a sense of understanding of, I am going to deploy this tool; it’s going to give me visibility on the things that I know about, but it’s also going to give me ideas of things that I wasn’t thinking about as well? That’s where that real value comes in. I always use the term “phone a friend”, right? That’s where that value comes in. Being able to phone a friend saying, we’ve been down this road. Let us help you go down this road together and we’ll come out better when it’s all said and done.

Jim: I think one of the things that I keep hearing quite often, and you just said it, is the stuff you don’t know. I know I’m stating the obvious, but I think what’s interesting when we move to the cloud is the ability to just spin up compute and spin up different VNets and VPCs at will. If you don’t have a real-time view into that traffic, you won’t know it happened until days, weeks, months later.

Chris: Let’s give a simple example, and unfortunately this example is all too real. We were talking a minute ago about how you are multi-cloud. You are multi-cloud, whether you know it or not. And another perfect example is all the shadow IT that’s going on, right? You are completely a Microsoft Azure shop, except for the developer who stood up his S3 bucket to do some testing on what he thought was scrubbed data, which actually happens to be the crown jewels of your company. And you have no visibility into that. That’s very scary. Especially how it’s being used, where it’s being stored, how it’s being configured, whatever have you.

And they don’t think they’re doing anything wrong; they’re just trying to get their job done. But that’s one of those things, again, you are multi-cloud, whether you realize it or not. And the solutions that you have that provide that amount of visibility will at least give you another chance that you’re going to find everything that you think that you need to be looking for.

Jim: Yeah. I agree with you. I think that one of the differences of using the stuff they give you versus some of the more advanced stuff as you get more mature is that ability to start seeing stuff in real time versus relying on stuff that’s legacy.

Jim: We can’t just accept the packets. We can’t just accept the logs. We need to do enrichments. We need to enhance ours. Is that where you go with that?

Chris: It is. I’ll even take it a step further than that too. It’s that you can’t be point in time, right? And so no matter how you look at it, logs are a point in time, right? I can tell you what happened yesterday at 2:47 PM: Jim logged in to this computer doing these kinds of things. Great, that’s wonderful, tell me what Jim’s doing right now, okay? I can go back to a log and say Jim is logged into this computer doing this thing. Okay. But I still need to know what Jim is doing right now.

And so you want to have something that’s more point in time, and I’m not even necessarily talking about aggregating, because we can do some of that as well, but it needs to be something real time. I need to understand if Jim is doing these kinds of things and all of a sudden he’s logging in from North Korea, something is probably not right. And so I need a better understanding of what he does, what he’s going to do, to be able to make real-time decisions based on what Jim does as a person and how our organization views his role at the company, being able to do X, Y, and Z and what kind of data he has access to.

And so again, quite frankly, Jim shouldn’t be taking and accessing corporate HR data from North Korea. That doesn’t make any sense. So, we’re going to have a system in place that basically prevents him from doing that. That’s really what makes sense. If Jim is in a coffee shop, we think that’s probably okay, but because it’s not a protected network, maybe we’re going to limit the amount of data that he has access to, where if Jim is in our black box, SCIF somewhere, he can have access to everything because that’s what his job is. So, it really has to be contextual. It really has to be real time. It can’t be this trending, and so on and so forth. You really do need to understand the identity of Jim, what his responsibilities are and what things are outside of the realm of normal.

You can even take it another step from there. You can add a data component to that. Data has its own identity as well. Can data be accessed in certain places or another? Can it be accessed by certain people or another? Can it be encrypted in certain ways or another? You can even add another component, one that I’m working on that’s particularly interesting, which is application identity. Is an application an entity in and of itself? Should an application be accessing this kind of data? Should an application be accessed by this kind of person? Should this application be accessed by this kind of device? And those are all parts of it that make up this bigger picture, that make up your whole Zero Trust picture, and it becomes very interesting. From those decisions now you can take and really do some interesting security-related things that really improve the overall security posture of your company.

Jim: All right, so let me just go through everything you just said. It was a lot. But I wanna piece these together. You know, you can’t boil the ocean. There is no way that, boy, that’s a small cup of coffee there! Yeah, it’s not coffee, it’s vodka. Ugh. So, from what we just talked about, I heard identity, I heard a risk-based approach. I heard UBA, user behavioral analytics. Yep. I heard real-time visibility. Yep. I heard observability. Yep. I heard contextual, which means I have to know where my crown jewels are, because if I don’t have an inventory of where my assets live, I can’t answer the question, how bad is it, so I don’t have the context around it. But then I also have the portion where I have to be ready to find new stuff that I didn’t know even existed. So, all of that is what I just heard in everything you just said. So, yes, we’re running out of time here.

Chris: The last one is the deal breaker too, by the way.

Jim: What’s that?

Chris: So, finding all the new stuff is always the part where we fall down. Because I can take, again, a point in time, I can say everything is all secure all at once, right? I know this because I only have three people and I know what they’re doing and I know where they are and I know what computers they’re using, and I know what devices they’re using, I know what applications they’re using, and we’re good, right?

Jim: Three minutes ago.

Chris: Yeah, but now what’s happening right now? Jim is still not in North Korea, and I just set up this new storage somewhere else, and how does that integrate with all of this? And then I added a new application, or I added updates to an application or whatever have you.

So, it’s that continually evolving infrastructure, and that has to be addressed somehow.

Jim: Yes. And I think automation is key. I think we need to start looking at how we can automate some of this, recognizing when those new instances are stood up through automation. I think one of the other things that’s often overlooked is we look at infrastructure as code as the norm nowadays.

Getting those developers on board, getting them involved in the process sooner rather than trying to apply Zero Trust to them after the fact. I think that’s important, to educate them. We are out of time here, so I’m gonna step back. We talked about a lot of stuff, and I think when we got to that big ideal-world scenario you gave us, that’s for somebody who’s a little more advanced, and we’ve got to dip our toe, right?

Jim: Starting your Zero Trust journey, what do I do?

Chris: So, I’m not gonna say CSA, I can say CSA and you should go look at CSA, but I will tell you, quite frankly, look at the project plans and the budget that you have for the remainder of 2023, if that’s what you’re looking at.

And then start looking at the vendors that are in that space and just try to understand what their Zero Trust approach is. Not their solution, not the end all be all. Just try to understand how that particular vendor believes in and looks at Zero Trust. And they’re all different. And again, I’m not trying to promote anybody over anybody.

Take a look at ’em. They all have their benefits; they all have things that are less good. And try to understand how that’s going to integrate with your journey, with your company, how you want to approach things. Don’t try to eat the elephant all at once; you will not win.

Take and do it piecemeal. Try to understand how you can take and gain some traction in networking. Then take and look at how you can gain some traction in identity. Then look at how you can gain some traction in data. And then after a certain amount of time, you’re going to find that, yes, I’m implementing these projects. These projects are gonna take nine to 18 months to implement anyway. But when we’re all said and done, we’re gonna actually make real headway. But I promise you it’s not gonna happen overnight.

And so have a strategic approach to how you would like to take and approach these different projects based on what your priorities and your budgets already are. I will also tell you that your compliance and your risk team likely have a say on how those monies are being deployed, so talk with them as to what the priorities are too. Get an understanding of what the priorities of the business are and align that to what your Zero Trust goals are going to be.

That way you ensure that you have success. It is, and I hate to say it this way, likely to be a multi-generational project. It’s going to be something that is going to start with one executive and may even wrap up with another executive. But understand that, and understand that the pieces in and of themselves are progress, and then you’ll have success.

Jim: That’s great. Now, before we leave, one final sign-off here: If somebody is interested in learning more about the CSA — and I know you’re here not representing the CSA in general, but I think that being a member of the CSA, I’d like to give them a plug. If someone wants to learn more about this and what the Cloud Security Alliance does, where should they go?

Chris: Yeah, cloudsecurityalliance.org. Again, I can’t recommend them enough. They are non-denominational, right? They’re not out there taking and plugging a particular vendor to do a particular thing, so on and so forth. They are doing research for the betterment of all the boxes-and-wires types that are out there trying to gain further understanding. Lots of great trainings that they offer, tons of great resources that are out there. Again, at all your major conferences, they’ll have a booth that you can come and visit. And again, check ’em out on LinkedIn, check ’em out online, and then if you’re still looking and you can’t find anything, you can always ping me on LinkedIn — I’m there too. Happy to take in and guide you where you can go there.

Jim: Wonderful. So, for all of you listening, I want to thank you. If you have any comments, feedback, questions, please reach out to us. You should have links with your podcast, and if you’re on YouTube, there should be some links there to give us feedback. We welcome it, and I want to thank everybody for joining.

And thank you very much for joining today.
