CSO Perspectives (public) 6.5.23
Ep 83 | 6.5.23

Zero trust in an app-centric world with Okta.

Transcript

Rick Howard: We've spent a lot of time these past three years in this podcast talking about Zero Trust as a strategy in our cybersecurity first-principle thinking. We've talked about the history and the philosophy of it, but we've also talked about how the security vendor community has overhyped the concept so much that all of us are sick of hearing about it. Even so, Zero Trust as a first-principle strategy is still an impactful way to buy down cyber risk. But it's likely you'll never reach the end of your Zero Trust journey because it's more of a mindset, a filter to use to judge your ever-changing digital environment. And although your Zero Trust infrastructure can be quite complex, it doesn't have to be. You can get a long way down the road by using the people/process/technology triad you already have in place, something I like to call a "meat and potatoes approach" to Zero Trust. We've also talked about the various Zero Trust tactics to consider, like logical and micro-segmentation, vulnerability management, software bill of materials, SBOMs, identity management, single sign-on, two-factor authentication, and my favorite, software-defined perimeter. But while we've been working our way through that, the target of our Zero Trust efforts has been shifting. Originally, like back in 2010, we talked about limiting access to our employees and contractors based on a need to know. By 2013 or so, when we all started to allow employees to use their personal devices to do work by tablets, laptops, and phones, we started thinking about how to limit device access, too. And just this year, the U.S. National Cybersecurity Center of Excellence announced its research on data classification processes, a brand name for the aspirational idea of being able to apply the same kinds of internal Zero Trust controls that you use within your own digital infrastructure to data that leaves your organizations, like email and files stored in public repositories by Dropbox and Amazon S3 buckets. We just published a CyberWire-X podcast on that very subject called "What is Data-Centric Security, and Why Should Anyone Care?" The links are in the show notes, and you should definitely check it out. But in 2020, when we all re-learned what a supply chain attack was, when the hackers behind the APT29 attack campaign compromised SolarWinds, and in 2021, when the community discovered the Log4j vulnerability and the risk of open source software, we started to get serious about applying Zero Trust rules to commercial applications that we buy, software that we build ourselves, and open source code libraries that are used by everybody. And that's what we're going to talk about today, Zero Trust in an app-centric world. So hold on to your butts.

Speaker 1: Hold on to your butts, butts, butts.

Rick Howard: This is going to be fun.

My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good ol' US of A, and you're listening to "CSO Perspectives," my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

Christopher Niggel: My name is Christopher Niggel, or Chris Niggel.

Rick Howard: I met Chris Niggel for the first time in person at the 2023 RSA Conference.

Christopher Niggel: I am the Regional CSO of the Americas at Okta. I've been with Okta for eight years as an employee and four years before that as a customer.

Rick Howard: And he and I got to talking about Okta's latest white paper called "Business at Work 2023," where using the metadata from its own customers, Okta was able to highlight some trends and applications used this past year, and it looks like COVID is really over since the use of business travel apps is way, way up, 43% year over year. They have this fantastic chart that proves the point. On the x axis is year-over-year growth by number of customers. On the y axis is year-over-year growth by numbers of unique users, and all the application categories like content, collaboration, security, banking, etc., are grouped in the middle of the grid, except one lone entry high and to the right of the chart, all by its lonesome, that represents travel applications. I started out by asking Chris about the graphics.

Christopher Niggel: So this information is collected through the use of the Okta application. Because we serve as the identity front door for over 17,000 customers globally, we have an incredible amount of anonymized information about cloud adoption as well as adoption of security controls and how the industry is changing.

Rick Howard: So the way you collect this information for this report is your customers who configure your product to provide identity and access management services, that's how you know that they're connecting to, say, Salesforce or, you know, Gmail, or whatever it is. That's where you're getting this information.

Christopher Niggel: That's right. We have visibility into the types of applications, the growth of those applications, and being able to draw inferences across different segments of the industry, again, through the use of anonymized data. So we're never able to associate specific usage patterns or report on specific usage patterns in this report through that resource.

Rick Howard: So you're not able to do that, but you're able to characterize, like, the most popular applications, how many users are using them, those kinds of things, you know, kind of metadata, right?

Christopher Niggel: Yes, exactly.

Rick Howard: The big strategy that everybody has been pursuing for the past five years is Zero Trust, and the originator of the white paper, John Kindervag, is quick to mention that identity management is not Zero Trust, but it is absolutely a key and essential piece. You can't do Zero Trust without it, and that's what caught my attention from your report, as the last five years have made all of us wake up to the potential attacks from third-party software applications, and your report seems to identify most of the applications that organizations are using around the world.

Christopher Niggel: You're absolutely correct, Rick. Identity is not, on its own, Zero Trust, and Zero Trust is a journey. It's not a destination. So what we run into is we see a lot of organizations who are trying to approach Zero Trust as something they can purchase and implement when the fact is that Zero Trust is that journey, and identity is the first step in that journey.

Rick Howard: In the report, Okta tracks the top 50 most popular apps and highlights a few that have gained the most ground, like Figma, a cloud-based collaborative design tool that Adobe purchased in 2022 for $20 billion. I even used it myself to build the mockup of the "Cybersecurity First Principle" book webpage, links in the show notes. Last year, Figma boasted a chart-topping 81% year-over-year growth by number of customers, and one of the fastest-growing apps in 2022 was Palo Alto Networks' Prisma Access, their SASE offering, Secure Access Service Edge. The app grew 109% year over year by number of customers, which is one indicator supporting --

If you'd like to hear the rest of this discussion, subscribe now to "CyberWire Pro." Here's what you get. This interview in its entirety, but also all shows in the "CSO Perspectives" podcast series in total, the quarterly analyst call that I host, along with every podcast in the CyberWire network ad-free, and you all know that's my favorite part. To subscribe, surf over to thecyberwire, all one word, dotcom/pro. That's thecyberwire.com/pro, and if you're interested in one container that holds all the ideas discussed so far in the "CSO Perspectives" podcast, you can buy my book at Amazon or wherever you buy your books from. It's called "Cybersecurity First Principles, a Reboot of Strategy and Tactics."