Zero trust in an app centric world with Okta.
Rick Howard: We've spent a lot of time these past few three years in this podcast talking about zero trust as a strategy in our cybersecurity first principle thinking. We've talked about the history and the philosophy of it, but we've also talked about how the security vendor community has overhyped the concept so much that all of us are sick of hearing about it. Even so, zero trust as a first principle strategy is still an impactful way to buy down cyber risk. But it's likely you'll never reach the end of your zero trust journey because it's more of a mindset, a filter to use to judge your ever-changing digital environment. And although your zero trust infrastructure can be quite complex, it doesn't have to be. You can get a long way down the road by using the people-process-technology triad you already have in place, something I like to call a meat and potatoes approach to zero trust. We've also talked about the various zero trust tactics to consider, like logical and microsegmentation, vulnerability management, software bill of materials -- SBoMs, identity management, single sign-on, two factor authentication, and -- my favorite -- software-defined perimeter. But while we've been working our way through that, the target of our zero trust efforts has been shifting. Originally, like back in 2010, we talked about limiting access to our employees and contractors based on a need to know. By 2013 or so, when we've all started to allow employees to use their personal devices to do work, like tablets, laptops, and phones, we started thinking about how to limit device access, too. And just this year, the U.S. National Cybersecurity Center of Excellence announced its research on data classification processes, a brand name for the aspirational idea of being able to apply the same kinds of internal zero trust controls that you use within your own digital infrastructure to data that leaves your organizations, like email and files stored in public repositories like Dropbox and Amazon S3 buckets. We just published a CyberWire-X podcast on that very subject called "What is data centric security and why should anyone care?" The links are in the show notes and you should definitely check it out. But in 2020 when we all relearned what a supply chain attack was, when the hackers behind the APT29 attack campaign compromised SolarWinds, and in 2021 when the community discovered the Log4j vulnerability and the risk of open-source software, we started to get serious about applying zero trust rules to commercial applications that we buy, software that we build ourselves, and open-source code libraries that are used by everybody. And that's what we're going to talk about today -- zero trust in an app centric world. So hold onto your butts --
Hold onto your butts -- butts -- butts --
Rick Howard: -- this is going to be fun.
My name is Rick Howard and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
[ Drums, Silence ]
Chris Niggel: My name is Christopher Niggel, or Chris Niggel.
Rick Howard: I met Chris Niggel for the first time in person at the 2023 RSA Conference.
Chris Niggel: I am the Regional CSO of the Americas at Okta. I've been with Okta for eight years as an employee, and four years before that as a customer.
Rick Howard: And he and I got to talking about Okta's latest white paper called "Business at Work 2023" where, using the metadata from its own customers, Okta was able to highlight some trends in applications used this past year. And it looks like COVID is really over since the use of business travel apps is way, way up -- 43% year over year. They have this fantastic chart that proves the point. On the x-axis is year-over-year growth by numbers of customers. On the y-axis is year-over-year growth by numbers of unique users. And all the application categories, like content collaboration, security, banking, etc., are grouped in the middle of the grid except one lone entry, high and to the right of the chart -- all by its lonesome -- that represents travel applications. I started out by asking Chris about the graphics.
Chris Niggel: So this information is collected through the use of the Okta application. Because we serve as the identity front door for over 17,000 customers globally, we have an incredible amount of anonymized information about cloud adoption, as well as adoption of security controls, and how the industry is changing.
Rick Howard: So the way you collect this information for this report is your customers who configure your product to provide identity and access management services, that's how you know that they're connecting to, say, Salesforce or, you know, Gmail or whatever it is. That's -- that's where you're getting this information.
Chris Niggel: That's right. We have the visibility into the types of applications, the growth of those applications, and being able to draw inferences across different segments of the industry, again through the use of -- of anonymized data. So we're never able to associate specific usage patterns or report on specific usage patterns in this report through that -- through that resource.
Rick Howard: So you're not able to do that, but you're able to characterize, like, the most popular applications, the -- how users are using them, those kinds of things. You know, kind of metadata. Right?
Chris Niggel: Yes, exactly.
Rick Howard: The big strategy that everybody has been pursuing for the past five years is zero trust, and the originator of the white paper, John Kindervag, is quick to mention that identity management is not zero trust, but it is absolutely a key and essential piece -- you can't do zero trust without it. And that's what caught my attention for your report, as the last five years have made all of us wake up to the potential attacks from third party software applications. And your report seems to identify most of the applications that organizations are using around the world.
Chris Niggel: You're absolutely correct, Rick. Identity is not, on its own, zero trust. And zero trust is a journey, it's not a destination. So I -- what we run into is we see a lot of organizations who are trying to approach zero trust as something they can purchase and implement, when the fact is that zero trust is that -- is that journey. And identity is the first step in that journey.
Rick Howard: In the report, Okta tracks the top fifty most popular apps and highlights a few that have gained the most ground like Figma, a cloud-based collaborative design tool that Adobe purchased in 2022 for $20 billion. I even used it myself to build the mockup of the Cybersecurity First Principles book web page, links in the show notes. Last year, Figma boasted a chart-topping 81% year-over-year growth by number of customers. And one of the fastest-growing apps in 2022 was Palo Alto Networks' Prisma Access, their SASE offering -- Secure Access Service Edge. The app grew 109% year over year by number of customers, which is one indicator supporting my thesis that SASE architectures are in the future. The very first episode of this podcast way back in 2020 explains why I think that and, of course, the links are in the show notes.
Etay Maor: Hi, my name is Etay Maor. I'm the Senior Director of Security Strategy at Cato Networks.
Rick Howard: Etay is a regular contributor here at the CyberWire hash table. He and I bonded at the 2022 RSA Conference a year ago now over our passion for SASE and love of PC gaming.
Tim Allen as Tim Taylor: Oh, yeah -- ha, ha, ha!
Rick Howard: If you run into him, ask him about XCOM 2, his obsession, I would say, and one of my favorite PC games. I'm horrible at it, but it sure is fun. We got to talking about how most IT and security people, the network defenders of the world, have this implicit trust of popular applications like Trillo, Google Drive, and Box. I asked him to outline how the bad guys are taking advantage of this inherent trust of applications today, and how we all might use our meat and potatoes approach to zero trust to help buy down the risk.
Etay Maor: And when it comes to zero trust, I would like to focus on an area that we've been seeing targeted by nation-state actors such as Cozy Bear APT 29, and Wicked Panda APT 41, and that is the abuse of the trust that organizations have, specifically in cloud services. And they use legitimate cloud services such as Trillo, Google Drive, Box, and others to control malware and bots on the organizations' networks because those organizations trust these different cloud services. And so there's, unfortunately, an inherited -- inherent trust there in these services. Not only that, a lot of employees are dependent up -- upon these for day-to-day businesses, and not just for their businesses but sometimes for their personal needs. And what we have seen is these nation-state actors -- and there's a lot of actually very good reports from multiple security companies out there that analyze these types of attacks -- where communication is done over these channels. So a threat-actor, for example, can open a Google Drive account or a Trillo account and use them as the command and control server and communication server, the drop server, and even as an update server, for bots inside organizations' networks. So how do you fight back? Well, you really want to be able to take a look at these applications and approach them in multiple levels, kind of like a strategic, operational, and tactical approach. So on a strategic level, you can say, okay, my organization does not use Google Drive. I will always block it. That's an option. You can go a little bit more granular and say -- and let's take on the operational level -- okay, so I will allow Google but I will look into the different tenants, right? I will only allow my -- anybody from my network to use the specific Google Drive that the organization uses. And you could go another level of granularity, which is the tactical level where you say, okay, I have -- will allow Google or Trillo. I will allow all the tenants, but I will restrict certain actions. For example, I will not allow users to upload data to Google Drive because that's -- that might be a little bit sensitive. That might be a malware that's trying to exfiltrate data out. You can even go deeper, of course, with solutions like CASB and DLP and go into the specific data. So you say, okay, I allow Google. I will allow all tenants. I will allow all actions including, for example, upload of data, but if I see that specific data is being uploaded, then I will stop it right there and then. And you can go even more granular with different heuristics to identify malicious intent by different actions on your network. All in all, this is a good approach to applying zero trust on cloud-based applications using a SASE solution that is able --
[ Music ]
Rick Howard: Let me give you a chance, Chris, to wrap up two things. Give us your current view of zero trust in the current landscape for cybersecurity. And then tell me what your big takeaway is from the report we were just talking about before.
Chris Niggel: Yeah, so zero trust has really gained a lot of ground over the last four years and, as we see, is -- is here to stay. Just four years ago, 16% of companies that we surveyed had a zero trust initiative in place, or were planning on starting one in the coming year. And in our most recent report, that number is now 97%.
Rick Howard: Wow!
Chris Niggel: So organizations --
Rick Howard: Ninety-seven percent! Wow! That's your customers -- that's done that?
Chris Niggel: Those are Okta customers as well as other CSOs that Okta has surveyed.
Rick Howard: Okay.
Chris Niggel: So zero trust is here. It is the direction that organ -- that security organizations are taking.
Rick Howard: So -- give me a takeaway from the report.
Chris Niggel: So I think my big takeaway from the report is how best-of-breed adoption is also accelerating. When we look at zero trust, it enables us as security and IT professionals to allow our employees to use the tools that they want to use, as opposed to being locked into specific vendor ecosystems.
Rick Howard: Hmm.
Chris Niggel: And we're seeing this with our customers as well. Forty-two percent of Microsoft 365 customers also use Google Workspace, for example. So we have to give our employees access to the tools they want to use to do their jobs and to be productive. And when we approach zero trust from that platform-agnostic way, we can use it as a capability to not only improve security, but also improve employee productivity.
Rick Howard: So in -- in the past when employees would use some third-party app that wasn't officially sanctioned by the company, all the security people would frown heavily on that person because we didn't know anything about it. But what I hear you saying, and see if you can confirm this, is that if you do identity and access management properly, if you do zero trust properly for the apps, you can let users use a weird app that no one has ever heard before because you can restrict what they can do with it.
Chris Niggel: That's correct. It allows security teams to no longer be the team that says 'no,' and allows us to become the team that says 'yes and' --
Rick Howard: Yeah.
Chris Niggel: -- giving employees the ability to use the tools they want to use, and giving us the visibility we need to keep company data safe.
Rick Howard: And that's a wrap. Don't forget you can buy copies of my new book, Cybersecurity First Principles: A Reboot of Strategy and Tactics. You can order it now at Amazon or wherever you buy your books from. Also, we'd love to know what you think of this podcast. Send email to cyberwire@N2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like "CSO Perspectives" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our producers are Liz Irvin and senior producer Jennifer Eiben. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I'm Rick Howard. Thanks for listening.