Zeroing in on zero trust.
Dave Bittner: Hello, everyone, and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled: Zeroing in on Zero Trust. The Zero Trust security model asserts that organizations should not trust anything within their perimeter, and, instead, must inspect all traffic and verify anything connecting to their systems before granting access. While Zero Trust is generating a lot of buzz in the cyber world, it's often hard to determine the implications of this security model. In this program, we're going to do our best to cut through the hype and discuss what you really need to know to design, implement and monitor an effective Zero Trust approach. A program note: each CyberWire-X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand; and in the second part, we'll hear from our show sponsor for their point of view. And, speaking of sponsors, here's a word from our sponsor, ExtraHop.
Dave Bittner: Let's face it, cyber criminals have the upper hand, and the most advanced ones have already made it past your defenses. When advanced threats like SolarWinds SUNBURST compromise your business, you need a strategy. Tune in to the ExtraHop session, Building a CISO Response Strategy to Advanced Threats, at the RSA Conference on May 19th, and learn real, applicable strategies to build resilience against advanced threats. Find session details and learn more about ExtraHop's presence at the 2021 RSA Conference at ExtraHop.com/rsac21. That's extra h-o-p dot com slash rsac21. And we thank ExtraHop for sponsoring our show.
Dave Bittner: To start things off, my CyberWire colleague, Rick Howard, speaks with John Kindervag, the creator of Zero Trust, from ON2IT cybersecurity, and later in the show, my conversation with Tom Clavel, director of Product Marketing, at our show sponsors, ExtraHop, and Kapil Raina of CrowdStrike.
Dave Bittner: Here's Rick Howard.
Rick Howard: I had the chance to sit down at the CyberWire Hash Table with an honest to goodness internet celebrity. His name is John Kindervag, currently the senior vice-president of Cybersecurity Strategy and Group Fellow at the ON2IT Group. He's also an old friend of mine, and colleague. We both worked at Palo Alto Networks together for about five years. But more importantly, he's the guy that wrote the original White Paper on Zero Trust, back in 2010, that we all base our Zero Trust deployments on today. The paper's called: No More Chewy Centers: Introducing the Zero Trust Model of Information Security, and he wrote it when he was working for Forrester, a cybersecurity research and consulting firm. In that paper, he became the first person to say that we should all just assume that our networks were already compromised by the likes of FIN7, Wicked Panda, and Cozy Bear, and that we should design them accordingly to reduce the probability of material impact. To be fair, John didn't originate the Zero Trust idea. After all, the concept started kicking around security circles in the early 2000s.
Rick Howard: The Jericho Forum started talking about de-perimeterization as far back as 2004. The problem they were trying to solve was that most of us install an electronic perimeter: a wall that bars access to our digital assets. But once you have legitimately logged in, you have access to everything inside the electronic wall. By de-perimeterization, the Jericho Forum meant that verifying identity and granting access authorization would happen away from all of our digital assets. In other words, it would happen outside the electronic wall. Once granted, a user would get access to the asset they needed; not all the assets within the perimeter. The US Military incorporated some of these ideas into their black core initiative in 2007. Somewhere between then and 2010, the community started to refer to de-perimeterization as Software Defined Perimeter or SDP. In 2010, John Kindervag, working for Forrester, published his essential Zero Trust White Paper, that solidified the concept and expanded upon it.
Rick Howard: That same year, because Google got hit by a massive Chinese cyber espionage attack, coined Operation Aurora, their site reliability engineers rolled out an internal version of SDP as part of a network redesign. A few years later, about the same time that the Cloud Security Alliance adopted SDP as a best practice, Google launched a commercial offering of their internal SDP architecture, called BeyondCorp. But let me be clear. SDP is not a complete Zero Trust solution, as John Kindervag would likely point out. There are many things you can do to improve your Zero Trust posture. But, if you deployed an SDP architecture, you would be a long way down the road on your Zero Trust journey. John would disagree with that. He really is annoyed with vendors who claim that their SDP solution is a Zero Trust solution. And he would be right. At best, they give you a framework to hang your Zero Trust policy on. At worst, they are a collection of new and shiny tools that security practitioners would have to deploy and maintain, and we already have too many of those we are responsible for. I, personally, like the framework idea, but that's just me. Regardless, since I had John at the Hash Table, I asked him what drove him to write the original paper in the first place.
John Kindervag: I had been a security engineer and architect prior to coming to Forrester in 2008, and I had always been frustrated with this idea of trust in digital systems. Because when you install old-school firewalls, which is still true today, but, you know, worse back then, you had to assign an arbitrary trust level to various interfaces in order to get traffic to flow, because that was what policy was based upon. And, in fact, if you were going from an internal interface that had the highest trust level, 100, to an external interface that had the lowest trust level, zero, you wouldn't have to have an outbound rule on it at all, which I found to be just scary. Why don't we put outbound rules on this? Well, because we just don't. We don't have to, because we're going from trusted to untrusted. I thought that was silliness, and then I started to investigate trust and met some people who have thought about it a lot, and started explaining the differences between, say, direct trust: I know you for a long time, so I trust you. And, then, you have a friend who you tell me about, and you say he's a good guy. That's transitive trust. And I understood it at a human level, but I realized those concepts didn't translate well into the digital world.
Rick Howard: The poster children for why we all need a robustly deployed Zero Trust posture are Edward Snowden and Chelsea Manning. Because according to John, these two government whistleblowers proved that identity is not sufficient to prevent data leaks.
John Kindervag: Well, Snowden and Manning are still the two most famous because they're the Beyoncé and Madonna of cybersecurity. They were trusted users on trusted devices; they had the right patch level, the right anti-virus. But nobody looked at their packets post-authentication. They're still the two best use cases because it automatically shuts down this idea that Zero Trust equals identity. I've proven to you with two words – Snowden, Manning – that Zero Trust does not equal identity, because the identity of those packets, what user they were tied to, was not in question on those networks. Just, no one looked at them; no one cared. They had way open access.
Rick Howard: Remember, John wrote the original paper over a decade ago. He also wrote a bunch of follow-up papers after, but the Forrester leadership team decided to hide all of that behind a paywall. As such, most of us have never read them, including me, and I'm one of John's friends. The result is that there has been a void in pushing the idea forward. Other authors and researchers have jumped in to fill the vacuum and put their own spin on the idea. Evan Gilman and Doug Barth published their own book on the subject, called Zero Trust Networks: Building Secure Systems in Untrusted Networks, and security vendors have begun claiming that all of their products provide a Zero Trust solution, which, as you might imagine, has caused some confusion amongst us practitioners. And that annoys John to no end. And rightfully so.
John Kindervag: Trust is a human emotion that's been injected into digital systems for absolutely no reason. All data breaches are caused by trust because it's a vulnerability. And it's exploited by malicious actors who just get on your network. So, the whole goal of Zero Trust was to eliminate this silly word, "trust", from our vocabulary when we think about systems. Because once you have a word like that, it causes you to do a lot of bad things: open up your network because we trust somebody. It has huge ramifications. Language has value. I know it's a misunderstanding of the word trust. You don't need trust. There's no trust flag in TCP. Trust, again, is a human emotion. You don't need to have any trust. You might have to have a high degree of validity on the assertions being made by the packet. But at the binary level, trust is of no value, and people get that. When I say trust is a vulnerability, that is how you must think about it. It is a vulnerability that you must mitigate in your organization because it is always bad.
John Kindervag: But the other thing I would say, Rick, is that people claim there are multiple definitions of Zero Trust. There's a single definition of Zero Trust; I wrote it down in 2010 in a report called, No More Chewy Centers. But what we've had here is people who have always said, "well, there's all these different interpretations." No, there is not. "Yes, there's different meanings." No, there is not. You are just intellectually dishonest because you haven't gone back to the primary source and taken into account prior art, which is what any good researcher would do. Researchers go back to prior art, go back to the original source, and learn about what it actually means from that, instead of making it up on the playground with their friends, playing a game of telephone.
Rick Howard: Over the years, John has traveled around the world explaining his Zero Trust philosophy. And he uses a literary homage to help people understand the basic concepts.
John Kindervag: This is called the Kipling method. Rudyard Kipling gave us the idea of who, what, when, where, why and how, in a poem in 1902.
Rick Howard: He's talking about Kipling's poem called, I Keep Six Honest Serving Men, about his young daughter's endless curiosity, and how, as we all get older, we tend to lose that sense of wonder. Here is Jonathan Jones, reciting this short, but lovely, poem.
Jonathan Jones: I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
I send them over land and sea,
I send them east and west;
But after they have worked for me,
I give them all a rest.
I let them rest from nine till five,
For I am busy then,
As well as breakfast, lunch, and tea,
For they are hungry men.
But different folk have different views;
I know a person small.
She keeps ten million serving-men,
Who get no rest at all!
She sends 'em abroad on her own affairs,
From the second she opens her eyes.
One million Hows, two million Wheres,
And seven million Whys!
John Kindervag: And, so, there's my personal homage to him because who, what, when, where, why and how. I'm trying to determine "who" should be allowed to access a resource. Here's a way to write the policy, because, ultimately, Zero Trust is a Layer 7 policy statement when it's implemented. Who should be accessing a resource? That's the asserted user identity. It's been validated by something like multi-factor authentication or some other authenticator, so it's highly validated. "Where" statement is: where is it located? "When" statement is: when does this rule need to be turned on? There's a lot of rules that should be turned off at various times because no one typically uses them. We need a lot more time delimited rules. The "why" statement is: because this is mission-critical data. It's highly classified, top secret. That's where we can tie classification levels into the policy. We have a "how" statement: what kind of processes are we going to put to the packet?
John Kindervag: At Palo Alto Networks, you'll remember, we delivered all of our high-level services as Cloud-delivered services. So, instead of having a separate product, you would just turn on that Content-ID; you'd turn on IPS or Sandbox, either SSL Decryption or DLP, for each individual rule. I made this very granular, easy to understand, easy to create, and easy to audit policy statement where we can instantiate Zero Trust in an easy, simple way, without touching on concepts like trust. What application should have access to that protect surface? The protect surface, of course, is the shrinking down of the attack surface, orders of magnitude, to something that is small and knowable. We put a data type or a single application or a single asset, or a single service inside of a protect surface, break it down into a very small chunk, so that we can solve that one problem and move on to another. The "what" statement is the application, typically, that you're accessing.
Rick Howard: The "what" from Kipling's poem, and from John's homage, is probably the most important piece to the Zero Trust puzzle.
John Kindervag: The people who had this attack happen to them, and then they had the bad stuff happen, you've got to wonder what they were protecting. They were protecting, probably, their endpoints and their users, but it doesn't appear they were protecting the keys to the kingdom. I had a CEO, when I was doing some work for him, he said, "we accidentally caught malicious actors trying to exfil our source code." And I asked the IT and security people, how could this even happen? "Oh, we don't put controls around that." Well, why not? "Well, we just care about users and endpoints." And he said, "but you realize that 100% of our revenue comes from this software product." And they were like, "oh, no, no, that's not how you do security; you do security on endpoints. That's where security goes." And he was like, "no, that doesn't make any sense." If you even understand what you need to protect, which most organizations don't, you're way ahead of the game versus your peers, because everybody else is thinking about old concepts like defense in depth, which my friend, Rick Holland, when he was at Forrester, coined the term, expense in depth.
John Kindervag: You spend money you don't have on things you don't need, because you don't know what you're supposed to protect in the first place. That's half the battle, because the thing you are protecting will tell you how it needs to be protected, based upon a whole lot of attributes. But, you'll find a threshold where you say, that information, that data, that asset, isn't sensitive enough to be protected that way. Wherever it is right now is fine. We don't care if somebody gets it because we're trying to get them to download this document. So, we don't care. And, so, you have to determine that too. Zero Trust focuses on what you need to protect, and most people don't know the answer to that. I'm always amazed when I ask that question: what do you need to protect? And they go, "oh, hmm."
Rick Howard: Zero Trust is one strategy that practitioners can use to accomplish a cybersecurity first-principle goal. John and I disagree slightly about exactly what that first-principle goal should be. He thinks that it should be to stop all data breaches. I prefer a much more forgiving goal of reducing the probability of material impact due to a cyber attack. Regardless, understanding what we are trying to protect is essential to both goals.
John Kindervag: Well, they can think about it as a strategy, because it focuses on a grand strategic goal, which is stopping data breaches. Zero Trust is designed to stop data breaches because it focuses on what needs to be protected, not all the things that are trying to get into your system. It starts at the protect surface. What do we need to protect? That's the fundamental question. Everybody else is working on the edge of all this stuff, and saying, here, my widget goes here, my widget goes there. And I've been on a lot of calls. I was on one for government not too long ago, and all these vendors were trying to position their product as a Zero Trust product, and you need to use it here, here or here. And, finally, I just said, so, what are you guys trying to protect? And the whole call just ground to a halt, because no one had ever thought about that. So, Zero Trust is about protecting things that matter. I've always defined Zero Trust within our grand strategy, tactics and operations framework, and I define the grand strategy of cybersecurity as stopping data breaches, because data breaches are the only thing that can get us fired.
Rick Howard: John is one of the cybersecurity community's great thinkers. His original White Paper on Zero Trust, and his continued evangelism about the idea has propelled the industry forward to a much more robust security posture. You can keep track of what John will be doing next on Twitter. His handle is: @Kindervag, and we thank John for being on the show.
Dave Bittner: Next up, is my conversation with Tom Clavel, director of product marketing at our show sponsors, ExtraHop, and Kapil Raina of CrowdStrike.
Dave Bittner: Why don't I start with you, Kapil. How do you define Zero Trust? If you're explaining it to someone who really doesn't know much about it, what do you say?
Kapil Raina: That's a great question. From a layman's perspective, we think about Zero Trust simply like this. You have a person or an application that wants access to another resource. And all Zero Trust says is, at any moment in time that person or application wants to get access to a resource, you always, in a continuous fashion, in real time, monitor and say, should they have access to that resource at this very moment in time? So, you look at risk, you look at other factors, and then make a decision: yes or no? And, so, the tricky part about Zero Trust is, you have to do that in real time, and you cannot assume that because you were trusted at one point, that you'll be trusted again, hence the term, Zero Trust.
Dave Bittner: Tom, anything to add there?
Tom Clavel: Yes, absolutely. And I completely agree with what Kapil was saying about Zero Trust. I would add that Zero Trust is an evolution in security frameworks. Zero Trust is really the response to the fact that enterprise networks tend to now have more and more remote users, and they're bringing their own devices, and there are a lot of cloud-based assets that are not located within the enterprise-owned network boundaries. So Zero Trust really comes from the fact that we no longer control the perimeter of the network. So, having a perimeter approach to security doesn't make sense anymore. And that's the reason why we have to have comprehensive inspection, comprehensive visibility into the packets, into what's going on on the network, because we can't control what's getting connected and where the network is extending.
Dave Bittner: Can you give us some insights? What is the transition like when an organization decides to adopt a Zero Trust approach? How does that work? How do they get started?
Kapil Raina: From the CrowdStrike perspective, that's a great question. There was a Forrester survey done at the end of last year. They found about 82% of all enterprises said they absolutely need Zero Trust, and less than half have actually started an initiative. So, this idea of transforming security to match what we're seeing in the digital information. And, so, the challenge has been, when we think about Zero Trust, what are the components you need? And we followed the NIST 800-207 standard at CrowdStrike, so, an industry standard. And that way, it's easier for customers to build best of breed. And, so, based on that, we've found, when we talk to customers, there's basically three phases. And Tom alluded to one of them here. So, visualize. You want to understand the entire context of, what are you trying to protect, and what is the information you need? Mitigate. You eventually want to take that real-time action, both in terms of understanding security and applying policy. And, so, the third maturity phase is really optimization. We're really thinking about extending protection to things like SaaS apps, legacy apps, and really thinking about the user experience as well, to make it as least disruptive as possible. So, when we think about Zero Trust, we think of these three stages. And depending on where an organization is – they may be at the visualization stage, mitigate or optimize stage – and, based on that, they can then tailor their implementation of the framework.
Dave Bittner: Tom, when you're talking to folks, are there any particular things that make them hold back? That are sort of roadblocks – either perceived or real – to keep them from moving forward?
Tom Clavel: Absolutely. There are some perceived roadblocks. I don't think they're entirely real, but they are still in the perception. And one of them is the fact that Zero Trust is often seen as something very complex to implement. Inspecting all the packets, inspecting all the traffic, is very often perceived as a complex process. And really it's not. Another roadblock is mandates, and the fact that some industries are lacking the mandates to move to Zero Trust, and therefore they don't see an urgency to doing it. But the answer to that is, first of all, we provide complete visibility of your Zero Trust architecture, and that is a very simple solution to get. You get ExtraHop, and you get that visibility. The second thing that we provide that is very simple and easy to implement, to address, is real-time detection of disruptive threats to Zero Trust safeguards. So we can detect those things. And the third element that is very important to Zero Trust, which we also provide, is intelligent response.
Tom Clavel: With ExtraHop you can respond in real time to events happening, and we can also integrate with other environments, such as CrowdStrike, to provide a more comprehensive response to these events. So, in a word, Zero Trust is actually a very simple thing to implement when you rely on the key vendors such as CrowdStrike and ExtraHop.
Kapil Raina: One of the reasons Zero Trust is complex is there's a perception of all or nothing. I have to implement components. So, give me an idea, and you can pick your favorite vendor. There's anywhere from 15 to 30 different components these vendors typically require in the reference architecture to deploy Zero Trust. So this is between hardware and software, hybrid environments, things like that. So, that's a lot of pieces just to provide additional security in this model. The reason that we're having this conversation is because, in digital transformation, things are moving to a cloud-native environment. So, if you have a cloud-native environment to begin with, like we do at CrowdStrike, you basically need two components. You need a component potentially at the endpoint, or the identity of the workload there, etc. And then what we have is a security cloud that does a lot of the processing, analysis and enforcement.
Kapil Raina: And, so, by simplifying that down to a few components, it does alleviate the issue of complexity that we find in Zero Trust implementation so far. Only a few months ago you might have seen the NSA and CISA put out a notice saying, because of all the recent supply chain and other breaches, that agencies must use Zero Trust. And they went through their own journey, mapping an explanation there. And, again, it goes back to, if you're going to do it, and even if you have a mandate, the complexity, if you don't have a cloud-native solution, still remains.
Tom Clavel: While we're focusing on the elements that are preventing people from moving to Zero Trust, what we do see in the market today is an acceleration towards Zero Trust. And we see five factors, five very important factors, that are driving that acceleration. And those factors are very dependent on the current context. We think they are going to last over time, even after that current context is over.
Tom Clavel: We mentioned the mandates, and there are more and more mandates on IT departments for modernization efforts. We see, also, a lot of growing remote and distributed workforce. I think it's very obvious right now. But it's going to continue over time. And we see, also, additional interdependencies and better sharing between enterprises, vendors, third parties and so on. And so networks are becoming much more complex, with more people interacting on that network. And fourth, we see an increasing reliance on contractors and partners. And the fifth factor that we see accelerating the adoption of Zero Trust is the accelerated adoption of the Internet of Things, and automation.
Dave Bittner: What is it like when folks are on the other side, after they've made the transition and they have an effective Zero Trust program up and running? What sort of feedback do you hear from them?
Kapil Raina: From CrowdStrike's perspective, when we talk to customers – and we've actually done analysis around this – for them, they just have a basic understanding of what are the attack paths and the blind spots across their hybrid environments. An example is, you have all these applications running. Service accounts, which are used to access other applications on behalf of user apps: how many service accounts do you have? Who owns them? And, typically, it's the business owner, not IT, that manages them. So, that becomes a big blind spot. And as we've seen, again, in the recent attacks, that's been a big issue. And as you move along in the maturity along those lines, what we found was that there is an actual material return on investment. And that return on investment is what we at CrowdStrike call frictionless. So, yes, for the users, there's definitely a return on investment because they're not calling the help desk as often, because you're trying to do a password reset or some other issue.
Kapil Raina: And we've found that organizations have saved quite a number of hours per user, especially when they're contractors or field workers. Other areas we've found benefits in, is frictionless for both IT and security. In a typical system today you have a scenario where you don't have a yes, you don't have a no. It's kind of in the middle. So, what do you do today? You have to send it to a SOC analyst and they have to look at it. Or you stop productivity altogether. With a proper Zero Trust implementation, you can then decide when the risk level's in that middle. You can go back and challenge that user. And only interrupt them then, perhaps with an MFA, and then, basically, take out the false positive. So, it doesn't even have to go to the SOC operator. So, we have actually seen return on investment benefits in either their early stage or a later stage.
Dave Bittner: Tom, how about you?
Tom Clavel: I agree with everything that Kapil said. Better integration, I would say. And I would add to that the simplicity of Zero Trust. While Zero Trust might be perceived as something complex, it actually leads to a very simple architecture; a simple architecture to monitor and to secure. We see streamlined operations from all integrated workflows, for cyber and network operations, cloud and SecOps teams. We are able now to detect the activity that is happening anywhere on the network. So, ease of visibility, and pervasive visibility into the network. And so that simplicity leads to more security, because once things are simple to manage, simple to secure, you increase the level of security of your network.
Dave Bittner: Is there any question in either of your minds that this is the future, that this is the direction that not only things are going, but it really has to go this way?
Kapil Raina: Well, Dave, if all the marketing is any indication, then it must be the right thing and the right direction. So, I think, for us the tipping point really was these last six months: the supply chain breach and the attacks on Active Directory, and even Microsoft saying, don't maintain AD on prem; go to the Cloud, because Microsoft themselves can secure it better. That really became a fundamental shift because it went from saying, Zero Trust is a framework which, by all accounts, has been around for quite a number of years, to, this has to happen. And that acceleration, I think, was the tipping point. So, even though the workforce has been shifting for the last year plus, for Covid, it is a tipping point where everyone realized, we have to do Zero Trust; it's no longer just an option. And the real question, the counterpoint, is, how do you simplify so that people can really implement it? So, I think it's here now, and it's definitely going to keep growing. And you're starting to see a lot of interesting ideas and innovations, building upon the basic framework of Zero Trust in the market today.
Tom Clavel: I would add that there's no turning back. I think the time that we were securing the network on a perimeter-based model, or on a point-based model, is over. And we now have the perception, and the reality is, that there's no way we can build walls on the network, even in specific and located areas. We know that threats are coming from everywhere and anywhere. And so Zero Trust is really the way to secure the network. But also to simplify, to make it easy to manage that security. Without the Zero Trust model, things become much more complex, very quickly. I don't think the industry is coming back from the Zero Trust model. I see the next model building upon the Zero Trust model, but not the other way.
Dave Bittner: On behalf of my colleague, Rick Howard, our thanks to John Kindervag for sharing his expertise, and to Tom Clavel and Kapil Raina for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity start-ups and technologies. Our senior producer is Jennifer Eiben; our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.