Zero Trust for cloud assets: Identity authentication and authorization.
Rick Howard: Hey everyone, and welcome to Cyberwire-X, a series of specials where we highlight the important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer, Chief Analyst and Senior Fellow at the Cyberwire. And today's episode is titled "Zero Trust For Cloud Assets, Identity Authentication and Authorization." Applying zero trust principles to access rights can be tricky, Amazon's Lambda functions, Google's Cloud functions and Microsoft's Azure functions, multiply the volume of identities to manage. These cloud services often have excessive permissions to access sensitive data and can become a potential entry point for an attacker. In today's show we will consider the pros and cons of different approaches to enforcing least privileges in the cloud. A program note, each Cyberwire-X special features two segments, in the first part of the show we will hear from industry experts on the topic in hand, and, in the second part, we will hear from our show's sponsor for their point of view. Here's a word from today's sponsor, Sysdig.
Rick Howard: Back in the day, when I was just starting, call it the late 1990s, securing networks was relatively easy compared to what we're trying today. We didn't think so at the time, but after 20 years, our networks have just become more complex. Back then we had something called Perimeter Defense, which meant that we stored all the digital organizational assets behind an electronic wall, a firewall usually. Today though, we have material data scattered all over the place, on cloud services, like softwares as a service, infrastructure as a service, and platform as a service, on multiple platforms, like phones, tablets and laptops, and we still have the traditional perimeter in our data centers and in our office buildings. I call these things data islands. And they have exponentially increased the complexity of securing our environment. How on earth can we manage things like identity and authorization on all of these data islands? But, especially in the cloud.
Rick Howard: To see if I could provide some clarity to the issue, I invited Scott Farber, their principle cyber architect and internal zero trust technical lead at MITRE to the Cyberwire hash table to talk about where the rubber meets the road when pursuing a least privileged or zero trust strategy in the cloud. And I started out by asking him if he thought identity and authorization on these data islands is complex compared to what we used to have back in the day.
Scott Farber: I would agree with that. I would actually say it's even more challenging, right? So, when you mix in and you start to look at Azure Stack or AWS Outposts, those boundaries get very vague, because now you can seamlessly shift data back and forth, and so where does that boundary lie? That's something all organizations have to answer for themselves based on their risk analysis, but, those hard perimeters that I think we're used to looking at, the islands are flexible, right? Is it high tide or is it low tide? Is it one island or two?
Rick Howard: Yeah, if you talk to most security professionals, by now have at least a single cloud provider and many, many consider that to be ludicrous, they wouldn't just put all their eggs in one basket, they're going to have multiple cloud providers, so, it just adds complexity to the entire conversation. We were having trouble enough doing zero trust when we were all in one spot behind the perimeter, now we're scattered hither and yon, which you would be thinking about when we try to deploy zero trust across all those data islands.
Scott Farber: My takeaway, over the last, like I said, 18 months, is zero trust fundamentally is, you know, this may be a controversial statement, but, it's not a technical issue. Zero trust, really, for most people, is a cultural shift. For those of us in the security field, we look at it and we say, oh, we have to do the right thing, we have to protect our data, we have to protect our crown jewels, we have to figure out what those crown jewels really are, you know. What we feel is valuable and needs protecting may or may not be what the adversaries, you know, are targeting. But, at the same time, we have to be condescent of how our enterprises work, and so, for MITRE, because we're engaged in solving so many whole of nation problems, right, and w-- we have a lot of researchers doing different things, so they're tackling interesting problems, and there, there is no homogeneous environment, so we have to be able to protect things safely and, and sanely, and, at the same time, not get in front of those work programs and, and create additional friction.
Rick Howard: Well, let's try to come to some common terms, because every time I talk to somebody about zero trust they think about it differently than I do. So, tell me what your-- how would you describe zero trust in a Twitter line? So that even my grandma can understoo-- understand it.
Scott Farber: I'm a bit old school, and then I'll say, zero trust, at heart, really goes back to those old principles about least access, right? Least privilege access.
Rick Howard: So that is from the original paper from Kindervag, you know, he wrote that back in 2010, and I agree with you that zero trust is not a technology per se, we can use technology to implement some of this, or at least move us further along the journey, but it's really a strategy, it's really a, what you said, a culture, and it's been a culture shift, because the perimeter fence has been the model forever, this zero trust idea is completely different. Do you have trouble conveying that to leadership in the organization because they're not used to this idea?
Scott Farber: So, our leadership's actually been very supportive, and, and that's one of the great things about working at MITRE is we've had support from the CEO on down. Everybody has recognized that between the White House Executive Order, as well as just looking at it saying it's the right thing to do, so we've had immense support. The key thing, I think, is understanding that if you're embarking on a large scale enterprise migration to a zero trust architecture, having a sound communication strategy and helping people manage change, to borrow the phrase, right, everybody's cheese is getting moved, helping the other technologists in the organization, they have work to do, right? You have developers, you have engineers, you have researchers, and how do you enable them to pivot with causing a minimal disruption? And so, a lot of it boils down to, again, personal change management, that's one of the big secrets.
Rick Howard: Most of us have technology in place that could do some of this, probably not a perfect zero trust implementation, but you could get a long way down the road by just using some of the technology you have. What you mentioned was that, if this is really a change in policy, right, it's a people in process thing, we have to decide, as an organization, that we're going to resource this idea.
Scott Farber: Absolutely. So, lining up the executive support, you know, why is zero trust important? There are things that zero trust can bring to a large organization, we're very much used to those traditional islands as, as you alluded to earlier, right, we all have our data in pockets in different places. What starts to happen when you work your way through these things is, those traditional pockets can become less important, you now have the ability to, again, assuming you've done all your, you know, homework, and planning, is you can now start to say, hey, I, I want to, in a targeted fashion, expose a resource in a way that wasn't possible before.
Scott Farber: Let's use an example. Most organizations have data serve, and that data serve may span, on prem or to the cloud. We also tend to have developers or engineers, or people doing interesting things, and people want to take that resource and they want to share it, maybe you've got customers, maybe you've got partner companies, maybe you're working with university or academic researchers, and you need to expose that service, right? So, the promise of the cloud has always been that we can operate in a more agile fashion, and I would argue that zero trust is starting to do some of the same things. We can, through use of very carefully planned security decisions, we can start to create content and expose that content to our peer organizations in that same sort of agile fashion, because, you now have a much tighter end to end security policy. So, I, I think there's some really good stuff there, and when people start to see those business add-ons and those business values, we start to take security, and we turn security from a cost center into a business enabler.
Rick Howard: So, one of my push-backs to, you know, I was reading through the, the NIST Zero Trust Architecture document, they just released an update like in August of 2020 I think, and everything they say in there is really good, if you want to learn about what zero trust is, I recommend everybody reading it, but, their diagram for what a zero trust architecture looks like, is a bunch of black boxes that not many of us have, and most of us don't have the resources to build ourselves, and I kind of push back against that a little bit. I don't think you need to throw out everything and start over with a bunch of brand new technology. Like we said, zero trust is a strategy. My question to you, Scott, is, what are you telling your customers, internal to MITRE and external, about how do you start without having to spend a lot of money and, you know, taking five years to design the darned thing?
Scott Farber: I, I hate to give you the can't answer, but it all comes down to the basics, you know, it been-- it's the same things we've all been preaching, right? For, for--
Rick Howard: The basics? The basics? Come on, really?
Scott Farber: The basics, right? Right? So, so to use an analogy in music, right, what separates a virtuoso performer from the amateur hacking away at their violin, right? That virtuoso has practiced the basics ad nauseam.
Rick Howard: What's a basic that you'd need to get right to get zero trust moving in your environment?
Scott Farber: Okay, so, a real world example, identity systems. When you really start to peel apart identity, I'm going to speak generically here, you know, a lot of people have built great identity systems that do a binary function, is it Rick or is it not? Is he in or is he out? Have you taken the time to delve into your identity system and figure out are you set up to handle roles? And, and what do those roles look like? Let's use Active Directory as an example, right? So, your average corporation, bob.com, comes in and rolls out their AD, and they have all of their AD groups baked in that say Scott's team can do X and Rick's team can do Y. Well, what happens if you have a matrixed organization? And you now have permissions based on the-- those matrices, like, you're building a dynamic project team with resources from all across the organization, a lot of folks forget that you have to have an identity system that can handle that.
Scott Farber: So, some of it is just peeling those things apart, and, and everybody wants to start zero trust activities with, they think about it in terms of like firewall policies, and really, where you have to start is thinking about identity, because identity has to be baked in end to end to everything to really do it the right way.
Rick Howard: Totally agree with you, that identity is a key and essential part to zero trust, if you don't know who the people are or the machines are that are connecting to your systems you can't do zero trust. And the part that I think most people forget is the authorization piece, it's one thing to know that it's Scott, okay, and I'm sure it's Scott, but, do you know all the things that Scott is allowed to touch? That's a more difficult problem, we've been able to do the identity piece with Actor Directory for-- since the 90s, the authorization piece is the hard part.
Scott Farber: It does depend on your business environment. This is where it gets interesting when you dive in, there's an amazing amount of things out there, so, when we move into a zero trust world I think we would like to believe, as security folks, that we're focusing on identity and posture checks and all those cool things that, right, new technology has brought us over the last ten years, right? There's vendors are doing really interesting things with that. The reality is, when you get into it, you're going to find a ton of things out there that are still relying on subnet based authentication, right? Hey, before I let you into my system, are you coming from your corporation's public internet pool, right, whatever that, whether you're doing it at the network or the firewall level, or SaaS services do this increasingly, hey, we need to validate that you're coming from your corporation, so put in that slash 24 into the access list, and that's how we're going to let you in.
Scott Farber: Except, golly gee, we just sent our entire workforces across the country because of Covid, and you're now telling us that we have to back haul all that traffic to our corporate data center to pick up on that? Can you still do the other things on top of that? Can you still do posture checks and hip checks and all that? Well sure, of course you can, except you've now built such a sub-optimal data flow to access those applications, what you run into the risk of doing is, going back to the business value statement, you're now going to go to your executives and say, hey, I, I bought this latest, greatest zero trust widget, right, I've enabled my enterprise, and your monitoring folks are sitting there looking at user experience and transaction times and going, boy, everything just got worse by a factor of 3X.
Rick Howard: So, Scott, you and I could talk about zero trust issues for the next 20,000 hours I think, because, you know, it's how much of the geeks that you and are both are, right, but, we're at the end of this. So, give me your overall summary of what people should be thinking about in terms of zero trust? What's the thing that should be keeping forefront on their radar screens?
Scott Farber: You know, one of the more interesting trends, you know, i-- I've seen is, some companies are starting to do, you know, and say, hey, your inventory management is actually a cyber position, right? So, knowing your assets, what are your assets. I would say, for most of us, for most people, we have to take that to the next level and say, if we're going to move to a zero trust environment, it's not just knowing what's on the network now, you have to know how everything talks to each other, and it's a, I think, an unfortunate reality that we hit where most applications don't have documented taxonomies, right, so, it's not-- it's know the flow, if you want a catchphrase, right, you have to know your flows, and it's not just in your data center but it's also what your end users are doing. If you know that and you have a sound identity system, you can get pretty far down the path going back and implementing all those basics that you've always wanted to implement but didn't have the business justification to do before.
Rick Howard: So, key and essential things, before you can even think about a zero trust program, is to know exactly who's on your network and what they're talking to, and know the devices that are talking to each other, and what those flows are. I would call that, you know, layer seven zero trust, you know, application layer zero trust, but that's kind of where we are, is that what you're saying?
Scott Farber: Yeah, it really is. And, and you know, the other thing is, I think, for a lot of folks, you have to use-- I'll use the dreaded agile world, word, right, and I know that's-- that gets people, you know, sometimes there's bad connotations there, but, zero trust is a new enough thing, and there's challenges, right, when you dive into it, don't be afraid to experiment, right, and, at the same time, you want to approach this as a learning organization, for myself, we've been very fortunate at MITRE that because of our broad executive support, we have folks that are out working with NIST, and, and the various sponsors, right, and they're looking at, you know, every government agency has its own architectural framework, that, that fits their business model, right? And, at the same time, we've got a lot of different vendors out there that are directly proposing technical solutions. So, we've been able to jump in and say, okay, how do we marry those two together? And, and what actually works and what doesn't?
Scott Farber: So, I think for, for folks that are looking at diving in and, you know, of course you're going to have you're a-- account manager showing up and everybody's going to pitch a solution, don't be afraid to experiment, but, also don't be afraid to pivot. Understanding that business model, like we talked about, knowing your flow, knowing, knowing what's on your network, knowing who's talking to what, that is really going to inform any product decisions you make down the road, and, to a certain extent, there's, there's some things we can do in zero trust, and if you kind of go back to the 18-20 rule, right, there's a lot of basic things we can do that are going to mitigate the vast majority of our risks, right, none of us are going to be perfect, right, we can, we can go back to your, your famous risk management talks from a few years ago. But, if we really get to understand what we're doing, the selections and choices people make with technology, become much more self evident.
Rick Howard: Well, we're going to have to leave it at that, Scott, that's good stuff. Every time we get together I learn more about things, so I appreciate you coming on the show, I want to do it more, thanks a lot for doing this.
Scott Farber: Rick, thank you very much for having me, it's great talking to you, as always.
Rick Howard: That was Scott Farber, the Principle Cyber Architect And Zero Trust Technical Lead at MITRE. Next up is my conversation with Maor Goldberg, the Vice President of Secure Product Management at Sysdig.
Rick Howard: Maor, thanks for coming on the show. You've been thinking and working on infrastructures, code and DevSecOps type things for a while now in your career, why is it so difficult for people like me, you know, a Chief Security Officer, to deploy identity and access management in the Cloud? Is it so much different in the Cloudy space than it is back in the traditional on prem networks?
Maor Goldberg: Great question, Rick, and I'm happy to be here. So, I, I think identity and access was, you know, realistically always a challenge.
Rick Howard: It's always been hard, I, I made it sound like it was easy back on prem, it never was, but now that we're in the cloud it seems even harder.
Maor Goldberg: Yes, so I think it, it never was, and, traditionally, on the on prem environment, it took organizations years to get to a point where they deploy mature tools and processes to address identity and access management life cycle, and, over time, we go to compliance requirements and so forth. I think cloud introduced, in a way, a new frontier for identity and access and creates new challenges, because cloud typically moves faster in a way than traditional environments, typically, with traditional environments on prem data center, you have pretty structured processes to introduce new services, to deploy new applications. So, in these processes you can take care of identity, use your provisioning systems and so forth and so on. With cloud you want to move much faster, typically those traditional tools are not there to meet the challenge or help provision users and access and so forth and so on. So, you don't want to delay anything, you don't want to introduce anything or any bottle necks that will delay your pace of innovation, so things move much quicker on the cloud, so, I think this is one area that introduced a new set of challenges.
Maor Goldberg: But then, also, in my mind, the way the new type of roles or new type of people are coming into the cloud and sharing some of the responsibilities that are traditionally IT and security team's own, and I'm talking about DevOps and DevSecOps, also introduces a challenge, because now, essentially, more people can introduce and make changes to your cloud environment, and things are getting a little bit of-- out of control from an IT and security perspective.
Rick Howard: So you're saying the cloud has made it easier for non-IT people, or non-security people, just to throw a work load up in the cloud and make it go for them, so, we kind of lose sight of all that, is that what you're saying?
Maor Goldberg: I think so, and, and some of it I think is by design, because you're moving to the cloud, you're adopting Kubernetes and containerized work loads, you're moving your developers to think about micro services, you want basically, as an organization, to introduce new digital services, new work loads, new business applications, you want to do that as quickly as possible, so you distribute the responsibility, you're giving smaller teams ownership of their environments, so the teams can span up work loads, they define their infrastructure, they decide how they want to go about building and employing your services, so a lot of that innovation drives significant increase in pace of investments, and then pace of changes, so it's getting a little bit out of control for an IT and Security perspective, yes.
Rick Howard: It seems to me like you're describing a problem in just visibility, all the employees that have to connect, not only to the on prem stuff, but your cloud deployments too, and many organizations of any size are into multiple clouds. Here at the Cyberwire, you know, we're just a small start up, but we have over 50 SaaS application that we're having to deal with, and so just having visibility of all that, and that's a challenge. So, what's your recommendation? How do you kind of get your hand around just seeing what needs to be identified and authorized?
Maor Goldberg: Yes, absolutely. I think this is probably the key challenge we're seeing as well. First and foremost it's about visibility, the organization needs to understand who are the different individuals that can access their cloud infrastructure, typically we're talking about privileged identities, right? So this will be individuals who have relatively high sets of entitlements, the admins and so forth and so on, so you want to understand who can access your different services. Many organizations use multiple cloud accounts across multiple cloud providers, so you want to get a good picture of who connects with your cloud environment, who is doing what in your cloud environments, and, at the end of the day, you want to leverage that visibility to make sure that you are driving better security decisions, because, at the end of the day, the end goal will be to make sure that only the right individuals can, and actually do, what you expect them to do as a business.
Maor Goldberg: But I agree 100%, visibility is the first challenge that you are looking to solve.
Rick Howard: And I think what's happened too, as we all race to the cloud is, there's been this exponential growth in, like, non-human identities, you know, if you think about cloud functions, like Lambda functions, right, and they-- those seem to be outgrowing just adding people to this, so, can you explain what non-human identity is? And how we can deal with that?
Maor Goldberg: I think you're absolutely correct. So, when we're looking at identity, typically we think about a person, so, this will be an individual that can do, has permissions and can do a certain set of activities, but, we need to remember that software is running with a context of identity as well, and every software component that we are running has an assigned identity, an assigned permissions or entitlement for that software to operate. As we move to smaller sized work loads, micro services, serverless functions and so forth, what we are also seeing is a significant increase in the amount of these software identities, and, of course, by themselves, they are creating another challenge for visibility, so you want to understand how the different software identities can interact with other software identities, and your infrastructure as well, and then you make-- you want to make sure that each software identity is running in the right security context. This is actually one of the things that later, will later on contribute to significant security risks like lateral movement and so forth.
Rick Howard: So, what we're really talking about here is, you know, preparing the digital space to deploy our zero trust strategies, right, or least privilege strategies, is there a different approach to do zero trust in the cloud versus back on prem? Or is it basically the same?
Maor Goldberg: I think the goal is the same goal, definitely, you want to get to a point where you c-- when you can make sure that every specific identity in the cloud, human or not, can do exactly what you expect that particular identity to do. I think cloud introduces two challenges that potentially are not there when it comes to traditional on prem environments, one will be scale, so we're talking about significantly more identities, especially on the work load, non-human side. And then, the process by which you govern and control these identities. With cloud, and modern software development processes, you see a lot of these infrastructure identities and work loads created by using infrastructure of code technologies, things like Terraform and so forth and so on, and there, it's not just about controlling the end result, the identity and access entitlements on the production environment, it's actually understanding the flow first to production, so, you don't want just to have that lens of looking at my identities on my cloud account, but, instead, you want to understand the process that creates and governs and changes these identities, and you want to be embedded in that process end to end.
Maor Goldberg: So, when there's a new infrastructure code manifest that is creating a new infrastructure with identity and access and so forth, you want to be there in the right point in time to highlight issues as early as possible, and avoid potentially introducing risk to your production environment, but, also, again, doing that too late at a point in time where you will need to delay deploying new services and delay the business and so forth.
Rick Howard: I want to go back to something you said earlier, is that typically anything we're doing in the cloud is moving so fast, compared to what we used to do on prem, but, if you didn't have a robust change management process back on prem, you're not going to do it now in the cloud, you're going go-- it's going to be difficult to catch up.
Maor Goldberg: What we are seeing with cloud adoption is that many organizations rushed, for very good reasons, to adopt cloud technologies, because, they identified an opportunity to leverage cloud technologies for their-- whatever business goals they have and, and we talk about, a lot, about how software is accelerating business, and how businesses are using software to advance their businesses and outmaneuver the competition and so forth and so on, so, that rush, you know, quote, unquote, to adopt cloud technology is, for many organizations, spearheaded the later process to go back, look at our processes from the way we do change management, for instance, on prem, it's the same for compliance and other security processes, and getting to a point where we now need to apply the same type of thinking and the same type of structure on our cloud environments.
Maor Goldberg: With that, many of these processes will have to change, because on prem environments, where differently the way security and IT teams work with developers in some cases, is happening differently on prem relative to how software is being build and deployed on the cloud. So, these processes, while the same in, in goal and, and looking to achieve the same end result, will have to slightly change as organizations adopt them to the cloud, and again, just the way we use infrastructure as code technologies and, and the ability to meet developers as early on in the process is different, relative to more traditional development processes. What we see more is organizations that had processes, or still have processes on prem, and want to adopt these processes for the cloud, and I think that's the most common case in my mind.
Rick Howard: When I tried to do this in previous jobs, identity and access management, you know, it kind of spanned across the entire organization, and the question that always came up is, is who owns this? Who is the logical organization that should own the steps to establish identity and access management? And then, the next step would be, who's going to decide what zero trust controls to put in place for the various groups that are out there? Who's-- who typically does it? And maybe who should be owning it?
Maor Goldberg: So, I think a lot of what we're seeing on prem is happening on the cloud as well, where you have, in a way, three, at least three key contributors to identity initiatives. First and foremost, for many organizations, especially the larger ones, you have the identity teams, the teams who are responsible to look at the broader identity initiatives and make sure that identities are managed and governed in a structured way, across the organization, both on prem and in the cloud. And then, increasingly, you will see security teams, and in particular, today, cloud security teams, who are looking to make sure their cloud environments are as secure as possible, and when they look at their security challenges, identity is definitely top of mind for cloud security and security teams.
Maor Goldberg: And then, last but not least, an important part of that triangle, in a way, will be the application owners, because at the end of the day, when you're, you're looking to establish this zero trust or this privilege for you applications, you want to make sure that the developers and application owners are a part of this conversation, because, at the end of the day, they will be the teams who will create and manage these identities, and they are an important part in defining and understanding what these identities should and shouldn't be doing.
Rick Howard: So, I agree that all those players should be at the table, but, when the CEO says, "Who's in charge of this?" Is it the CISO? Is it the HR person? Is it the CIO? Who, who would you recommend?
Maor Goldberg: It's a great question, I think it's, it's likely to be--
Rick Howard: I put you on the hot plate there.
Maor Goldberg: Well, I think it's, it's likely to be different from one organization to another.
Rick Howard: I hate that answer, but it's so true, it depends, but go ahead, I interrupted you.
Maor Goldberg: That's, that's fine. I think it's most, you know, it's more important to establish who is leading the effort in all the different teams that contribute to that effort, than who specifically is owning or leading the initiative. As long as there is a clear understanding of who owns the processes, who helps the organizations steer identity and access management thinking into the right direction, it's fine, it could be identity leadership in some organizations that are lucky to have identity leadership, in some other cases it will be security. And, you know, in some cases I've seen compliance driven efforts to lead identity initiatives as well. So, it doesn't matter who, less important who, it's more important to establish that there is someone who is thinking and helping their organization be more structured when it comes to identity and access. In particular in the cloud.
Rick Howard: Some good stuff Maor, and we're going to have to leave it there. Any last thoughts about identity and zero trust on the cloud before we let you go?
Maor Goldberg: No, thanks again for your time, I just think, again, that as organizations transition to the cloud and adopt cloud technologies, identity from our findings, and it's not surprising that over 80% of users today in the cloud have access permissions and entitlements, and I think this is something to consider as organizations adopt cloud technologies as they mature their cloud, overall cloud security practices, identity is definitely something that needs to be top of mind.
Rick Howard: We'd like to thank Scott Farber, their Principle Cyber Architect and Zero Trust Technical Lead at MITRE, and Maor Goldberg, the VP of Product Management at Sysdig, for joining us. Cyberwire-X is a production of the Cyberwire, and is proudly produced in Maryland at the start up studios of DataTribe, where they are co-building the next generation of cyber security start ups and technologies. Our senior producer is Jennifer Eiben, our executive editor is Peter Kilpe, and I am Rick Howard. Thanks for listening.