Zero trust: a change in mindset.
Rick Howard: Hey, all, Rick Howard here. In this CyberWire Special Edition, I have a treat for you. As you all know, I'm a huge advocate for zero trust as a first principle strategy that will help us reduce the probability of material impact due to a cyber event. It turns out I'm not the only one.
Rick Howard: I've been doing some basic research on zero trust architectures when I ran into some material written by Lenny Zeltzer, the CISO for Axonius, a cybersecurity company that provides asset management services. I found his take on zero trust refreshing and forward thinking, and since Axonius is a relatively young company, I asked Lenny what it was like to build a zero trust program, essentially from scratch, especially during the pandemic.
Lenny Zeltser: I've been a CISO at Axonius for just under a year and we're building and formalizing a relatively new security program and I don't have to carry the burden of what many would consider legacy environments. And therefore, we designed our security processes that now all employees have to be able to work remotely. We can no longer assume that people are in the same office connected to the same network that we might consider trusted, and therefore we can no longer grant special privileges just on the basis of the network that people are coming from,
Rick Howard: Especially for newer and smaller companies. Their entire world is SaaS applications, and that new landscape is ripe for zero trust architecture.
Lenny Zeltser: We as enterprises are very, very quickly moving towards SaaS provided applications, which means that you've got your data to which you need to control access sprinkled all over the place. And the reason why I bring that up is because now we have no choice. We have no choice but to consider these zero trust design patterns because we no longer have this network where our business applications reside, the firewall that sits in front of it that we control, that just doesn't exist anymore. Everything is SaaS. And what that means is that even if the CISO like the idea of zero trust architecture but couldn't really gain support of the organization to consider what cultural or technological changes need to happen, now is the time to bring up the need to use zero trust today because you've got the support of everybody else. Everybody else wants to use these SaaS applications. They have no choice.
Rick Howard: Soon after the pandemic started, I started saying that all those technical hurdles that stopped us in the past from supporting a mostly work from home employee base didn't seem as difficult today. But Lenny says that the problems were never technical. They were political.
Lenny Zeltser: It's not that it turned out to be easier than we thought. It's just that it became easier than what it could have been, because now we have the support of the rest of the organization. We're looking at this COVID-19 crisis through which we're all clearly still living. There's a lot of very bad things happening that are very difficult for everybody involved. But when you look at how this crisis really sped up our movement towards modern security and IT design principles, that's perhaps one silver lining of this very difficult and challenging situation for us, that we got that political and other non-technical support to move forward with some of the security initiatives that perhaps we wanted to have all along.
Rick Howard: The idea of zero trust has been around for well over a decade now. And if you look at the latest Gartner Hype Cycle published in November 2020, their researchers have the concept well past the peak of inflated expectations and buried deep in the trough of disillusionment. Lenny tries to stay away from all of that to focus on what is important.
Lenny Zeltser: There is a lot of opinions on what is zero trust and what is not. And you get the purists and you get people who try to stretch the definition of the term to its limit. So I'm just going to tell you what it means to me and what it means to me, What it means to me is this idea beyond the buzzword that I don't want to rely on the user being on a specific network that I might traditionally consider trusted when deciding whether to get access to particular information resource. So for us, that meant starting with the users identity as the root of decision making.
Rick Howard: Lenny says that the thing that drove him to zero trust was his pursuit of single sign-on for his customers and for his employees.
Lenny Zeltser: Before we even got to thinking about zero trust, we started off with thinking about single sign-on. As we discussed earlier here, we just like many other organizations nowadays, rely on software-as-a-service applications quite a bit. So most SaaS providers will support SAML based single sign-on, which means that you can have your users identity defined in a single place and then integrate the identity-related information into all of the applications that your employees might need to use.
Lenny Zeltser: Who is this person? Because access rights are tied to the individual. So should this person have access to, I don't know, AWS or G Suite or Salesforce? That depends on the user's identity, which is tied to the person's role in the organization. And then even once you have the user authenticated to a given SaaS application, then what privileges that person has within that application should also be tied to that identity.
Rick Howard: One of the nagging problems about implementing a zero trust program is that in order to do it right, you have to understand that the system has to be dynamic. You can't set it up and forget about it. People change jobs, they get fired, they get promoted. Whatever you build has to accommodate that change.
Lenny Zeltser: People come and go. People's responsibilities change. Their roles get redefined, and the access that they need keeps changing. So for us that the key to implementing single sign-on so that it's useful was making sure that we can have automation and how access rights are granted. So in our case, we integrated our single sign-on provider with what we consider to be the source of trust regarding users identity and role, which is our H.R. system. So the data is kept in its definitive form in the H.R. system regarding who the person is and what their role is within the organization, then it's automatically provided to our single sign-on provider where we're able to define rules based on, for example, the person's department, what applications and what functions within that application should be granted to the user. This way, when the person's role or employment status changes in the H.R. system, that information is automatically propagated into the SSO system and therefore it gets automatically reflected in how the decisions are made for authenticating and authorizing the user to the SaaS applications.
Rick Howard: Since I started in the biz, Microsoft's Active Directory has been the tool that most of us use for identity management. But Microsoft rolled it out in the 1990s, and Lenny thinks that it might be time to label it legacy and move on to something newer. He acknowledges that Microsoft is aware of that and is currently offering Azure Active Directory, their are federated and cloud delivered identity management system that works closely with on-prem Active Directory.
Lenny Zeltser: It's worth rethinking what role Active Directory has in this future in which we now find ourselves. Because when I think about Active Directory, I think of, what soon I think will be called a legacy approach to identity management, because Active Directory, as it was initially originally designed, was meant to be kind of an on premise directory and information store, which is very hard to access when your employees are distributed and remote. So instead, Microsoft is making a big push into Microsoft-hosted version of the Active Directory product under their Azure umbrella.
Rick Howard: But whatever you use for your identity management system, you will need to automate the process in a DevSecOps kind of way.
Lenny Zeltser: Now, once you have this integration between whatever it is, your route of trust for identity is and your single sign-on provider, then you look for a way to automate the assignment of roles and an access privileges. And then you can start thinking about how do I integrate single sign-on with all of the applications that my employees are using.
Rick Howard: But buyer beware, it seems that many SaaS vendors use a similar-tiered buying model that many of us use and hate in the States for our cable TV subscriptions. You have to buy the super duper supreme option just to get access to that one show you can't live without. For me, it's Lovecraft Country on HBO Max. But then you are saddled with a bunch of TV shows that you wouldn't watch if your life depended on it. I'm looking at you, The Great Poetry Throwdown.
Lenny Zeltser: I do want to point out that don't assume that your SaaS application provider will allow you to enable SAML-based SSO integration without charging you money for it. Look, I work for a company that sells security products. We we value the product that we make and our customers pay us money to to get it. So I am all for the idea that you should be charging your customers if you're providing something useful to them. The challenge that I have with many popular SaaS vendors is that they don't allow their customers to just buy the SSO integration option. In many cases, the only way to get SAML-based SSO integration is to buy the most expensive product bundle that many of these vendors call enterprise. Many small companies don't need that product bundle and either have to choose to not have SSO integration or buy a whole lot of add-ons at a very, very expensive price point and not use those features.
Rick Howard: When we talk about zero trust concepts, we normally describe the capability in two different buckets, logical segmentation, those decisions we make about the identity of the person or process and the workload they are trying to access, and micro segmentation by doing the same checks with devices, but also checking that the device meets some sort of configuration standard. Lenny says that the best place to do micro segmentation is on the endpoint where you can check if the operating system is current and has installed all the right patches, you know, that kind of thing.
Lenny Zeltser: The one critical piece that we did not yet talk about is the role of the endpoint, the state of the system from which the user is trying to access the resource, because I think that is a major component of a zero trust architecture. We used to think about security oftentimes from a network-centric perspective. We deployed network firewalls and deployed network segmentation. Now we're talking about zero trust and thinking about the problem from the perspective of the user's identity. Who is this person? Are they authorized to log in or take actions they're trying to take? But another part of the decision is becoming, yes, maybe I authorized this user. They are accessing a finance application. They are in the finance group. But do I trust the device from which they have successfully authenticated? That's another part of the decision that I think is useful to consider, the state of the endpoint. How trustworthy is it and how can you decide whether to grant access in part based on the state of the endpoint?
Lenny Zeltser: Much of what we were trying to do was oriented around the user's identity, but also it involved this the state of the end point. And when I look at many ways in which people describe zero trust, they do include the endpoint as one of the elements to discuss as part of the zero trust architecture. One way to do it, for example, is to integrate whatever security or IT agent you have on the endpoint with your single sign-on provider. A single sign-on provider will perhaps first authenticate the user, see if the user has access to the resources they're trying to access. But before deciding to grant that access there, SSO provider will then check with your endpoint agent and ask the agent about the state of the endpoint to see whether the state of the endpoint is acceptable.
Rick Howard: Lenny believes that zero trust is the future for all of us, and I do too.
Lenny Zeltser: I think most of us will realize that we will be going towards some form of a zero trust-based architecture and we just need to be realistic regarding how quickly we can get there. If you have a young organization, if it's already distributed, perhaps due to COVID-19, then you can get there very fast. But be realistic so that you don't get discouraged if the move does not happen overnight, it's a hard journey. It requires not just technological changes, but also a change in how people think about deploying resources. Understand what's realistic for your organization, understand what your goal is, and come up with a plan that moves you in the right direction, but is also realistic about the challenges that you'll face along the way.
Rick Howard: That's Lenny Zeltser, the CISO of Axonius.