The Zero Trust strategy assumes that your network is already compromised and compels you to design it to reduce the probability of material impact to your organization if you experience either a trusted insider attack or an invading outsider who has bypassed your security controls to attain the same status. In other words, trust nobody and only allow employees enough access to the organization's resources to get their jobs done, but nothing further. You may think that designing and building that type of network is 180 degrees away from what you have right now. You would be wrong. You can get a long way down the Zero Trust path by using the equipment you already own in your current architecture. The thing that has to change is people and process. This CyberWire Pro online briefing will discuss what Zero Trust is, how to think about it in terms of your own environments, and the practical steps you can take right now with equipment you already have that will move you along that journey. This will be a vendor-neutral briefing by the CyberWire's CSO and Chief Analyst, Rick Howard, which will also provide some history and context for those looking to implement Zero Trust solutions. This briefing was given on May 18th, 2020 in partnership with the Maryland Innovation & Security Institute (MISI).
Armando Seay: [00:00:01] Good afternoon. My name is Armando Seay, and I'm coming to you live from our DreamPort facility in Columbia, Maryland. Forty thousand square feet of innovation and energy. And even during a pandemic, we're still innovating. We're still getting stuff done.
Armando Seay: [00:00:17] Interestingly enough, today, our discussion is going to be about zero trust with the CSO for the CyberWire, Rick Howard. Rick recently joined the CyberWire organization, bringing his considerable experience and talent to the conversation on CyberWire. If you're not a member of CyberWire, I encourage you to do that. I listen to their podcast, their CyberWire Pro, and their feeds that you get every morning. They really do a great job of aggregating the current news on cybersecurity, as well as talking and communicating and outreach to a lot of the top cybersecurity leaders in the country. So, I again recommend that you guys go out and definitely subscribe to the CyberWire. You'd be shocked at the types of people all over industry and senior leaders of our government agencies that listen to the CyberWire to get their news and to also communicate with the industry.
Armando Seay: [00:01:10] So, today's topic is zero trust. Almost ten years since the introduction of zero trust architecture, when Forrester and John Kindervag – a lot of people consider him the father of zero trust – introduced it. We see our nation continuing to progress forward. The pandemic has definitely put us in a position where we are looking at zero trust now for all this work-from-home stuff that's going on. A great example is that NIST recently released a draft of their Publication 800-207, which is Zero Trust Architecture, which is chock full of recommendations and best practices, basically from a zero-trust architecture implementation perspective.
Armando Seay: [00:01:57] Another interesting development is the Department of Defense, with their Continuous Diagnostics and Mitigation – their CDM platform – which is making a lot of news right now, where they're aggregating vulnerabilities and threats associated with the agencies into a single platform. Interestingly enough, we're doing the same thing here at DreamPort with one of our platforms in terms of the defense industrial base. But let me continue. So, the Department of Homeland Security and their CDM platform is aggregating information, and they're implementing zero trust principles as well.
Armando Seay: [00:02:28] We've been looking at zero trust here at DreamPort since two years ago, when we first opened up our facility, where we're working with a number of agencies of the Department of Defense regarding prototyping architectures. Zero trust, at least in the beginning, was considered very monolithic and just a huge thing to implement. We've been working on getting zero trust to an agile, easier-to-implement approach, not trying to take the whole elephant apart or implement the whole thing all in one big project.
Armando Seay: [00:02:58] So, we're excited to have Rick Howard to educate us, to talk to us about this exciting, exciting new technology. Many of you who went to RSA – not this year, but the year before – would recall that it was a very zero trust centric RSA conference in San Francisco. So, with this, I'd like to turn it over to Rick Howard from CyberWire, the new CSO for CyberWire, to talk to us about zero trust. Rick, so glad that you agreed to do this with us, and our partnership with CyberWire is amazing, and we love the journey that we're going on together as we educate industry on topics such as zero trust. With that, I'd like to turn over to the CyberWire CSO, Rick Howard. Thank you, Rick.
Rick Howard: [00:03:43] Thanks, Armando, for those kind words. And, you know, as Armando said, I've been kicking around the cybersecurity industry since the dinosaur days, and I was an early fan of podcasts before they even had a name. It was basically radio for the Internet age. And by the way, if you haven't found these little things yet, these podcasts, you're really missing out. They're little containers of entertainment and information on pretty much any subject that you might be interested in. If you have an odd interest in how shipping containers are made or whatever happened to pizza at McDonald's, or how do you make pretzels in the state of Milwaukee, I guarantee you that there is a podcast about it – mostly because I just Googled most obscure podcasts and these were the first three that came up. And there are literally hundreds of cybersecurity podcasts out there. But the two I've been listening to regularly for the last ten years – one is from Australia, it's a weekly news podcast called Risky Business, and the other one has been a daily news podcast called the CyberWire. So when I got a chance to work for the CyberWire, I jumped on it.
Rick Howard: [00:04:48] But today, I want to talk to you about zero trust. And here's the key – if you take nothing else away from this webinar, take this: implementing an impactful zero trust program within your organization is not going to be as hard as you might think.
Rick Howard: [00:05:05] So, this presentation is taken from a much larger deck that I'd put together over the years about strategies, tools, technologies, and platforms that the network defender community has embraced over time. Because for me, it's hard to understand how we got to where we are without understanding how we got here. So in terms of strategies, these are what I see as the major ideas that have emerged since the entire thing started back in the 1990s. Defense-in-depth started back then, 1991. Cyber hygiene was coined by the famous Vint Cerf, the famous Internet founding father. He was speaking to Congress when he told them about cyber hygiene in 2000. Intrusion kill chains and zero trust were both created in the same year, which I find fascinating. These are the two strategies that are completely driving us today, and the papers were released in the same year – fantastic. Resilience, we started talking about that in 2012. And then a new idea, piggybacking off of intrusion kill chains, is adversary playbooks.
Rick Howard: [00:06:09] For tools, you all know that there are literally hundreds of tools that the network defender community uses, but I tried to capture here the ones that most of us have, like, you know, intrusion detection systems, antivirus, and firewalls.
Rick Howard: [00:06:21] For technologies, these are a category where I wouldn't classify them as a single tool, but more like an idea, or several ideas coalescing around a capability. You can definitely buy these things when they pop up, but at the time, they weren't mature enough to be considered stable platforms. Speaking of platforms, here are the ones I think are the mature platforms that already do the integration and orchestration for you. Platforms like SaaS and IaaS and next-generation firewall – these are all good examples of mature platforms.
Rick Howard: [00:06:54] And here's the entire graphic that you'd want to put on your wall – it is gorgeous, and my boss, Peter Kilpe, he built this, so you should ask him if maybe you could use it and hang it on your wall. As you move across this graphic, though, left to right, you can see that our technology landscape has become very complicated. And that's kind of the world we live in these days. But today, I want to focus on this one important milestone in 2010, and that's the idea of zero trust.
Rick Howard: [00:07:21] Zero trust ideas have been bouncing around the industry since the early 2000s, but John Kindervag – he published the essential paper that solidified the concept back in 2010. Like I said, he based his thesis on how the military and the intelligence communities think about protecting secrets. Essentially, treat all information as need-to-know. In other words, if you don't require the information to do your job, you shouldn't have access to it. This is really the principle of least privilege, an idea that emerged in the design of fault-tolerant systems as far back as 1972. But in the digital world, it means that when we are considering giving employees privileges to access company resources, we have to make the decision to explicitly grant them, and not give them carte blanche to everything just because they logged on to their laptop.
Rick Howard: [00:08:11] So, to achieve a zero-trust posture, then, network architects make the assumption that their digital environments are already compromised, and design them to reduce the probability of material impact to the company if it turns out to be true. Now, that's a powerful idea, and completely radical to the prevailing idea at the time, which was perimeter defense. So, take a look at that graphic in the bottom right. That is a graphic straight out of an Army field manual that shows the design of a tactical operation center, or TOC, in the field. Those gray boxes, they indicate foxholes where soldiers would sit, armed with weapons pointing out of the circle to protect the TOC from all avenues of attack around three-hundred and sixty degrees of that circle. And that looks formidable. But you can see that if the enemy ever got past those foxholes, the TOC would be as good as compromised.
Rick Howard: [00:09:03] With perimeter defense in the digital world, we did the same thing. We built a strong outer protection barrier, but once the attackers got in, they had access to everything. We called this the hard and crunchy on the outside, soft and gooey on the inside network design. And John put it in the title of his paper. My own name for this is the M&M network design – hard candy shell on the outside, soft chocolate on the inside – so soft that the inner network melts inside the hackers' mouths as they consume your digital assets. How 'bout that for a metaphor?
Rick Howard: [00:09:35] This guy, Edward Snowden, he's the poster child for zero trust. Sometime before 2013, he purchased a web crawler from the Dark Web for about a hundred dollars, and he turned it loose on the US intelligence agencies' JWICS network. JWICS stands for the Joint Worldwide Intelligence Communication System, and it is where the American spies store their super-secret information. Snowden collected over a million highly classified documents, walked out the door with them, and well, let's just say, created quite an international incident.
Rick Howard: [00:10:07] The crazy thing is that once he legitimately logged on to JWICS, he had authorized access to almost everything stored there. He basically web-surfed the JWICS network to see what he could find. I guess it didn't hurt either that he had system administrator credentials for many of those systems. When Snowden did what he did, the JWICS network engineers had not deployed a zero-trust network. And the irony doesn't escape me that John Kindervag based his zero trust thesis on how the intelligence community typically compartmentalizes its secrets, and then we discover that Snowden was successful – at least in part – because the NSA didn't compartmentalize its secrets on its most secure network. All right, but let's be fair – back in 2013, nobody anticipated that a highly vetted contractor like Snowden would do such a thing on a super-secret network. In hindsight, it seems obvious that somebody would try, but back then, the controls that the NSA had in place to vet these workers seemed adequate.
Rick Howard: [00:11:04] The Snowden incident caused the NSA, and many network defenders like us, to rethink their network designs. For the infosec community, it moved Kindervag's theoretical paper from an interesting idea to a key design principle that we should all be following. Zero trust was how we were going to build networks moving forward, and we're going to do that by trusting nobody and only grudgingly giving permission to access company resources once you've logged in.
Rick Howard: [00:11:32] OK, so I've talked to many network defenders over the years about the zero trust architecture. My takeaway from those discussions is that most missed the point. They don't seem to understand that zero trust is not a destination – it's a journey. And take a look at that graphic, Journey, right? That's right off the album cover. You don't climb a mountain and reach your destination and then slap high fives with your colleagues, mission accomplished. You know, it doesn't work that way. Zero trust is a philosophy. It's a strategy. It's a way of thinking. That's the bad news. The pursuit of the zero-trust journey is never-ending. There are a million things you can do technically and process-wise that will improve your zero trust posture. And there is not enough time in the day to even get to half of those things. So that's the bad news.
Rick Howard: [00:12:19] The good news is that there are things you can do right now that can get you eighty percent of the way there, using technology and equipment that most of you already have deployed. Once you get that done, you can decide if the remaining twenty percent is worth doing. That twenty percent, by the way, it's the really hard stuff, the things you are never going to finish completely.
Rick Howard: [00:12:43] So, the question you're asking yourselves is, how do I do it? If this is so easy, Rick, what should we do first? Well, I'm here to help you. I'm going to talk about two ways to think about zero trust in your current environment.
Rick Howard: [00:12:57] And the first one is logical segmentation. I know it seems obvious that if we're going to limit access to employees based on need-to-know, the first thing that we need to do is segment the network somehow where the data is stored, and set up some kind of rule system that allows one set of employees access and keeps others out. Now, like I said, I've been hanging around the industry for a long time – I've tried to do this in a lot of different ways and it failed miserably each time. I once tried to physically separate the networks by putting groups on their own fiber, but that doesn't scale very much. I also tried to do it with VLANs, and that is fine, but VLANs, you know, the rules are very complicated, even more than firewall rules. And if your VLAN guy gets hit by a bus, nobody will be able to figure that out once he's gone.
Rick Howard: [00:13:40] So, let's have an easier solution. That brings us to logical segmentation. And the technology that you have already installed is something called "next-generation firewalls." They became commercially available in 2007. All the major firewall vendor products do next-generation things, and if you're a medium-to-large scale business, you probably already have a boatload of them deployed in your networks. And we're going to use them to get eighty percent of the way on our zero-trust journey.
Rick Howard: [00:14:09] So, the firewall has been a staple of the generic security stack since the first commercial offerings back in the 1990s. But when I say firewall, most of us are thinking about the old stateful inspection firewalls invented around the same time. They were basically fancy routers that allowed us to block incoming and outgoing traffic based on ports, protocols, and IP addresses. And we deployed them at the boundary between our digital organizations and the Internet. The next-generation firewall, as compared to the old stateful inspection firewall, that's a paradigm shift. You block network traffic based on applications tied to the authenticated user. Let that sink in for a second. Instead of a layer-three firewall that operates on ports, protocols, and IP addresses, the next-generation firewall is a layer-seven firewall. It operates on applications tied to the authenticated user. If you're concerned about your employees visiting Facebook during the workday, you could try blocking their traffic at layer three by not allowing them access to a raft of IP addresses that Facebook manages and continuously changes – that's a never-ending task, by the way – or, you can write a next-generation firewall rule, a layer-seven firewall rule that says something like, the marketing department can go to Facebook, but nobody else can. Done. And you never have to touch it again.
Rick Howard: [00:15:31] In a next-generation firewall world, everything is an application. Using Salesforce? That's an application. Have an internally deployed Exchange server? Use of that? That's an application. Accessing the dev code library? Application. Pinging a host on your network? Application. Reading the Washington Post? You got it – that's an application. Being able to block applications based on the employee groups that use them provides the infosec team the means to start down the zero-trust journey without having to completely redesign their network. They may have to supplement a bit, but they don't have to start from scratch. For the first time in my career, I can segment my network based on the role – only this time, I'm logically segmenting it at the firewall. And that is how I'm going to get my organization down the zero-trust journey to about eighty percent, and reduce the probability of an Edward-Snowden-type insider threat attack being material to your organization.
Rick Howard: [00:16:30] A second way to do zero trust – the harder way, because you can't just use existing, deployed next-gen firewalls, you're gonna have to do a little bit extra here. We're gonna call this "micro-segmentation." Again, we're going to use the next-gen firewalls that you already have deployed in your digital landscape, but instead of simply writing rules connecting our employees to applications, we're going to tie our employees to the devices they use. Like, the finance department employees can use their iPhone to connect to the mergers and acquisitions database server, or the DevOps team can connect their laptops to the docs library server, or the engineering group can connect to the network management server, or the marketing team can connect to the company's staging web server.
Rick Howard: [00:17:14] We do that by creating zones in the next-gen firewall that match those functions, and then tie those zones to unique device names, like permanent IP addresses or machine certificates deployed on every device, that the firewall can interrogate. And then you tie the authenticated users to those devices, and create rules that say something like, the DevOps folks, engineering, and marketing – they can't connect to the financial group's mergers and acquisitions server – only the finance team can. And that is micro-segmentation. Devices to authenticated users. If you got the logical segmentation program running – applications to authenticated users – the next thing you would do is micro-segmentation – devices to authenticated users.
Rick Howard: [00:17:59] Okay, so you're thinking, I'm not completely buying what Rick is selling here, but I'm intrigued. If I'm going to do this, how do I start? And how do I measure my progress? Well, you start with a maturity model. Now, this is not an official maturity model out of the government or some community group trying to figure out how to do things – this is Rick's idea, right? This is what I did at my last job to track my progress building my zero trust program.
Rick Howard: [00:18:24] So, you start by identifying all the applications running through your deployed firewalls. Next-gen firewalls are really good at that – that's what they were designed for. And then you tie your next-gen firewall to your authentication system so that you can see who is using which applications. You decide which users go into which functional buckets, like finance, DevOps, marketing, legal. And don't go crazy here – this should be about ten to fifteen major functions within your organization. You can add more later if you want, but let's not make it too complicated from the start. Then decide which functional groups can use which applications, and then deploy the policy to match those pairings in the next-gen firewall – on all of your data islands, by the way, behind the perimeter, on your mobile devices, in your data centers, in your SaaS applications, and in your hybrid cloud deployments. If you get all of that done, you're about eighty percent down your zero-trust journey, just by deploying logical segmentation – the thing that next-generation firewalls were designed to do.
Rick Howard: [00:19:25] Once you get that done, you can pursue micro-segmentation, and the process is similar. You identify all the devices on the network as they run through the firewall for all of your data islands. You put those devices into the functional groups, you choose which device functional buckets can talk to each other, and then deploy the rule sets to the firewalls on all the data islands. And you are ninety percent of the way there. And if you get all that done, you can do the last ten percent – the really hard stuff that is left on the list of infinite things to do on your zero-trust journey. But I want to make an argument here – I think that eighty percent is probably enough to have an impact on reducing the probability of a material cyber event on your organization because of an insider threat. Do the other twenty percent if you have the resources, but this first eighty percent – it's probably sufficient.
Rick Howard: [00:20:14] All right, so, I hear you saying to yourself, if this is so easy, why aren't more organizations bragging about it? Okay, ten years after Kindervag published his milestone paper, why aren't there more success stories out there? In other words, why do zero trust projects fail? Well, I just explained the two tactical methods to use with technology that most of us already have – micro-segmentation and logical segmentation – so it's puzzling that there is so much zero trust failure out there. So here's the reason why: security leaders have failed to account for the fact that our networks and our organizations are dynamic. There is new equipment moving in and out of service all the time. There are people moving in and out of jobs, too, and moving laterally to take new jobs and new responsibilities. The problem is not that we don't have the right technology in place. The problem is that we don't have the right amount of people and process to make a go of it.
Rick Howard: [00:21:08] At worst, some of us think that we can flip a switch and the system will manage itself. Hmm, let me count how many times that strategy has worked for me in my lifetime – that would be zero. At best, we use the two-guys-and-a-dog management approach. You know, this team of crack IT management experts operate our routers, our security stack, our printers, and they get coffee for the CEO in the morning. Now we want them to manage the zero trust strategy inside our next-generation firewalls. They barely have time to check their email in the morning, and now we add this task to their plate. That is a train wreck in the making. And clearly, it doesn't scale. That just adds to the technical debt pile that we are already not addressing. And besides, deciding which employees get access to which company resources is not a decision we want sitting with the vaunted two-guys-and-a-dog team. That is a decision that should be addressed in policy at the senior levels of our organization.
Rick Howard: [00:22:01] So, you already have the tech for this. What you don't have is the people and process. If zero trust is a key design principle for your network, surely it is important enough to build a team to manage it. We need a team to create the processes for bringing new employees in and deciding which zero trust functional buckets they will belong to initially. The team will also decide how to change employee access when they move laterally, within the organization, to new jobs, and new responsibilities. The team will further design the processes for when employees leave the organization by removing their access from the system. And finally, we're going to need an entirely different team focused on automating these procedures, so that the team managing it doesn't fat-finger the configuration changes.
Rick Howard: [00:22:44] Okay, I'm at the end here. So here's what we talked about. Zero trust is a journey, not a destination. You do this by assuming the network is already compromised and you grant employee access on a need-to-know basis. You use two tactics to do this: logical segmentation and micro-segmentation. And we've discovered that initiatives fail not because the technology doesn't work, but because we don't have the proper people and process in place to manage it. This thing manages the insider threat, and Snowden is the poster child for it. All right, so that's it. It's time to turn it back to Armando for questions and answers. Go ahead, Armando.
Armando Seay: [00:23:25] Absolutely, Rick. So, we are going to open it up for questions. If you have any for Rick, just type it in on your screen and we'll see them. And I'm happy to ask Rick the question and get you an answer.
Armando Seay: [00:23:40] So, Rick, while we're waiting to see if we have any questions, one of the questions I have for you is, in this work-from-home culture, what's your experience? Do you have any advice for agencies or customers that are trying to implement zero trust in a work-from-home culture?
Rick Howard: [00:23:57] Well, that's a really interesting question, because the organizations who resisted work from home, you know, before the pandemic, I think they're going to find at the end of the pandemic that all of those reasons are kind of going away, right? So I think we're demonstrating that people can do this, so that's one positive outcome of all this. The one thing you need to consider, though, when you're thinking about zero trust, is are you covering all the places that your data sits? And what I mean by that is, you know, I call these places data islands, and that's really what you're trying to protect, is the data. So we have data behind the traditional perimeter that's back in the office, you know, on the servers back there. You have data that your employees use on their mobile devices. You have data in your data centers – you know, the ones you built yourselves. You have data in the SaaS applications that you're using, like Salesforce and Gmail and those kinds of things. And now, more and more, all of us, or many of us, are using hybrid cloud deployments for workloads. So we have data out there. So whatever you're doing to protect all those data islands, as we're in this pandemic now, those policies should be easy to move through and cover all of that. Is that what you're seeing when you're talking to your customers out there?
Armando Seay: [00:25:22] Yeah, absolutely. They're rapidly assessing where the access points are – when I say access points, in terms of the endpoints, you know, the networks that are associated with it, and where the data is that is more sensitive, that they are trying to protect and ensure that there's proper authorized access to that information. So there's a big rush to evaluate different technologies for authentication. The other thing is the variety of devices. Some companies were well-prepared because they were always working from home – doesn't necessarily mean they were implementing zero-trust concepts – but with the number of vulnerabilities that have entered the marketplace, associated with the fact that the adversaries out there in the world that are trying to do harm are realizing that you have a lot of very senior and very technical folks, and the folks who are doing finance and accounting and all those kinds of things for a lot of corporations, sitting at home. They are trying to take advantage. So in reverse, some of the CISOs that I've been in touch with are now trying to harden that situation with the audience, with the folks that are at home, trying to rush to implement technology.
Armando Seay: [00:26:34] We have a question, and it actually talks about that – about just what we're talking about, the types of technologies that are involved. I know we have some experience here with the DoD team that we worked with, who evaluated and continue to evaluate technologies for zero trust. And I know we looked at things like VMware, and we looked at some things that CenturyLink had, VMware, and Splunk, Cisco, for instance – they all had some sort of zero-trust technology that we looked at in terms of designing various prototype frameworks that the government could use to evaluate how to make it more – in a more agile way. But the question that we have for you is, do you have any recommendations on a technology used to implement this? I mean, from your experience, obviously, you were at Palo Alto. Palo Alto was actually one of the participants here on some of the technology. In fact, I think they were definitely part of the stack that we looked at. But what about any other suggestions in terms of technology?
Rick Howard: [00:27:30] Yeah, I will tell you that every firewall vendor that you have does next-generation firewall things – meaning they do zero trust things. All that stuff I talked about in the slide presentation – making rules for identifying applications and who's using those applications – every major firewall vendor has that capability. All right, so if you've not tapped into that capability yet, my recommendation is call your sales engineers for that company and have them come in and show you how to do it, because even I know how to do it, and it's not – you know, if I could figure it out, other people can too.
Armando Seay: [00:28:06] Rick, another question that we have for you – what are some good resources to learn about zero trust? I know when we had started out with the government at our facility on the journey to understand zero trust, one of the first things that they did was they kind of walked in and they had books – like, I have a photograph of all the zero trust books on the table...
Rick Howard: [00:28:30] (Laughs)
Armando Seay: [00:28:30] ...And they started out there. And then eventually, we brought in John Kindervag. I think we brought him in virtually, initially, to come in and chat with the folks and get them started on the process. But where can you – where are some places where you can get information to learn about how to approach this?
Rick Howard: [00:28:52] Yeah, thanks, that was a nice setup. So, first I'd go back and read John's paper. Okay, John's – it's not that technical and you can figure out, you know, where he's coming from with that entire thing. The second thing is I'd go read the NIST document that just came out in February of 2020, about zero-trust architecture. And don't let that document scare you, all right? NIST's function is to identify innovative things and how we might set standards for those innovative things so that we can all build them. So, it looks like what they present in the NIST paper is something that doesn't exist, you know, and there's no commercial product for it, and it's too big for us to build – don't let that scare you away. Their job is just kind of to find the edges of the problem and tell everybody what we need. But the NIST document is absolutely technically correct about how to think about zero trust and the things that we're going to need in place to get all that done. So, go read those things. Also, Google's written a bunch of stuff about their BeyondCorp stuff and how they think about zero trust. These are all free resources that are available to you. And if I didn't scare you away from everything I talked about today, the CyberWire Pro piece of what we do at the CyberWire. Okay. I just finished writing a very long – not a long essay – but a deep dive on zero trust, and the podcast we released this week is on that topic too. So there's lots of things you can go see to get up to speed on zero trust.
Armando Seay: [00:30:33] So, another question – is zero trust sort of an enterprise, sort of large-business effort that the tools and the assets that are used to implement it at a cost structure and level that only large companies, or can small- and medium-sized companies also implement zero trust? And if that's the case, you know, do you have any experience in sort of more agile, smaller sort of things? One of the rubs against zero trust, initially, as you're probably aware of, was that it was such a big undertaking, right? People tried to take the whole enterprise and do it from zero all the way to infinity in terms of understanding all of the trust levels.
Rick Howard: [00:31:14] Yeah, I think you're right about that. We tried to make it too complicated. I really do think that. And you're right, and I like to think about size of organizations in terms of, you know, Fortune 500 companies who have lots of resources and people to do things, and then medium-sized businesses, and small businesses. But to answer your question – absolutely, all three of those sizes of businesses or organizations can do zero-trust things, because it's not a technology you buy – it is a way of life. It is a philosophy. It is a strategy. And like I said at the beginning of my presentation, there are a million things that you can do to implement zero trust, and you just keep chipping away at it. And what I tried to convey here is that most of us are using some version of a next-generation firewall in our security stack, regardless of the size that you have. So just – if you are doing that, then that is the thing you should look at first to see if you can implement some of these rules.
Armando Seay: [00:32:20] So, one of the questions that we have is also cloud – you know, implementing it in the cloud. A lot of folks, with this work-from-home strategy, are using more and more of cloud infrastructure to deploy assets there, as a way to more quickly harden their environments, create single points of access. Zero trust – it applies to the cloud environment as well?
Rick Howard: [00:32:46] Absolutely. Just because you're in the cloud does not change trying to restrict access to things you shouldn't have access to. Ask your cloud provider about how they handle zero trust rules – you know, these applications tied to firewalls, right? If you're a Google user, look into BeyondCorp to see what they're doing, to see if that can help you. So, they've already offered that service as a zero-trust service. The cloud providers themselves, they have cloud, you know, virtual firewalls, basically. Or you can go to all the firewall vendors. They also have virtual firewalls that you can stick into your cloud deployments and get the same policies that you would have, you know, behind the perimeter and in your data center. So, it is absolutely possible to use the same technology in all your data islands.
Armando Seay: [00:33:40] So, Rick, another question is, how does zero trust apply to mobile technology? Is there technology that's applicable to the mobile user? Particularly in the commercial sector, you have a lot of companies that are working off of apps – you know, the banking industry, the tech industry. So there's a lot of access. And as you know, with the NIST, as well as the impending CMMC rollout – Cybersecurity Maturity Model Certification – controlling your endpoints and knowing about those endpoints is a really important part of the process of complying. Any advice for the folks out there on mobile and zero trust?
Rick Howard: [00:34:22] Yeah, mobile devices are another data island that you should be – that should follow the same policy. I want to be clear, too – the places your data sits are data centers, behind the perimeter, mobile devices, SaaS app deployments, and IaaS deployments. The policies that you set up in your zero-trust program need to apply to all of those, and if you don't, then that's how a Snowden-type event happens, because you're not covered the whole way. So, the way to think about your mobile devices, then, you have to make sure that your mobile devices run through your security stack at some point. There's lots of different ways to do that. The first hop could be a VPN through a virtual firewall that has all the right policies, or it could be a VPN back to your data centers where the firewalls are, or this new technology called "SASE" is out there – it's not ready for prime time yet, but that might be a different way to do it. All I'm saying is make sure that your mobile devices go through the security stack before they get out to the Internet somewhere. And when you do that, you benefit from your zero-trust policy that you have inside that security stack.
Armando Seay: [00:35:34] That's a great answer, because that's a question that we get here a lot. Even government, particularly in the civilian sector, has a lot of thinking about how to secure those endpoints, as they had to deploy not just their government employees, but contractors in allowing them to continue to keep mission, execution, resiliency during this pandemic. One of the questions is from a name I recognize – Peter Kilpe – and the question from Peter is, how should organizations...
Rick Howard: [00:36:03] (Laughs) Hey, wait, he's my boss, he's not allowed to ask me questions.
Armando Seay: [00:36:06] Yeah, how 'bout that? (Laughs) So we better answer this one.
Rick Howard: [00:36:06] Yeah. (Laughs).
Armando Seay: [00:36:10] How should your organization think about scaling their teams to start their zero-trust journey? I guess Peter's asking, you know, what kinds of investments and additional resources need to be brought into the environment to do that?
Rick Howard: [00:36:22] Yeah, that's a great question, and Peter and I were talking about this before. And it goes back to some of the pieces I was talking about in the slide presentation. I think that's where zero trust initiatives fail, right? Is we decide that we're gonna do it, and we think we can do it with just technology. And I think the bulk of this really is people and process. Someone has to figure out what the policy is going to be for, does marketing get to go to Facebook and nobody else? Or is there some other rule set that we need to have? So, if you're serious about a zero-trust program, don't skimp on the people and process part. So that's the first thing.
Rick Howard: [00:37:01] The second thing is, don't skimp on automating those processes once you figure out what those are. Because you can still come up with the policy and try to deploy it, but if you make a configuration error, when you deploy that policy, then you're still in the same problem – you know, a Snowden-type event. Now, it's easy for me to say, you know, just throw people at it, Rick. That's easy. You know, and we all have so many extra people hanging around. All right, especially for a small startup, you know, with ten to fifteen people in the company, there's not a lot of extra resources there to throw at developing these policies. I totally get that. What I'm telling you is that zero trust should be one of the key stakes in the ground for your security program. And if it is, it should get as much attention in terms of people and process as any of the other key things that make your company go. So you kind of have to frame it in that mind.
Armando Seay: [00:38:01] Yeah, I know here, when our zero-trust project started in support of the various government agencies that were working here, it seemed like an army of people that started. I mean, whiteboards everywhere and breaking out into different breakout sessions and things. But a lot of it initially started with different vertical technology expertise. You know, maybe someone had virtualization and, you know, someone had network experience, and they finally broke off into, you know, I guess architecture teams to work on their areas of specialty and evaluate the technologies that were within their areas of specialty. And they came back together to put the various pieces together. And then once that was done, what I noticed was as we were helping facilitate and accelerate those prototypes, was they needed that technical talent to get that zero-trust framework actually implemented so that they could test it – you know, the actual hands on keyboards and things like that. So that's kind of where we saw the journey. First understanding it, then obviously architecting it, and then implementing it, and then inserting technologies in and out as they were testing things.
Rick Howard: [00:39:08] And I'll just piggyback on what you said. You're absolutely right. Figure out what you want to do first, and then you can worry about how to technically implement it. And the takeaway from my presentation here is once you figure out what you want to do, you can do a lot of that work with technology that you already have. So just keep that in mind.
Armando Seay: [00:39:27] Yeah, I think that's another great point. We have something here that we call the technology pantry. So, thanks to all the generous partners that we get an opportunity to work with here, there's a lot of technology here. So, one of the first things, once they determined what they were doing, or how they were gonna get started, rather, it was trying to determine what were the kinds of things that were common within their respective enterprises that we had here that they could begin to look at in a zero-trust context. So, you know, we started out with a lot of things that weren't brand new, new-fangled things, right? Just existing technologies that are used every day throughout commercial enterprises and the government. And those things were re-envisioned in a zero-trust sort of model. Then after they figured that out, as they figured out what kinds of things they were missing, depending on what the objectives were and how quickly they wanted to close on those objectives from a technological perspective.
Armando Seay: [00:40:23] So one of the questions that we also have here is from Quentin Hodgson (ph), and the question is, how do you develop insights into the business functions to be able to really understand what they need to use and how? Is that a result of having to talk to people in those units? Or can you do it based on what you learn from a next-gen firewall survey?
Rick Howard: [00:40:46] Oh, wow, that's a great question. And you've hit on the crux of it all. I mean, we can turn on those firewall rules and it will tell you, you know, the applications being used inside the organization and which users are using them. But as a CISO, it's my experience as a CISO, you need to now go talk to all the business leaders and say, this is what I see happening, okay? That this group of folks are going to this kind of resource, and is that OK? Is that OK for a risk – in terms of a risk posture for the organization? Quentin's question is absolutely right on target. The CISO's job is at least half going around talking to business leaders about how their business runs, what are they worried about, what are the other risks of the business besides cyber? So that that leader can make decisions and weigh all those things together, right? And it may turn out, after you talk to all those folks, that the zero-trust program that we need may not need to be as complicated as you might think.
Armando Seay: [00:41:52] Yeah, so this is an interesting question, and this is something I see in a lot of the documents that we get to see and we get to work with here. So, is zero trust kind of based on the – how does it correlate, actually, to the model that says assume you've already been compromised, there's already adversaries on the network? How does zero trust start with that particular assumption? Right, so you have an environment that's already been operational and may already be compromised, and now you're starting to do a zero trust architecture. Does zero trust do anything to elucidate what may already be within the network, or is that just a whole separate kind of discipline while the folks that are going to be on the zero-trust architecture and implementation journey are working on those things?
Rick Howard: [00:42:38] Yeah, I look at it as reducing the attack surface, right? And if I want to put it into normal terms that everybody can understand, think of it like trying to secure your house from a burglar. You can spend lots of money on surveillance equipment and alarms and things on your house, but when you go out in the evening, if you forget to lock the doors and the windows, all that stuff is not going to be that useful to you. So the question then, is what is the equivalent of doors and locks in the digital environment? And it turns out there's lots of things that we leave open all the time if we're not paying attention. And the one that always comes up that you see in the news every day is all the Amazon S3 bucket breaches. And I say "breaches" with air quotes because they weren't really breaches – they were just – they've always been misconfigurations, right? It wasn't that a bad guy hacked into the S3 bucket and stole all the information – they went through an open window because the administrator did not configure it properly. And that's not an admonition on the administrator, because it's really hard to do this correctly, but that's just one example of an open door that bad guys take advantage of. And so, zero trust is assuming that the bad guys are already in, and then closing all the doors and the windows and locking, so while they're wandering around in the hallways trying to find something interesting to steal, they don't get access to all of those things. Does that analogy hold any water with you?
Armando Seay: [00:44:11] Yeah, sounds interesting. So what you're saying is, as you're implementing zero trust, and the adversary is already in, you're basically starting to lock doors, or they're wandering around the house, but as they're testing different doors, those doors are beginning to close and they can no longer get in there. And obviously, as you continue to implement, you will discover who's already on, that kind of thing, and you can figure out what to do about them. But you're basically locking the doors inside the house as you're progressing along the journey. Is that kind of what you're thinking about?
Rick Howard: [00:44:39] Yeah, you lock the doors, you lock the cabinets, you chain the TV to the wall. You know, those kinds of things. So that even if a bad guy is in there, they might be able to put some stuff in their pockets, but whatever they take out is not going to be material to your organization.
Armando Seay: [00:44:58] So, here's a great question on federation. And the question comes from a man by the name of David Harris. Thanks, David, for the question. What is the best approach to federation? With multi-organizational supply chains, cloud environments mapped through those, in addition to on-prem solutions, what do you think is the most effective orchestration? Again, that's a question from David Harris. David, thank you for joining us today and thank you for the question.
Rick Howard: [00:45:22] So if I understand the question of a federation is like, for example, at the CyberWire, we are one of several companies underneath an umbrella of a larger company – is that what you think this means?
Armando Seay: [00:45:33] Yeah, it means, basically, how do you basically take the architecture and federate it across the enterprise, right? If you have multiple locations, you know, you can have offices in Europe, you know, offices around the country. How do you take that and federate it across that environment?
Rick Howard: [00:45:49] Yeah, so I think the mistake that we've all made – and I've done this to myself in my past and I've regretted it – is that we try to implement different security policies with different technology at different locations in the digital world. And there's lots of good reasons for that, but it just makes our whole world more complicated. So, what I'm trying to do is reduce that problem set. I'm trying to use one solution across all those data islands and all those locations. And this violates one of the early best practices that we all came up with back in the '90s, which is, we're never going to use the same vendor for everything because we don't trust those guys, right? So we're going to have multiple vendors within our – inside our security stack. Well, I'm telling you, that situation has got us into the situation we're in right now. Our security stacks are too complicated to manage. So, I can make a pretty strong argument that the risk is a lot less if I double down on a single vendor that I can use at all of those data locations, that federated space that Dave was asking about, right? That it's easier to manage and less likely for me to make a mistake there. Does that make sense?
Armando Seay: [00:47:07] Yeah, makes sense. One of the last questions as we close – we have about three minutes – the question focuses on DevOps. Where does DevOps fit in? I think you had a slide. The questioner, I think, is James McGowan (ph), who asked this question about where DevOps fits in.
Rick Howard: [00:47:27] I believe that DevOps is the savior for not only the security community, but for the IT community, right? Many of these mistakes – I mentioned the S3 bucket one – it's because people are fat-fingering the configuration errors on a system they know how to use. They made a mistake. But if you can automate how you make changes, then whatever changes you make are going to be the same down the road. So, DevSecOps and SecOps are the way we're gonna get better at this. And by the way, that's how we're gonna get more efficient. I had an old boss of mine tell me that, as a metric for my security operations, he said if the number of people you're using goes up every year because it's that complex, you're going the wrong way. You should be reducing the staff, and the way you reduce the staff is you automate all the level-one and level-two processes. And that's what DevSecOps is. I will recommend a book for everybody on the call, if they're looking to get into DevSecOps – it's The Phoenix Project, and it's a novel, so it's easy to read, but it gives you all the main points to it. And you can start your DevOps journey there.
Armando Seay: [00:48:47] One last question as we close – we got about a minute – actually, probably even recognize the name of this guy. Someone that I used to work with, very talented Apple engineer. We used to manage Apple networks together for the military, which was a rare skill about six or seven years, maybe eight years ago, where people just didn't know how to handle Macs within a government context. In fact, we saw Macs being banned in certain government operations just because they just didn't understand. It was like, why are you guys buying Macs? But anyway, Andrew Taylor is asking, I noticed that Rick is presenting from a Mac computer. Does he believe using modem – modern, I'm sorry, endpoint frameworks like Apple's MDM framework helps to lead the way to zero-trust device deployment?
Rick Howard: [00:49:32] Yeah, I am technology – I forget the word, I can't think of the word. I don't really care what technology it is – it can be Windows, it can be Linux boxes, it can be Macintosh. That's not the problem. It's not that one is better than the other, and every one of those vendors has things that can aid us in our zero-trust journey. But I'm trying to raise the conversation up to think of zero trust as a strategy, because you're going to have all those elements inside your organization at some point, and your strategy can't crumble just because we bring in a new kind of technology into the organization. So, to answer your question specifically, yes, the Apple MDM stuff could be useful in your zero trust environments. But I think that the other vendors have other interesting things too.
Armando Seay: [00:50:25] Well, Rick, it is three o'clock and we've come to the end of our session with you. Zero trust is an exciting technology that's been taking shape for the last ten years. As we continue to progress on the zero-trust journey, as the adversaries become smarter and slicker in their ways to basically do damage to our society and by taking advantage of all the different threat vectors that are available to them, zero trust I think will continue to be important. Your knowledge has been amazing. You know, your joining the CyberWire is also a good thing. You're gonna be an excellent resource, I think, for the world at large with all of the significant content that the CyberWire produces. Again, this is Rick Howard, CSO for the CyberWire. He just recently joined them. And as you can tell, he's a wealth of knowledge regarding the zero-trust architecture. I'm sure there are a lot of other topics that Rick can address. Those of you who have not participated in any of the CyberWire podcasts or other things, I would encourage you to check out the CyberWire and CyberWire Pro. It is a resource that you just can't do without. You know, I listen to a lot of things, but the CyberWire has definitely got the methodology down pat relative to getting you good cybersecurity information in a really concentrated way and in multiple formats that are easily digestible. So they're a great, great, great resource. And I want to thank the CyberWire for the partnership. I want to thank Rick – thank you for joining us. I'm getting a lot of questions about the slides. I will circle back, but I think, Rick, we can make the slides available, do you think?
Rick Howard: [00:52:02] Yep, absolutely.
Armando Seay: [00:52:02] So, there you go. Slides will be available. Again, thank you for joining us. We've got a lot more stuff coming as we go forward here at DreamPort. And also, again, pay attention to the CyberWire – they have a lot of good content coming as well. Just dreamport.tech – pay attention to our website, we're always announcing great topics, great speakers. And we've got some exciting things coming up real, real soon from some very senior folks. We are even going overseas. So, even with a pandemic, we're going to virtually travel overseas, we're going to bring in some of our partners from the international side of the world over to the US to talk about what they're seeing from a cybersecurity perspective, COVID-19, and how they're going to continue to go forward. Again, thank you for joining us. This is Armando Seay, over at DreamPort, right here, and the Maryland Innovation and Security Institute. Thank you for joining us. Thank you very much. Stay safe.