CyberWire Daily - Zero trust: a change in mindset. [Special Editions]
Episode Date: May 31, 2021
Guest Lenny Zeltser, CISO of Axonius, sits down with the CyberWire's CSO and Chief Analyst Rick Howard to discuss one of Rick's favorite topics, zero trust. Lenny shares his views on this cybersecurity first principle, taking into account changes in mindsets during the COVID-19 pandemic that have necessitated many to move toward zero trust.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey all, Rick Howard here. In this CyberWire special edition, I have a treat for you. As you all know, I'm a huge advocate for zero trust as a first principle strategy that will help us reduce the probability of material impact due to a cyber event. It turns out, I'm not the only one.
I've been doing some basic research on Zero Trust architectures when I ran into some material written by Lenny Zeltser, the CISO for Axonius, a cybersecurity company that provides asset management services. I found his take on Zero Trust refreshing and forward-thinking. And since Axonius is a relatively young company, I asked Lenny what it was like to build a Zero Trust program essentially from scratch, especially during the pandemic.

I've been a CISO at Axonius for just under a year, and we're building and formalizing a relatively new security program, and I don't have to carry the burden of what many would consider legacy environments. And therefore, we designed our security processes around the fact that now all employees have to be able to work remotely. We can no longer assume that people are in the same office, connected to the same network that we might consider trusted, and therefore we can no longer grant special privileges just on the basis of the network that people are coming from.
Especially for newer and smaller companies, their entire world is SaaS applications, and that new landscape is ripe for zero-trust architecture.

We, as enterprises, are very, very quickly moving towards SaaS-provided applications, which means that you've got your data, to which you need to control access, sprinkled all over the place. And the reason why I bring that up is because now we have no choice. We have no choice but to consider these zero trust design patterns, because we no longer have this network where our business applications reside, the firewall that sits in front of it that we control, right? That just doesn't exist anymore. Everything is SaaS. And what that means is that even if the CISO liked the idea of a zero trust architecture but couldn't really gain support of the organization to consider what cultural or technological changes need to happen, now is the time to bring up the need to use zero trust today, because you've got the support of everybody else. Everybody else wants to use these SaaS applications. They have no choice.
Soon after the pandemic started, I started saying that all of those technical hurdles that stopped us in the past from supporting a mostly work-from-home employee base didn't seem as difficult today. But Lenny says that the problems were never technical. They were political.

It's not that it turned out to be easier than we thought. It's just that it became easier than what it could have been, because now we have the support of the rest of the organization.
We're looking at this COVID-19 crisis through which we're all clearly still living. There's a lot of very bad things happening that are very difficult for everybody involved. But when you look at how this crisis really sped up our movement towards modern security and IT design principles, that's perhaps one silver lining of this very difficult and challenging situation for us: that we got that political and other non-technical support to move forward with some of the security initiatives that perhaps we wanted to have all along.
The idea of zero trust has been around for well over a decade now. And if you look at the latest Gartner Hype Cycle published in November 2020, their researchers have the concept well past the peak of inflated expectations and buried deep in the trough of disillusionment. Lenny tries to stay away from all of that to focus on what is important.

There are a lot of opinions on what is zero trust and what is not, and you get the purists and you get people who try to stretch the definition of the term to its limits. So I'm just going to tell you what it means to me. And what it means to me is this idea, beyond the buzzword, that I don't want to rely on the user being on a specific network that I might traditionally consider trusted when deciding whether to grant access to a particular information resource. So for us, that meant starting with the user's identity as the root of decision making.

Lenny says that the thing that drove him to Zero Trust was his pursuit of single sign-on for his customers and for his employees.

Before we even got to thinking about Zero Trust, we started off with thinking about single sign-on. As we discussed earlier here, we, just like many other organizations nowadays, rely on software-as-a-service applications quite a bit. So most SaaS providers will support SAML-based single sign-on, which means that you can have your user's identity defined in a single place and then integrate the identity-related information into all of the applications that your employees might need to use. Who is this person? Because access rights are tied to the individual. So should this person have access to, I don't know, AWS or G Suite or Salesforce? That depends on the user's identity, which is tied to the person's role in the organization. And then even once you have the user authenticated to a given SaaS application, then what privileges that person has within that application should also be tied to that identity.
One of the nagging problems about implementing a zero-trust program is that in order to do it right, you have to understand that the system has to be dynamic. You can't set it up and forget about it. People change jobs, they get fired, they get promoted. Whatever you build has to accommodate that change.

People come and go, people's responsibilities change, their roles get redefined, and the access that they need keeps changing. So for us, the key to implementing single sign-on so that it's useful was making sure that we can have automation in how access rights are granted. So in our case, we integrated our single sign-on provider with what we consider to be the source of trust regarding users' identity and role, which is our HR system. So the data is kept in its definitive form in the HR system regarding who the person is and what their role is within the organization. Then it's automatically provided to our single sign-on provider, where we're able to define rules based on, for example, the person's department: what applications and what functions within that application should be granted to the user. This way, when the person's role or employment status changes in the HR system, that information is automatically propagated into this SSO system and therefore gets automatically reflected in how the decisions are made for authenticating and authorizing the user to the SaaS applications.
Since I started in the biz, Microsoft's Active Directory has been the tool that most of us use for identity management. But Microsoft rolled it out in the 1990s, and Lenny thinks that it might be time to label it legacy and move on to something newer. He acknowledges that Microsoft is aware of that and is currently offering Azure Active Directory, their federated and cloud-delivered identity management system that works closely with on-prem Active Directory.

It's worth rethinking what role Active Directory has in this future in which we now find ourselves. Because when I think about Active Directory, I think of what soon, I think, will be called a legacy approach to identity management, because Active Directory, as it was originally designed, was meant to be kind of an on-premise directory and information store, which is very hard to access when your employees are distributed and remote. So instead, Microsoft is making a big push into a Microsoft-hosted version of the Active Directory product under their Azure umbrella.
But whatever you use for your identity management system, you will need to automate the process in a DevSecOps kind of way.

Now, once you have this integration between whatever it is your root of trust for identity is and your single sign-on provider, then you look for a way to automate the assignment of roles and access privileges. And then you can start thinking about how do I integrate single sign-on with all of the applications that my employees are using.
But buyer beware. It seems that many SaaS vendors use a similar tiered buying model that many of us use and hate in the States for our cable TV subscriptions. You have to buy the super-duper supreme option just to get access to that one show you can't live without. For me, it's Lovecraft Country on HBO Max. But then you are saddled with a bunch of TV shows that you wouldn't watch if your life depended on it. I'm looking at you, the great poetry throwdown.

I do want to point out: don't assume that your SaaS application provider will allow you to enable SAML-based SSO integration without charging you money for it. Look, I work for a company that sells security products. We value the product that we make, and our customers pay us money to get it. So I'm all for the idea that you should be charging your customers if you're providing something useful to them. The challenge that I have with many popular SaaS vendors is that they don't allow their customers to just buy the SSO integration option. In many cases, the only way to get SAML-based SSO integration is to buy the most expensive product bundle that many of these vendors call enterprise. Many small companies don't need that product bundle and either have to choose to not have SSO integration or buy a whole lot of add-ons at a very, very expensive price point and not use those features.

When we talk about zero trust concepts, we normally describe the capability in two different buckets. Logical segmentation: those decisions we make about the identity of the person or process and the workload they are trying to access. And micro-segmentation: about doing the same checks with devices, but also checking that the device meets some sort of configuration standard. Lenny says that the best place to do micro-segmentation is on the endpoint, where you can check if the operating system is current and has installed all the right patches. You know, that kind of thing.
The one critical piece that we did not yet talk about is the role of the endpoint, the state of the system from which the user is trying to access the resource. Because I think that is a major component of a zero-trust architecture. We used to think about security oftentimes from a network-centric perspective. We deployed network firewalls and deployed network segmentation. Now we're talking about zero trust and thinking about the problem from the perspective of the user's identity. Who is this person? Are they authorized to log in or take actions they're trying to take? But another part of the decision is becoming: yes, maybe I authorized this user. They are accessing a finance application. They are in the finance group. But do I trust the device from which they have successfully authenticated? That's another part of the decision that I think is useful to consider. The state of the endpoint, how trustworthy is it, and how can you decide whether to grant access in part based on the state of the endpoint. Much of what we were trying to do was oriented around the user's identity, but also it involved the state of the endpoint. And when I look at many ways in which people describe zero trust, they do include the endpoint as one of the elements to discuss as part of the zero trust architecture. One way to do it, for example, is to integrate whatever security or IT agent you have on the endpoint with your single sign-on provider. A single sign-on provider will perhaps first authenticate the user, see if the user has access to the resource they're trying to access. But before deciding to grant that access, the SSO provider will then check with your endpoint agent and ask the agent about the state of the endpoint to see whether the state of the endpoint is acceptable.
Lenny believes that zero trust is the future for all of us, and I do too.

I think most of us will realize that we will be going towards some form of a zero trust-based architecture, and we just need to be realistic regarding how quickly we can get there. If you have a young organization, if it's already distributed, perhaps due to COVID-19, then you can get there very fast. But be realistic so that you don't get discouraged if the move does not happen overnight. It's a hard journey. It requires not just technological changes, but also a change in how people think about deploying resources. Understand what's realistic for your organization, understand what your goal is, and come up with a plan that moves you in the right direction that is also realistic about the challenges that you'll face along the way.

That's Lenny Zeltser, the CISO of Axonius. Thank you.