Security Insights - Cybersecurity for Real-World Workplaces

Why Trust Zero Trust?

September 21, 2021 Ivanti Season 1 Episode 16

Host Adrian Vernon, VP of Product Management Chris Goettl, and Chief Security Officer Daniel Spicer talk about the hottest buzzword in security right now: Zero Trust! The conversation includes:

  • What Zero Trust is and what benefits it brings to security
  • An overview of the federal government adopting the Zero Trust strategy
  • The Zero Trust maturity model
  • What it takes for a company to begin moving to Zero Trust
  • Thoughts on missing elements from the Biden executive order and what we'd like to see added or changed
  • The importance of making sure work can still get done with Zero Trust in place


Adrian: Well hi everyone, welcome to another episode of Ivanti Insights, Adrian Vernon here, and I'm joined today by one of our VPs of product management, Chris Goettl in the house!


Chris: Hey, thanks Adrian, always great to be here.


Adrian: And of course, none other than our Chief Security Officer here at Ivanti, Daniel Spicer.


Daniel: Hey, happy to be here. 


Adrian: All right, good to have you guys here today. Today we're talking Zero Trust, one of the hottest buzzwords in security at the moment, but don't let that make you think it's just marketing fluff. Zero Trust is gaining popularity as a way to secure networks, devices and people. Even the federal government is adopting this framework. In fact, everyone might've heard back in May that President Biden issued an executive order to overhaul cybersecurity within government agencies to ensure that baseline security practices are in place, and Zero Trust plays a big role in that plan. Now fast forward a bit, and we're on the last day to provide public comments to the Office of Management and Budget on the federal Zero Trust strategy. Now don't worry if you didn't get your comments in on this, because CISA, and that's the Cybersecurity and Infrastructure Security Agency, is accepting public feedback on the Zero Trust maturity model and cloud security technical reference architecture, that's a mouthful, until Friday, October 1st, a couple of weeks out. So gentlemen, let's get into it. First off Daniel, there seems to be a lot of confusion around just what exactly is Zero Trust. Is it a technology, a product or a solution? What are the benefits?


Daniel: So first, Zero Trust is actually none of those things, Zero Trust is a strategy. It's one that organizations can utilize to protect their networks, their devices, and most importantly, their users and customers. It basically eliminates the concept of holding the trust in a single thing or having implicit trust built into your architecture. Instead, every time you utilize a resource, you have to go back and re-validate the identity, re-validate the device that you're working with. It's never trust, always verify. So in short, Zero Trust is not a product, it's a strategy or, a bit more accurately, a reference architecture. And the benefits are really that it reduces the business and organizational risk. By not trusting and always verifying your users and devices, you are inherently reducing your risk right out of the gate. So Zero Trust can significantly reduce the risk of a data breach, and importantly it also, when you have a data breach, reduces how far that data breach can actually expand. And finally, Zero Trust actually helps a lot with the compliance of your organization, with the different regulatory and business certifications you can get.


Adrian: Okay, well I think that clears it up a little bit. So Zero Trust, it's not a technology or product or a solution, it is a strategy. Now Chris, let's turn to you. We mentioned just a couple of minutes ago that the US government is getting more involved in security, what have we seen so far?


Chris: Yeah so like he said, the Biden administration executive order that came out in May, it heavily referenced the NIST Special Publication 800-207, this framework really talked a lot about what Zero Trust is. So it's a great example of how this architecture actually works, the collection of concepts and ideas designed to actually reduce uncertainty in enforcing accurate, per-request access decisions. What are the next steps from this? If you want to find the location where you can find all of these documents that are still open for comment at the moment, you can go to zerotrust.cyber.gov. There are three documents you're going to see out there, and this is that next step that we're kind of all waiting on at the moment. There's a document called the Federal Zero Trust Strategy, this is the goals of how to accelerate agencies toward that shared baseline of Zero Trust maturity. So that's the strategy level document. Then there's the maturity model, think of this as your roadmap to executing this, no agency is going to be starting from the same point on this, they're all going to be very different. This is trying to frame up and help them identify where they are and how to progress on each of their journeys towards implementing this type of effective Zero Trust model. And the last one is the cloud security technical reference architecture, this is more of a guide for agencies to leverage when migrating over to the cloud, obviously happening a lot lately. More and more organizations are transitioning from on-premise technologies to cloud technologies, we need to enable our users in different ways. This is trying to outline, guide, and bring up considerations that you need to understand for providing these types of shared services, how to migrate to the cloud, and maintain that cloud environment once it's there. So these are the three documents that are currently out there open for comments.


Adrian: All right, and the second one, the middle one of those three documents you just mentioned, it's this maturity model, the Zero Trust maturity model. Daniel let's have you dive into that a little bit more.


Daniel: Zero Trust doesn't have to be overly complicated. In fact, a lot of organizations already have some initial building pieces or some components in their environment. So your journey really starts by taking inventory of what you have and trying to build on it. There are a lot of offerings and products that you can bring into your environment to work with and improve and continue to move forward, but definitely start by taking stock of what you have and then proceed from there. Try to improve those technologies and put them into that Zero Trust model. And in fact, there's just a lot of references, Adrian, out there on how to build on some of these technologies, whether that's changes to your Microsoft Active Directory configuration or making changes to your firewall, that help you slowly move into a more mature state in the Zero Trust framework.


Adrian: Okay, and so Chris, a little more specifically, how does an organization start moving to Zero Trust, how do they even begin that journey? What does that process look like?


Chris: Yeah, so a lot of it comes down to having to self-assess and figure out how you stack up against these different areas. They break down into a number of areas: about the user identity, about the devices in your environment, about the applications in your environment and specifically around requests. And then the ability to continuously observe and act on that information. So you have to look at each of the parts of that strategy, and from there really start to back into: do we actually have a grasp on everything we need to discover? If we don't have that, we can't even get to the point of properly assessing access requests, because we don't even know which things we should be granting or which ones we shouldn't. Again, each organization will be a little bit different, but it's kind of starting from the standpoint of: do we know who all of our users are, what they should have access to? Do we know all the devices that should be accessing our environments, and are they meeting good cybersecurity hygiene baselines? If we don't have those things well understood, we've got an overall discovery concern that we've got to solve first. So each of these overlap each other quite a bit. Again, one of the best ways to do this is going to be to dig in and start to really look at this, and even reaching out to and getting services. There's going to be, I would expect, plenty of MSPs that'll be focusing on helping organizations to manage, and try to identify what their journey should look like. Again, after the comments cycle is done here, and companies start to need to execute on this, that'll become more clear, and I think some companies will need that external assistance. Others will be able to kind of step through this journey on their own.


Adrian: You know it's clear this is becoming critical to organizations everywhere, and we've talked about how to implement a Zero Trust framework. I've got a two-part question for you both, I'll have you both tag team this if that's okay. So are there some missing elements to the Biden administration executive order, and then secondly, what are some challenges that organizations may run into when implementing Zero Trust? Daniel, why don't you kick us off?


Daniel: Yeah, I'd actually like to start by picking on the maturity model just a tad bit here. It's actually very well-designed from a rubric standpoint, where you could kind of assess where you are and move through the maturity model, but that's an assessment, that's not practical testing. And so there's nothing in here about how to tie in a penetration test or some kind of more active exercise in order to actually test your maturity, and I really feel like that's missing. This is something that you can see quite a bit more in the European countries and some of the models that they've been coming out with. The other thing that I found really interesting here is that threat hunting is touched on very briefly in a few of these documents, but they don't really talk more about how that ties into the strategy here. And it would be really great to understand how your threat hunting gets better or the expectation of your [inaudible 9:30] so that you can perform threat hunting improves with the transition into a Zero Trust framework. So I felt like that was missing. Just a couple other things that I think we should talk about is this: we talk about identification and classification of your assets, your resources, and we talk about classification and identification of your data, but they're very separate in this. And a lot of times your data sits on particular resources or is computed by particular resources. So I wish there was a little bit better synergy there and guidance about how to track that, because that's very difficult for a lot of organizations, to map out their data flows and make sure that they are classifying and protecting those resources appropriately. You know there's some really great guidance here that's recently coming out for cloud and how to move to cloud, but it doesn't talk about maintaining a hybrid infrastructure. And I think that's a position that a lot of companies will be in for a very long time.
And just from personal experience, it's very easy to get that wrong. I've responded to a lot of events in the past where there was a gap between how they trusted their on-prem resources to their cloud, how the identities actually authenticated and transitioned data. That's where a lot of people get into trouble, so I really wish there was a little bit more technical guidance there.


Chris: One of the ones that I'm wondering about, and we've seen this different ways in different types of regulations and policies and regulatory frameworks over the years, is there going to be an adequate level of guidance to truly get companies there? So if I look back, when I started my career, I was working for a nonprofit agency and HIPAA just came out not too long after that, you know, it was very vague. It said oh hey, you need to secure things like providing strong passwords. Okay, what is a strong password? Are there going to be adequate definitions to these things? A more recent example, GDPR, for those of you who have had to deal with GDPR in depth, Article 32 talks about making sure that you've implemented the appropriate technical and organizational measures to ensure the level of security appropriate to the risk, basically, that has been taken. So some of these things can be open for interpretation. Are there going to be clear enough definitions of how somebody should be identifying users within your environment and securing them? Is there going to be enough information about what meets a good kind of cyber-device hygiene level within your organization? That I think is one of the things: has this gotten to enough depth as companies are actually implementing all of these areas? Or are they going to reach these kind of gaps where, to Daniel's point around things like pen testing or those types of internal assessments, is there good enough information to help an organization figure out from there what actions should we be taking and in what time frames, and how does that level of detail help organizations on each of their journeys?


Adrian: All right Daniel, let me ask you what's next, what do you think we may or may not see from the US government in the near future, as it relates to Zero Trust?


Daniel: That's a good question. I think we're still kind of in a holding pattern at the moment. We need to wait to see what happens after the public comment period passes, those comments are incorporated, and see the final revision of these documents. However, once the period is over, we'll start seeing these concrete plans being released and hopefully the adoption of Zero Trust really ramp up, and obviously this starts in the federal space. But it starts moving very quickly to government contractors and then their vendors and then their vendors. So this is something that we'll see start as a government initiative and move out across the public sector from there.


Adrian: All right. Well, we're winding down gents, so I'm going to toss it over to you for final parting thoughts. Chris, anything we didn't hit upon that you want to leave listeners with as a takeaway today?


Chris: Yeah, so a lot of what makes up Zero Trust isn't net new concepts. A lot of these things have existed already in pockets within many different security frameworks. I think the biggest thing as companies are looking to the future of this and starting to implement these is, again, it's going to be a journey. You may have parts of this already done, so that kind of initial self-assessment and figuring out where you are on each part of this guidance is going to be very important. And then moving forward, making sure that you keep in mind the experience. One thing that I've seen with a lot of technologies that try to do a level of access enforcement like this, you know NAC is a very good example. It met with a very strong barrier in the market because of user adoption, you have to make sure you've provided a good, efficient experience, so your employees can continue to get their work done. If you hit that barrier, that's going to be one of the strongest barriers to getting a fast adoption on this. If people can't get work done, if they can't get access when they need it, that's going to be a challenge. That is one of the most important parts, I think, of the Zero Trust strategy, the fact that it takes into account that you need to make sure the devices you're managing are known and that they're meeting good security baselines. You need to know who your users are, what they should have access to, and even understanding a little bit of when and how they should be accessing it. If you've done a lot of those things well, then the access part of it becomes much more simple. On first request, you should be able to grant access because your devices are well-managed, your users are well understood. If those things aren't done, that access request can be very difficult and it's going to delay the user's access to be able to get what they need and get their job done.
So that would be the top thing that I think Zero Trust execution is going to be reminded on, is that experience.


Adrian: Nice takeaway there, thank you Chris. All right Daniel, take us home, final parting pearl of wisdom on your end.


Daniel: More than a pearl of wisdom, I kind of just want to point out something that had me a bit excited when I saw the OMB strategy, which actually says that the government has to support phishing-resistant MFA for public users, for us, the constituents of their resources. And I think that's very exciting and a really clear direction for other people to follow suit, so very excited to see that.


Adrian: And certainly so much to do around this, so much more to come. Guys, really appreciate you sharing your thoughts today. Everyone, thanks for joining us today. For Chris, for Daniel, I'm Adrian, and as we say, be safe, stay secure and keep smiling. We'll see you next time.