ZERO Trust @ RSA 2019
A few certainties surround the RSA Cybersecurity Conference this week: attendance will increase over last year, new exhibitor booths will expand, and hotel rates in San Francisco will reach unconscionable levels.
The cyber industries must attend show includes sessions around the The Zero Trust Model. One of the presenters will be Dr. Chase Cunningham, a Principal Analyst at Forrester Research. His expertise guides client initiatives related to security operations center (SOC) planning and optimization, counter-threat operations, encryption, network security, and Zero Trust concepts and implementation. Aside from numerous industry roles, Chase is a retired U.S. Navy chief with 19 years’ experience in cyberforensic and cyberanalytic operations. He has past operations experience within the NSA, CIA, FBI, and other government agencies. I had an opportunity to interview Chase and get a professional’s perspective on Zero Trust.
My layman’s understanding of Zero Trust implies the defacto standard is to “deny all and suspect everyone and everything”. This includes people, sensors, applications and data. One rational for the Zero Trust Model is that the network perimeter is nonexistent in today’s remote mobile access and Cloud environments. Zero Trust asks, “Who are you?” and “What do you want”? – essentially, why should you be granted access. It also asks these questions repeatedly, as opposed to Virtual Private Networks (VPN’s) that authenticate your identity once, and then opens the network doors to other connected devices. VPN’s work very well in a closed environment, but that is a far cry from remote access and the various Cloud architectures industry is rapidly deploying today. Also, traditional network security practice tends to play into an adversary’s hands when it comes to lateral movement and data extraction. In a Zero Trust Model no device can access multiple networked resources, so an attacker’s lateral movement to other platforms like servers, routers, video cameras, etc. is eliminated, and this fact improves security by reducing business risk.
1. How did the Zero Trust Model evolve?
The origin of Zero Trust came from the mind of former Forrester Analyst, John Kindervag (now Field CTO at Palo Alto Networks). His concept of Zero Trust recognized that networks were inherently flawed and set up for failure and exploitation. John had the vision to recognize that the implied trust that organizations had built into connected systems was the main reason that collectively we kept (and continue) to fail at cyber security. He pioneered the concept of micro-segmentation and was the leading voice making the industry aware of the failure point that implied trust introduced into systems.
- Micro-segmentation reduces the number of users and devices on a given network segment, thereby reducing potential damage.
2. Why is the Zero Trust Model critical to the future of cybersecurity?
We have spent the last 30 years cobbling together infrastructure based on the human concept of implied trust, aka "you have access via some method and therefore I trust you" and "this network is internal to a highly walled perimeter and therefore anything internal can be trusted to connect." This is a fail point for our future, as the house of cards that is built on trust is easy to topple over.
3. How do you explain the Zero Trust Model in layman's terms, given the fact that board members and SME owners may not be Zero Trust literate.
No default configurations, multi factor authentication everywhere, and segmentation of components on a granular level. Simplicity is key to doing security right. The wordier one gets with describing the approach the more that gets lost in translation.
4. What companies do you feel are best positioned to execute the Zero Trust Model?
In truth, any of them. It's not about the technology, it's about how you use it.I know you can build Zero Trust with little cost, I have done it. In reality, all of the vendors at RSA can enable Zero Trust, but the ownership on deploying Zero Trust is on the organization that is engaged in this practice strategically.
5. How has the acceptance level of the general industry been over the last few years? Are there specific verticals that are more actively engaging the Zero Trust Model?
Ever since we focused a bit more on the pragmatic approach to getting to Zero Trust it has been moving pretty fast. So far, the verticals that are most motivated for Zero Trust seem to be the federal space and in midsize enterprises where they have a dedicated CISO. I would suggest that most large enterprises are able to engage their own version of this strategy and are pretty far down their own rabbit hole on their particular versions of ZT.
6. What do you see as the future of the Zero Trust Model moving forward?
Personally, I think it's along this method that we are employing for designing Zero Trust systems using virtual tools. I call the methodology DART (Design, Adapt, Revise, Transition). And I think that by employing this method and applying it to the ZTX framework allows an organization to interactively grow into a Zero Trust infrastructure.
Zero Trust makes all the sense in the world given the realities of our working environments, and the fact that cyber breaches continue unabated year after year. If history is any indicator, then what we are currently doing security posture wise, needs an overdue overhaul. The Zero Trust Model looks like the answer.