Join us today on CyberSound for an informative episode with the team on what zero trust is and building a strategy to fit it into your plan.
Zero Trust: What is it & How Can I Utilize it?
Listen to this episode on
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.Jason Pufahl 00:13
Welcome to CyberSound. I’m your host, Jason Pufahl, joined today by Matt Fusaro and Steve Maresca. Hey, guys.Matt Fusaro 00:19
Steven Maresca 00:20
Jason Pufahl 00:21
So I don’t know that this topic needs tremendous introduction, I think if we just say we’re going to talk about zero trust. It’s a buzzword that I think everybody, certainly everybody’s hearing in the cybersecurity space today, right? I mean, it is, it’s akin to AI. Really, right. And similar to AI, I think there’s a lot of people who say, well, what is zero trust? You know, what does it actually mean? Why do I need to be doing it? You know, why? Why are we even talking about it? So, I mean, I think the first thing we have to do is simply try and define a little bit what zero trust is to anchor it for people, so they can start to determine what their path forward might be.
Matt Fusaro 01:04
Yeah, I think it’s important to also recognize that zero trust isn’t necessarily a product you can buy, right? It’s almost just a feature of a solution, right? Zero trust is a new security architecture. And new I mean, this was really around 5 to 10 years ago, right? Hasn’t really caught up. Products didn’t really catch up to it until recently, right? Where we have the ability to do all these identity and context aware things now. And that’s why you’re hearing the buzzword all of a sudden, we have the ability to do it now.
Steven Maresca 01:37
And, you know, to address the elephant in the room, people are thinking about it, because people work from home for two years. You know, they had many incidents caused by loosening, you know, network access, and things of that sort. That’s the type of thing that zero trust, as an architecture at least, has historically been described to address.
Matt Fusaro 01:56
Right. So Zero Trust Network Access is what is driving the conversation right now, ZTNA, you’ll probably see that in a lot of marketing material as well.
Jason Pufahl 02:06
And so what does that mean?
Matt Fusaro 02:10
Right, so you’re putting three different things together, usually, when you’re talking about network access, you want to know identity, right? We know, we want to make sure that you are the person you say you are when you’re connecting to a network, whether it’s inside the network or outside of the network, right? Next, you want some context, where are you coming from? What devices are you coming from? You know, should you be allowed to access these applications, this data, etc, whatever the scenario is, right? And then you’ll want to do some type of posture checking, right? Is this device safe? So things like making sure certain software is installed such as endpoint security, OS patches maybe, there’s quite a big list, right? It really depends on the vendor solution, or what you want to evaluate before a person actually comes into a network and interacts with data or applications.
Steven Maresca 03:05
Yeah, and the truth is that, you know, many organizations have shifted to this hybrid environment where they have some on prem resources, they have some cloud resources, the very notion of inside the network or outside the network is far squishier than it used to be, it’s uncertain.
Matt Fusaro 03:22
Yeah, we talk about it all the time how identity has become the firewall, right? You no longer have a boundary anymore. And this is an attempt to solve that problem by using those three things I just talked about to identify if that person should be accessing what they’re accessing.
Jason Pufahl 03:39
So the models, right, I think you see, you certainly seize Bender products, from the network base, no doubt. And I’d say you see applications, suggesting that there is zero trust application. And say naively, as we’ve moved to more of a sort of hybrid environment and where people really aren’t in the office, how do you deploy some of those network, those network zero trust capabilities? Do they require that traditional VPN? Are there other creative ways that these are being addressed?
Steven Maresca 04:12
I think it’s my opinion that the more network biased, zero trust solutions are built for organizations that are still broadly on prem. Because they are in a transitionary phase between, you know, local offices, where they have a boatload of users, a lot of devices and their key data, and a shift to a far more fluid cloud provider SAS type of environment. So if you’re an organization that meets that type of description, you might be interested in a zero trust networking type of model.
Matt Fusaro 04:46
Yeah. And, you know, on the other side of that, too, is organizations that have moved to the cloud, they want to make sure that the way you’re accessing those things isn’t on, you know, the Wi-Fi at Starbucks, right? They want to make sure that you’re, if you’re on that network that you have a secure tunnel to do to access those things, encrypt your traffic. So that if there is things in plain text for some reason or session information, that stuff is protected from the endpoint all the way to the application.
Steven Maresca 05:16
Common challenges in that environment; at least things that I encountered regularly include provisioning software from, you know, a traditional model where endpoints contact an on prem server that’s behind a firewall, not accessible to the world, to the other model where they’re roaming in the cafe, at home. You know, that’s a huge hurdle for some organizations.
Matt Fusaro 05:40
Yeah, I think identifying what groups of people should be accessing things becomes more difficult, right? That’s always been a challenge for all organizations, but it’s at the core of this type of deployment. So you have to have a really good idea of who should have access to what and under what circumstances now as well, right? That’s that context and device posture policy that you’re going to have to deploy in order for this to be effective. So it’s a lot of discovering, what types of policies should I be adhering to at an organizational level, and then from a security level, etc, it’s going to be a decent amount of work to get to where you want to be.
Jason Pufahl 06:18
But in large part, a lot of these solutions do require, on the network side, either tunneling back to a central location for policy management, or maybe being physically present in a central location. If you’re doing a network based zero trust solution, ultimately, you have to apply a policy somewhere. So you’re gonna you’re gonna move traffic somehow to a central location. Is that a fair assumption?
Matt Fusaro 06:39
Yeah, that’s kind of the allure of a lot of these solutions is that they dynamically set up these tunnels for you, right, so application A, application B, they each have their own tunnels, their own sessions, that they go through a central point, or, you know, I believe the technical term for it is a trust broker that manages the connections and manages saying, who can do what, but all that is kind of abstracted away from the administrators and the users so that they can just access applications in a secure manner.
Jason Pufahl 07:09
Right, okay, so how about maybe the flip side, which is, we’re going to move away from that network based model, and maybe try to deploy technologies that protect local resources, a workstation for an individual, right? Because there’s definitely software out there that would say, we’re going to whitelist applications, deny everything by default, do a whole variety of application based controls, and I think that oftentimes they’ll call themselves sort of zero trust solutions. Is that a model that is legitimate that some companies might need to look at?
Matt Fusaro 07:46
Yeah, I think it’s totally fair to say that you’re zero trust at that point, that’s part of the model, right, always assuming compromised, and always assuming that you shouldn’t have access to it, until someone says you should, right.
Steven Maresca 08:00
I think the distinction is that the historical model applied security policy at the edges, at the boundaries, zero trust is setting policy at some central location, likely cloud accessible, and then applying as close as utterly possible to where that data is used, or the endpoint is actually executing. That’s the key distinction. I think that it means a lot when talking about oval out listing applications, for example, because it’s a scenario where it comes down to the actual running of a tool. Whereas, you know, in a different environment, it might be more applied with, you know, who is allowed to install the application, or what applications are permitted to be installed to different model entirely.
Matt Fusaro 08:46
Yeah, this whole model helps from an attack standpoint, and that you can’t just abuse an identity so easily anymore, right? You have to be in the right place, accessing the right applications, sometimes at the right times, etc. So all that put together is now granting you access or denying you access instead of well, I’m this user, and it might be a compromised user, at that point, I can get access to whatever data that person had access to. Now, that’s not true anymore, right, so it makes it more difficult for an attacker.
Jason Pufahl 09:19
It, I think, Steve, you made a good point at the beginning, which is, why is there so much discussion about this? And certainly, I think the last couple of years have had a big effect on that, right, that transition of people out of the office. Because the concept isn’t that new, you know, without a doubt, the idea of zero trust or whitelisting things that are permissible, you know, sort of restricting or blacklisting everything else, has been around for a long time, but it’s really difficult to pull back from your users access that they’re used to having. And I think that’s one of the challenges for implementation. You know, telling people well, yeah, you used to be able to do this but now you can’t and their workflows, there’s your general sort of business practices don’t necessarily support that that well, you know, they’re not easy to do, and it positions, a lot of times your security professionals or your IT folks, as kind of the bad guys implementing these.
Steven Maresca 10:15
It’s interesting in some respects, because I think it does, to your point, and in a broader sense, it turns it on its head. For organizations that are not necessarily, they don’t have a heavy capital flow at the moment, their revenues are down. They’re at their next harbor refresh cycle, potentially. 2020 till now, certainly emphasize personally owned devices. That was the case prior to 2020 for newer organizations that aren’t, you know, necessarily flush and building out hundreds of workstations. That I think, is part of this. It enables zero trust and related architectural decisions enable leaner operation to some degree, because your users can bring whatever they prefer, your users can bring whatever they can afford. And as long as they have internet connection, they’re able to function, that that’s the appeal. There are plenty of our customers that are coping a lot with office space constraints. Leases are higher, landlords are imposing higher restrictions, physical management of people, just in that raw sense, it is something that is also a major driver. And if you don’t have to pay for the endpoint hardware anymore, yeah, you’re saving money in general, but it causes a shift in the way the policy is applied because it means that, you know, it’s not owned.
Jason Pufahl 11:47
Well, but I want to be careful. So it’s not just bring your own device and everything secure. It’s bring your own device that then perhaps has software in it or policy applied so that you can validate that it’s secure.
Steven Maresca 11:59
It’s just it’s a shift towards imposing agents, imposing posture checks. Because if you can’t do those things, then that device is not allowed to access.
Jason Pufahl 12:11
And you know, so you can easily turn this into a benefit to employees, because there are frankly, there’s a lot of people who say, I’ve already got a laptop, I’m content to use that, can you just let me use this, so I don’t have to carry multiple of these things around or try to separate as much as we do. Like, you know, some of these things are real benefits to people being able to have fewer devices, in some cases, if you can validate, of course that the device is secured and you know, and their teenager isn’t running, you know, Steam, or who knows what else on these things.
Matt Fusaro 12:40
You would only ever in the past have one chance to determine if that laptop is good or not. Is it configured properly? Does it have endpoint security on it? And then you send them on their way. Now you can continuously evaluate, at access time at every axis that those things are in place.
Jason Pufahl 13:02
Any reason that people shouldn’t be thinking about zero trust? There’s certainly plenty of chatter about it, and it seems reasonable.
Matt Fusaro 13:10
I’d say if you don’t have a good handle on, you know, who should be accessing what, you don’t have a good inventory on your applications and access restrictions, policies, etc. That stuff has to be in place before you can even move into a zero trust type of architecture. Otherwise, you’ll have the technology in there, you just won’t know what to do with it.
Jason Pufahl 13:31
So actually, I got a comment about that, which is a lot of the products that you see will suggest that you run them in what they’ll call a learning mode, for some period of time to try to try to address exactly what you just described, which is, hey, we don’t know anything about what people are running, run these things open, but in learning mode for a few weeks or a month, or whatever it is, get your inventory. And then once you think you’re reasonably comfortable with that, lock it all down and deal with a few problems that come out of it. I mean, that’s a model a lot of these folks recommend.
Steven Maresca 13:59
It is, and there’s nothing wrong with approaching it that way, right, there’s another potentially alternative model, or more complementary model, I suppose. We would just data centric, if businesses are in a regulated environment, they know that they have to meet minimum protection guarantees for consumer data, for private information, things of that variety. If a company can build a robust data inventory to understand whether their truly sensitive information resides and the users that need to interact with it when, this is a much easier conversation. Because rather than, I don’t know who said it a moment ago, lock it all down. You don’t have to lock it all down if somebody doesn’t have the data. It makes it a far more pleasant user experience for, you know, the end users that don’t require that type of robust security and potentially cheaper from a licensing standpoint overall.
Jason Pufahl 14:57
So it might be an interesting conversation if we went down the path of how many people actually have a robust data inventory?
Steven Maresca 15:04
Jason Pufahl 15:05
And that’s the challenge, right?
Steven Maresca 15:06
But that’s okay.
Matt Fusaro 15:07
But that’s the trade off. If you don’t have it, then you’re probably going to be restricting people that,
Steven Maresca 15:12
Or, understand that it might be more expensive upfront, but you can reduce cost by gaining that visibility over time.
Jason Pufahl 15:20
And that’s why everybody builds on that idea of that learning opportunity in there, right, because frankly, all of the vendors know that it is a percent of businesses out there that really understand where their data is, or what it is, rather than regulated or not, right it’s just a reality.
Matt Fusaro 15:36
Yeah, even with the learning capabilities of a lot of those things, one thing that I personally don’t think you’ll ever get any benefit on is the identity piece, right? If you have a poorly constructed identity system, or you’re sharing accounts, it’s gonna be really tough to implement something like this. From a zero trust of applications, that’s fine. But when you’re talking about things that require identity to be part of the solution, then you’re gonna have to get that correct first.
Jason Pufahl 16:08
Yeah, that’s totally reasonable. Is there, I mean, I feel like we talked about, you know, so the network, I guess, the network space for zero trust, you know, probably that application space for zero trust. There’s a lot of vendors out there. There’s a lot of approaches, really, so explore the space, based on the way that your business is constructed today, the way your employees are coming to the office or not, right, there’s a variety of ways that you can look at this. Man, I feel like we all recommend, though, that people do explore products in the space and the viability of their business move in that direction, right. Because it’s difficult, it’s really difficult to protect people in our traditional sort of network fashion, things are absolutely moving and shifting, and people need to pay attention to that.
Steven Maresca 16:19
I think just in passing thought, for me, the key foundational technologies that are critical, if like, if you don’t have these in place, you’re not ready for zero trust, you need multi-factor authentication, you need some sort of client provisioning and deprovisioning that’s cloud based, or at least cloud capable. You need identity federation, that takes a lot of different forms. But it means synchronizing your identities in an externally usable way from potentially on prem to Azure to Google to third party services so that you can work with cloud apps,
Matt Fusaro 17:36
And make sure the third parties that you’re working with actually support this too. There’s still third parties out there that won’t authenticate against your directories. Look elsewhere, in my opinion.
Steven Maresca 17:48
I’m mentioning these at this point, just because zero trust is a great target for organizational trajectory. But if you’re not at those earlier parts, if you don’t have those technologies in place, you’re just not ready to to move toward that direction yet, and it needs to be part of the strategy.
Jason Pufahl 18:04
I feel like you could overview that me that would that was the goal of this you know just define with zero trust is a little bit I think tried to take a little bit of that confusion away from the space or maybe educate a bit. What options are, that are out there. Certainly, we recommend people looking at it. And as always, you know, if people want to have a more in-depth discussion about the nuance that is zero trust, we’re happy to have that, reach out to us at Vancord on LinkedIn, we can continue the conversation from there. As always, we hope you got some value out of this, got you thinking a little bit and we appreciate you listening.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.