For some, the definition of zero trust has expanded from how we grant access to networks, applications, and data to how we trust individuals in the real world. Are we taking zero trust too far?
Check out this post for the discussions that are the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Thomas Doughty, CISO, Prudential Financial.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, NetFoundry
[David Spark] For some, the definition of zero trust has expanded from how we grant access to networks, applications, and data to how we trust individuals in the real world. Are we taking zero trust too far?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series and joining me for this very episode is Geoff Belknap, also known as the CISO of LinkedIn. Geoff, your voice often sounds like?
[Geoff Belknap] This is my voice, and this is what I sound like. Good morning, David.
[David Spark] And your voice is your password, correct?
[Geoff Belknap] Please verify me.
[David Spark] You know what? Many people, I think, are taking that little sound clip and then trying to log into services that you have, Geoff.
[Geoff Belknap] I encourage the creativity and resourcefulness but also wonder – who’s using voice authentication for logins? That’s a very Sneakers, 1984 approach.
[David Spark] Well, usually it’s a second factor, I believe.
[Geoff Belknap] Ah. Well, I again, encourage you. And please, if you log into my email, could you respond to some of them? That would be really helpful.
[David Spark] [Laughter] Our sponsor for today’s episode is NetFoundry – build zero trust between applications. So, since we’re going to be talking about zero trust, they have more zero-trust work that they’re doing or work that’s built on zero-trust elements, but it’s application-to-application communications. And we’re not going to be talking about that specifically on this, but they will later in the show. So, first, how are we defining zero trust in terms of people and machines? Dan Lohrmann, field CISO at Presidio, questioned the pushing of the term “zero trust” to the people we actually hire. Is it taking the term too far? To build an effective cybersecurity program, where do we have to trust and where do we have to implement zero-trust principles? Geoff, set us up.
[Geoff Belknap] I think this is a great post. I think Dan sets us up well to have a great conversation about what exactly does zero trust mean and where have we taken it too far. I think – spoiler alert – we have taken it a bit too far and it’s probably time to get back to the basics about this. And our guest is the perfect person to have this conversation with.
[David Spark] Very thrilled to have him on. We’ve talked to him before; we’re going to talk to him again. He is the CISO over at Prudential Financial, Thomas Doughty. Tom, thank you so much for joining us.
[Thomas Doughty] Thanks for having me.
What’s going on?
[David Spark] Ken Morris at KnectIQ said, “While ‘zero trust’ has become a term of art for digital environments, the colloquial understanding of trust is vital to efficiently operating relationships, be they human or marketplace.” And Vlad K. of SixThirty CYBER said, “It is about continuous assessment of a specific state, and then making a specific decision based on the context, and it can be applied in digital or human space.” So, there is a human element to zero trust because we kind of do this in our real life. Where does zero trust make sense in human life and where does it not make sense? Geoff?
[Geoff Belknap] I think trust makes a lot of sense in the things that we do. Not granting trust by default to systems is definitely the right way to go. I do think to a certain extent you have to extend a minimal amount of trust to humans that you have just met and certainly that you’re working with, you have to build up that trust. So, I think it might be a bit overboard to immediately approach every human relationship or coworker relationship with this thinking of like, “Well, even though I just met Thomas in the Green Room here before this, I’m going to completely distrust everything he says in this show.” I don’t think that would be super productive. But when we’re talking about connecting systems, that does seem like a relatively smart way to go because we are not dealing with that person as an in-person thing. You are making a judgment about whether you should grant access to that system or that person’s connection at the moment, every moment. And I think that’s where we have to really sort of draw the line, whether we’re talking about people or whether we’re talking about computers.
[David Spark] Tom, your take on this sort of… This term “zero trust” has kind of turned into a misnomer because trust has to exist at some point at some time, correct?
[Thomas Doughty] It has to exist at some point and some time, but it has gone too far in terms of looking for a buzz phrase and calling it “zero trust.” So, I think that’s correct, the line Geoff is going down, that you want to implicitly start from a safe place, but it’s not about zero trust as an objective. It’s about what you trust and why and defining that residual. It’s about understanding conditional access, which is a term I prefer over zero trust, and what are your conditions, what are your objectives, what are you protecting, why, where do you want to be, and how do you get there.
[David Spark] Conditional access because that is what zero trust is saying. It’s based on the conditions that I see here at this given time, am I allowing this person in? And honestly, haven’t we been doing this for a long time prior to the term “zero trust”?
[Geoff Belknap] Yeah, look, we’ve been calling things “least privilege” for ages, which is a big part of zero trust. We have been explicitly verifying whether someone has access when they grant it, that’s not new. And we’ve sort of, I think over the last five or so years, we’ve been verifying and assuming that there might be a breach here and understanding what would granting them access mean. The difference here, and I think Tom’s perfectly framing this, is conditional access is we’re going, “What else can we base this decision on?” Not just username and password, but what are the other factors we can base the grant of this access on. And that’s great, it’s a perfect sort of evolution of where we started.
[Thomas Doughty] I think that’s right and I think that what helps us get there and what allows us now to evolve from, for instance, absolutely we’ve been doing things like least privilege for as long as we’ve been doing this, but we have much more flexibility, we have better tools in the shed, so to speak, to define and then also act upon those conditions we want. So, we can do things like conditionally separate what we make of identity stores and secrets management platforms and decouple them from device dependencies. The trick there is it’s not just as simple as chasing those tools, it’s how does your application stack, your user behavior, your business flows fit into those toolsets, it’s not just a buy and deploy.
What is everyone complaining about?
[David Spark] Joe Pride of NextEra Energy said, “The heart of security is people. The goal of zero trust is to add a layer of security around machines, not to enable hiring zero-trustworthy people.” Good point. And Alan Shark of CompTIA said, “Yes, we must differentiate between ones and zeros and humans. In the past, I have worked in ‘no-trust’ environments, and they are neither fun nor productive.” Tom, have you by the way worked in a zero-trust environment with actual humans? Has that ever happened?
[Thomas Doughty] When I find one that’s actually zero trust, I’d say yes. Let’s put it this way – there are absolutely situations and people that you enter, and you don’t have very much trust in so the idea of zero-trustworthy people, let’s not drive and build our strategy around that. But if we look at the question of who’s complaining – other than saying me, I’m always complaining about everything, it’s what I’m here for as a cybersecurity pessimist, of course – I think that our user base is complaining based upon our present state and with good reason.
Why do I say that? It’s because we really haven’t finished, I think, as a community doing those things that I refer to as connective tissue, maybe even at the application or experience level, to take advantage of conditional access and being able to differentiate between levels of trust in a way that’s more transparent to the end user. So, if end users are working within applications and interfaces, particularly in larger enterprises that have a legacy footprint that are technically debt-ridden, but we’re trying to get them to a mobile-enabled, cloud-enabled, at-modernization state that isn’t quite done yet, they have a foot in each camp. And that’s a less than optimal user experience that we will work through, but we have a ways to go, I think, until they have a foot solidly in the conditional access camp and, by the way, don’t even know it, which is going to be the real end state we’re at.
[Geoff Belknap] I don’t think that’s wrong. In fact, I think that’s definitely a big contributing factor to why people are feeling friction here. I think the other thing that I lean on, probably more so than that line of thinking, is there’s this interesting thing that happens when we talk about cyber and cybersecurity. We always try to draw an analog between some kinetic thing like cyber warfare and talk about cyber in the context of military action or something like that. And it rarely works because you can’t really apply kinetic analogs to the cyber domain. But I think this is one of those rare cases where we have seen a lot of value talking about zero trust in this cyber information security space, and now we have people going the opposite way trying to pull this into the physical world. It doesn’t work. You can’t operate with humans in a society without trust. We are social animals, that has to exist. So, I think this is one of those cases where we might have taken it a little bit too far and saw a little bit too much success and tried to apply it to everything. And I think the point Tom and I are both trying to make is that’s not realistic, although I like the optimism and I like the energy here, but we have to find things that work well in each of the spaces that we operate.
[David Spark] I want to go to this one comment that Joe Pride made saying we’re not trying to enable hiring zero-trustworthy people. Not mentioned, really, in Dan’s comment. But Tom, are there techniques you use to determine whether you can trust a person you’re hiring?
[Thomas Doughty] To the point of the question, obviously, that’s not a machine-based question or one that lends itself adequately to a technical analysis sometimes. Certainly, you can put people in situational conversations and see where they would go with defining outcomes and I think that’s a really important way to look at it. In order to achieve outcomes such as how do you achieve conditional access with so many more, you want people who are objective and outcome-oriented and not task-oriented. So, you can try to feel that out. I was able to have the opportunity the other night to have an audience with the great screenwriter Aaron Sorkin and he talked about this a little bit. He was defining for us what constitutes drama, what’s his formula for writing successful drama. And we all have drama in our technical lives and in our nontechnical lives and figuring out where an appropriate degree of trust might define itself as drama, right? His formula – and Aaron, if you’re listening, I certainly hope you are, my apologies if I don’t get this precisely right – but…
[David Spark] He listens to all of our cybersecurity podcasts.
[Geoff Belknap] You should see the comments he leaves on the podcasts.
[Thomas Doughty] But his formula of drama equals the intersection of intention and obstacle. So, good characters, good drama, you have an intention, you have an end state, and you have impediments to getting you there, and how does the character overcome them to achieve the end state. I think putting people in theoretical situations, and then once you get to know them maybe some growing in magnitude real situations to see how are they going to meet the intent and overcome obstacles for the sake of the organizational goals, not the individual goals. Not a perfect technique but it’s one that’s really interesting to try.
[Geoff Belknap] I think it’s also important that we as CISOs spend more time fast-talking in loops around mock White House sets. I feel like that would be the right way for us to balance that drama as well.
Sponsor – NetFoundry
[Galeal Zino] The greatest vulnerability for CISOs and security professionals is actually not found on any CVE list. The greatest vulnerability is the network.
[Steve Prentice] This is Galeal Zino, founder and CEO of NetFoundry. His message is that in a digitally transformed, hyperconnected world, bolted-on security is no longer good enough.
[Galeal Zino] When you remove the LAN and you remove this kind of bolted-on infrastructure paradigm, you take the infrastructure or the hardware, the proprietary systems. When you take that out of the equation, you enable the builders, and you enable the operators. A developer using a NetFoundry SDK based on our open source Ziti software can embed zero-trust networking into the process space of their application. So, if you are a large SaaS or ISV provider and you want to provide applications to businesses across the planet, no longer do you need to rely on the security of their WAN or the security of their internet. No longer do you need to offer private networking connectivity options. Instead, with literally a few lines of code, you can build secure networking, zero-trust networking into your application such that wherever it goes, across any network, any cloud, it’s natively secure. That’s the other game-changer of NetFoundry and the open source Ziti software.
[Steve Prentice] For more information, visit netfoundry.io.
What are they looking for?
[David Spark] Kristen Bianchi of Threatrix said, “It isn’t about trusting the individual. It’s about accepting that human error is the number one cause of all cyber attacks. We should trust this statistic and respond accordingly. Trust is an emotional state, not just an expectation of behavior.” So, this kind of goes to what you said, Tom. It’s not sort of a ones and zeros decision being made. Kristen goes on to say, “Emotions need to be taken out of the decision-making process to protect our companies.” Geoff, I will throw this to you first. Yeah, there’s a lot of emotion around trust and you can’t let that get in the way, can you?
[Geoff Belknap] You can’t. This is a great example of where, with humans, the emotion and sort of the social aspect of your relationship with a human always gets in the way of that trust decision. And the beautiful thing about computers is that there’s rarely any emotion or the emotion is very angry at this computer right now for it doing exactly what I told it to but not being the outcome I wanted. You can usually remove the emotion from a calculated conditional access or authorization decision, but you can’t remove it from humans. And Kristen’s got a great point. We have to take that into consideration when we work with our coworkers and our colleagues that are just trying to get work done. And it’s a really important thing to keep in mind but it’s also important to keep in mind that people will make the wrong decision or frequently make a decision that they didn’t realize was wrong at the time when emotion is brought into it. And we had another podcast where we talked about how to scam people and how to do social engineering and almost every one of those scenarios where you’re going to be successful, you are triggering an emotional response in your subject to get the answer you, the scammer or hacker, wanted out of that person.
[David Spark] We’ve also found that phishing emails that very much target emotions do extraordinarily well.
[Geoff Belknap] Absolutely.
[David Spark] Tom, how do you sort of control the emotion in a trust-making decision?
[Thomas Doughty] I think part of the objective is to confront that, confront that issue of emotion, without confronting the person, but you’ve got to smoke it out ahead of time. So, even if we’re trying to think about implementation of conditional access frameworks and residuals, in our environment anyway, you can really readily tie that to what’s already important between the ears of a business stakeholder or a P&L holder, etc. So, you can make it really easy for them so that they don’t even notice, but you might be increasing the likelihood of a very emotional event for them later on, and not just maximizing the idea of on that micro-conversation up front, there’s emotion involved in, “Why do I see these identity management steps?” So, to a degree, emotion is reality. I think Geoff’s right, it’s there, you cannot make a decision without acknowledging it and it’s probably better to proactively acknowledge it and proceed down an exploratory path and go, “What’s going to generate emotion?” Not only during the decision-making process, but in terms of the results of that decision, as opposed to, “Let’s make an easy decision that no one’s getting emotional about now and wait.”
[Geoff Belknap] I think this is a great point because this is also a really important thing for security teams to pay attention to, not just in the zero-trust domain. But in the space of anytime you’re implementing a control, think about how this is emotionally going to make the end users, the people that are faced with this control, feel. And how are they going to make decisions that you would want them to make or not make based on how this control works, right? It’s the old saying of user experience matters far more than people pay attention to and it’s all about this response, it’s this emotional response. It’s a great point, Tom.
[Thomas Doughty] I think it’s worth adding that if you’re thinking about zero trust and its implementation and you’re not thinking about it as an integral part of the workforce strategy and workforce implementation, then it’s too granular a view.
Where are we falling short?
[David Spark] Alexander Mulnick of Truist said, “Zero trust is being taken too far and too literally. IT practitioners tend to have an all-or-nothing approach, but that’s really not practical nor cost-effective.” And Rich Lindberg, CISO over at JAMS said, “Trust is not binary,” like what you were saying, Tom, “We constantly crave a single magical answer to our problems. It is only natural, but it isn’t realistic, as much as we want it to be. Business and technical risk are a sliding scale. Zero trust, like so many ‘solutions’, is not a silver bullet to manage a business.” And lastly, Robert Hodges of Global Learning Systems said, “It is our nature to want a silver bullet fix,” just like what Rich said, “And anytime we find something new that ‘works’ to any extent, humanity tends to immediately assume it will cure all that ails you.” So, Tom, Geoff, I’m going to say to both of you – we would love a silver bullet fix, but we know that’s not going to happen. And I would say when a vendor comes to you with a silver bullet fix, I’m sure your warning lights go off. Yes, Geoff?
[Geoff Belknap] Oh, absolutely. I think we all have a very busy job, there’s a lot going on. We all would really like to be tactically lazy and strategically clever. But the reality is there are very few solutions that allow us to just go, “Okay. This is the one thing I’m doing and I’m doing it this way for everything that is a problem that looks this way.” And the reality is there’s a reason our job is hard and it’s because we can’t always take the easy way out and we have to apply different solutions, even when the problems look similar. Like in this case, like Andrew is saying, you can’t apply zero trust to everything, different things require different controls.
[Thomas Doughty] Yeah. And I would say that zero trust, or let me catch myself and say conditional access, is not an implementation question or a tool question, it’s an architecture question. So, I think where we fall short, and I think it falls in a consistent way with the things you’re talking about, where we as a community might be falling short is that it’s looked at in some cases as, “I need a zero-trust implementation.” And if you think that way, it becomes a veneer in many cases over a technically debt-ridden legacy infrastructure or app structure, so it doesn’t really work at that point. If it’s looked at end to end as part of an architectural journey, then those tools become enablers but they’re not destinations.
[David Spark] And correct me if I’m wrong here – isn’t any tool out there that is somehow involved in the identification process, whether it’s identifying machines or identifying people, can be a tool that’s used in the zero-trust architecture. Yes, Tom?
[Thomas Doughty] I don’t know about any tool, but the interesting part is there are a lot of tools out there in terms of it and I think that secrets management is a great example or identity stores as examples. And if you really decouple them from each other, they’re not even necessarily marketed, and that’s a good thing, as “zero-trust solutions.” So, it’s a long way of saying yes, I agree with your statement. It’s about how you weave them together, that mosaic of technical opportunities.
[David Spark] Right. And that’s the architecture.
[Thomas Doughty] Right.
[David Spark] Geoff, I’m sure you’re constantly hammered with zero-trust solutions from vendors. Yes?
[Geoff Belknap] Oh, yeah. Look, everybody’s got a zero-trust networking solution or something that contributes to zero trust in the space. It definitely is one of those things we talk about a lot where changing up your marketing just to sort of fit whatever is hot today certainly makes it very confusing to understand where your product or service might fit in my world.
[David Spark] But I’m going to throw it – I don’t think it’s necessarily bad to throw that zero-trust moniker on for just this reason. Like what you said, Tom, saying that zero trust is not a silver bullet, it’s not a one-time fix kind of a thing, but it’s an architecture. But like you’re building a house, I just need to know all the pieces that go into a house, “Oh, these are house-building elements.” “Okay, I’ll take a look at it, it’s a house-building element.” I kind of look at it that way, like to put “zero trust” on your product is saying this is a product you may want to consider if you’re building a zero-trust architecture. Would that be a good way to look at it?
[Geoff Belknap] That would be fantastic. The problem comes that that is not the way that it usually is presented. And I know, because we have lots of friends of the podcast that are in the security solutions space, I know that is not the intent.
[David Spark] And they’re selling zero-trust solutions. By the way, our sponsor today is doing something like that as well.
[Geoff Belknap] Yeah, like I said, I know that is not the intent, but sometimes that’s how it comes across. I think one of the things we obviously don’t talk enough about but one of the great ways to adjust your approach if you’re selling one of these solutions is to be clear – “This fits into a zero-trust ecosystem or a zero-trust architecture and here’s how it fits.” That would be a lifesaver because usually when we engage with these vendors, that is what my engineers are doing. They’re trying to figure out like, “Oh, okay. Is this granting just-in-time access? Is this sort of interrogating or understanding the device that’s involved? Are we trying to understand the state of it? Is this something about limiting the scope of access or like blast radius? Where does this fit into sort of the three big buckets we might be looking for solution architecture in?” And once we’ve gotten that down, then we know is this going to add value to a problem set that we have, what problems do we have in each of those sort of, like I said, major buckets of problem spaces that we have for zero-trust architecture.
Where it’s unhelpful is if you’re selling a VPN and now you say, “Well, this isn’t a VPN. It’s a zero-trust networking solution.” It’s going to be tough for me to take that very seriously and like you’re a serious security solution. The good news is that most people are approaching it the way that I described previously, that, “Here’s how we fit into the ecosystem. We could do a whole solution but here’s the parts that we’re really good at.” And I think that’s really positive. Thankfully, I have yet to run into a single vendor that’s telling me this is the solution to manage my computers and the solution by which to manage my relationships with humans.
[David Spark] I haven’t seen that either.
[Geoff Belknap] Yeah, right? I think this is a good problem for us to be talking about and I love Tom’s take on this. But thankfully, I’m not experiencing this as a problem, where in my sphere of influence, people are abusing the thought process overly much here.
[Thomas Doughty] I would generally agree with that. I mean, the landscape varies in terms of what kind of pitches you have, and some are more credible than others. But generally speaking, here’s why it’s not a problem – because if you’re a practitioner with end states in mind and you have an architectural view and you’re in close partnership with your CTO and your lead architect and your app dev stream experts, then you’re reading the back of that can of soup, so to speak. You understand where it fits, where it doesn’t, and you can have a meaningful discussion about how it may work, how it might not work, what the sequencing is, to what degree you want to include that in your own recipe. In other words, it’s not how the menu reads, it’s how you digested it, and I think we can all, to Geoff’s point, read that menu in an effective and constructive way.
[David Spark] Excellent point.
[David Spark] And now we come to the part of the show where I ask which of these quotes is your favorite and why? Tom, I will start with you. Which quote’s your favorite and why?
[Thomas Doughty] I’ll have to go with Ray Pessick’s [Phonetic 00:24:51] quote, “People make honest mistakes. They get rushed, they’re fatigued, they’re distracted, etc.” You know, that’s absolutely true. I’ve probably made seven or eight honest mistakes during the recording of this show, so I apologize to all the listeners for all of them.
[Geoff Belknap] But thank you to our editors.
[David Spark] Our listeners will never know.
[Thomas Doughty] In any case, yeah, people make honest mistakes. They’re fatigued, they’re distracted, and especially now, it’s important to remember in all of this, talent is key to accomplishing these end states. Talent is key to understanding what your architecture is and how you execute against it. And particularly now, we’ve said for years, and it’s always been true that continual learning is an imperative for anybody, IT professionals especially, security professionals especially. And as we’re in this window of accelerated reskilling, the deliverables don’t slow down. So, yes, people will make honest mistakes. Absolutely have to understand your risk tolerance and safety net yourself and have guardrails. But the temptation to say that I’m not going to act and I’m not going to cold trigger some decisions with the best information we have at the time we have it, that is a pitfall. The risk of inaction, in most cases, still exceeds the risk of well-considered action and willingness to, within reasonable guardrails again, fail fast and learn fast and adjust quickly. That’s where people can continually make honest mistakes, or you build upon honest mistakes.
[David Spark] All right, Geoff. Your favorite quote and why.
[Geoff Belknap] I’m going to go with Joe Pride from NextEra Energy, “The heart of security is people. The goal of zero trust is to add a layer of security around machines, not to enable hiring zero-trustworthy people.” I think this is a great point, I know Tom has been hitting this all throughout the recording. We’re trying to solve a problem about trust of our systems and building trustworthy architecture and find a way to build into that architecture a way to make sure that we’re not just trusting it. But you know what it takes to operate and build that infrastructure? Humans. And you have to trust that humans have the best interests, our best interests at heart when they’re doing their job. Now, is there an entire practice of security that sort of looks into when they maybe don’t have that best interest at heart? Yes. Do we need to use the same solution we use for all of the ways that we treat computers to treat humans? No, and we shouldn’t be even considering that.
[David Spark] And I think we book-ended this nicely. We didn’t believe that we’re not going to trust people. We do have to. And with closing, to confirm, you have to trust someone at some point. All right. Final words. Tom, I let you have the final word, any plea you would like to make or summary on the topic or specifically, I always ask, are you hiring, so make sure you have an answer for that. Geoff, I always speak for him that he is always hiring, you do want to work for Geoff. And if you don’t want to work for Geoff, again, I point out that is a horrible mistake. There are other jobs on LinkedIn that can be had. Geoff, any other words?
[Geoff Belknap] No, I’ll just point out we hire people that we trust, we don’t apply zero-trust practices to everybody that we interview, so give it a shot.
[David Spark] All right. Tom, are you hiring?
[Thomas Doughty] We are absolutely hiring.
[David Spark] And you’re hiring trustworthy people, correct?
[Thomas Doughty] We’re hiring trustworthy people, but we want people who feel decision-enabled within their role, and we want people who are thinkers, objective-oriented, not task-oriented, problem-solvers, absolutely agile methodologies being applied here at Prudential. And if you want to be a part of something like that, come find us and we’ll find you.
[David Spark] And if they were to drop the name saying, “I heard you on Defense in Depth,” would that get them to the top of the pile maybe?
[Thomas Doughty] That would get them to the pinnacle of the pile, absolutely.
[David Spark] Pinnacle. Beyond the top. All right. Thank you very much, Tom. Thank you very much, Geoff. And as always, to our audience, and I do not mean this lightheartedly, I truly mean it – we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOSeries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link, we’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thanks for listening to Defense in Depth.