Why is everyone obsessed with Zero Trust? Is it just a marketing ploy that vendors are using to sell their products? Or is it truly a methodology that provides better security, especially in today’s environment?


Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host, Geoff Belknap (@geoffbelknap), CISO LinkedIn, and Melody Hildebrandt (@mhil1), evp, product & engineering and CISO, Fox.

Thanks to this week’s podcast sponsor, Code42

Redefine data security standards for the hybrid workforce. Check out Code42.


Full transcript

David Spark

If you are listening to this episode on Thursday, the day this episode drops, tomorrow, April 23rd, we are having another one of our awesome CISO Series Video Chats. The topic is Hacking Distractions: an hour of critical thinking about what we should stop paying attention to in security. If you haven’t participated in one of these, well, you’re missing out, because it’s a chance to connect with other professionals, cyber security professionals in the industry, and at the end of the hour we do these really fun one-on-one meet-ups where you get to have a five-minute meeting with another cyber professional. So, please join us. We would love to have you there. This is going to be a really fun topic, because the topic of distractions is many and varied, if you will.

Anyways, join us this Friday, 10:00 am Pacific, 1:00 pm Eastern. Hope to see you there.

David Spark

Why is everyone obsessed with zero trust? Is it just a marketing ploy the vendors are using to sell their products, or is it truly a methodology that provides better security, especially in today’s environment?

Voiceover

You’re listening to Defense In Depth.

David Spark

Welcome to Defense In Depth. My name is David Spark. I am the Producer of the CISO Series. Joining me for this episode is my co-host Geoff Belknap. CISO of LinkedIn. Geoff, we all love to hear the sound of your voice. Prove it.

Geoff Belknap

Hi friends.

David Spark

That’s the sound of his voice. Our sponsor for today’s episode is Code42. I should also mention that if you’re not familiar with our website, we’re available at cisoseries.com. We’re at the Subreddit CISO Series, and our topic today is about zero trust. But more, why are people obsessed with this? And it comes from a discussion, Geoff, that Gregory Bednarski, the Chief of Cyber Security Policy and Strategy over at the NSA, posted on LinkedIn. He’s not a fan of the term “zero trust” since it obscures the core principles it’s supposed to serve, but, at the same time, Gregory knows we shouldn’t ignore those principles, such as focusing on security basics, comprehensive monitoring, granular access control, security automation and least privilege. Geoff, my question to you: is zero trust the same thing as security fundamentals or is it something else?

Geoff Belknap

It’s not the same thing as security fundamentals and I get where Gregory is coming from. Certainly, the way people talk about zero trust now and the way people talk about a lot of things in security, it makes you think that you need to forget everything you should be working on and do this new thing. I do think there’s a lot of benefit to zero trust but I think, like most things, you have to dig past the marketing lingo and get to what it really means. Then again, in this case, what it can really mean is you’re extending the security fundamentals. You’re building new fundamentals to live alongside everything else you need to do.

David Spark

A good point. And we’re going to get into people who are proponents and detractors of zero trust on this episode. Our guest today is the Executive Vice President of Product and Engineering and CISO over at Fox, Melody Hildebrandt. Melody, thank you so much for joining us.

Melody Hildebrandt

A pleasure to be here.

Can there ever be agreement on this?

00:03:21:05

David Spark

Jatinder Singh of Informatica said, “Zero trust, to me, means you move beyond the traditional trust relationship based on your password, IP, network and approach,” and Abhishek Singh of Araali Network said “The concept was so powerful that everyone today claims zero trust, maligning a perfectly proper movement towards deperimeterization.” All right, I throw this to you, Geoff. Is zero trust really just a new name for the way we are not looking at the perimeter as a sort of a security barrier, if you will?

Geoff Belknap

Yeah, I think it’s intended to be this concept – and I’m gonna steal this 25 cent word from Abhishek – of deperimeterization. It really is thinking about your infrastructure in a way that you should not grant anyone or anything any inherent trust, just based on where it lives in the network or its IP address or the fact that it’s coming from your own laptop, but instead assume that you shouldn’t trust anything and act accordingly. I think – and I’m glad Mel’s here, because I know we’ve talked about this a fair bit – that’s really all this is. There’s a lot of marketing hype around it, but it really is a really interesting methodology to approach your environment.

David Spark

All right. Mel, what do you think? Do you think, again, this is just sort of a way of not looking at security as, I guess, a walled garden? A very old, I know, antiquated approach.

Melody Hildebrandt

I think that is going to be a central concept. It’s a drawing act. I like what Geoff said earlier, kind of describing fundamentals not being equivalent to zero trust, but zero trust instead kind of defining kind of a new set of fundamentals in terms of how you architect a network or, generally, how you think about application access. So that, to me, is the essential principle – how do you think about application access? – and, like Geoff said, that should not be granted based upon network proximity, but rather should be based on user identity. I think many people would include potentially also device security in that, but it’s not about network proximity, certainly. I think the other piece that’s interesting to me is thinking about ensuring that the traffic between the two end points – the user and the resource they’re looking to access – is encrypted in transit and you ensure that you have that path established. So, those two pieces, to me, both again, getting rid of this concept as you describe as, like, a perimeter which, I think, really just says, like, it’s not about network proximity, it’s about you as an individual, and then ensuring that the traffic, once you’ve established that the user is good, establishing that the traffic is going to be encrypted, those are the basics and that can then be a new set of fundamentals and a new set of principles that you can design into your security program.

David Spark

Are there authentication methods that you, in this zero trust world, have found work better than others towards this? To either of you. Geoff? Melody?

Geoff Belknap

Yeah, well, I think the whole point is not to focus on one methodology for authentication. I think you can use whatever works for you. If you’re using Active Directory, you can certainly use Azure Active Directory. But the idea is bring conditional access, or something like conditional access, to that, so that you’re making a decision about what this individual or this machine should have access to, like Mel said, not based on where they are or the fact that they’re connected to the VPN, but the fact that, contextually, you’re coming from a device that you have introspected – that’s probably the wrong word also – but you’ve introspected to understand it is my device, it’s running the current version of everything it’s supposed to be running, it has AV on it and it is in the possession of Geoff, right? So, now, what are the things Geoff has access to? Let me grant him access to those things, because I understand the sort of intersection between policies I’m going to apply, devices he’s coming from, threat intel I might have. But I’m going to make this holistic, very enriched decision about whether my machine should have access. And it’s not so much how I’m doing that. It’s just that I’m doing that.

David Spark

Let me throw this one thing out at you, Melody. We had Jimmy Sanders, who’s the Head of Security over at Netflix DVD, and he has kind of a problem with the zero trust thing, because one of the things he said is “If you’re telling a developer who’s looking and physically touching a server right next to him, that that server does not trust him and the other developers in his network, you’re going to get some serious pushback.” Is there a point where zero trust essentially backfires on your ability to operate as a business?

Melody Hildebrandt

I think the goal, obviously, is that it doesn’t. I’m sure we’ll get into what is easy and what is hard in implementing zero trust. Some workflows are quite easy – web-based workflows to SaaS applications. Like, in many ways it’s a much better user experience to access, like, rather than expand a VPN, to click an Okta chiclet and launch a web app. Like, that’s pretty great. So, I think there’s a set of applications that are quite easy. I think my equivalent, maybe, in my world to what that gentleman was describing is, like, our broadcast environment. In that case we really are used to engineers who are on premise, who are used to physically interacting with large amounts of equipment or how we are able to deliver content around the globe, and it is a paradigm shift for them. I think it’s important that you don’t introduce unnecessary friction. I think, in some cases, with the pandemic and work from home, that really accelerated our thinking around this, when potentially some of our users were like, “Why would I ever need to think about this in a different way?” But, like, actually be able to facilitate their ability to interact with these machines from home and then, how do you then carry those same principles to when you’re back in the office? I think, in some ways, this whole work from home has, like, accelerated zero trust for a lot of organizations. And then when they come back into the office, you’re not going to revert to previous mechanisms. You just need to continue that zero trust mechanism, even when you are physically proximate again to a thing. So, I think, in many cases it’s really understanding the workflows of the users. We can walk through, I think, some that are really easy and some that are hard, and in our journey, at least, that’s been the harder part – how do we really work with some of these more specific types of applications that we need to facilitate this different paradigm in terms of application access that aren’t simple web apps?

How did we get here?

00:10:10:10

David Spark

Shana Cosgrove over at Nyla said, “Zero trust implies a focus on using the Internet and allows for BYOD models of operating, versus assuming a company supply chain or agency can get close to 100% opsec or cyber defense. We use 100% SaaS solutions to operate our business and assume that our users will connect across routers, hot spots etc., where they are, including from their personal mobile devices. Too much of cyber security language assumes control and ownership of a network. Zero trust flips that.” I should mention that in this discussion, most people are pretty anti zero trust, so Shana was one of the sort of shining lights who is very pro zero trust. Where do you stand, Geoff?

Geoff Belknap

I think she’s exactly right, that if you’re 100% SaaS you’re de facto zero trust. You’re really leaning on that principle of assumed breach, and what assumed breach means in the context of zero trust is you’re just not going to trust any network that you’re using. And I think Google famously did this with their BeyondCorp model and they said, “We’re going to treat every network that we have on campus as if it’s a Starbucks Coffee Shop, right? That it’s not any more trusted than that and we’re going to act accordingly.”

David Spark

Mike Johnson has said that many times on the show.

Geoff Belknap

Yeah, and he’s perfectly right. I think that’s an inherent principle. Now, again, a lot of people have made a lot of hype out of this, but I think if you just get down to first principles, it makes a lot of sense and being 100% SaaS means you’re not giving any trust to the Comcast network or the Spectrum network that you’re connected to. You’re basing your trust on either your identity, or some other indicator that you can trust the device that’s connected.

David Spark

All right Melody, where do you stand on this, and are you bullish like Shana is?

Melody Hildebrandt

Yeah, I like her focus on using the public Internet and I think that this principle of treat it like an open wi-fi, I think, really helps ground the concept for a lot of users and a lot of IT admins and broadcast engineers. I use that analogy a lot, because it really does, I think, get to the essence. You want to allow what the public Internet does best to do and because of progress around HTTPS everywhere and just enforced encrypted connections for web apps in SaaS, as Geoff said, you get a lot of this for free. So, if your whole world is SaaS, there’s no reason to not be “zero trust.” You inherently are embracing those principles. I think the harder part, as we’ve talked about earlier, is that not everything is SaaS. I think about our workflows – again, in a media company, our bread-and-butter is doing live sports, live news, live entertainment production. This means video editing software. It means we’re administering satellite transmission from earth stations. We’re running massive broadcast infrastructure. These are not web apps. We need access to RDP, SSA – we need protocols that are specialized. We need thick client applications to do [low-latency] production. So, I think it’s when you have to really think about not just your SaaS apps. We were able to migrate HR and Finance, for example, very quickly into this model and then had to think about broadcast engineers or post production editors, and you have to begin to chip off these workflows one by one, and be a bit more creative in terms of how you express them. So yeah, I’m still bullish, as she is, but when you get beyond SaaS, I just think it gets a lot harder.

Sponsor – Code42

00:13:41:00

Steve Prentice

Co-writing a business book is an exercise that allows the wisdom and experience of its authors to be vetted, refined, boiled down and then presented to other professionals in the field. Mark Wojtasiak is Vice President of Research and Strategy at Code42 and he did just that, giving CISOs and others the chance to benefit from his company’s insider risk detection and response expertise on their own time.

Mark Wojtasiak

We’ve been researching and publishing data exposure reports since 2018. We had all this information and knowledge that we’ve accumulated as an organization over the past four to five years, so Joe Payne, our CEO, Jadee Hanson, our CISO and CIO, we got together and said, “You know what? Let’s write a book about insider risk.” It’s called “Inside Jobs.” So, I brought in insight from an insider risk trend perspective, Jadee brought in security expertise as a CISO managing insider risk, and Joe talks about it from a cultural standpoint. The catalyst behind it is corporate culture.

Steve Prentice

As a company, Code42 focuses on the dangers that come from insider threats. This, and more, is what the book is about.

Mark Wojtasiak

You think of it as a security book but it’s really a business book geared to a CEO, to a CIO, to a General Counsel, to an HR people-leader and, of course, to the CISO, with some practical best practices on how to approach the problem or think about the problem.

Steve Prentice

To find out more about Code42 and to request a free copy of “Inside Jobs,” go to code42, that’s code42.com.

Why are they behaving this way?

00:15:21:20

David Spark

Craig Sanders of the US Army said, “If throwing a new label on them helps me convince organizational leaders to invest a little money and prioritize improvements, then let’s zero trust it up.” Ashish Mittal of Telstra said, “It’s all about just doing the basics right, but every vendor is taking advantage of this term.” And Blake Moore of Wickr said, “What the marketing term has done, however, is generate marketing buzz, which has in turn created wide awareness of the underlying principles – silver lining, for sure.” And Taylor Lehman of AWS said, “I don’t get the fascination the industry has with giving the same old things fancy labels. It’s just hype that’s used to confuse the myths or uninformed.” Now, I’ll start with you, Melody. People are just thinking this is a lot of hype and we’ve had this before, but have we really? And is it really hype? But I definitely see a lot of vendors that sell themselves, like, “We are the zero trust solution” – zero trust in a box. So, what’s your take? Where are we going in terms of legitimacy and hype?

Melody Hildebrandt

Well, of these perspectives, I think I most align with Blake from Wickr. I’m less cynical about the marketing here. I actually think that zero trust does group together into a coherent set of concepts, instead of principles that are important. And that is different, as Geoff said earlier, from security fundamentals. I mean, patching is a fundamental. It’s not necessarily relevant to zero trust. So, I do think zero trust captures a set of principles that are interesting and allows me, or a given user, to be able to, like, kind of look at a given application access pattern and say, “Hmm, is this adhering to our principles that we’ve established?” And it honestly is a different way of doing things than historically has been done. I can imagine, like, if you’re at a cloud native start-up that is primarily SaaS, like, you might look at this and say, “What’s the big deal? This is how we’re operating today.” But if you’re an organization like ours, which historically had a lot of legacies, obviously on a massive digital transformation journey, as I noted earlier, has a lot of non-web apps that actually are the very core of what we do as a business, this section has a different way of doing things. So, I think it’s a positive shift forward for security, I think it would be a positive shift forward for productivity, and particularly for a lot of users who aren’t used to historically being able to actually do their job anywhere but the office. So, I’m with you as well though, that there’s no technology [pressures] that will make you zero trust. Zero trust is a set of principles and there’s a lot of work to actually then make those principles manifest themselves in practice and that’s not a thing you can buy. Although there are a set of technologies that obviously help you get there, you need a strong identity provider, you want a strong end-point solution. These things then add up to a zero trust strategy, and so I’m less cynical on the marketing but, of course, you see it being abused, like all things.

David Spark

All right. So, are you with Melody in sort of being less cynical? Where do you stand here? Again, from the marketing angle of how people are absorbing this.

Geoff Belknap

Oh, I think I’m a deeply cynical person. But in this place I can compartmentalize my cynicism to “Yes, it’s very generally annoying as a security leader to just watch what security companies do with marketing hype.” I think in this case, though, again, I’m with Melody and Blake. Bringing the conversation to the forefront is helpful.

David Spark

Even if there’s sort of an abusive nature that goes on in the process, if you will?

Geoff Belknap

I apologize to all my marketing people. I think, by nature, marketing is a little bit manipulative… or maybe I’ll say “influential”.

David Spark

Isn’t that the point, the definition?

Geoff Belknap

Yes, yes it is. I think the only point where it runs away from you is if you as a security leader can’t re-frame the discussion away from “Buy this widget and everything will be better!” which is hogwash, to “How does this apply to us? What should we do about this concept?” And I think Melody made this point that there’s no amount of money you can spend where you can say, “We’re officially certified secure.” There’s no amount of money that you can spend where you can say, “We’re officially zero trust,” right? It’s a process; it’s a set of behaviors and decision-making, it’s a methodology in our approach. I think, to some extent, like, as Greg said, I don’t think this is throwing a new label on something. I really do think this is one of the few things that we’ve had in the last five or ten years where it really is a different approach to how we did it, because ten years ago the way we did it is we wrapped everything in our special security hug, called a VPN, and then we sort of went, “Okay, all done. It’s behind a VPN and a firewall. Double secure. That’s defense in depth. We can all go home.” And instead, zero trust is making us really think about the first principles of what we’re doing.

Melody Hildebrandt

And I think one example of that and one way it’s expressed is that a security team actually really does not always do the heavy lifting to make something zero trust. A lot of the work actually has to be done by a core networking team, core IT, core engineering, so much of the journey for us has really been a partnership with those groups. There’s no tool I can buy that would solve this. It really gets to a fundamental sense of “How do we architect our network? How do we architect our application access?”

David Spark

And I think that that’s just a really interesting point that I want to tease out for a second. When you, as a security organization, are rolling out something big that involves a bunch of different parts of the organization, you’re probably on the right path, right? If you could do something just in security with nobody else involved, it probably is not that impactful. It’s probably not going to make a difference for your organization. In this case, you’re shifting the way the organization thinks about the things that it uses to be successful, and that tells me this is a really good methodology to follow.

What are the best practices?

00:21:15:10

David Spark

Freddy Tse of AWS said, “Trust is not only the core foundation of how cyber security works, but our whole society.” And Abhishek Singh of Araali Network said again, “It’s really the trinity of authentication, identity, authorization, least privilege, and audit monitoring that makes for a complete story.” So, there’s sort of the happy look at this: “Hey, this is really a holistic game here, right?”

Melody, like you were saying, it’s a process, it’s a methodology. We’re shifting the way we’re looking at it. We’re kind of coming full-circle here in our conversation today. What more would you add to this sort of methodology to sort of bring it home for our listeners?

Melody Hildebrandt

I think the main thing I would add is building on what I was saying earlier about understanding the workflows. I think it’s really important that we facilitate our users to be able to do the workflows in a low-friction, secure way, while also minimizing their risk that they can blow stuff up that is totally irrelevant to their jobs. And that’s part of what I think zero trust is about. How do you enable your employees to do their best work, have access to the things that they need to do, but not worry that they’re gonna be the heart of a phishing campaign, that someone’s going to move laterally and take down the entire company as a result of their single error? So, I think it does get back to this sense of understanding what your users actually need to do, and really work with them to be able to migrate their way of doing that into a way that’s more fundamentally secure. And I think my best success story, which I think is illustrative here, is actually working with the VP of our Post Production Unit. So, they’re the ones who are doing all the advanced editing on things like “The Masked Singer,” or “Lego Wars,” or these live television shows, and we have delivered them our zero trust “solution,” which was, for non-web apps, kind of a reverse proxy technology, which can be a tool in the toolbox in order to enable these kinds of workflows. And it really wasn’t working for them, because while it worked for finance in these other applications, it wasn’t working for low-latency video editing; it just wasn’t optimized for that.

And rather than falling back on VPN, which I think would have been the natural thing to do, they were able to internalize this concept of “Well, this doesn’t feel very zero trust-y,” and that’s where I think the marketing is useful, because it’s like, they were able to kind of condense the principles, without using a ton of cyber security jargon, and these are creatives, to say, “Well, this isn’t very zero trust-y, but hey, we actually did a little research and we found this other application that is really optimized for its low-latency workflows. Can you guys take a look at it?” We looked at it, and went, “This looks great.” We had never seen it. And that’s what they’re using for now. Like, zero trust access to these post production editing workflows. So that, to me, is where this term is really useful, because it really digests these sets of principles, that our employees can actually digest themselves. It can help them interrogate their own workflows and then, are they actually approaching these applications, like, with the right mindset? So, like, that’s what I would add as well. I think that it’s useful to actually engage the employees in the underlying principles and the goals of what you’re trying to achieve.

Geoff Belknap

I love it. I think this is a great analogy for what we’re really doing here. Security is a human problem. As security leaders, it is not our job to change the way everybody works to be more secure, it’s to change the tooling we’re using to adapt to the way everybody works, right? We want the easy thing to do to be the secure thing and we don’t want to shift anybody else’s workflow.

That’s a perfect example: the editing that they do makes the organization money. We can’t tell them, like, “Sorry, can’t edit that way anymore.” We have to adapt to what they’re doing. And I think I just feel deeply what you’re running into, because we’re on this journey ourselves and we’ve got everything converted that was easy to convert, and now it’s all about those command-line utilities and things – we never really expected there to be a conversation about trust involved in that space. But you have to get engaged and you have to figure out, “How does this work and how can zero trust apply to this?” And it is a hell of a fun ride.

Wrap

00:25:36:00

David Spark

Excellent. Well, that brings us to the very end of this episode. This was a thoughtful, packed episode on zero trust. I loved this. And whatever aisle you stand in, whether you think it’s just repackaging the old or you really truly think it’s a new methodology, we want to hear from you. But, more importantly, right now, at the end of the show, I will ask both of you what was your favorite quote and why? And Geoff, I will start with you.

Geoff Belknap

I really like Freddy’s quote from AWS that “Trust is not only the core foundation of how cyber security works, but our whole society,” and I think it reminds me of something that I like to say which is “Trust is the foundation upon which your customers can build a relationship with you.” And I like this one.

David Spark

If they can understand that, they can understand zero trust. Melody, your favorite quote and why?

Melody Hildebrandt

I’m actually going to go with Blake from Wickr. “I think the marketing term has generated marketing buzz which, in turn, has created wide awareness of the underlying principles.”

David Spark

And you told us the success story where that actually happened. Awesome to hear. Well, let’s close up the show. I want to thank our sponsor Code42 for sponsoring this very episode. They are actually a very sort of pro insider risk company. It’s specifically around the non-malicious angle of insider risk. For more about them, go to code42.com. Just a closing statement: any last thoughts you have, Geoff? And I’ll also ask you, because I also always ask our guests if they’re hiring at all. Are you hiring over at LinkedIn?

Geoff Belknap

We are absolutely hiring. Look me up on LinkedIn or Twitter or send me a message any way that you can find me, and I would be happy to point you to those jobs.

David Spark

Excellent. Melody, any last thoughts and again, are you hiring?

Melody Hildebrandt

We are. We have several open roles, particularly in security architecture, cloud security roles, a couple of entry-level roles as well, which I know people are often interested in hearing about those kinds of opportunities. So, yeah, you can find me on LinkedIn as well. I’d love to talk to you more about them.

David Spark

Excellent. Well, thank you very much Geoff, thank you Melody and thank you audience! As you know, we thrive on your feedback. So, if you see a phenomenal, very active conversation online, please send it to me. You can send it to me over at david@cisoseries.com or ping me on LinkedIn – I’m very active over there. And, as always, we appreciate your contributions and listening to Defense In Depth.

Voiceover

We’ve reached the end of Defense In Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense In Depth.