Defense in Depth: Where’s the Trust in Zero Trust?

Zero trust is a hollow buzzword. In any form of security, there exist critical points where we have to trust. What we need is a move away from implicit trust to explicit trust, or identity that can be verified.

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Our guest is Yaron Levi (@0xL3v1), CISO, Dolby.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our podcast sponsor, Optiv

Need a guide on your Zero Trust journey? Jerry Chapman, Engineering Fellow at Optiv and author of “Zero Trust Security: An Enterprise Guide” shares the following takeaways:
– The key elements of Zero Trust
– How to visualize your Zero Trust journey and place it in the proper context
– Integrated technologies to drive adaptive processes and a mature security model
Learn more at www.optiv.com/zerotrust.

Full transcript

[David Spark] Zero trust is a hollow buzzword. In any form of security, there exist critical points where we have to trust. What we need is a move away from implicit trust to explicit trust or identity that can be verified.

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode is none other than Geoff Belknap. He’s also known as the CISO over at LinkedIn. Geoff, what do most people know your voice to sound like?

[Geoff Belknap] That’s a great question. I think most people think about the night terrors that come to them late at night. And they’re like, “That’s clearly what Geoff sounds like.” But no, this is what Geoff sounds like. And you shouldn’t be as terrified of me as you might otherwise be.

[David Spark] It’s not kind of a loud Yoko Ono style screeching voice is what you’re saying.

[Geoff Belknap] I have yet to find a paper bag that I can fit into and bring myself up on stage with, but I’m always looking. And if you know where to find one, hit me up on LinkedIn.

[David Spark] Our sponsor for today’s episode, who is not wearing a paper bag, they are blossoming like a flower, and that is Optiv. You know Optiv. They are an extremely well known VAR in the field – value added reseller – and they do a whole slew of services. More from Optiv later in the show. But let’s get to our topic that was brought to us by our guest, who we’ve had on multiple times before. I’m very excited to have him back. Let me review it. So, our topic today is something that our guest was arguing: that zero trust is a misnomer. We have no choice but to trust at different junctures. His question was twofold – what and who should we be trusting, and at what points, and how should we refer to zero trust, since you can’t really run any kind of operation where you trust no one or no actual thing. Geoff, what’s your first take on this?

[Geoff Belknap] I think that’s very true. I think, look, zero trust really came from this place where it was just meant to mean least privilege. Don’t infer or imply trust just by presence on the network or from a given IP address. And, boy, it’s really gotten out of hand. People sure think it means anything and everything now. And in fact we’ve had a couple of episodes about this where we’ve talked about how we can use trust. In fact in security, trust is one of the most important tools that we as CISOs have in our pocket. I know somebody who knows that very well and preaches trust is our guest today. So, let’s have it out. Let’s talk about what the problem is.

[David Spark] Let’s have him on. So, it is the CISO of Dolby. This is actually his fairly new job. He’s been at it I think for a couple of years now. It is Yaron Levi. Yaron, thank you so much for joining us.

[Yaron Levi] Thank you, David. Thank you, Geoff. And I’m actually happy you guys are trusting me again.

[Geoff Belknap] Well, I didn’t say that. Let’s not jump to that conclusion.

[David Spark] Give it some time, Yaron. Give it some time.

[Yaron Levi] Okay.

[Geoff Belknap] We need to explicitly verify you are who you say you are first.

[Yaron Levi] There you go, yes.

Why is this so darn hard?

3:08.368

[David Spark] Mark Woodward of Google said, “It’s all objectively impossible… ‘Security’ without constant monitoring doesn’t exist.” And Brett Deroche of Amedisys said, “The goal is more informed and explicit trust. The issues arise when we don’t know what we’re trusting… It’s more of a practice to reduce implicit trust that must be iterated upon. It can be a long journey.” And Roberto Eger of Shipt said, “Zero trust is a nice sales concept but you end up in dependency nightmares and application breakage in practice. It’s a necessary goal to work towards but it’s a long and iterative practice.” So, I think what’s interesting here is we want to trust, but there becomes a process to get there.

[Geoff Belknap] Exactly right. And I think there was someone once who said trust but verify. And this philosophy is all about…

[David Spark] It was President Reagan I think was the one…

[Crosstalk 00:04:16]

[Geoff Belknap] I’ve tried to avoid that, but let’s… [Laughs]

[David Spark] I’m happy to say his name.

[Geoff Belknap] Let’s go there.

[David Spark] A lot of people don’t know that that’s where it originally came from.

[Geoff Belknap] Is that right? I guess I’m just old.

[David Spark] Yeah, a lot of people I don’t think know.

[Geoff Belknap] But I think the whole point is we want to be heavy on the verify, not so heavy on the trust. When we were first doing this, when companies were first connecting to the internet, you would connect to the VPN, and that was a new fancy thing. If you were connected to the VPN, it was like, “Great, we got access to everything.” And then over time and for no particular reason we realized maybe that was a bad idea. Well, that’s what zero trust is. We’re not talking about not trusting you or your own. And even though I can see your faces, I can be pretty sure that you are who you say you are. We’re going to verify that your connection or whatever you’re trying to do is appropriate, is from a machine that we trust, or from a machine that we know, or for a resource that we believe you should have access to without just blanket granting trust. And I think it’s all… The whole point is…to Brett’s point, it’s about informed trust. It’s about being informed about the decision you’re making and feeling good about that, and not just granting it based on a presumption.

[David Spark] I want to get to this whole concept of both what Brett and Roberto said. It’s a long journey. It’s an iterative practice. And that sort of flies in the face of the companies out there that sell a zero trust solution. Like, “Put this on, and we’ll give you zero trust.” I guess my question to you, Yaron, is, “What are the elements that are taking so long?”

[Yaron Levi] There’s a lot of things. I think first of all it’s the things that we need to do foundationally. We talk on the show many times about foundation of controls and getting the foundations right. We know that many companies, many organizations still struggle with that. So, until we can get there or at least we have some of the foundations properly in place, it’s much, much more difficult to implement what we call zero trust. But there’s another point that I want to make here, David. It’s not just the trust aspect, but I think my frustration with this is with the whole concept of zero. Because if you think about it, there isn’t really anything that’s called a zero trust. For me, and I’m sorry if it sounds a little bit harsh, but it feels to me like one of those things that if you tell a lie too many times and make it big enough, eventually people are going to believe it.

And there’s no such thing as zero, so let me explain what I mean by that. First, in security many times we tend to aspire to some goal of zero. Zero vulnerabilities, zero breaches, zero data loss, never miss an alert. It’s not possible. We know that it’s never possible. The same way that 100% complete security is not possible, zero is not possible in the same way. So, the concept of anything zero, I don’t think it’s realistic. So, that’s the other side of the zero trust, if you would. But the other thing is if we aspire to zero or aspire to perfection, we always fail. Because no matter how hard we try… And you asked about what are the things, and why does it take so long. No matter how hard we try, no matter how much we invest, no matter how long we’re working on it, we’re never going to achieve it. So, not to mention it’s not even inspiring to aspire to something that is zero. So, if we’re never going to achieve it and we’re constantly failing, what are we doing? Why are we going to do this?

What’s going on?

7:32.609

[David Spark] Jovica Ilic of Adjust said, “Can you trust certain hardware? How about specific hardware components? Microchips? 🙂 It’s an endless loop, unless trust boundaries are defined.” This gets to your point, Yaron, that there needs to be trust somewhere. You got to have it somewhere. And Arun Sankaran of Lending Tree said, “Had a debate years ago about network segmentation…you’re trusting your routing/switching vendor to read vlan tags properly and maintain separation. Maybe said better as, trust the least amount of things with the least possible privilege?” I like that. And Ofer Shaked said, “Even in Zero Trust, you trust the session, user and device. It’s a fancy name for attack surface reduction.” So, what do you think about that last one? I don’t know if that’s the best way to explain it, but everyone here is talking about what you said in your post, Yaron, that there is always some level of trust here. What is it we’re minimizing?

[Yaron Levi] Yeah, so I agree with all these comments, and I think we also need to think about how we got here. So, when we reflect back on the last whatever, 20 to 30 years, we had more control over our systems and far less complexity. So, kind of tying back to what Ofer was saying about defense in depth, attack surface reduction, and so on, it’s growing exponentially. We have more systems, more complex systems. So, we could be more intentional and precise about who we trust and what we grant them access to in the past. Over time, especially with what we call digital transformation, this got more complex, and we gave up most of the control that we had in exchange for a promise of trust by our third parties. They say, “Hey, [Inaudible 00:09:25] systems, trust us. We know what we’re doing. We’re going to take care of it. We can do operations better than you.”

And we actually trust that they will be there forever if we think about that. So, if we think that we trust that they will do all the system administration for us at a lower cost, we trust them that they would continue to innovate more than we will ever do. And we are trusting someone somewhere to do that all the time. Because that vendor or that service provider is also trusting their employees, and they’re trusting their service providers. Who in turn trust their employees and their service providers. So, it’s never zero. So, maybe when we realize that… Maybe now that we are thinking about it that we went too far in terms of kind of giving up control, and we’ll try to take the control back. So, now we’re trying to call it, hey, zero trust, kind of bring it back into zero. Which, again, I don’t think is possible. So, I like what Ofer said about the attack surface reduction, but I think ultimately it’s also a balance of control.

[David Spark] What’s your take on this, Geoff?

[Geoff Belknap] I think first of all, I just want to really pull something out that Yaron said here that really I think even unlocked some thinking for me. Maybe 10 or 15 years ago, your network was way less complicated. You had many fewer partners involved in it. You had many fewer systems integrated with it. And you didn’t need to necessarily have trust or lack thereof front and center when you were making decisions about controls. The world that we live in now is very, very different. To the point where I don’t think either Yaron or I could name all the partners, and all the system integrations, and all the other SaaS or on prem systems that we have – much less immediately identify all the points where we are granting trust between…or where we are crossing a trust boundary between us and one of these other third parties. And now we’ve created… I can’t take credit for it, but maybe I will.

Yes, I invented zero trust, or maybe it was Forrester many, many years ago that coined zero trust as really a way for us to bring this to top of mind. We have to be thinking about how we grant trust between these organizations because we live on that. And now it’s just a matter of going, “Great, as you grant trust, make sure you understand how much trust you’re granting, that it’s limited, and that it’s only the amount of trust or access that’s needed.” And that we’re making decisions when we grant trust or when we grant authorization or authentication based on data points that we already know – not just somebody showing up and saying, “Hello, I’m Yaron. Trust me.” And we go, “Oh, all right, cool. Great. I know somebody named Yaron.” You’re like, “Wait a minute. Do you look the same? Are you using the same computer? Are you coming from the same place you usually come from? Are you accessing the same thing you usually access?” All of that is just to remind us the world is more complicated, and now this has to be front and center. And no, it doesn’t have to be interpreted literally. I think this is a journey, and I think that was… One of our other contributors here has suggested that. We just have to be focused on what are we trying to make better. And all we’re trying to do is make it a little bit better every day, and this is an easy way for us to think about that.

Sponsor – Optiv

12:28.404

[Steve Prentice] Zero trust is one of those terms that gets a lot of airplay but can vary in its meaning. Jerry Chapman is an engineering fellow at Optiv, and he says it comes down to three elements – identity, security, and risk.

[Jerry Chapman] As you think about the fundamental aspect of an organization that has got different technologies across the organization, these are security components. In some cases, they’re identity components. But they just drive security, and they drive the business. They have controls in place, and they’re managing that effectively. Zero trust means integrating those technologies from just using security aspects to leading the security component with identity. So, now what you have is this concept of identity and security integrated to support zero trust concepts. Then moving that further up the ladder or further up the mountain in a maturity model – bringing risk into the conversation now gives you the capability to have adaptive or just in time decision making processes to support a zero trust architecture. So, identity, security, and risk drive maturity as they are more integrated to a higher level of maturity or a more mature security model to support zero trust initiatives.

[Steve Prentice] For more information, visit optiv.com/zerotrust.

How are the vendors handling this?

14:00.688

[David Spark] Sanjay Tandon of Paramount Defenses said, “It AMUSES me when I hear cyber security companies say – ‘Cyber security is about ZERO Trust, so tell you what, just TRUST US, and you’ll be ALL PROTECTED.’” So, this is kind of referencing what was just said earlier. And Oriol S., the CISO over at wefox said, “Zero Trust, like 100% Security is what is: a smoked myth.” So, this is all referencing what you said before. I just want to call out the marketing usage of this term because you were really doubling down on that yourself, Yaron. I quoted you at the top, saying it’s a hollow term.

[Yaron Levi] Yeah, it’s one of those things that our industry unfortunately has littered with magic pills, if you would. We’re trying to buy a magic pill to solve a problem. So, the first question is what problem are we trying to solve, and the problem we’re trying to solve, back to Geoff’s comment from before, is with all the complexity and all the control that maybe we lost or gave away to someone. We had to move from more control in the past, where we gave implicit trust to people who were in that bubble, to something where now it’s much more messy. It’s much more complex, so we have to be very, very explicit about it. And there is no magic pill for that. It’s like a diet. I can’t take a magic pill and just lose a lot of weight. I just have to stop eating those burgers. So, it’s kind of the same thing for me. Many vendors will try to sell you zero trust in a box, and they will slap it on everything. Whether it’s code security, ISO like zero trust Cloud, ISO zero trust GLC. [Inaudible 00:15:52] zero trust almost on anything. But no, it’s the implicit concept of I need to either implicitly give trust or explicitly give trust. And we need to move to explicit trust.

[David Spark] That was essentially your definition of explicit trust. It’s just zero trust sounds so much zippier and snappier, doesn’t it, Geoff?

[Geoff Belknap] Only Siths speak in absolutes I think another famous person once said.

[Laughter]

[Geoff Belknap] I just have to go back to what Sanjay said because it tickled me so much. When vendors are like, “Oh, yeah, zero trust. Absolutely, zero trust. So, buy our third party SaaS zero trust product and just trust us that we will handle all the non-trust in your environment.” But yeah, look, of course there’s trust. Of course that’s what we need. And I’ll also say I’ve never heard of a smoked myth, but now I’ll be Googling that or maybe hitting Urban Dictionary and figuring out what that means. But of course we need to have trust. And when vendors take this too far, this is what happens. Yaron and I end up on a podcast because someone spent 40 million dollars on a marketing campaign at some point to tell everyone to not trust anything and to only buy their product. It works really well, and I don’t blame vendors because, look, you’ve got to find a way to separate yourself from the pack. And if everyone else is using common messaging, that becomes the sort of common vernacular of how we talk about stuff.

[David Spark] I must say in defense of vendors, it is really, really tough to explain your product, not use buzzwords, and differentiate yourself from the crowd.

[Geoff Belknap] I think the upside though is CISOs get it. Most CISOs get it. I think certainly everybody goes through that phase when they’re new to the job when they’re mostly angry at their vendors, and I think that’s just letting off steam because the job is really difficult. But, look, we get it. I think most…when you build a relationship with most salespeople, they understand that that’s not exactly what they’re selling. But they’re in that category of product. Look, for lack of a better solution, at least it helps us understand what sandbox they’re playing in. So, I’ll allow it. And since I’m the one that gets to decide, I think Yaron and I are going to be okay with this.

[Yaron Levi] Geoff, I think you’re onto something. If they spent 40 million dollars just to come up with this concept and now we’re challenging it, we could actually charge them a million and say, “Don’t do it.” So, it would be more cost effective anyway.

[Crosstalk 00:18:11]

[Geoff Belknap] We should set up a Venmo for this.

[Yaron Levi] There we go. Yeah.

[Geoff Belknap] It might be that way I get that budget for the headcount [Phonetic 00:18:18] I always wanted.

[David Spark] Yes, exactly.

What are they looking for?

18:20.386

[David Spark] Elliot V. of Twingate said, “Zero Trust doesn’t mean never trust. It means you start with a baseline of zero, and with granular access controls and constant authentication, you open the doors to machine and human.” That, I think, is kind of a nice, clear, concise definition. Moshé M. Vered who is with the Stealth company said, “Trust is a risk. And as a risk, you wish to reduce it to the minimum. Trust as risk has to be constantly monitored and re-evaluated with time.” I like this idea because I never thought of it like this. But yeah, trust is a risk. The more we trust, the more risk we’re taking on. So, let’s minimize that. Yes? You can’t do a business without risk. You can’t do a business without trust, right, Yaron?

[Yaron Levi] That’s exactly right. I think that’s the key. Because risk and trust are tied together. It’s true for security. It’s true for business. It’s true for life. You take risk by asking somebody out, and then you trust them. You take risk by making a new friend. You’re taking risk by doing everything. And it’s all based on how much you’re trusting them, and maybe you trust over time. But you explicitly trust somebody once you take… But you have to take the risk first.

[Geoff Belknap] Yaron and I met years ago at the FBI CISO Academy, and he took a risk trusting that I wasn’t a crazy person. We still have yet to see how that pans out.

[Yaron Levi] And that trust has kept growing and growing every day that Geoff and I know each other.

[Geoff Belknap] That’s right. [Laughs]

[Yaron Levi] Yes.

[Geoff Belknap] I would sort of thread the needle between these two things. I think trust is a risk to a certain extent, but I don’t think you can have zero with it. I think like with anything… We support organizations…

[David Spark] Right, you can’t have zero risk. You can’t have zero trust.

[Geoff Belknap] Exactly. And if you’re going to have a business or whatever your organization is, job number one is not eliminating all risk and having a perfect, secure organization. It’s managing that risk. I think understanding where to sort of balance the equities of deciding where it makes sense to take a risk. In this case, I think that is the core concept of zero trust: understanding really well and being really well informed about the risks that you are taking. I think it is actually pretty valid for Moshé to talk about trust can be a risk, but you also need to have risk in your business if it’s going to grow, or if it’s going to add value to anybody. Not just a business. If it’s a nonprofit or whatever it is. You’re not going to be able to offer something to someone if there isn’t some risk involved. And zero trust… I do kind of like the way Elliot frames this, that it’s a place to start from, and then you’re going to get information and add…sort of give ground grudgingly, add trust to the environment. As long as it’s well…

[Crosstalk 00:21:07]

[David Spark] I think this, by the way, is a nice bookend to the quotes that we had at the beginning saying this is a long iterative process.

[Geoff Belknap] Absolutely.

[David Spark] And I think Elliot spelled it out.

[Geoff Belknap] I think Elliot did it probably as good as any marketing person could have done it. You should charge money for it.

Closing

21:21.740

[David Spark] Well, that brings us to the end of our conversation here. This was excellent, gentlemen. All right, I want to spend some time. I want you to tell me what your favorite quotes were here and why. I’m going to start with you, Yaron. Which was your favorite quote, and why?

[Yaron Levi] I’m going to go with Moshé M. Vered, that trust is risk. Because I agree. I think they’re very, very closely tied together. You cannot have the one without the other, so I think he very well articulated that.

[David Spark] And let me just add to this discussion of trust is risk that knowing your risk is great, and then building contingencies. To just have a sort of zero trust environment and then not have any other security program beyond it, because you’re going to still be taking risk, is actually extremely risky.

[Yaron Levi] Absolutely.

[David Spark] So, this is not the only game in town.

[Yaron Levi] Right.

[David Spark] If you will.

[Yaron Levi] Yep, absolutely.

[David Spark] Geoff, your favorite, and why?

[Geoff Belknap] Oh, I think it’s a tie between Elliot with this amazing description of zero trust – that it doesn’t mean never trust, it means start with a baseline of zero, and with granular access controls, and just gradually open the doors to machine and human trust. But I’m going to go also to Brett who said, “This is a practice to reduce implicit trust. It means it must be iterated on, and it’s a long journey.” I think that’s a great point because trust, like anything we do in security, is not a destination. It is a journey. We constantly are gathering information and making choices that lead us to that end point where eventually we retire and become golf caddies or whatever it is we’ll do.

[David Spark] I have a closing question for both of you, referring to essentially both of those quotes that you just said, Geoff. I’m interested to know… The two of you have been security professionals for a while, but the thing is you’ve built different security programs. So, once you’re with one, and then you’re with the next. But still you keep thinking about this layering of building trust, if you will. Can you think about, say, programs that you were dealing with five years ago and today, and has it really followed this model that both Brett and Elliot spelled out, in that the layers you have now and the iterations you have now are far more than what you had five years ago? Yaron?

[Yaron Levi] I think it’s more than what we had five years ago. At the same time, we have much more complexity than we had five years ago. And we’re still struggling, many of us, with some foundational stuff. I think if you ask almost any CISO what are the two initiatives they probably dread the most, they will tell you [Inaudible 00:23:53] and probably [Inaudible 00:23:55] This is all tied back to identity, controlling identities, and access controls, and definitions. These are complex, and they’re becoming more and more complex, especially as our complexity…the complexity of our systems is growing.

[David Spark] Anything to add to that? And again, like what your environment is now versus five years ago?

[Geoff Belknap] Well, I think maybe not five years ago, but I think accessing a corporate environment used to just be username and password. And then it became, and hopefully is for everyone, at least 2FA of some kind. And we all had our great little RSA tokens, and eventually that emerged into more sophisticated multifactor authentication. And indeed where we are now, where there’s FIDO2 as a standard, and you can have different authenticators, and there’s things like initial access, all of that I would say maybe we’re moving more and more trust and adding more and more information as we make decisions on these basic things that we used to grant.

[David Spark] Excellent. Well, thank you very much, Geoff. Thank you very much, Yaron. This comes to the very end of the show. Yaron, I’m going to let you have the last word. And as you know, I always ask our guests are you hiring. Make sure you have an answer for that question. I answer this for Geoff because he’s been on many times, and he’s always hiring.

[Geoff Belknap] Indeed.

[David Spark] And if for some bizarre strange, out of the world reason you would not want to work for Geoff, we want your name, and we want to know why not. But at the same time, you can actually go to LinkedIn and find another job, too, as well. Any last words that I have not already said, Geoff? And yes, you do want a list of names of people who don’t want to work with you, right, Geoff?

[Geoff Belknap] I think you could just tag me on LinkedIn, and we can have the discussion there. And then it’d make a great episode later.

[David Spark] People who don’t want to work with Geoff.

[Geoff Belknap] “What’s wrong with this guy?”

[Crosstalk 00:25:41]

[Geoff Belknap] That’s an hour-long double episode, I think.

[David Spark] There you go.

[Geoff Belknap] Yaron, what about you? What’s wrong with you?

[Yaron Levi] Oh, everything.

[Geoff Belknap] Yeah, that’s what I thought. But I would also want to work with Yaron, so you should think about it.

[David Spark] We can add that – people who don’t want to work with Yaron and Geoff. But you do want to work with both of them. So, if you don’t want to work with Geoff, you want to work with Yaron, Yaron, are you hiring?

[Yaron Levi] I am hiring, yes. And we actually have two positions open in Poland for a senior security analyst and an intern. I hope, David, you also have listeners in Poland. So, if you do…

[David Spark] I do have listeners in Poland.

[Yaron Levi] There you go. So, hopefully they listen to that, and they can send some information our way, and we would be happy to talk with them.

[David Spark] Awesome. Thank you very much, Yaron. Yaron Levi, who is the CISO over at Dolby. And also Geoff Belknap, who is the CISO over at LinkedIn. And our audience as well, who is filled with CISOs and people all the way down to interns and people who even are contemplating going into cyber security. And sometimes my mom on occasion.

[Laughter]

[David Spark] My mom. We greatly appreciate our audience and everything they do for us in terms of their contributions and for listening to Defense in Depth.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meet up, and Cyber Security Headlines – Week in Review. We’re always looking for fascinating discussions for Defense in Depth. If you’ve seen one or started one yourself, send us the link. We’d love to see it. And when any of our hosts posts a discussion on LinkedIn, participate. Your comment could be heard in a future episode. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to the CISO Series Podcast.