I’ve Got Zero Trust In My Understanding of Zero Trust

Don’t look at me to explain zero trust to you, because I’m just as confused. I’ve heard plenty of definitions, and they all sound good. I just don’t know which one is right, or maybe they’re all right.

This week’s episode of CISO/Security Vendor Relationship Podcast was recorded in front of a live audience at KeyConf at the City Winery in New York City. My guest co-host for this special episode is JJ Agha, CISO, Compass. Joining us on stage were a host of guests, Admiral Rogers, former NSA director and Commander US Cyber Command, Oded Hareven, CEO and co-founder, Akeyless, and Dr. Zero Trust, Chase Cunningham (@cynjaChaseC).


Huge thanks to our sponsor Akeyless

As organizations embrace automation, they must control their secrets sprawl. Security teams must enable the transition with centralized access to secrets, and consistent policies to limit risk and maintain compliance. Akeyless provides a unified, SaaS based solution for Secrets Management, Secure Remote Access, and Data Protection. More about Akeyless

Full transcript

Voiceover

Ten second security tip, go!

Mike Rogers

CISOs must learn how to communicate their activities, their intent and their strategies in ways that non-technical people understand. And the way a CISO talks to an HR person is not the same way you’re gonna talk to the CEO; it’s not gonna be the same way you’re gonna talk to the General Counsel. Last quick story, very first time in the job. I’m getting ready to go down and see the President of the United States and I’m going to brief him on cybersecurity strategy. I sit down with my team, they go through this great presentation at the end of which I look at them and go, “Guys, that’s great. You and I understand this. If I talk this way to the President, he will just look at me like I am an idiot. We have got to learn how to communicate in ways that he and others can understand.” So I’ve lived this myself.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast. Recorded in front of a live audience, in New York City.

Mike Rogers

Work it baby, work it.

David Spark

Welcome everybody, to the CISO Security Vendor Relationship podcast. We are live in New York City. Prove it to you that you’re actually here. Yes, we’re actually here. Those of you standing in the back, I see plenty of chairs up here in the front, please feel free. There’s not gonna be a point where you’re going to want to run out of here, we’re going to have fun for the next 45 minutes. Joining me on stage is a guest CISO that I’ve had on this stage before, but he’s taken on a new title. It is JJ Agha, the CISO of Compass. JJ, thanks so much for joining us.

JJ Agha

Thank you for having me, and I was telling David this is my second time in the city since the pandemic and both have been for the CISO podcast, so I’m glad to be here and guest co-host with David.

David Spark

So, this is a reason to come into the city, as evidenced by this nice wonderful crowd out here as well. Our sponsor for today’s show, who happens to be the sponsor of this conference called KeyConf, which is happening here in lovely New York City, is Akeyless. They are a secrets management company and we are going to talk a lot about secrets management tonight. And we’ll be talking about things related to that, like zero trust and secure access and whatnot. But the gentleman that you heard at the beginning, he’s going to be our first guest. We’re going to have a series of rotating guests throughout the show and really thrilled to have him. As you can see, he’s worked in a high profile position before, as you have heard in this beginning tip. It is the former NSA Director and Commander of US Cyber Command, Admiral Mike Rogers.

Admiral Mike Rogers

Hey Dave, thanks. Great to be here today.

Close your eyes and visualize the perfect engagement.

00:02:32:11

David Spark

On May 12th, President Biden signed Executive Order 14028 “Improving the Nation’s Cybersecurity.” There were tons of key points, but I’ll zero in on the need to improve sharing between the government and private sector, improving standards and supply chain security, and the need to adjust network architectures so as to adopt zero trust cybersecurity principles. Mike, I am going to start with you on this one.

Admiral Mike Rogers

Okay.

David Spark

Three questions. Of the items on the executive order, which is a lot more than I just listed, what’s going to be the easiest to accomplish, the hardest, and which one do you believe is the most critical?

Admiral Mike Rogers

So easiest I would say is probably zero trust. Now, it’s not easy, but it is within the span of control of most organizations.

David Spark

A lot of people are shocked, I’m shocked to hear you say that.

Admiral Mike Rogers

You can do this yourself. We’ll compare the other two. The one that I think is the hardest is supply chain because, in part, much of it is outside of your direct span of control and, quite frankly, you are going to have to work with others to create the changes you need and that’s not always easy. The one that I think is, in some ways, most important in terms of long term, I would argue the information sharing piece because, quite frankly, if we cannot come up with a better collaborative– I don’t like the phrase “collaboration,” I like “integration”. I like the idea that we’re all going to work side by side, 24/7, particularly in key areas within the private sector and the government, the whole idea of the government supporting the private sector, not the other way around. I think the information sharing piece is the hardest, because if we can’t get that right, it’s like you are fighting with one hand tied behind your back.

David Spark

This is a discussion we’ve had time and time again and then always the issues of the “But, well, ah, and we can’t let this information get out.” Let’s just start with the positive here and I’ll start with you, JJ. Where have you shared information and it’s actually worked?

JJ Agha

I share information typically through the FBI, if there’s ever a ransomware, and then secondly it’s through your peer network. You have a trusted peer network where you would want to share hashes and IOCs, that transparency where you already have a built, agreed-upon trust; you’re using typical flags on how to share information. But I think one of the big things, looking at the Executive Order, is just having a repeatable run book. Following what Mike talked about with transparency, how do I actually give this information out? How do I share it? Do I call every AG and every State AG attorney? Do I go down and reach out to every single FBI bureau that I need to reach out to? We need a repeatable process for the private sector, and using a run book will just help unlock every single step, very similar to the zero trust conversation and very similar to the transparency conversation about sharing information.

Admiral Mike Rogers

Yeah, there is no doubt we’ve got to make this, yeah. I’ll give you two examples that come to mind. SolarWinds; the main target was government. It’s not the only one, but the primary target, and yet who discovered it? It wasn’t the US government, it was the private sector. And I’ve kidded Kevin Mandia about this. “It’s great that FireEye came forward,” I said, “but, you know, Kevin, you spent two weeks internally investigating this, then by the time the government gets this– We’ve got to be working together side by side.”

David Spark

This is just more eyeballs on the problem. As great as the government could be, or as great as the private sector can be, if you just got more eyes on the problem, everyone’s in better shape.

Admiral Mike Rogers

And you get more data.

JJ Agha

I think the issue is that we stigmatize incidents, we stigmatize breaches. You see it on every single ambulance chasing with every single vendor. You see it on the news, where everyone’s worried about the stock price dropping but typically you see a drop and then drums to 20% above market value.

David Spark

We just had a guy from the Verizon data breach investigation report at another conference I was at. He showed a chart that, six months after public companies had had a breach, there was absolutely no difference in terms of where their stock price went. It was an equal, essentially bell curve distribution.

Admiral Mike Rogers

I would argue some organizations use this as a way to come out stronger to build your reputation. Look at how FireEye responded; I thought they came out stronger. I think people were impressed by open, transparent. “Here’s what we know, here’s what we don’t know. Hey, this happened to us, we acknowledge it. The important thing is to make sure it doesn’t happen to you, now let’s focus on how we’re going to make sure it doesn’t happen to you.” I give them big points, we need more like that.

David Spark

Final thoughts on this. JJ?

JJ Agha

Another example was the Codecov incident, a supply chain attack on the application stack and talking about the SDLC. They did a great job about being transparent and just giving information as they found out, and it was a fluid conversation, it was a dynamic conversation. They weren’t scared about opening their doors and saying, “This is what’s happening,” and it caused that more eyeballs on the problem and more folks were providing solutions to the challenges that they were being faced with. So, I think just being open, being transparent will pay more dividends than trying to keep it close to your chest, and trying to hide it away, because that’s where you’ll end up with cake on your face a year down the road.

Admiral Mike Rogers

And in the end you can’t control it anyways. I used to say in government, “Guys, we need to work as if everything we do is going to become public knowledge, okay?” It just makes life so much easier. The decisions aren’t easy, but in the long run it’s the smartest way to do business.

What’s the best way to handle this?

00:07:56:19

David Spark

As I mentioned, we’re going to have a host of characters who are on stage, and I’m very excited to have our next guest who is literally sitting right down now and he’s got some stuffed animals for us. This is Oded Hareven, who is the CEO and co-founder of Akeyless. And is the Akeyless gorilla? What is this thing?

Oded Hareven

This is the Key Con.

David Spark

Ooh, I got it, oh my God.

Oded Hareven

We’re at KeyConf and this is Key Con. Come on, David.

David Spark

Who’s getting blamed for that horrible joke? Is it you?

Oded Hareven

Oh, come on! Well, we have a few people I can name.

David Spark

We’ll put a picture of the Key Con on there. Alright, here’s my question. What are the problems with secure remote access that we’re still struggling with? Over on the Cloud Security Alliance blog, Alex Vakulov asks this very question. He brought up two interesting issues: that more of a company’s network is being transferred to the cloud and that’s causing new issues that companies weren’t prepared for. And, secondly, maybe you don’t want uniform access for all employees. So, certain employees maybe should have higher tier access requirements. JJ, looking back at the beginning of COVID and now, what do you believe have been the biggest changes of how you’re handling secure remote access?

JJ Agha

When COVID broke out it was a mass dash to getting secure remote access up and running. We have to secure the workforce. We have to ensure that the business can continue to operate. That was the main objective. Now, if you look at it where we currently are, it’s following these zero trust models. The idea of multiple concepts coming together, creating that conglomerate of ideas and following these privileges, really tackling IAM, tackling asset management to improve secure remote access and getting away from the, “You know what? We have our gateway, we have a proxy. Secure remote access is done.” That’s one percent of the problem; the problem is diving in deeper. Once you start kind of evolving that as the company matures, you’re going to start bringing out different risk and different patterns, you can solve for the longer patterns. Now, as we’ve progressed over the two years, it’s really solving and standardizing on patterns and moving away from kind of the anti-patterns. Our developers really have embraced that, and they are diving into, “Hey I have this SaaS app, I have this new end point, how can we actually look to get it behind the secure remote access,” and not just say, “It’s behind the proxy.” What authorization is needed? I think that’s the next question. You could solve authentication but what are they authorized to do, and how can you make that dynamic and move away from static conversations?

David Spark

So, connecting the identity with the application and the data, all three together?

Oded Hareven

And the network. I think that this is one of the most interesting things around securing remote access: that today, usually or traditionally you would have thought that remote access is a problem of maybe network security. VPNs for that sense, right, then it’s done and it’s fine. But what happened in the last few years is that we see a convergence between those two worlds, between the network security and the IAM, of the access management for that sense. Now, people are looking at more of a holistic approach, which means that you need to somehow combine your VPN together with your maybe privileged access management, together with some session recording tools and so on. The problem is sticking all of those all together. It’s a lot of tools, and what do you do with it? Obviously, I see it as an opportunity, both for those teams also to be working together, the network people that are usually interested with zero trust initiatives, together with the IAM people.

David Spark

One of the things that this author, Alex, was mentioning was the fact that if you have higher tier people, you put more checks in place. So the idea is, if a person is an employee that only needs low access, doesn’t really need any higher access, administrative access, you’re not putting that many checks in place. In your environment, JJ, do you have more checks in place for people, like who are transferring money or who have had admin access, or are you giving everybody the same level of checks?

JJ Agha

You have to look at what you’re trying to solve with a secure gateway. Is it a VPN or are you trying to solve for the network transport layer? Are you trying to encrypt all the packets that go over it? Could you put the controls as close to the application as possible, to the software, to the user? I think that’s where you’re seeing this kind of idea where the convergence of networks and applications, that is happening when you go into the cloud. You need a service, you need identity, you need asset and they all need to talk to a data store, but you can’t conflate all three of these identities to be one and the same – service-to-service authentication, an identity-to-service authentication, to a data store – they’re all different. For us, I think the approach is the conversation of what is VPN actually solving? I think it’s not solving anything anymore. You have DNSSEC, the packet layer of what you’re trying to solve for with VPN kind of goes away.

David Spark

Is what you’re saying, it’s just too far away now?

JJ Agha

If you look at the OSI, potentially, yes. Because if you’re looking at it, it’s sitting right in the middle. I want to get as close to the data store, I want to get as close to the application as possible and this sits in the middle, so it does a little bit of something. I could say, “Hey, you only have access to the subnet,” but what exists in my subnet? I need a policy broker, I need a policy engine, and that’s where I really get down to the zero trust solution. Again, it’s combining these multiple technologies and having that holistic approach to software, and then you could actually build something that’s scalable. Are you also going to have a VPN here? Are you going to have a VPN out to an Azure network? Bastion hosts to get to the back end of your infrastructure? It’s just a mess and a hodgepodge of multiple solutions. Zero trust is there. Secure remote access will follow the lines of what zero trust should be solving for. It’s just going to take a matter of time and continuous iteration to get there. It’s not a one shoe fits all, it’s what patterns does the organization need, and then what infrastructure can support your patterns, and then go implement that.

It’s time to play, “What’s Worse?”

00:14:41:15

David Spark

Alright, everybody. For those of you not familiar with our show, we play this game called “What’s Worse?” where we give you two scenarios. They’re both horrible, you’re not going to like either one of them and it’s a risk management exercise. You have to determine which of these two scenarios is truly worse. And I reached out to Nir Rothenberg, who’s the CISO of Rapyd, and I asked him, hey could you give me a couple of What’s Worse scenarios in the area of secrets management? So it’s tailored just for you. There are going to be two horrible situations and we’re going to play two rounds of this, by the way. And the audience, you’re going to be voting to which one you like and don’t like. I always ask my co-host to answer first, so this gives you more time, Oded, to think of your answer, alright? So here we go. First scenario, again, both from Nir Rothenberg, so thank you very much. Scenario number one. You have short, easily brute forced keys that are rotated every nine days to more new short keys, okay? Crappy length keys but they’re rotated every 90 days. And now the opposite, which I think you can see where this is going, you have long, complex keys that are never rotated. What’s worse?

JJ Agha

Option two. Long term that never rotates. One of the speakers talked about an incident or a challenge and you have to rotate. It’s just best practices about having short lived ephemeral keys that are immutable, but you want to leverage short TTLs and have easily rotatable–

David Spark

So, you think you’re going to get more damage from that than a short key, again easily brute forced. Again, we’re not assuming that this long key has appeared on some public database anywhere, or that it’s been hard coded, it’s just one, sure. You still believe that?

JJ Agha

I still believe it, because the day I say, “Hey, this key was leaked.” I saw it in a Git repo, it’s on Pastebin, or it’s on a Gist that’s publicly available, I ask the service owner, “Hey can you rotate this?” I’m going to be staring at a blank wall and three days of down service.

David Spark

You are permanently owned at that point. Oded, agree or disagree?

Oded Hareven

I definitely agree, but I’ll tell you even more. When you’re going after those long-lived keys for that sense, you miss an opportunity to change in the terms of crypto agility, and that’s the major problem. When you’re having keys that are constantly rotated, although they might be compromised…

David Spark

Although probably because it’s brute force.

Oded Hareven

…But you do have the opportunity because your organization is used to rotating them, so you actually know where they are. With the longer keys, there is a major risk of actually losing track of them because no one really remembers where they are. That’s the major problem. I would definitely go with short lived, rotated keys because that would allow you to basically one day more easily change their strength.

David Spark

You have this temporary sensitivity that gets rebooted. Again, they both stink, we’re agreeing on that. Now, I want an audience response. Scenario number one, short keys always rotated, is that the worst scenario or no, by applause? Nobody. So you’re in agreement here. Applause, second scenario, long keys, never rotated.

Oded Hareven

That was easy, David, I’m sorry. We’ll take that soft ball.

David Spark

Hopefully we’ll get a little bit more split on the second scenarios. Here we go, two scenarios. “You manage secrets in a secrets manager, a vault…” That sounds great, but here’s where it gets bad, Oded, you’re not going to like this part. “…that everyone in the company has access to.” Everybody. Alright, that’s scenario one. Scenario two, again, you’re not going to like this. “Your keys are hard coded…” Ooh, that hurts! “…but your access controls are super tight, only the few people who need to see a repo have access to it and this is audited frequently.” JJ, what’s worse?

JJ Agha

This is a better question than one; this is hard. I’m going to hopefully pick the contrary one to Oded, so it’s a nice little conversation. I’m going to pick that everyone has access is worse. Just because everyone could see your keys, everyone can now access the service and so you have insider risk, you have a lot of copy paste privilege escalation. Great that you could see everything, and it might be auditable. I’d rather have my keys hard coded with tighter access controls, so that I could say, “Hey, these three people have access to it.” I know it’s a smaller blast radius. It’s still not ideal, they’re both terrible. But at least I could shrink my blast radius, is where I’m thinking about it.

Oded Hareven

I disagree here. You would love that. So, hard coded within your source code, this can turn out into a massive, or a major problem of a leak.

David Spark

It sounds like it’s the same scenario as scenario two from the last question, yes?

Oded Hareven

Not exactly, because with this problem, when you have them hard coded, you’re actually having the risk of having your source code be exposed and that means to expose your internal keys or secrets, in that sense, to the external world, where in the first option, like you said, the entire company insider or the entire development know, they have access to it–

David Spark

But at least they’re employees you hired and you trust them.

Oded Hareven

But that’s an insider threat problem, right? So it depends where you feel that you’re stronger.

David Spark

The people you know, versus the people you don’t know.

Oded Hareven

Who are you afraid of more, your employees, or the problem that they might make a mistake that would cause leakage outside with your hard coded keys?

David Spark

So if you fear your employees inside, then the problem is in HR?

Oded Hareven

Well, that’s a different question. You can save that for later on.

David Spark

Now, audience, I want audience applause on this. The worst scenario, we have a split decision up here is secrets in a secrets manager but everyone has access to it. Who thinks that’s the worst, by applause? Good amount, good amount.

Oded Hareven

That’s a half.

David Spark

Number two, your keys are hard coded, like what Oded says, but you got super tight controls on them. Who thinks that’s the worst?

Oded Hareven

That’s the worst, that’s not even half.

David Spark

Alright, a little bit more of the audience.

Oded Hareven

That’s 80, who’s winning?

JJ Agha

Who’s your sponsor for this one?

00:21:07:16

Voiceover

That’s something I would like to avoid.

David Spark

On Medium, a developer, Boemo Mmopelwa, wrote about costly mistakes developers make when managing secrets and how to avoid them. His list pretty much is a hit list of top errors such as hard coding secrets and exposing them on GitHub, poor password management, using weak encryption algorithms, poor protection of secrets in transit, and not using a secrets manager. Oded?

Oded Hareven

Sounds like a smart guy.

David Spark

Yes. My feeling is, secrets management does not come up at the beginning. My question to you is, how many black eyes do companies get before they finally choose to use a secrets manager?

Oded Hareven

Today, as far as we see it, it is no longer a question. Back then, even three years ago, two years ago when you were speaking with people about secrets management, it might be that most of them would not necessarily know what you’re talking about and where’s the problem, right? Not everyone had been exposed to that problem. But today, they don’t really need to have some kind of a breach to actually see the problem because it’s becoming more and more a best practice.

David Spark

Have you seen your sales cycle change as a result? You’ve been around for how many years now?

Oded Hareven

You can say two, since first funded, yeah.

David Spark

So, when you were first talking about this with potential customers, my guess at the beginning, there was a considerable amount of education around just the concept of secrets management.

Oded Hareven

The change was phenomenal, as COVID came, actually. Beforehand it was like, yes, you had to speak with people about what it is, but then what happened, especially in the last 18 months, is that something happened there. The cloud demand was happening, was increasing, as a result of remote work. Everything was tied off together. Then when the cloud initiatives turned on, then suddenly secrets became a problem for many companies. So, we’ve definitely seen a great rise of that fraction in the requirements of secrets management specifically.

David Spark

JJ, I’m going to ask, you’ve worked at a few companies in security, when did secrets management, just the discussion of it, all of a sudden say, “Hey, we’ve got to start taking this seriously”?

JJ Agha

I want to say probably 10 years ago, but we were in infrastructure as a service, we were a CDN, and that was my first foray into secrets management.

David Spark

You were enlightened to it early on?

JJ Agha

Again, I was lucky to be enlightened and exposed to that problem, but I would say from the conversations and what I see in the vendor space it has probably been, as Oded said, probably the last three to two years, you see this conversation pivoting past privileged access management. That problem of, “Hey, store all your secrets here,” or you could, as I say, you could pull it down. That works for the network layer, but now as that convergence conversation about what you’re doing for SCM, what you’re doing for Google Vault, like how do you solve for this multi-cloud, multi-infrastructure environment? I think that’s where, you know, when we talked about what are best practices, keeping it ephemeral, keeping it immutable, having it easily rotatable. That’s where you’re going to need that platform, and then that’s just a service. But when you start talking about, “I have a key that is over-privileged,” I want to think about overlaying detection response to it. I want to start having honey keys and honey tokens to identify, “Hey, I think everything looks great, but if someone checks out this key, I know I’m hosed right now, immediately.” And then also just the idea of, like, Repokid that Netflix open sourced, but looking at the privileges that are constantly being used, looking at the service that a key constantly uses. If we see a new service check out that key, raise a flag, why is this happening? Do we have this checked in? Is this appropriate? I think that’s where we’re seeing the services heading towards from a secrets manager. You see other companies that have started off as a password manager for humans, and now pivoting towards saying, “I have to solve this for services, I have to solve this for non-human keys.”

Oded Hareven

I think it took us time as an industry, the security industry, to basically understand the shift that happened, very fast, within ten years. Containers have come into such great use. Think of it, ten or 15 years ago, you had more employees in larger companies, more employees than actual servers. And today you have, in an order of magnitude, a major change of number of computers, servers and workloads, much, much higher than your privileged users. This change, that shift, took us time as an industry to understand: what does it mean? What do we do? Oh, workload, this is now the big thing.

David Spark

I want to set you up here, because I want to give you an opportunity to tell our audience exactly what Akeyless does. All day, prior to me recording this podcast, I’ve been interviewing people, some of them your customers, and they talk about that they look at a lot of secrets management programs. I’m interested, just give our audience an idea of what Akeyless is doing in this space and what sets you apart from your competition in this space, and why you think your customers chose you over others?

Oded Hareven

Oh sure. We are the secrets management company, so we provide secrets management. And, in short, obviously, it’s the ability to completely eliminate the secrets within the places that they don’t need to be, and then to be able to simply manage them. What differentiates us from our competitors is, number one, SaaS, it’s much easier to use, faster to production, no maintenance required, no heavy maintenance for that sense. We’re providing a product which is wider, with some greater functionality that we provide. We have a stronger security model in terms of the cryptography that we’re leveraging, which is called Akeyless DFC, Distributed Fragments Cryptography, which is an innovative KMS as is. The TCO is much, much better, in terms of much more appealing. The TCO for all of that, you can save your engineering time–

David Spark

Total Cost of Ownership?

Oded Hareven

Yes, sorry, total cost of ownership. So, less engineering, significantly changed; less computer resources, and that’s it, you can drive on. The on-boarding is easy, there’s automatic migration. That’s a major significant differentiator between us and the competition.

Is this a cybersecurity disinformation campaign?

00:27:48:02

David Spark

Alright. We have our next guest on stage. It is Dr. Zero Trust himself, Dr. Chase Cunningham, please welcome Dr. Chase Cunningham. I have a question about zero trust for you, Chase. Are we taking zero trust too far? Over on the Government Technology blog, Dan Lohrmann, who’s the field CISO at Presidio, said that, “Over time our perception of zero trust has expanded beyond what was originally intended. It’s evolved into the throwing away of the foundation of business, which is trusted human relationships. But that’s not the purpose of zero trust methodology.” Lohrmann quoted John Kindervag, who is credited with driving the zero-trust trend more than a decade ago. “Online trust is the vulnerability,” said Kindervag. “People aren’t the issue, packets are the issue.” By way of context, Winn Schwartau of SAC Labs said, “Trust is a dynamic, not a static criteria.” Chase, I know you’ve been following this for a while. In the past decade how has the zero trust concept evolved for the better and for the worse?

Dr Chase Cunningham

Originally, the idea for zero trust was called de-perimeterization, which was actually gobbledygook to say, but the concept was there: we will eventually live beyond the bounds of the perimeter, we’ve got to do something that recognizes that. And then it started, to John’s point, because he was visionary with this, of the network is the thing because, at that time, the network was where the power would lie. So you’ve solved that problem. We’ve evolved since that. Now, the users are the ones, the admins, the accessors. If you look at where the bad guys go, which is where I always look, they don’t hack firewalls, necessarily, they don’t care about packet manipulation. They go social engineering, go after humans, get access, creds and then wreck shop. So, yes, it’s evolved and yes, it’s evolved correctly, which I think now we see it rotating and revolving around identity. And those other things are part of ZT, but if you solve this problem first, you solve a very key and core problem which is where the adversary goes after you. I have to remind people that, in the evolution, we’re not in a just straight up defensive posture anymore. I want to take the fight to the enemy. I’m going to meet you at the door, I’m not waiting for you to come in the door and come into my home.

David Spark

That’s a good point. Alright, I am assuming, JJ, that when you first heard the term “zero trust” and today that understanding, that evolution of what that term meant, or it has changed over time and maybe you’ve heard a lot of definitions of which some you agree with and some you don’t? Yay? Nay?

JJ Agha

Chase hit it spot on, so his name Dr. Zero Trust really does live. When I first started and learned about zero trust, it was with BeyondCorp, it was the Google, it was the Aurora hacks and very similar, they went to the network layer, right, then they started looking at the devices, started talking about TPMs, and looked at it with a cryptography to solve some of this and had a policy engine and whatnot. They started overlaying concepts, and I think one thing to not jump the shark here, is we need to get the basics right and then converge and compile all the other concepts. So, IAM. Do we have appropriate asset management? Do we have appropriate IAM? Are we following least privilege and need to know? If we can’t solve for any of those, then the journey down zero trust is going to be a very tough and uphill battle to solve for, because you don’t know what permissions to grant what user, what asset to what data store. You’re just kind of chasing your tail saying, “Hey, we’re doing zero trust.” At the best, you’re doing what the vendor tells you is zero trust and so, to go back to the original question of are we over-prescribing zero trust, I think as organizations and private sector, public sector, no. As vendors, I think it’s coming from the Executive Order; it’s a new ambulance to chase a bit. But the concept is dynamic, it’s going to be ever-changing and we really do need to evolve. Ten years ago, IoT and this large microcomputing at the edge didn’t exist. It really is now becoming a day to day, where you pull out your phone, you have ten different devices. How are you managing ten different identities from one different user who wants multiple assets? You know, what assets should have access to what data store? I think, to follow up to Chase’s comments, it is going to change and has to be dynamic.

David Spark

You did a presentation about this earlier today, Chase. Walk our listening audience through the three just stages of zero trust.

Dr Chase Cunningham

In the identity space, I talk about the three Js. Justify, just in time and just once. If I can do those things, and we’ve talked about justify is probably the most difficult thing to get right in a policy engine, but if you do those things, you’re taking the power back from the adversary and that’s it.

David Spark

Let’s focus on justify. Justify is, why is this person connecting to this database, this app at this time, this person’s identity. Is this “justified”?

Dr Chase Cunningham

It’s the should, not the could.

David Spark

The should. How do we develop that understanding of the should?

Dr Chase Cunningham

The policy engines here have to be really powerful. They have to be able to take in lots of information, they have to be able to do the telemetry coordination and then enable a decision to happen, which is a justification. You have a lot of these things. You have ticketing systems, you have contract management, you have all these other pieces, and everything out there nowadays has got an API; pulling that information in, using it to fill that sort of process engine and actually make a decision that this needs to happen, that’s key and core to this. And the funny thing is, the more you do this, the better you get at it. Everybody in the space talks about AI and ML. I’m a math guy. ML gets better with more.

David Spark

I’m going to throw a little wrench into it. It does get better with more.

Dr Chase Cunningham

With good more. If that’s a thing!

David Spark

With good more, right. But there is a point where, like anything, there is no kind of return.

Dr Chase Cunningham

There’s always risk, and you’re never going to be a billion percent. The other thing, the guy that wrote this thing also said that there is no zero trust. I would agree with you, just like a body builder that has zero body fat will die, so you have to have some. There’s always going to be some. But it’s really not a good way to get people wrapped around the concept to go, “Let’s have some trust.”

David Spark

The other two, just quickly cover those two as well?

Dr Chase Cunningham

Just in time: you get it now, you do something and then that’s it, it’s usually going to be session-based. And then just once. You do it again, if you need it again, I do it again. You can do this and it doesn’t interrupt the user’s life cycle, you just make it fast.

David Spark

It seems that most programs out there, there are solutions for those last two and, like you said, and I’ll throw this to you, JJ is, how difficult is it to create policies to create a justify engine?

JJ Agha

To Chase’s point, it’s a math problem, so you’re looking at data models, figuring out what are the patterns and that solves for your repeatable patterns, the 80, the 90. And then you have to think about the break glass scenarios and really think about as a business, what are the different risks and what are the different ways to get in if something does occur? And then it’s just like programming an allow list on any firewall. You know this server needs to talk to this server, so I’m going to create the ACLs. It’s the same conversations whether it’s a human to a data store, a human to an application, or an application to a server. What services should they talk to, and then prevent the could they talk to conversation. You do that, it’s just a simple conversation of policy. There’s just a lot of legwork and you have to, going back to Mike’s conversation, have the appropriate conversation and communication to the right business partners and speak their language. I can’t go to my CFO and say, “Well, you can’t connect to SAP and I’m going to start blocking port 443.” Their eyes are going to roll and they’re going to be, like, “What are you talking about?” We need to speak the language as practitioners, whether an engineer or analyst, I think that’s the biggest hurdle, for number one. It’s not about the systems, it’s really just about us as practitioners of selling why zero trust is important.

It’s time for the audience question speed round.

David Spark

Alright, I have here in my hand a handful of questions.

Dr Chase Cunningham

I like long walks on the beach.

David Spark

Those are not the questions the audience has for you, Chase.

Dr Chase Cunningham

Alright. It was worth a shot, it was worth a shot.

David Spark

I got six questions, let’s see if we can hit all six, so I’m not looking for long answers. Some quick answers on this, give what you got here. Feel free either one with your first answer to this. Do you feel safer with your data all in one place or distributed? This is from David Berger at the SDG Corp.

Dr Chase Cunningham

Distributed, if done correctly.

David Spark

Okay, what does “if done correctly” mean?

Dr Chase Cunningham

There are ways to do distributed ledger stuff the right way and without the shenanigans of blockchain and actually have it be correct.

David Spark

Alright, I like that answer. JJ?

JJ Agha

I’ll pick distributed as well but, again, done the right way. You can have the right IAM, ACL strategy to solve for distributed. You then have a whole other conversation around data leaks and data warehouses that we could tackle some other time.

David Spark

And have you traditionally been distributed?

JJ Agha

Yeah, every application owner wants to manage their own data store.

Dr Chase Cunningham

Unless you’re building it yourself.

David Spark

Second question, this comes from Gui Martins of ObjectSharp. This is going to go to you first, because he’s teasing your “justified, just in time and just once”.

Dr Chase Cunningham

Uh-oh, right.

David Spark

So, how do you reduce friction, with the whole business that is, where security is trying to implement “justify, just in time and just once”?

Dr Chase Cunningham

I tell them that, like anything else in life, change sucks and it’s gonna hurt, but we will get better over time and the policy engine and everything else will catch up to the pain we feel now. I would rather suffer for 30 minutes than die because I didn’t do something. So, my honest answer to them and not technology speak is, “Change sucks, buckle up, let’s get through this.”

David Spark

To some level I agree with you, but to some level people are going to be like, “Ah, I don’t know that means I have to trust what you’re saying.”

Dr Chase Cunningham

Then you will fail, that’s what I would tell them. Your choice is do this or you will fail, and if you think you’re better than all these other companies that have failed at it, then, show me how you do it differently.

David Spark

I’m going to jump to the next question. This comes from Daniel Fabbo of Cimpress and I’ll start with you, JJ. What is your biggest headache with regard to identity access management?

JJ Agha

Too many vendors! I mean, you know, when you think about all these applications and the biggest headache is that security wants a single IAM strategy and now I have 100 different SaaS applications; ten of them could support SCIM, ten of them could support SSO; two of them are stand alone, three of them have no other face support. That’s my biggest pain is the IAM sprawl. Secrets manager is here to help you, but that’s the challenge that we’re going to have to solve as an industry. There’s OIDC, there’s WebAuthn, there’s protocols out there that are hopefully, as we go to HTTP/3, web 3.0, it really starts becoming a repeatable pattern but that’s my biggest pain point is very similar to data sprawl is identity sprawl.

David Spark

I’m going to throw this one to you, Chase. This comes from Rolando Galan of Gobi IT. He asks, “What would it take for us to live in a world with identity but no passwords?”

Dr Chase Cunningham

We need self sovereign identity, we need biometrics and we need the rapid adoption of those technologies for as much as possible as fast as possible.

David Spark

Those techs have been around, especially biometrics, for quite some time. It’s not happening fast now.

Dr Chase Cunningham

It’s not happening fast now ’cause there’s still this reliance on the old paradigm and, like we said earlier, people are resistant to change. Even though you can say like, “Look, this change is better,” people look at it and go, “But change sucks, so I’m going to do what I’m doing, thanks,” and you stay where you are.

David Spark

I’m throwing this one to you, JJ. This comes from Karla Mancilla Farley and she’s with CaptionCall and she asks, “What ways are you engaging with vendors today,” remember this is the CISO vendor relationship podcast.

Dr Chase Cunningham

Fighting in the parking lot!

David Spark

“What ways are you engaging with vendors today that you didn’t do before?” First of all, are you engaging with vendors?

Dr Chase Cunningham

Yes.

JJ Agha

Yes.

David Spark

What ways are you engaging with them today that you didn’t do before?

JJ Agha

Everything’s virtual, but I typically get phone calls and I just tell everyone, “I will reach out to you when I know I want to solve this problem.” I don’t need a vendor to pitch that, “Hey this is a challenge that you don’t know about that you need to solve for.” From the external face, I think it comes off arrogant to say “Hey, I know your challenges better than you do,” because I do both, and I’m like, “Ah, I wish you did.”

David Spark

Has any vendor really done – and not a lot do this – true due diligence to try and learn about your environment?

JJ Agha

Yes. And so the vendors that say, “Hey, I listened to you on the CISO podcast, or I listened to you on other podcast” and take a line or just do that digging–

David Spark

Sorry, you’re appearing on other podcasts besides mine?

JJ Agha

Yeah, sorry about that.

David Spark

Go on!

JJ Agha

I think that’s where it goes a long way. Just make a human connection and then we could have a conversation beyond just the company to company. I think when we have a human connection, especially nowadays, it goes far and a lot further.

David Spark

Last question, I want you both to answer and it’s time to trash a category here. From Suki Tsai from Cerner, she asks, “What’s the most overrated tech category now?”

Dr Chase Cunningham

The most overrated tech category? As far as just in this space in particular? Because there’s a lot of tech categories.

David Spark

In cyber. We’re going to stay in cyber in general.

Dr Chase Cunningham

Artificial intelligence, period, point blank, end of story.

David Spark

Yeah? JJ?

JJ Agha

That’s 1(a), I will pick 1(b) and I’ll probably pick XDR.

David Spark

Why do you believe these are both overrated?

JJ Agha

For XDR, it’s just the same patterns. Why do you need to throw an X? It’s still, an end point, it’s still an asset.

Dr Chase Cunningham

Because it’s sexy and X looks cool.

David Spark

You know, my other co-host Mike Johnson said the same thing. It’s the same darn product here. We’re just creating a new category.

Dr Chase Cunningham

But it has an X in it.

David Spark

It does have an X in it, that does help. That does make it sexy. And I should also mention, and I’ve talked about this before, why the heck is Gartner building more categories? Enough, just stop.

Dr Chase Cunningham

Have you seen the Threat Cube?

David Spark

How many categories in that?

Dr Chase Cunningham

Well, how many’s on a cube, right? Yeah, go look at the Threat Cube from Gartner, it’ll give you a headache.

Closing

David Spark

Oh jeez, we don’t need more categories. That brings us to the end of this show. Thank you, thank you very much to all of my guests. Mike Rogers, Oded Hareven and Chase Cunningham. By the way, Chase, I’m going to let you have the last word here. I also have to thank our sponsor and the people who put on this phenomenal event in New York City, Akeyless. Thank you very much for Akeyless, let’s hear it for them. Go check them out for all your secrets management needs. Their web address is akeyless.io. Check them out. I always ask my guests and JJ, you’re here, are you hiring by the way?

JJ Agha

I am. I don’t know how much headcount I have for 2022, because I’ve been slacking on parental leave, so thank you for allowing me to be here, but we are hiring for multiple positions for product, infrastructure security, enterprise security. Definitely come on down, ping me on LinkedIn or reach out to our careers page.

David Spark

JJ, any last thoughts on the topic in our discussion today?

JJ Agha

Not me, I think zero trust and secrets management, it’s a needed part of any security program. Getting the right vendor, getting the right partner and getting your organization to believe in it is going to be the biggest thing. Very similar to Chase, he could tell everyone but if they don’t believe in it, you’re not going to solve anything. So I think it’s leverage and lean into the ROI. It’s going to constantly, it will provide you exactly what you want at the end of the tunnel, but it’s just going to take some work and just like everything worthwhile, change is going to be good. Just suck it up and go through it.

David Spark

Suck it up. I think maybe that’ll be the title of our episode, Suck It Up, Losers! Alright, Chase, any final thoughts on today’s topic?

Dr Chase Cunningham

I think the most important thing is think about it from the perspective of the adversary. What are they going to use to cause problems? Then also look at the cyber Serengeti and figure out how not to be the slow gazelle. If you don’t want to be them, do something different and you will not be them, which is a win.

David Spark

Excellent point. Again, I want to thank our audience here at KeyConf, and all of the phenomenal people at Akeyless and by the way this production crew has been completely aces here. Kudos to the production crew. Come on, they have done an awesome job. These guys know how to produce an amazing show, so thank you very, very much. Thank you, as always to our audience for your contributions and for listening to the CISO Security Vendor Relationship Podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.