Zero Trust - we hear it all the time. However, when you've been asked to implement Zero Trust for your organization, it takes on a whole new meaning. In this episode Jim and Chris Steffen from the Cloud Security Alliance discuss what Zero Trust is and how to tackle it wherever you are in your journey.
Jim: Hey everybody, Jim Mandelbaum back with another Navigating the Cloud Journey podcast.
Today I've got a really interesting topic. Actually, some of you might already be tired of hearing about it, but I really think we're gonna dive into some places. I'm joined today by, and I wanna say it right, Chris Steffen, co-chair for the Zero Trust Working Group at the Cloud Security Alliance. Welcome, Chris.
Chris: Hello. Hello!
Jim: Maybe you can very quickly do a little bit of introduction, give a little bit about your credibility here.
Chris: Yeah, I don't know how credible I am, but I'll try. I am a longtime security professional, been doing this for the better part of 25 years. I am, as you mentioned, the co-chair for the Zero Trust Working Group at the Cloud Security Alliance. We're taking and doing lots of interesting surveying and researching to really try to further what the general understanding is of Zero Trust, some of the benefits, some of the pitfalls that people are seeing. My day job, I am actually the managing research director at Enterprise Management Associates for information security, risk and compliance.
So it's literally my day job to do this too, and I've done plenty of research there on Zero Trust and all the regulations that come around it and how it all stacks together. And then before then, I've obviously had every position there was, I've been a CIO and a Chief Architect and Chief Evangelist over at Hewlett Packard and a whole bunch of other things. Been around the block.
Jim: Bunch of lightweight positions. All right. Yeah. So, we've established credibility, but before we dive in, I think a lot of us are tired of hearing about Zero Trust, but we don't really know the origin of Zero Trust. Maybe you could back us up a few years and actually we're about three years back right now, where all of a sudden everybody started saying, Ooh, I need to actually pay attention to this. Where did that come from?
Chris: Yeah. Don't be tired of Zero Trust. And I know that it does seem like it's the center square of buzzword bingo for everybody lately, and there's not a whole lot I could do about that. I promise you, if you're going to RSA here in a few weeks, you will be hearing about Zero Trust. So just brace yourself, it's gonna happen. But it's a good thing. And finally, the reason that we're hearing so much about it lately is that the government is finally really taking steps forward to improve everybody else's security. This started out as a concept from some of the other analyst firms. And it was looked at, then not looked at. It has always been in the government space as an interesting thing, an interesting journey that kinda is a summary journey of a lot of security best practices. But at the end of the day people summarize Zero Trust by "trust nobody". And I guess at the essence that's true, as the guy who coined the term Zero Trust is a gentleman by the name of John Kindervag. And he'll tell you that we as a community in general have made it overly complicated, and it's something that's relatively simple, and that is really taking and having a good handle on all the different aspects of your infrastructure, the security aspects of that infrastructure and how those different parts all interact with each other and all have to be understood and documented and trusted to come up with an overall security picture.
Yeah. And that's the idea behind it, and that you're hearing a lot about it now because again a lot of different companies are seeing the value of it. A lot of different organizations are seeing the value of it. The government is seeing the value of it. And it's really starting to gain some legs as being a trajectory, a journey to improve your overall security within your organization.
Jim: Now, for most of us in the enterprise space, it's an optional thing. But if you're in the Fed space, based on some mandates from the executive order, it's really not optional.
Chris: That's right. Yeah. You're going to start seeing some of the latest regulations and executive orders come down. Zero Trust is going to be pretty much mandated in the Fed space. All those three-letter acronyms are going to have some iteration and some kind of implementation of Zero Trust. But the good or bad news, depending on your perspective, is that you're going to end up getting Passed Down Compliance as well.
I coined the term Passed Down Compliance a long time ago, and it's the idea that if you're doing business with some vendor up top, the compliance regulations that they are having to comply with get passed down to the vendors that they work with. So, if you are a government contractor, the government is obviously going to do it; if you're a government contractor, well, they're going to expect that you're going to have a Zero Trust implementation. If you're doing business with that government contractor as a subcontractor, likely you're going to have to be doing that kind of implementation as well. So again, not necessarily a bad thing.
Here in the security space the idea that more people are going to be more secure is not bad. That's again, that's good. We like that. That's better.
Jim: So, we've been touting least privilege forever.
Chris: Forever, yeah. So, I'm glad that it's getting the attention, right?
Jim: Yeah. And this is the first time I think that it's really starting to get some attention. I heard a really interesting survey that was done by, and I won't say who it was because I don't think I can give 'em credit right now, but let's just say it was a leading researcher. They said that they surveyed a very large number of executives at enterprise organizations and they asked them how many of 'em think by the end of 2026 they'll have achieved any form of Zero Trust, and it was less than 1%. So, we definitely have a ways to go, but I think more importantly is understanding it. So, I think what we need to do is we need to do some level setting. Let's, I know that's probably surprising to you.
Chris: Well, no, and let me share too, because I've done my own research in this too. And I'll tell you that I did some survey of six to seven hundred people and 38% said they were starting the planning of their Zero Trust projects. A lot of 'em had data security as a driver. 37% said that they had a driver of data security. The reason that people aren't taking and doing is lack of understanding and lack of budget. Again, it isn't that they don't see the business value; in fact, business value was ranked as the least reason. 7.7% said that business value was the least reason that they were going to implement Zero Trust, and lack of budget being the greatest reason that they weren't going to implement Zero Trust.
So again, those executives out there are interested in it. Sometimes it's just a lack of understanding. Again, those numbers are real.
Jim: Yeah, I agree with you and that's why I wanna dive in on some of the understanding. Most of the people that listen to this podcast are practitioners. We have some that are decision makers, but a lot of 'em are hands-on practitioners, and I think one of the things that they get is they get mandates pushed down to 'em, right? Everything just flows downhill, and they get told, do this, but not really understanding what it is they're doing.
So, I want to dive in real quick. Let's do some education right now. So, the first thing is when we deal with Zero Trust, we have these things called pillars, and then we have these tenets. So maybe what we can do is, what are the pillars, what are they at a high level, what the heck are the pillars? And let's dive into a little bit of the tenets.
Chris: Yeah. So, at the highest level, the pillars are the different kinds of parts that make up Zero Trust. You have anything from identity management to networking to, I'm doing one on data right now in the Zero Trust Working Group.
And so those are all the different parts that make up Zero Trust. There isn't one part that's any more important than the other. And then when you start talking about the tenets, it's under each of those pillars, what are the different parts that make up. So, pick up something simple like, that's oxymoronic, data is not simple, but pick something like data management. What are the different components of a data scheme, a data security that might make up Zero Trust, from regulations to data ownership to data classification, data access. Even that next level, things like data locality and those kinds of things.
So then you have to understand the regulations and the guidelines and controls that you're going to adhere to in order to make those things Zero Trust-ready and have some semblance of control over those different aspects.
Jim: First of all, I think we need to shoot a hole in the foot of a lot of vendors right now and say that Zero Trust is not an application.
Chris: Please! It's not! Everybody please!
Jim: If you have a vendor that calls you and says, I have a Zero Trust offering that will solve all your Zero Trust... Hang up.
Chris: Right away you're gonna go to RSA and you're gonna hear the same thing, right? Your out-of-the-box Zero Trust solution. That is absolutely not true. That doesn't exist. It doesn't exist. I don't care who you are. That literally doesn't exist. No.
Jim: Now there are pieces. If they come back and say we have for this element of Zero Trust, we have a great solution. I would perk up and say, okay, tell me more.
Chris: Absolutely. And there's plenty of them out there. So yes, depending on which tenet you're looking at, a different component can be addressed by the 7,000 vendors that are gonna be at RSA. And they may have that piece, and they may have that piece nailed down. They're worth talking to.
Jim: Yes. But I think one of the things that's interesting is, a lot of folks that I talk to, they start trying to bite off a lot. I wanna do microsegmentation, I wanna start sectioning off all my virtual compute, I wanna start doing all this. And I think that what we need to do is we need to step back and start doing some of the basics, right? So, one of the things that I found really interesting is the low-hanging fruit; and Zero Trust to me is start implementing some best practices. Things like multifactor authentication, things like a risk-based approach to access.
Things like a machine itself is an identity, and stop forgetting about machine-to-machine communications in that risk-based approach. And so as I start talking about this, we all know I'm actually talking about the basic outlines of tenets that talk about how do I achieve Zero Trust? And as we start getting into this, there's one piece that is really important, which is visibility.
It's really about how do I know that I'm actually achieving what I'm trying to achieve if I can't validate in some way? So maybe you can talk about this concept of visibility in relation to Zero Trust.
Chris: Yeah. I think that, to echo what you said, we are making this way too complicated, and I'll just give you a strawman example.
You figure that for any Zero Trust journey, it's not a project, by the way, let's get rid of that term too; this is something that is a strategy, it is a journey, it is something that is going to be multifaceted and multi-pieced, and it's not something that you're going to likely accomplish overnight.
But let's just hypothetically say that your Zero Trust journey includes, I don't know, 30 different components. Right now, in your organization, you likely have a certain number of those, and that number could be as many as 10. If you're super mature, that could be as many as 20, but you don't likely have all 30. And maybe you don't even need all 30 when it's all said and done. But, it doesn't negate the fact that the 20 that you have done, the 10 that you have done, the, even the three that you have done, are steps in the right direction to make your organization more secure.
So let's talk about visibility for a moment. That's a key one, right? You probably have some management tool out there that you're using, a SIEM, an XDR solution, an EDR solution, whatever that might be. And that has visibility into your user space. It might have visibility into your networking, it might have visibility into your applications like you mentioned.
And those are all parts and pieces of trying to understand how you're going to not only recognize them in your infrastructure, but then how you're going to secure them. It's very difficult to secure things that you don't know that you have. And so understanding and gaining visibility into those different parts and pieces, from users to applications to machines themselves to networks, that is a critical component that you have to start with. So visibility is critically important.
Jim: So, I think that, in hearing you talk about it, and I love this, visibility means something different to everybody. And I think one of the things that I like to pivot to is what you just said is really, I wanna have observability into what's happening on my network, right?
Yes. I wanna know what's happening. I wanna know that if I put a measure in place, is that measure actually working, right? If I say that I wanna take a risk-based approach, am I mitigating the risks that I should be? So that really, to me, is more about observability. But when we move in from on-prem, when we move into the world we're talking about, which is now the cloud, and let's be honest, nobody moves 100% on-prem to the cloud, if they do. Yeah.
It's always a hybrid. Always of some kind. Always. Yep. It's always, and it's probably going to be multi-cloud. Yep. And I love how a lot of people say we only live in one cloud... no, you don't, because there's somebody out there that grabbed a credit card and signed up with another service that you just don't know about yet. That's where observability helps. When you start seeing communications you didn't know you.
Chris: You could be totally an AWS shop, we're all AWS, but you're still using Office, right? Yeah. You're using Office for something, and so you're using Office 365, which is in some cloud by itself. You're using Salesforce, it takes in and has a cloud in and of itself. You're using some kind of analytics engine; it's using some kind of Google analytics or whatever have you. So, you are multi-cloud, everybody's multi-cloud to a degree. Embrace the horror, but that's what's happening, right?
Jim: I love it. You said it. I didn't have to say it. I say that a lot. People go, "no we're not". I'm like, okay, put your head in the sand, but the reality is, you are. So, as we start moving into the cloud, because people listening to this are in different parts of their journey, right? Some people are listening to this going, we've already been there, we've done that. We have some people that are saying, I'm just dipping my toe. And so a lot of people start looking at it and going, I'm in the cloud, can't I just use the tools that the vendor and the cloud provides? And the first thing, I shake my head and go, that's great if you only live in one cloud, but we just established you don't.
So, getting visibility into these environments has never been more important. What does North-South, East-West, mean to you from a Zero Trust perspective?
Chris: Yeah. Boy, that's a great question. That's a podcast in and of itself. So let me go back for a second and say that it's imperative that, depending on the maturity and the size of your business, you never reject help from others. So, if your cloud provider or your host is going to offer you tools that give you observability and manageability into your environment, you should take that help all day. It isn't the end all, be all. Think of it as, quite bluntly, and I don't mean to disparage any of the providers or “hosters” out there, but it's gonna be the bare minimum. They're going to give you the tools that allow you to do at least some of the things that you need to do to be able to manage it.
Jim: I like to use the word good enough.
Chris: Yeah, it is, right? And maybe it is, right? Maybe if you are a very immature environment and this stuff is all freaking you out to no end, maybe you start with that. And then the next step in your journey is to take and get some kind of aggregation visibility solution that can span multiple clouds to give you visibility into all those instances. How they interact with each other, the risk associated with each of them depending on what you're doing, so on and so forth.
It is a matter of maturity. Yes.
Chris: To come back to your question, the answer is that you have to start somewhere, and if you think that you have everything nailed down with the tools that you're currently using, now let's take it to the next step and look at how can we aggregate all that visibility into one pane of glass that gives me a true, at-the-moment report of what's going on in my overall ecosystem. Not an easy thing to do, and it's one of those things where there's a lot of connectors from an East-West perspective. As you go up and down the stack, there's things that you have to be aware of. There are things that you have to connect to. There are things that I promise you're going to forget.
And where your tool comes in is do they help you remember the things that you're going to forget? Do they give you visibility on the things that are not documented? Do they give you a sense of understanding of, I am going to deploy this tool; it's going to give me visibility on the things that I know about, but it's also going to give me ideas of things that I wasn't thinking about as well. That's where that real value comes in. I always use the term "phone a friend", right? That's where that value comes in. Being able to phone a friend saying, we've been down this road. Let us help you go down this road together and we'll come up better when it's all said and done.
Jim: I think one of the things that I keep hearing quite often, and you just said it, is the stuff you don't know. I know I'm stating the obvious, but I think what's interesting when we move to the cloud is the ability to just spin up compute and spin up different VNets and VPCs just at will. If you don't have a real-time view into that traffic, you won't know it happened until days, weeks, months.
Chris: Let's give a simple example, and unfortunately this example is all too real. But we were talking a minute ago about how you were multi-cloud. You are multi-cloud, whether you know it or not. And another perfect example is all the shadow IT that's going on, right? You are completely a Microsoft Azure shop, except the developer who stood up his S3 bucket to do some testing on what he thought was scrubbed data, which actually happens to be the crown jewels of your company. And you have no visibility into that. That's very scary. Especially how it's being used, where it's being stored, how it's being configured, whatever have you. And they don't think they're doing anything wrong; they're just trying to get their job done. But that's one of those things, again, you are multi-cloud, whether you realize it or not. And the solutions that you have that provide that amount of visibility will at least give you another chance that you're going to find everything that you think that you need to be looking for.
Jim: Yeah. I agree with you. I think that one of the differences of using the stuff they give you versus some of the stuff that's more advanced as you get more mature is that ability to start seeing stuff in real time versus relying on stuff that's legacy.
Jim: Now I wanna go back, we were talking about the different tenets I was asking you about earlier, and we talked about the identity-based stuff, which is really the crux, and I think a lot of people... That piece of it, and my, just so you know, my background is identity, so I come running home to mama there when I talk identity; that's my comfort zone there. But when we move into some of the mandates that have come around with this, some of the visibility mandates that are there, there's one that is tenet seven which talks about I need to see everything everywhere all at once. God, I hope I don't have to pay royalties for that. But I think that's the mandate. I think that as we get mature, that is something that they're asking for. And I think that what that means, and you tell me if I'm wrong, since this is your world, what they're saying is that we can't just accept the packets. We can't just accept the logs. We need to do enrichments. We need to enhance ours. Is that where you go with that?
Chris: It is. I'll even take it a step further than that too. It's that you can't be point in time, right? And so no matter how you look at it, logs are a point in time, right? I can tell you what happened yesterday at 2:47 PM, and Jim logged in to this computer doing these kinds of things. Great, that's wonderful, tell me what Jim's doing right now, okay? I can go back to a log and say Jim is logged into this computer doing this thing. Okay. But I still need to know what Jim is doing right now.
And so you wanna have something that's more point in time and I'm not even necessarily talking about aggregating because we can do some of that as well, but it needs to be something real time. I need to understand if Jim is doing these kinds of things and all of a sudden he's logging in from North Korea, something is probably not right. And so I need a better understanding of what he does, what he's going to do, to be able to make real-time decisions based on what Jim does as a person and how our organization views his role at the company being able to do X, Y, and Z and what kind of data that he has access to.
And so again, quite frankly, Jim shouldn't be taking and accessing corporate HR data from North Korea. That doesn't make any sense. So, we're going to have a system in place that basically prevents him from doing that. That's really what makes sense. If Jim is in a coffee shop, we think that's probably okay, but because it's not a protected network, maybe we're going to limit the amount of data that he has access to, whereas if Jim is in our black box SCIF somewhere, he can have access to everything because that's what his job is. So, it really has to be contextual. It really has to be real time. It can't be this trending, and so on and so forth. You really do need to understand the identity of Jim, what his responsibilities are and what things are outside of the realm of normal.
You can even take it to another step from there. You can add a data component to that. Data has its own identity as well. Can data be accessed in certain places or another? Can it be accessed by certain people or another? Can it be encrypted in certain ways or another? You can even add another component, one that I'm working on that's particularly interesting, is application identity. Is an application an entity in and of itself, should an application be accessing this kind of data? Should an application be accessed by this kind of person? Should this application be accessed by this kind of device? And those are all parts of it that make up this bigger picture, that makes up your whole Zero Trust picture, and it becomes very interesting. From those decisions now you can take and really do some interesting security-related things that really improve the overall security posture of your company.
Jim: All right, so let me just go through everything you just said. It was a lot. But I wanna piece these together. You know, you can't boil the ocean. There is no way that, boy, that's a small cup of coffee there! Yeah, it's not coffee, it's vodka. Ugh. So, from what we just talked about, I heard identity, I heard a risk-based approach. I heard UBA, user behavioral analytics. Yep. I heard real-time visibility. Yep. I heard observability. Yep. I heard contextual, which means I have to know where my crown jewels are, because if I don't have an inventory of where my assets live, I can't answer the question, how bad is it, so I don't have the context around it. But then I also have the portion where I have to be ready to find new stuff that I didn't know even existed. So, all of that is what I just heard in everything you just said. So I, yes, we're running out of time here.
Chris: The last one is the deal breaker too, by the way.
Jim: What's that?
Chris: So, finding all the new stuff is always the part where we fall down. Because I can take, again, a point in time, I can say everything is all secure all at once, right? I know this because I only have three people and I know what they're doing and I know where they are and I know what computers they're using, and I know what devices they're using, I know what applications they're using, and we're good, right?
Jim: Three minutes ago.
Chris: Yeah, but now what's happening right now? Jim is still not in North Korea, and I just set up this new storage somewhere else, and how does that integrate with all of this? And then I added a new application, or I added updates to an application or whatever have you.
So, it's that continually evolving infrastructure and that has to be addressed somehow.
Jim: Yes. And I think automation is key. I think we need to start looking at how we can automate some of this, recognizing when those new instances are stood up through automation. I think one of the other things that's often overlooked is we look at infrastructure as code as the norm nowadays.
Getting those developers on board, getting them involved in the process sooner rather than trying to apply Zero Trust to them after the fact. I think that's important, to educate them.
We are out of time here, so I'm gonna step back. We talked about a lot of stuff, and I think when we got to that big ideal world scenario you gave us, that's for somebody who's a little more advanced and we've gotta dip our toe, right?
Jim: So, I'm gonna put you on the spot and ask you, if I'm somebody coming into this and I had to start looking at how do I get started with this? Now I know I'm gonna ask you where do they go to read more, and I know it's gonna be the CSA, but let's talk about right now: if I'm somebody listening to this right now and I need to start just dipping my toe, what do I do?
Chris: So, I'm not gonna say CSA, I can say CSA and you should go look at CSA, but I will tell you, quite frankly, look at the project plans and the budget that you have for the remainder of 2023, if that's what you're looking at.
And then start looking at the vendors that are in that space and just try to understand what their Zero Trust approach is. Not their solution, not the end all be all. Just try to understand how that particular vendor believes and looks at Zero Trust. And they're all different. And again, I'm not trying to promote anybody over anybody.
Take a look at 'em. They all have their benefits; they all have things that are less good. And try to understand how that's going to integrate with your journey, with your company, how you want to approach things. Don't try to eat the elephant all at once; you will not win.
Take and do it piecemeal. Try to understand how you can take and gain some traction in networking. Then take and look at how you can gain some traction in identity. Then look at how you can gain some traction in data. And then after a certain amount of time, you're going to find that, yes, I'm implementing these projects. These projects are gonna take nine to 18 months to implement anyway. But when we're all said and done, we're gonna actually make real headway. But I promise you it's not gonna happen overnight.
And so have a strategic approach of how you would like to take and approach these different projects based on what your priorities and your budgets are already. I will also tell you that your compliance and your risk team likely have a say on how those monies are being deployed, and talk with them as to what the priorities are too. Get an understanding of what the priorities of the business are and align that to what your Zero Trust goals are going to be. That way you ensure that you have success. It is, and I hate to say it this way, likely to be a multi-generational project. It's going to be something that is going to start with one executive and may even wrap up with another executive. But understand that, and understand that the pieces in and of themselves are progress, and then you'll have success.
Jim: That's great. Now, before we leave, one final sign-off here. If somebody is interested in learning more about the CSA, and I know you're here not representing the CSA in general, but I think that being a member of the CSA, I'd like to give them a plug. If someone wants to learn more about this and what the Cloud Security Alliance does, where should they go?
Chris: Yeah, csa.org. Again, I can't recommend them enough. They are non-denominational, right? They're not out there taking and plugging a particular vendor to do a particular thing, so on and so forth. They are doing research for the betterment of all the boxes and wire types that are out there trying to gain further understanding. Lots of great trainings that they offer, tons of great resources that are out there. Again, at all your major conferences, they'll have a booth that you can come and visit. And again, check 'em out on LinkedIn, check 'em out online, and then if you're still looking and you can't find anything, you can always ping me on LinkedIn, I'm there too. Happy to take in and guide you where you can go there.
Jim: Wonderful. So, for all of you listening, I want to thank you. If you have any comments, feedback, questions, please reach out to us. You should have links with your podcast as well as if you're on YouTube, there should be some links there to give us feedback. We welcome it, and I want to thank everybody for joining.
And thank you very much for joining today.