EP3 – Evolving Zero Trust

Mike: Welcome back. This is your host. Mike Valladao with the Navigating the Cloud Journey Podcast series where we have real talk with real cloud experts. Welcome to episode number three. Today, I've decided to call our session Evolving Zero Trust. 

[00:00:17] My guest today is Dr. Chase Cunningham. Chase is the Chief Strategic Officer and Ericom Software, but he spent years working in the trenches in both the military and commercial sides of cyber threat [00:00:30] intelligence. In addition to a PhD in System Security, Chase spent about four years as a Principal Security Analyst with Forrester. And just last year, he authored a book titled Cyber Warfare - Truth, Tactics and Strategies. Welcome to the program Chase.

[00:00:48] Chase: Thank you very much for having me. 

[00:00:50] Mike: Hey Chase most of our listeners have at least heard of, or are somewhat familiar with Zero Trust, but please give us your rendition of how you define this [00:01:00] whole paradigm.

The Origins of Zero Trust and how it's Implemented

[00:01:00] Chase: I think really people usually make it way too complicated and they look for this big grandiose definition of what ZT means. And I don't know, like the ethereal determination and I have people emailing me about their dissertations on whatever else. And it's like look, you live this way every day. Whether you realize it or not. It's pretty much don't trust nothin'.

[00:01:21] Mike: That's a good way of putting it. And the way I look at it, it's evolved over the years right? 

[00:01:27] Chase: Yes, we've definitely evolved. It's changed [00:01:30] from the idea actually de-perimeterisation was around in 2003, 2004, The Jericho Forum, when basically they were like, look, there's going to come a time when we won't be able to hold the enterprise inside of our little fence. And that was the idea of getting past the perimeter. De-perimeterisation spelled the Aussie sort of New Zealander way without a Z in it. And then it's evolved into Zero Trust and we've gone bigger than just enterprise security strategy. This is big stuff now. 

[00:01:59] Mike: Way [00:02:00] back in the Reagan days, they had the term , "Trust But Verify". Bottom line is now we're saying just verify, just make sure everything is right. My brother called me up the other day or I called him and I said, "Hi, John, how are you doing?" And his immediate response was "Who is this?" And that's the way everything has shifted. We all are looking at things a little bit differently.

[00:02:24] Chase: Yeah, I think COVID has actually driven a lot of that ideology and that sort of acceptance of this as a thing [00:02:30] because right now, when you go meet somebody, one of the first things that you think is, are they vaccinated? And the next thing you think is have they been around somebody that’s sick? 

[00:02:37] Mike: Let's touch upon COVID. So back up and tell me a little bit how COVID has changed this. 

[00:02:44] Chase: Yeah. So if you think about in your daily, and I said, the reason I say that we do this daily, and people don't realize this we're doing Zero Trust daily, because, if you think about when you're going to a building you go up to the building and the first thing you think is do I have a mask on, because I want to make sure that I'm not ingesting something or spreading something that [00:03:00] I wouldn't want to give somebody else. So that's lateral movement. 

[00:03:03] You think of segmentation, meaning I stay at home. I don't go to places that I don't need to go. I make sure that if I'm going to interact with a group of individuals that hopefully they're all vaccinated or that they've done the right things to make sure that they're physically taken care of and aren't spreading. So, we've been living in this sort of micro-segmentation isolation, limiting lateral movement, validating and verifying by a bunch of different ways for a while now. We just haven't really [00:03:30] sat down and go wait a minute, this is a different sort of look at what ZT is. 

[00:03:34] Mike: Chase. I first got involved in Zero Trust, about 2015 or 2016. When one of the big tech companies out here came to me and said, "Hey, we need some help in changing our security posture". The first thing they pointed me to was a document from Google titled BeyondCorp. I know you're familiar with this. How has Zero Trust or ZT evolved since then? Please share your thoughts.

[00:03:59] Chase: BeyondCorp was Google's first practical implementation, Zero Trust . And they had to do it because of Operational Aroura, where they had this big sort of shenanigan that happened. And basically, their internet traffic for Google got redirected and bad things happened out of that. So they had to recalibrate the way they approached enterprise security and strategy and really isolation. And what that led them to was adopting the principles of de-perimeterisation, Zero Trust, et cetera, et cetera. They evolved it into this thing that they call BeyondCorp, which is their particular implementation of Zero Trust. And that's perfectly okay. I do workshops with people all the time and they get wrapped up around BeyondCorp is different from Zero Trust and what everyone else is doing. No, it's not. It's the same thing. It's just BeyondCorp is Google's implementation of this particular concept. And you know how it works? Because you haven't heard about Google being owned since they started doing this.

[00:04:50] Mike: Good point. And what about other philosophies out there? I hear things like with AWS, they talk about layered security. Is that the same thing as Zero Trust? 

[00:05:00] Chase: No. There's a difference between Expense in Depth. And I say that with all honesty, right? Expense In Depth and actual Zero Trust. And the reason that I say that is you can throw lots of money at the problem, and you can throw lots of things at the problem, but if you don't have a vision and a strategic alignment and a drive towards an objective, you are just throwing money and technology at a problem, which is the Expense in Depth side of this. Whereas if you look at. BeyondCorp and ZT, you start with the consideration of where am I going and what do I need to get there? And then what are the minimum things that I need to actually enable that strategic objective? And that's the difference. I tell people all the time and actually, this is an interesting point, too. When I work with groups, we look at their current strategy and we look at where they're going to go. I have yet to do a workshop with an organization that they haven't gotten rid of a bunch of junk that's running in their infrastructure that they didn't need. 

[00:05:53] Mike: So then what are the pillars? What do you need in Zero Trust.

[00:05:57] Chase: I caveat this too, a good strategy is not beholden to any one individual. So please no one think that there's, this group of a gray beards up on a Zero Trust hill saying, thou shall do this thing and this is anything else is not ZT. In my opinion, from observation and from being on both sides of the coin, military civilian red team, blue team, et cetera. It's seven pillars and those seven pillars have been published. But it really is evolving around always taking care of the core value of the business. And however, you do that, you focus with what controls make the most difference. I happen to think that you make a lot of difference with visibility and analytics, identity and access management, those types of things, and tying that together. But there are other ways to do this based on the needs of the organization. . 

[00:06:44] Mike: And again, just taking it a little bit deeper with next steps. Where do you see things moving towards as far as Zero Trust goes? It is evolving, so what directions are going towards?

[00:06:56] Zero Trust is cloud heavy

[00:06:56] Chase: We're going toward a space that is extremely cloud heavy. We're moving away from old on-prem infrastructure.

[00:07:01] Mike: Now hold on just a second there, since you mentioned the cloud world, why is it different? Should it be different? In cloud, people have shared things that have to be done. Does that change the concepts of Zero Trust? 

[00:07:13] Chase: It doesn't necessarily change the concept, but really what people have to wrap their head around is the cloud provider is not responsible for your Zero Trust infrastructure. And what I mean is that they're going to give you things; they're going to give you access, compute, process, whatever. It's still on you to do security strategy inside the cloud infrastructure. Like Jeff Bezos does not stay awake at night wondering about how secure you are. That's not even a thing. When he's in his rocket up there at the top of space, he's not looking down wondering how secure your AWS infrastructure is.

[00:07:45] So the curvature of the earth has nothing to do with it then, right? The spin and all that. That's not a problem for him, but what your approach has to be is that you are going to be using the cloud because there's a bunch of business benefits there. And the way that you use it should always be along the lines of a secure, strategic initiative which I think the Zero Trust is very applicable in that context. 

[00:08:05] Mike: And does the cloud lend itself well to Zero Trust? 

[00:08:08] Chase: The cloud is your last greenfield environment. It's really difficult, and this is from doing a lot of engagements with organizations trying to build ZT. It's really hard to take something that's been around for the last 30, 40 years and go re-engineer it to be ZT. You can do it, but it's a lot of work. If you look at the cloud. The cloud is this big, beautiful green pasture that you can go move to and actually start putting things in place to enable ZT in the long term. And I think if you look at the organizations of scale that have done that, including Google with BeyondCorp, you can see that's possible.

[00:08:43] Pay Attention to East/West Traffic Threats

[00:08:43] Mike: Okay. And there's of course, the north south traffic that has been the traditional way to look at things. In the cloud, you're doing an awful lot more that's east west. Does that also have to be tracked? Do we care? 

[00:08:55] Chase: Oh yeah. Absolutely. If you're moving to the cloud and you're moving towards these types of future state infrastructures, you should be seeing more, not less. Now, the caveat to that is what more of should be more useful in the context of enabling the strategy and limiting the bad things from occurring. Not just more for the sake of more. So, there's a nuance that has to occur there, but that's where the benefit gained actually becomes a thing inside of cloud infrastructure. And east west, I think, is probably more indicative of threat than north south. 

[00:09:27] Mike: Why is it more indicative of threat? 

[00:09:29] Chase: If you think about it within the context of the bad guy, when I get in I'm in and I'm there. Once I've got a beach head established, that's my north south, I'm doing what I'm doing. I'm taking stuff in and out. However, for me to continue to do bad things, I need to move east west. That's where you'll probably catch me because if you have the right controls and the right visibility, you'll see something that doesn't add up. And we noted this with Kaseya, with SolarWinds, et cetera, that when they move laterally and something didn't add up, that's when the key came of, okay, this is a thing fix this, address it, whatever. 

[00:10:02] Worst Practices In The Cloud

[00:10:02] Mike: Let me throw something here out a little bit different then; a different spin on it. Typically, on this program, we talk a lot about best practices. What about worst practices in the cloud? What can you do that's wrong? 

[00:10:15] Chase: I think one of the worst things you can do is take your old archaic infrastructure and then move it into the cloud and say that we are now cloud enabled and think you've done anything different. You've just taken what wasn't secure on-prem and virtualized it and made it move faster, which is [00:10:30] not a good thing. And I think the other couple of things you cannot do that or are problematic is if you don't have really good visibility and analytics and can't see what's going on inside that cloud infrastructure, you are putting yourself into a very bad position. It didn't work out well for the Titanic, not to see what's in front of them, that's not where you want to be. And then the last thing is not to have really good access management on that cloud infrastructure so that, who goes, what, where especially when you're talking about east west access and privileges, that type of thing.

[00:10:57] Mike: But in the cloud, can't you just spin things up and spend them down? So why are we worried about traffic that may be going east west, because we'll just pop the new version and let it run again, right? 

[00:11:10] Chase: Yeah. That's a lesson that people have learned the hard way is that they think, okay, it's bursting. I can just burst it and do whatever I gotta do. And it dissolves and goes away somehow. The electronic “fairy” cobbles it down and it just disappears. I know that's what happens, containers and all those other cool things you can do in the cloud. They just add to complexity. If you don't manage them correctly. And they have infinitely more power and access than your old stuff did. 

[00:11:35] Mike: So even if we're spinning things up and down, we still have be cognizant of what's going on throughout the entire system. And that's the whole purpose here of Zero Trust, right? 

[00:11:44] Chase: Yeah, you should be looking at things from the perspective of, I like to think about it from a battlefield environment, ex-military; I want to be up on the hill and I want to see everything that's going on so that I can know which pieces are moving where, and then what defenses I need to put in real time so that I can counter threats as they show up. 

Moving from Cloud to Hybrid

[00:12:00] Mike: There's the old axiom "If you don't know it, you can't fix it". And it still applies. I don't care what the environment is. Now let's also take the touch moving from cloud to hybrid. Again, any thoughts there that are of interest? 

[00:12:15] Chase: I've published a study on this. I think most organizations will wind up being some version of hybridized because you always have things that are comfortable. And you like to wrap your arms around that warm server that's been generating business for however long. So you're going to be some sort of on-prem. However, there are things you're going to move to in the cloud. Now, when you do that, you have to make sure that you really have good continuity and visibility and control between those different moving parts because what happens on prem and what happens in the cloud, won't be the same thing, even though you think they will, and it can get kludgy very quickly. 

[00:12:52] Evangelizing ZT

[00:12:52] Mike: Chase. When you were at Forrester, you spent a lot of time on this and pushing a lot of these principles. How much pushback did you get? Has it been widely established now and people are accepting it? Has it been a transition? 

[00:13:06] Chase: To John Kindervag's credit, I think he was the sort of first shot over the bow with really pushing the gospel I like to call of ZT. And he was getting people to understand that there was a general strategic initiative that needed to occur. Where I came along, was really taking his sort of a big vision and putting some formal technical controls and capabilities around it to map into what it had to be. And as soon as we did that, all of a sudden the market took off. And I think that was really where things were getting going was that people realized something had to be done different. They didn't know exactly what it was, and they didn't know how to take all this stuff and use it for that particular purpose. But once we translated that for them, the market really started to go up into the right, which is where we want to be. 

[00:13:50] I've had some people tell me that this is not possible. It's very difficult, et cetera, et cetera. My response is, if you continue to engage in what you've been doing, do you think you're better off than any of the other hundreds of organizations that have been owned?

[00:14:04] Mike: And as far as I'm concerned, it's really a concept. If you embrace the concept, there are different ways of doing things, but I'm seeing some of the major companies out there do it quite well. And like you said, they have not really been hit too much. Everybody's going to get hit. We know that's going happen. But the fact is you can close certain doors. If the doors are open.

[00:14:25] Chase: Yeah, most of the time I think the number that we looked at around the past historical breaches, whatever else, they're staggering, they're almost, I think one in three organizations globally, it had some sort of breach activity occur in the past decade.

[00:14:37] However, those folks that have already been through that have learned they've got to do something different. It makes a lot of sense to me to learn from people around me that have failed and figure out how to not fail. And that's what you get. If they failed and they moved to ZT, why would you not try and move to ZT now and not fail?

[00:14:53] Mike: Yeah. And we've talked a bit about philosophies, but there's also the whole part here that's dealing with people. How do people come into this? Because a lot of its psychology, is it not? 

Soft Skills for implementing Zero Trust

[00:15:04] Chase: Yeah. And that's where honestly, there's a very select group of individuals that are capable. And I don't include myself in this that are capable of really doing the human side of this thing in guiding people to do things that are more, a soft skills in ZT. Like I know a hundred people that would tell you I'm not good at soft skills. I'm good at like hard skills and vectored in and solving technical problems. But you have to bring the workforce into this, and you have to educate and gravitate them towards the solution set. So, I think that people are going to be your continued avenue of most likely compromised. You have to have ways to control what they're doing and keep them as safe as possible. People are the ultimate end point, really.

[00:15:45] Mike: Even my own company, we've got exercises that everybody in the company has to go through; phishing exercises to determine what is a true phishing expedition and what's not. And to figure out if an email is a real. Because we're always getting these things that gets you excited, makes you wonder if, oh, I've got to do this thing immediately. And that's really one of the side pillars, I guess you could say, of Zero Trust is don't believe everything just because you've been told it. 

[00:16:12] Chase: I think that there's a twist that has to occur on that logic too. If I'm going to train people and I'd say this a thousand times over, you should train people, you should educate them, you should familiarize them with it. However, don't rely on their training and education to make them be the stop for a compromise. Just like I can train people to not drive like idiots. However, I still make them put a seatbelt on when they're in the car because people do dumb things and they run into other cars. So, you need to have a technical control that will keep you breathing if things go wrong because people are people. 

Zero Trust and the Government

[00:16:44] Mike: Let's talk a little bit about what's happening lately with Zero Trust. I know you've got your fingers deeply in some of the government things taking place. Let's talk a little bit about DISA and some of the other things that are recent. 

[00:16:56] Chase: Yeah, the Biden executive order that came out in May was a watershed moment around Zero Trust. I think it was mentioned 11 times in that document. I know that there are government organizations that are setting up for government funding starting October this year around Zero Trust initiatives. I know that the government has also established a Zero Trust working group and an office within the DoD. So, the fact that there's all these formal things going on and it's no longer just "Hey, do Zero Trust", it is actually putting a lot of heft into the space, which is very good thing. 

[00:17:26] Mike: And what role is the government playing here? I know that there's the military side. There's also the governance side. Explain a little bit more. 

[00:17:34] Chase: The government's got all these different moving parts. And for those folks that aren't that haven't grown up in the federal space, it's a very different animal, right? You have lots of different agencies, you have subcommittees, you have components, you have commands, you have all these different things. And the point being that there finally seems to be some gravitas going on into enabling ZT at the big grand level. And it will take a long time. But, for an organization that's this big with this many moving parts with this large budget, getting to ZT. That means that everybody can figure out how to do that. Like the days of saying I can't do this because it's not applicable, or my organization can't do it. If the DoD can do it, if the government can do it and yes, again, it will take them time. Anyone can.

[00:18:16] Mike: One of my concerns that I have with the government being too involved, is sometimes they get things wrong. And I'll give you an example here. A number of years ago, I was chartered to take one of my products and certify it for FIPS 140-2. And so, got in, started doing all the stuff. And I had a very lengthy conversation with one of my engineers. Because his perspective was, if we do this, we make our product less safe. Because at the time there were certain cybers that were required by the government, because that was part of the certification process. Maybe that's changed in the new version, but at the time you had to use certain cybers; it wasn't a at least use this. Are those things morphing?

[00:19:01] Chase: There's a lot of changes still continuing to go on. You see some different standards starting to emerge. I think that where we actually get ourselves into a pickle is when we have these requirements that come out and say someone somewhere in a room stood up and said, "This is what has to happen".  And then it becomes a thing, everyone chases that shiny object because there's funding. When, in reality, what we actually need is to sit there and go, okay, how do we do this at the scale we need, what technologies are going to. And then eventually when we get things put to where we need them to go, there will be some standards that follow and really drive that. I'm a little bit concerned, to your point, about some of the drive that's going with, this is the thing and everything else is not that thing.

[00:19:46] Mike: Good. I'm happy to hear that. And hopefully it is going the right direction because as we've titled this, it's evolving, and it will continue to evolve, and we need things to evolve. So, Zero Trust is something that is here, it's now, we're definitely going in these directions and just want to make sure that we're doing it right.

[00:20:05] Chase: Yeah, change sucks. Everyone that anyone that's ever tried to change in your own personal life change is not easy, it's not comfortable, it requires effort it requires focus. And that's the same thing in the DoD, IT space, big enterprise, whatever you want to call it. This requires a long-term investment. This requires initiative, it requires drive. And it's gonna take time. You can't have built an organization and enterprise over the course of X number of years or decades and expect you to wake up one day, hit the easy button and you're all of a sudden ZT. It's just how it's going to happen. So, understand that. I think Allie Mellen at Forrester said it right, "Adapt or die". Like you don't have a choice. You either become the slow gazelle on the Serengeti or you run faster than the herd. 

[00:20:49] Mike: That's an interesting way of putting it because you do have to continue the run. And that's what we're all about here. 

Children's Books: Teaching ZT and IT

[00:20:55] Mike: Hey, another question for you, a little bit of a sideline here is I know that you've also done some things along this line with kids' books. And I know one of the odd things about kids’ books is one of the most important things you have to do is to find a good illustrator. How did you find yours? 

[00:21:11] Chase: So, it's crazy. Cause the guy that drew my books Shirow Di Rosso, he's in Holland, and funny enough, he was an HP engineer for 16 years. So, when I was telling him like, we need to draw a Domain or we need to draw, whatever, he was like, okay, cool. I know how to do that. I didn't have to sit there and kinda, translate it from nerd, speak to artists. He was just one of those rare unicorns that was really good at art and also new technology. 

Mike: Great. I think it worked. So again, I commend you on those efforts because we have to try to teach our kids to think things out in the long run and Zero Trust comes into that. Even with kids these days. 

[00:21:47] Chase: Yeah. Like my kids, I thought about the other day, they've never been a day in their life without wireless. They don't know how it works to them it's just magic. So they need to understand what technology is and the implications that are part of that. Because we do have a group of people coming to the workforce that many of them don't know what technology is, they just know how to use it, and that can be a problem. 

[00:22:07] Mike: And there's also the other pieces of the spectrum that they don't understand technology and don't want to. We aren't seeing nearly as much of that today, at least with the kids, they're able to absorb it. And it's odd how quickly they can pick up things that a few years ago, you never would've seen a kid do. 

[00:22:25] Chase: Yeah. They're a whole different animal. And I think, it's a dual edged sword, right? Where you have to rein them in because they will just absorb information all day long. And it's probably a lot of its information you don't want them to see. But when you do get them onto something that is of interest and is of value and they do start absorbing, man, those little brains are like sponges. It's not like when I was a kid and they had to get me to stop banging rocks into each other, to figure out how to do something. 

[00:22:48] Mike: Time changes, which brings us back to our primary point that Zero Trust has and will continue to morph and evolve. Chase, we've covered a lot of ground here, everything from micro segmentation to least privileges and visibility, even the softer human sides of ZT. So just thinking out loud, it might be beneficial to post some reference material at the end of this podcast, maybe something on BeyondCorp and maybe even some of the latest DoD documents. (Links to resources at end of transcript.)

[00:23:16] Mike: Anyway, is there anything else Chase that you can think of that we really need to get into this conversation? 

[00:23:22] Chase: I think one of the things for me personally, because I had a lot of folks ask me when I left Forrester like why I went to a company that had a remote browser isolation solution was it makes a lot of sense. Like I, I look at not getting infected in the first place. And that's where if you're going to get infected most of the time it's going to be on the web via email, those types of things. So, I personally think, and I'm working with some of the guidance for different federal enterprises around enabling this capability because it keeps people from being infected on the internet. If I can do that, I'm gaining a lot of ground. I would say that's something that is new. A lot of folks aren't familiar with remote browser isolation and what it does. But it's way better for me to have my people cause an infection in a container in the cloud, rather than it is causing an infection on their machine that's actually their end point. 

[00:24:09] Mike: In closing here, we really appreciate all the information that you've given us here about Zero Trust. What's the best way for people to follow you?

Conclusion

[00:24:16] Chase: I'm pretty active on social media. I'm on LinkedIn. I'm pretty easy to find there. My Twitter handles C Y N J A C H A S E C. That's a lot of C's, Cynja Chase C. Other than that, I would say I try and make it a personal thing to communicate with anyone that wants to talk to me. So, if you see me out there, just ping me and I'm glad to get back with you as fast as possible.

[00:24:38] Thank you very much. We appreciate you joining our show today. 

[00:24:42] Chase: Thanks for having me. 

RESOURCES:

BeyondCorp: https://cloud.google.com/beyondcorp/  

DoD Zero Trust link: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf 

Chase Cunningham's Amazon Books page:
https://www.amazon.com/Chase-Cunningham/e/B00I2PHD3W/ref=dp_byline_cont_pop_ebooks_1