Pitfalls in the Road to Zero Trust

I it's always interesting going near the end of a day like this, because a lot of things have already been talked about and a lot of the points have already been touched on a little bit, but to kind of start out, I wanna say I'm still a little bit of a zero trust skeptic. I've been supporting clients that are, you know, all in we've gotta go to zero trust. That's the gonna be the solution to all of our problems.

I'm, I'm not quite convinced that zero trust is the greatest thing ever. I kind of feel like we've been here before, you know, we've had the next great technology to solve today's problem. And now we have zero trust, which is a whole lot of things to a whole lot of people. I also hear a lot of people talk about, you know, the idea of low hanging fruit and I'm, I am all in favor of taking, you know, the things that are really easy, relatively easy to do to increase our security and using those and implementing those.

But I do think that one of the things that really needs to be talked about in order for zero trust to be successful is that zero trust isn't necessarily a series of small steps. It isn't just, well, let's do MFA. Let's do a cloud IDP. These are important steps, but if you're really gonna get the benefits of what zero trust is promising, zero trust is very radical and it's very radical to your it department, but it's also a radical way of rethinking how your entire corporation does business.

And I, I really like the Siemens presentation. They touched on this a little bit that if you really want to do it and you wanna make it work, you can't just look at the easy bits. Cuz if you pick off the easy bits and you ignore the hard ones, what you have is yet another set of siloed technologies that don't address your entire problem. And that actually makes security more complex rather than trying to make it less complex. I wanna walk through a couple of the kinds of things that I see out there in the wild of, Hey, if you go to zero trust, you're gonna get these things.

Talk a lot about the fact that our modern workforce is remote. They're all over the place. They wanna use their own. They wanna use bring your own device. They wanna be able to use tablets, phones, workstations in order to access your systems. And in order to meet that, clearly you need ways that really address this. But if you don't do it across the organization again, are you really gonna gain these benefits? Zero trust is also a promise is, Hey, this is the solution for our hyper integrated world.

We've got not only your own employees, but all of your suppliers and all of your customers who all have these same kinds of demands. And again, the promise is that by doing zero trust, you can accommodate these various needs while still meeting your security goals, insider threats, huge problem, both the targeted insiders and credential compromise. How do we make sure that we can really address this? And I see a lot of claims that going to zero trust will solve your insider or at least address your insider threat problem enable you to make decisions faster.

And then finally, you know, the big bug AOO of, you know, that ransomware and some of these other areas are hitting is how do I reduce privilege escalation? How do I contain that attack so that when it happens, it doesn't take down my entire infrastructure.

And again, I do believe these are promises that can happen, but they aren't going to happen with an organization that just says, well, we're gonna do MFA and we're gonna check the box that we've taken our first steps towards zero trust. We really have to look at all of the pieces parts and figure out how the entire organization is going to migrate eventually.

Or again, you're just gonna end up with a new silo. So what I wanna do is I'm gonna talk about four of the tenets of zero trust and sort of how they impact what you're doing today and how you get, give a couple of ideas. Can't really go too much in depth in a 20 minute presentation, encrypt everything. It sounds great. We have this huge boundary problem today. We no longer have the concept of an individual network where I can protect what's inside. I do have to admit Siemens had a much better picture of this than I do.

So how do we accommodate that while zero trust principle is I just encrypt all the traffic all the time and that's gonna help me to address some of these boundary protection problems. The problem is is that I'm doing other things at my boundary today. I do. There is still a lot of malware checking that happens at the boundary. There is a lot of stuff out on the public internet that I still don't have inside my network. And I wanna be able to take a look at that.

I wanna be able to look at what's happening and I wanna use powerful sophisticated tools to do that, which generally I'm installing at the boundary. On the other side, I've got a lot of really great data loss prevention tools that I might have implemented to prevent me from sending, you know, the proprietary information from one of my suppliers to a different supplier. So there's a lot of these kinds of threats. And when I look at this idea of encrypt everything, I actually break the ability to do both of these things at my boundary. These are things that have been good security practices.

They are ingrained in it. They are ingrained in information security and they're generally good ideas. So if I'm gonna get to a zero trust environment where I'm encrypting everything, how do I deal with this challenge?

So again, there are things I can do, but you really have to think about them first, before you start running forward with and encrypt everything idea. One is you've gotta make sure your end points can do some of these capabilities themselves so that they're doing the malware checking and they're running your data protection tools. You also may need to look at your existing policies. If you have a policy that says everything must be inspected as it comes through my boundary, that policy is not gonna work with your zero trust people.

So how do you work through some of those policy questions before jumping into the technology? Second piece I wanna talk about is microsegmentation. And in a lot of ways, microsegmentation is one of the most powerful tenants of zero trust. When you look at what's out there in the world, we've taken a lot of time over the past 20 or 30 years to really flatten our networks. We want speed. We want efficiency. We want things to be able to move at the speed of business.

But what happens is that we've also got these challenges of, well, once the hackers in, they can also move with those great efficiencies. And we've seen instances, especially over the past five or six years where successful malware attacks have started at one point in a company and have spread to their global infrastructure in seconds. And that's clearly an issue.

We also have the challenge with our firewalls, that there are so many firewall rules, whether it's whitelist and blacklist and ports and protocols that they have become somewhat unwieldy and are they really doing their job they needed to do so that's really one of the big challenges. Again, that zero trust can help us to enable.

We have this world of highly interconnected, both within our local networks, across our global networks and even with the internet as we move more and more into the cloud and we really need to keep some of that speed because some of that is how we differentiate ourselves from our competitors. If we slow down the speed of business, we're potentially gonna lose business and lose revenue, and that's a great way to get your it budget cut.

So again, in our zero trust world, we've seen this in a couple of the other presentations already today. I'm replacing this idea of highly interconnectedness with micro segmentation. This is actually based on one of the diagrams in the NS publication on zero trust where I've got this control plane, where all my decisions are made and I have to get through the control plane in order to connect the user with the resource segment. This is a really secure architecture, but it's also something that takes time and it takes time with every transaction.

And I think it's really, again, important as we look forward to, how do we make sure zero trust can be successful, that we think about what do those resource segments look like? How do we make sure we get the micro segmentation specific enough to address the challenge, but not so specific that we throttle the ability of the business and bandwidth is also a very important point and think about the bandwidth of all of your users and what they need.

It's one thing for people that are sitting in a highly interconnected, easily broadband available environment, but many organizations have, you know, a factory floor or remote users or pieces of their population that don't have some of that high-speed internet. So think about that as you're planning, what is your eventual network going to look like? The third one I wanted to touch on is deny all by default. This is an area where again, it's a key piece of zero trust that I don't wanna trust you.

Well, again, I have a lot of users. We've got a lot of challenges. And as you walk through, where are you today? Many users have been accumulating access rights, especially users that have been with your organization for a while. Users that have been, you know, maybe moving up into more managerial positions. It's very easy for users to accumulate access and then be very used to having that access. Onboarding heard about that as well.

Today, I wanna streamline onboarding. I wanna make it happen relatively quickly, but now I've got this deny by default tenant. That's potentially fighting against this. How do I be efficient in my onboarding? There's also a number. If you talk to the data management community, they're very much about how do I make data discoverable and available so that it can be used to support the mission of my business. This again, can conflict with the deny by default concept. So I've got my network. That's very segmented. I have everything broken up into little pieces.

How do I make sure I can truly implement a deny by default tenant? And I think the really key factors here are, if you're gonna make everything be approved, you have to make the approval faster. You have to move into a dynamic access world. That's attribute based. You have to do automated workflows so that your users are getting access to the things they need because they have the right attributes assigned to them. You're giving them tools to be able to quickly request access when they find that they need it.

And that that access can be granted if it is a requirement, because with you, don't do these things, your users are gonna revolt against your zero trust vision. And the final piece I wanted to really touch on today is continuous authorization.

This one often doesn't get talked about a lot in sort of briefings because everybody's kind of at the beginning and continuous authorization is not really a beginning stage example conting but, but again, if I really look to gain that benefit of stopping the insider threat and stopping it faster and containing the risk and what they're able to access continuous authorization is the key that can allow me to get there. And I think this really is one of the hardest pieces of zero trust to implement into your vision.

We all know every report, whether it's, you know, every, every, every report you look at compromise, credentials, compromise credentials. That's how people got in. They got in because they were able to get a credential from a user that wasn't paying attention. They were able to get the user to do it for them, or they were simply able to hijack a credential using techniques that have been around for years and they continue to cause 80 or more percent of security incidents, biggest tool we've been using to catch this or monitoring. I wanna look at what's going on.

I wanna do these monitoring, but our monitoring tools are now catching hundreds and hundreds of events. Sometimes every second or every minute, I can't keep up my poor Analyst, get a flag of here's the ones you need to look at. And really by the time an event can be analyzed by a human user. It's too late. If that truly was a ransomware attack and they were able to escalate privileges and near net work is now encrypted. So finding a way to mitigate this problem is very critical, but it is also a little bit difficult and not so much because from an it perspective, we can design solutions.

We, we have the tools, there are great vendors out there. We can make this happen, but how do we make this happen while still accommodating? The very real needs of the business? Our traditional authorization model is that my user authenticates using single factor multifactor, very strong credentials. I then to see if that user is provisioned, do they have an entitlement that says they could have access to this resource and based on, oh, I've got the user, I've got the entitlement. I'm gonna make that decision and let them in, in the continuous authorization model.

However, I again, make this decision significantly more complicated. I still need my user to authenticate. I still need those attributes from the user. Do they have the entitlement or do they have appropriate attributes that connect to my digital policy rules? But now I'm also analyzing what endpoint are they using? Is the endpoint meet the policy rules and the requirements from my organization. I'm then looking at the environment, where is the user coming from?

Are there factors that need to be considered based on, you know, geographic location or time of day or other environmental attributes that might be coming in? And then finally the user behavior analytic, can I say, well, Hey, this user looked good, but now as their behavior continues, they are not acting in their normal fashion. They are gonna flag and that's gonna reduce the risk score, which will then impact that access decision real time. And I'm gonna take all of these factors and somehow put them into a risk score that everybody's gonna agree.

This is my threshold for whether I'm gonna give this user access to this resource. And I think that one of the challenges is simply that this is very complex and very complicated and making sure you're doing it with the right fail, open, fail closed for the right resources is a piece of the challenge. But I also wanna talk about what happens when this goes wrong. My developers are in the middle of trying to get something fixed it's after hours, but their user behavior is flagging. This is not the way my developers normally behave.

And my risk score goes down and they're denied access in the middle of the fix. My CEO is sitting on an airplane in an untrusted environment and my risk score on black access. So she can't see that information from her endpoint or another example, just the plain all Analyst. The risk score goes down. There's something going on with their end point or their environment. And they're in the middle of generating a time sensitive report and they get locked out.

I would pause that if any of these types of events happen, all of the work that's gone into creating this environment, somebody's gonna turn around and say, turn it off now. And it's gonna be very difficult to recover.

So I think it's important as you look at these different factors that you really get an idea of what is your organization's tolerance for risk and not just for risk from the outsiders coming in, but risk from your insiders and your authorized users, not being able to do their job because of your zero trust environment, need to make sure that it is empowered to enforce the decisions that they've got leadership buy-in that this is the way this organization is gonna work. And finally, you need to test it, test it in the real world and then test it some more because these situations will happen.

And the more you've got experience in how to deal with them, the better you're gonna be able to move forward. So I really believe again, coming at this as a bit of a skeptic, you need to look at these organizations, cultural policy things, as well as your it stack in order to make your zero trust journey successful. Any questions.