Zero Trust has become something of a buzzword in the IT channel, and though its foundation is relatively well understood, implementations differ considerably. At its core, a Zero Trust paradigm grants no implicit trust to any user, device or network location: every request for a resource must be authenticated and authorized, with each party able to verify the legitimacy of the other. The aim is a security architecture that can accurately allow or deny every activity on a platform or service, rather than trusting whatever already sits inside the perimeter.
Recent high-profile cyberattacks highlight the importance of this approach, but those interested in pursuing it need a considerable amount of information. A recent webinar featuring CrowdStrike’s Senior Director of Public Sector Technology Strategy, Andrew Harris, among other cybersecurity professionals, offered an opportunity to understand and apply it.
The webinar, hosted by DLT, ranged from the executive brief all the way down to the technical detail needed to put Zero Trust to use. GovCyberHub editors had a chance to sit down with Harris to get more information on the benefits of Zero Trust.
GovCyberHub (GCH): What is Zero Trust? Why has it taken on new importance in today’s cybersecurity paradigm?
Andrew Harris: CrowdStrike views Zero Trust as a framework with 3 major principles:
1.) Trust nothing
2.) Verify everything
3.) Anticipate a breach
Zero Trust is also much larger than any one vendor. The goal for customers should be to build the best Zero Trust environment, where each vendor doesn’t just provide visibility and control but augments the other products around it. This increases our ability as cyber defenders to enforce policies at multiple points of the architecture while making more confident decisions based on increased context and awareness.
The concept of Zero Trust isn’t necessarily new. Some previous examples include the Trusted Computing Group (TCG), which pushed the Trusted Network Connect (TNC) open architecture. When I was Chief for Strategic Programs in the Department of Defense we pushed Active Cyber Defense (ACD) 2012, whose goals and objectives are aligned to those of Zero Trust Architecture today. However, we have seen a big push in the past few years since the technology enabling these objectives has become more mature thanks to cloud and SaaS applications. And of course, unfortunately due to the COVID pandemic, network architects have had to redefine their IT architectures and, as an end result, revisit their cyber enforcement points.
GCH: What are the pros and cons of Zero Trust? Is there really a trade-off between security and efficiency?
Andrew Harris: There really are no cons of Zero Trust besides the term itself being over-used and therefore more of a marketing term that every vendor tries to attach itself to. There is also no trade-off between security and efficiency; there is no reason why they can’t go hand-in-hand. In fact, the best security initiatives need to take into account what I call “operational feasibility”: the ability to be as seamless to the end-user as possible while enabling the administrators to operate it.
When viewing the problem based on the data from within a security system, which is receiving signals from other systems in the environment including non-security ones, we are able to make smarter decisions and with higher confidence. When every vendor’s product and platform are sharing and consuming such signals, these systems can really increase automated responses, drive efficiency, and make for better outcomes.
Ultimately, it comes down to mission resiliency. How do we still operate and support the mission or keep the lights on in the face of cyber risk and cyber breaches? How do we detect breaches while limiting their damage through automation? How do we prevent data leaks through sharing signal across vendors, preventing exposure to an untrusted device or user? All these can be addressed, in part, within a Zero Trust framework.
At the heart of this is no longer the network. It’s the device and the identity. It’s also the correlation across them, which requires the understanding that a digital identity can exist on many systems at a given time and it only takes one of those systems to be compromised for that identity to also be impacted. This is a simple example. It becomes much more complex when looking at the context of the data that the machine or user is interfacing with, the application providing the data, the application’s configuration, etcetera. This becomes a visual graph of connections and correlations and, when synthesized correctly, it can help us anticipate breach, minimize the impact and eventually drive automation to confidently evict the adversary.
GCH: Will Zero Trust remain in the foreseeable future? What should business leaders know about Zero Trust?
Andrew Harris: Again, the concept of Zero Trust really isn’t new, but thanks to the cloud and enhancements in big data and ML, it’s become more realistic. Customers will always push the principles of Zero Trust; although, as we’ve seen with multiple name changes for this before, the name may change but the concepts won’t.
Customers don’t just want to do business with vendors to help secure our digital estate, they want partners who will stay relevant over-time. This means true partners need to enable their customers, both the advanced users as well as those looking for turnkey solutions, so they meet those operational feasibility requirements and can be tailored for that customer’s environment with integrations.
The sharing of signals across vendors without being forced into a single vendor-owned end-to-end platform is key to helping drive decisions and behavior. That single vendor won’t be held accountable; they would be the fox watching the hen-house. They would own the platform, including the operating system, potentially the cloud and infrastructure, the identity provider, and even the security for all those components. There is no check and balance in this model. Customers can’t choose the best-of-breed to defend these components. Unfortunately, we already saw this, and its result, with Sunburst, where customers had no chance to defend themselves or know they were under attack: the single platform with security from the same vendor failed them. It’s hard to anticipate breach or drive the right behavior in that model.
Business leaders should expect to be able to pick the best-of-breed vendors, integrating them based on secure APIs and automating workflows so their IT and security teams can continue to focus on the hard things and not the repetitive. They should want to make these decisions with no compromises, meaning no vendor lock-in. Do they want the best email security solution? They should procure that! Do they want the best-of-breed EDR solution? They should procure that as well. Those best-of-breed solutions can integrate with each other, drive automation, and share signal in a bi-directional manner, making both better and more effective for the customer. This is where we also see the eXtended Detection and Response (XDR) market really converge with the Zero Trust Architecture principles. But ultimately, leaders over time will need to make sure both vendors in this example are growing with them and remain best-of-breed. There should be no vendor lock-in. Again, that contradicts the outcomes of what Zero Trust is all about.
GCH: Zero Trust has been an idea for a while, but have there been any major developments since remote work has become the norm? Has Zero Trust taken on new importance in the new cybersecurity environment?
Andrew Harris: Remote work started to remove the legacy network-centric view of securing our digital environments. The end-user can operate anywhere now: from their house, to checking in while on vacation, and some still in the office. The castle-and-moat strategy we’ve used in the past is no longer effective, nor has it been for the past many years.
The strategy does a terrible job anticipating breach. With a lot of the segmentation and enforcement points done at the network level, this means an adversary who finds themselves in the environment can laterally move, disrupt a mission and ultimately take control of the environment, with few speed bumps on the way.
This really has moved the endpoint and identity to the forefront of the conversation. If a user logs in from their home computer, should they be able to access a resource or interact with potentially sensitive data? If a user is logging in with their corporate laptop or government-furnished equipment (GFE), is their device healthy enough to access the same resource? By measuring the device and by measuring the digital identity of a user, we can make much better decisions, especially when those signals are shared.
But again, this concept of network-centric security has been written off for a few years. Most recently, though, that has certainly accelerated due to the dramatic increase in remote work we see today. Regardless of what tomorrow holds, what we do know is this transformation towards Zero Trust will allow our customers to anticipate breaches like never before. From there, we build on our current best-of-breed device and identity protection capabilities and on our strategic relationships with other best-of-breed vendors. Best of all, our integrations are API driven, so any custom solution can also integrate into these workflows, which is extremely important for our Public Sector audience with some home-grown products and capabilities. That’s how we will help our customers realize the outcomes of Zero Trust today and for the foreseeable future.
GCH: Will businesses, organizations, or government agencies have to fundamentally change their existing cybersecurity procedures to use Zero Trust?
Andrew Harris: All agencies and departments are poised to pivot towards Zero Trust. However, we saw a few customers conflict with the outcomes of what Zero Trust is pushing for, which again, is mission resiliency in the face of a capable cyber adversary.
We saw definitions and implementations of Zero Trust only applied in the context of the cloud. This means there is no signal being used for the on-premises infrastructure, leading to major blind spots. Without this, how do you know if a digital identity was compromised on-premises? You don’t. Unfortunately, Sunburst made this very apparent to those customers.
We’ve seen others jump all-in on cloud identity, which also means onboarding their on-premises applications to the cloud for authentication purposes. Those same customers were unable to access on-premises applications when their cloud identity provider went down for hours at a time. Those same customers had to rewrite many of those applications.
Those same customers are now talking to CrowdStrike about how it can be done smarter, quicker, and without unnecessary dependencies. We saw the major misstep by other vendors, saw an opportunity, and bought Preempt, which is now our Falcon Identity Protection capability. That can protect on-premises applications and on-premises identity without all the unnecessary work of rewriting applications or adding dependencies to authentication. That same technology can also increase the visibility of blind spots while increasing the return on investment of identity providers and multi-factor authentication (MFA), by applying it to on-premises authentication.
In addition, Zero Trust requires us to have bi-directional feeds. We are integrating with our best-of-breed partners as well. But we saw another opportunity in tying in log analytics and creating a way to further leverage the cloud and ML, so it’s not just cybersecurity products or vendors pushing the way into Zero Trust. There are hundreds of examples of major attacks being detected by Network Operations teams, those responsible for service uptime and application performance. You’ll see a lot more from us on this front to further mature and remove friction for customers as they mature their Zero Trust story with other datasets.
Ultimately though, agencies are poised to extend their current trajectory into one that carries Zero Trust’s principles. Zero Trust isn’t a single vendor nor something that can be completed in a single acquisition cycle. It’s applying the principles of Zero Trust to where they currently have cyber capability and where they plan to, as well. It’s ensuring their Identity and Access Management (IAM) capability can talk to their host-based security platform, which can talk to their secure access service edge (SASE). Meaning they all share signal and increase the return on investment for the other, which enables everyone to save money in the long term while increasing capability.
We’ve seen many in the Public Sector embark on this journey a decade ago when the concept was called something else. We’ve seen many put their holistic strategy together as they prepare for this journey. We’ve witnessed NIST push their special publication on the topic. Many Departments and agencies are well on their way to making this a reality and have some pieces of this already in place. However, we all must remain outcome-focused, and that is assuring the mission even in the face of that capable cyber adversary.
GCH: What role does Zero Trust play in supply chain dynamics? How can Zero Trust help address compromises in the supply chain?
Andrew Harris: CrowdStrike has done much work in this line of thinking, especially with Sunburst still fresh in many minds.
For starters, identifying incidents and cyber-attacks against an asset allows us to take automatic action as well as modify the risk score of the impacted device, as well as all identities indirectly impacted who were exposed to the device at that time.
Automatically quarantining a device first comes to mind, although isn’t always possible for a customer. We can also look at the impacted accounts and potentially enforce multi-factor authentication (MFA) the next time they try to access a resource—even for legacy applications, which is possible thanks to CrowdStrike technology. We can modify the actions those impacted identities can do based on their elevated risk score and the same goes for the impacted device as well.
What we can do with our third-party vendors and partners who also consume our signals, such as Okta and Zscaler, is increase the ROI of those vendors and allow them to use their respective policy enforcement points to make decisions on our signal. This all means smarter decisions with full insights across vendors.
The above isn’t just specific to a compromised supply chain but anytime the adversary finds themselves in a customer’s environment, which again is CrowdStrike’s third tenet to Zero Trust—”anticipate breach.”
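The risk-propagation and enforcement logic described in this answer (a detection on one device raising that device’s risk score, elevating the risk of every identity that was exposed to it in the window, and then forcing MFA or denying access at the next request) and the earlier device-health and identity questions about home computers versus government-furnished equipment, as an added illustrative example written for this page. It is not CrowdStrike, Falcon, Okta or Zscaler code; the entity names, the 24-hour exposure window, the 15-minute posture-freshness limit and the sample logon events are all constructed assumptions, and the "stale posture is treated as unknown, so fail closed for sensitive data" rule is this example’s own choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step-up-mfa"
    DENY = "deny"


@dataclass(frozen=True)
class Logon:
    identity: str
    device: str
    at: datetime


@dataclass
class DevicePosture:
    managed: bool          # enrolled corporate / GFE device with an EDR sensor
    healthy: bool          # sensor currently reports no open detections
    reported_at: datetime  # when this posture signal was last refreshed


@dataclass
class RiskState:
    device_risk: dict      # device   -> "low" | "high"
    identity_risk: dict    # identity -> "low" | "elevated"


def exposed_identities(logons, device, detected_at, window):
    """Identities that logged on to `device` inside the window ending at detected_at."""
    start = detected_at - window
    return {l.identity for l in logons
            if l.device == device and start <= l.at <= detected_at}


def propagate_detection(state, logons, device, detected_at, window=timedelta(hours=24)):
    """A detection on one device raises its risk and the risk of every identity exposed to it."""
    state.device_risk[device] = "high"
    hit = exposed_identities(logons, device, detected_at, window)
    for ident in hit:
        state.identity_risk[ident] = "elevated"
    return hit


def record_mfa_success(state, identity):
    """A successful step-up clears the elevated flag on that identity (assumed policy)."""
    state.identity_risk[identity] = "low"


def decide(state, identity, device, posture, sensitive, now, max_age=timedelta(minutes=15)):
    """Policy decision point combining device posture, device risk and identity risk."""
    # Unmanaged device (home PC) or no posture at all: never sensitive data, MFA otherwise.
    if posture is None or not posture.managed:
        return Decision.DENY if sensitive else Decision.STEP_UP_MFA
    # A posture signal older than max_age is treated as unknown: fail closed for sensitive data.
    if now - posture.reported_at > max_age:
        return Decision.DENY if sensitive else Decision.STEP_UP_MFA
    # Device under active detection or reported unhealthy: quarantine it from resources.
    if state.device_risk.get(device) == "high" or not posture.healthy:
        return Decision.DENY
    # Clean device, but the identity was exposed to a compromised host: force MFA.
    if state.identity_risk.get(identity) == "elevated":
        return Decision.STEP_UP_MFA
    return Decision.ALLOW


# Constructed sample data (not from any real environment).
T = datetime(2021, 3, 1, 12, 0, 0)
SAMPLE_LOGONS = [
    Logon("alice", "LAPTOP-01", T - timedelta(hours=2)),
    Logon("bob",   "LAPTOP-01", T - timedelta(hours=30)),  # outside the 24h window
    Logon("carol", "LAPTOP-02", T - timedelta(hours=1)),
]


def run_scenario():
    """Detection on LAPTOP-01 at time T, then a series of access requests."""
    state = RiskState({}, {})
    exposed = propagate_detection(state, SAMPLE_LOGONS, "LAPTOP-01", T)
    fresh = DevicePosture(managed=True, healthy=True, reported_at=T)
    stale = DevicePosture(managed=True, healthy=True, reported_at=T - timedelta(hours=1))
    out = {
        "exposed": exposed,
        "alice_on_clean_gfe": decide(state, "alice", "LAPTOP-02", fresh, True, T),
        "bob_on_clean_gfe": decide(state, "bob", "LAPTOP-03", fresh, True, T),
        "carol_on_compromised": decide(state, "carol", "LAPTOP-01", fresh, False, T),
        "alice_home_pc_sensitive": decide(state, "alice", "HOME-PC", None, True, T),
        "alice_home_pc_public": decide(state, "alice", "HOME-PC", None, False, T),
        "bob_stale_posture": decide(state, "bob", "LAPTOP-03", stale, True, T),
    }
    record_mfa_success(state, "alice")
    out["alice_after_mfa"] = decide(state, "alice", "LAPTOP-02", fresh, True, T)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The point of the exposure window is the one made above about identities living on many systems at once: bob also used LAPTOP-01, but thirty hours before the detection, so he is not elevated, while alice is. A real implementation would feed the same risk state to each vendor’s policy enforcement point (identity provider, SASE, EDR) rather than keeping it in one process, which is the signal sharing the interview describes.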
GCH: Why should people interested in learning about Zero Trust go back and watch this webinar? What will attendees be equipped to do after watching the recording?
Andrew Harris: Zero Trust, if done correctly, will help us prevent the next Sunburst, which was really an adversary starting in the environment on one server and expanding that control, leading to total compromise of on-premises and cloud environments. It will enable us to make smarter, quicker decisions, lowering the total cost of ownership (TCO) while increasing the return on investment (ROI) of the integrated vendors’ products. Ultimately, this enables us to continue to focus on the new and emerging threats to protect our digital estates as our adversaries continue to mature as well.
We hope that the information we talked about will present perspectives of what Zero Trust means, but ultimately refocus on the outcomes it was set out to solve, and that is mission resiliency against a capable cyber adversary. This will help evolve anyone’s strategy as they start or continue their journey implementing the principles of Zero Trust. No one has more to lose than the public sector due to its unique mission in protecting lives, carrying out the interests of the country, and serving its constituents. Nor is anyone more targeted than those in the public sector, unfortunately.