Transcript
Rajan: I’ve been in cybersecurity for a little over 14 years. For the past 7-plus years, I’ve been primarily working in the public cloud space, so AWS, Azure, Google Cloud, Kubernetes, cloud native. That’s primarily the space I’ve been in. I’m fortunate enough that I’ve worked with a lot of Fortune 500 companies. I’ve worked with them on strategy, or on how to get those things implemented.
A lot of the things you’ll hear are learnings from what a lot of people have tried doing, and what we have failed at. Hopefully that comes across as well. My last role was as a CISO. I’m still a CISO for now at an EdTech company called Kaizenteq. I recently discovered my love for cloud security training. That’s the Cloud Security Podcast I run with my co-founder.
Zero Trust (ZT) – Basics
I know we have a few different levels of experience here, and people who’ve seen zero trust before. I did want to start by levelling the playing field for everyone. Don’t worry, I won’t try to bore you with a government diagram, which is a very tiny one there.
Essentially, the way I would describe zero trust, as much as there’s a negative connotation to it, and a lot of companies try to change it to something better than “zero trust”, is that the initial thinking behind it was that we do not trust where the communication is coming from, so I want there to be a “trust zone” created, whether it’s my network, whether it’s my identity in the network, whether it’s the applications that are running in the network, or whether it’s my devices that are in the network. There are different ways to describe this.
Another common term that is used quite often is ZTA, or zero trust architecture, which a lot of people talk about. The idea is that you’re using the principles of zero trust to build an architecture. When you Google it, that’s where most of your terms come from: ZTA, ZT, and this one called ZTNA, which is network.
I did want to show this. This is the NSA diagram for how they describe zero trust. This is from the 8th of March 2024. You’ll probably find that a lot of the information you find, or at least when we started googling for it, because we were trying to find a consulting company that could do it, most of the time you land on a government document. The reason for this was that when America, as they do, started saying we need zero trust everywhere, especially when the presidential order came in.
A lot of the government documentation got updated, and they had a limit, or at least they had a timeline, by which they had to do something about it within the next two years. You’ll find a lot of updated documentation, if you’re looking for a reference point, primarily from government organizations, and they’re trying to do this at their end. How much of it is done? It’s a work in progress. I’ll go through the pillars in a bit. For anyone from the UK, I definitely covered trying to find a local source, but NCSC has not updated their diagram since 2021. NCSC has some documentation, but there haven’t been updates since 2021.
The point being, they all still rely on the same basics that I called out earlier. If you are thinking in terms of where it is important, and maybe you are not in the public sector at this point in time, there’s a very popular analyst firm which makes all these predictions and makes our life difficult with more acronyms. Gartner is the company I’m talking about. They came up with a prediction that by 2025, 60% of the public sector would be at least doing something in zero trust.
In fact, if you talk to most government organizations across the U.S. and some parts of the UK, they’d already have some projects lined up starting with zero trust. There’s a lot of conversation that just comes up: “We’re doing this for zero trust. We’re working towards zero trust.” Mostly the public sector. I personally have not seen a lot of the private sector talk about it as much, and there are different reasons for that. Most of them are busy with GenAI, but maybe zero trust will come soon.
In terms of the market cap, and I feel I should have an asterisk next to it, because this is a second prediction from Gartner on how big the market would be by 2027: it’s $3.99 billion. If I go back to my previous slide, the public sector usually has a lot of money, so I can imagine that’s where the money is coming from. I’m sure it’s a mix of private and public. That’s where the number is coming from.
Zero Trust – Practical Foundations
Now that I’ve laid the foundation for zero trust, and at least everyone understands it, I wanted to add a few more layers onto that diagram I was talking about earlier. This is the simplest way to understand zero trust. When people talk about zero trust, they usually talk about these five pillars: identity, device, network/environment, application workload, and data. A lot of you are already quite experienced, and I don’t need to explain what each one of them means.
In the context of zero trust, this is probably more about how these five foundational pillars are applied. We’re not going to go into the diagram. If you just focus on the middle, there’s a thing called the policy enforcement point. The whole idea of zero trust is that across these five pillars, we have some policy engine or policy enforcement point that helps us make the call: is Ashish the right person to authenticate? Yes, he or she has the right username and password. Is Ashish authorized to log in to this? That’s another policy call. Is Ashish coming from a trusted network? That’s another policy call.
The idea is that you would be able to use a policy engine and hopefully get to a point where you can automate a lot of that policy to be able to do zero trust. I do want to call it out: it’s an ideal scenario. This is an ideal diagram. I don’t know how many people have policy enforcement points. We have a lot of policies and procedures that we have seen and worked with for a while. This is where they would like people to go.
Again, this is a diagram from 2021. I do want to keep you updated on the timeline, on how quickly things are moving. At this point in time, the idea behind those five pillars is to be able to put this through a policy engine that helps us make the call, because we don’t really want to be doing manual approvals every time Ashish wants to access this HR application.
This is the foundational piece. I’m not going to talk about the five pillars, because I think you’re smart enough for that. I wanted to start with what they mean by what the zero trust journey or architecture should stand on. I’m assuming everyone has some understanding of IAM. Everyone knows IAM? All of us know authentication. Everyone knows username and password. Everyone knows that we need to have single sign-on if we want federated authentication. The reason I bring this up is that identity has become the new perimeter across cloud and across on-premise, even though the network used to be the first one.
The way I would describe identity these days is by comparison with how on-premise used to be, at least for people from a security background. The way we joke about this is that on-premise was like a castle. You have one bridge in, one bridge out. If you get in, you can access everything you want. If you have to get out, there’s this one path out to the internet. I would describe public cloud as an amusement park. Imagine Disneyland: we have multiple entries, multiple exits, you have no idea who’s coming in, but everyone wants a VIP pass as well.
They want to get on every ride possible. You’re trying to say, I get it, but why don’t we just start with the limited pass first and then add more? The point being, identity is a lot more complex. When we talk about identity in 2024, we have cloud environments, we have on-premise environments, and we even have OT and IoT devices out there as well.
We have started having a lot more conversations about not just human users, but non-human users as well. I’m sure people in the cloud space already know this. Whether you’re on Azure, AWS, or GCP, you’re already dealing with non-human users: machine users that are just going to do a task, servers that have identities and permissions that can be used as well. The foundational pillar for zero trust in 2024, at least the way we have envisioned it, has been more around human users and non-human users. For example, for humans we know MFA works.
For humans, I want to know that, yes, Ashish has authenticated. What does that look like from a non-human user perspective? What is the machine user doing already? As I say that, I will also say this is probably the place where most people start. A lot of us have already proved we know IAM. A lot of us have been doing IAM for a long time. We’ve already started on the zero trust journey without even knowing it. We wouldn’t let any random person on the internet just authenticate to our application. Hopefully I’m keeping some part of my promise that all of us will at least walk away doing zero trust, or at least starting to do it.
The second thing we will talk about after this is: yes, I’ve made sure that Ashish has the right username and password, but is he coming from the right device? Do I trust the device he’s coming from? That’s the second layer of the foundation that people talk about. If you’re trying to implement this in your organization, the very first tier, the reason people start with identity, is because it’s probably the most understood so far. It’s also the place where we have the most maturity in most organizations, since we’ve been doing it for so long. Unless you’re using a custom application. I don’t know if someone works in mainframe? Those things still use a numeric password, like a 4-digit numeric password. Hopefully you’re not in mainframe.
Outside of that, primarily, you’ll find we have a good handle on identity as a general tech community. The next layer that is spoken about these days is non-human users. The one after that is the identity of the actual endpoint, or the device, or the server, or the laptop that we’re coming in from. That’s our second layer of foundation, where, once we have started working on the identity piece, we have some sense of: I’m pretty confident identity is good. I’ve got MFA for human users. I hopefully have least privilege or role-based access control in place, to have some confidence that only the right people have access to the right information.
The next layer of zero trust you would probably think about is: the device they’re coming in from, is that trusted? The second foundation is unified endpoint management. Starting on that journey is when a lot of people start doing network segmentation, which is another term people use. They said, on-premise, I had this super DMZ zone that I’ve maintained for a while. I’m able to look at this and go, I’ve got a demilitarized zone. Anyone can do anything in there, but I have a private zone. The point being, you need to know what your identities are and which endpoints you are going to trust. I will talk a bit more about this in a later slide when I talk about the use cases.
The next one is probably the hardest one to go for: resource ownership, tools, and processes. Everyone, I’m sure, has an asset management system which is very mature, very dynamic, which is more than an Excel sheet. For context, I was on a call with a CISO for a FinTech company, and they have over 400 AWS accounts. They were using Google Excel for recording 400 AWS accounts. I’m going, “This is great. You’ll be fine.” My hope is you have a better one.
The reason I say this is the hardest one is because of the complexity of environments these days: you have on-premise, hybrid cloud, multi-cloud, cloud native. There’s self-hosted Kubernetes and managed Kubernetes. There’s complexity in compute as well. Now we have multiple CI/CD pipelines. A lot of you are dealing with multiple languages being used in the organization as well.
At the same time, you have to find the balance of being developer friendly, because you don’t want to limit their speed. These days it’s not easy to keep even a log of how many real-time assets you have. If you were to go down the path of doing zero trust from a foundation perspective, I personally feel this is probably the hardest piece. Identity, we’ve got this.
Endpoint, to an extent: we have all these endpoints, and we know that at least someone in the corporate network knows how many devices we have. Someone in the DevOps team or cloud security team or cloud engineering team would know how many cloud accounts we have. It gets a bit muddy in more complex environments. At least for me personally, I found this is the hardest one. Because even if you get the resource, the next hardest part is, who’s the product owner? Who’s the owner for this? Is the owner still in the company? No idea. The longer the organization has been in existence, the more complex this third one gets. That’s why, at least for me, it’s the third one.
Data classification, of course, is a security thing, so we have to talk about data as well. At least since I moved from Australia, I find data is even more important in the Europe and UK regions. GDPR is actually a thing. I’ve been using it wisely. A lot of organizations sometimes don’t even have a data classification. I was joking about the whole GenAI and AI space earlier. I’ve been fortunate enough, through the podcast, to get to talk to a lot of people.
A lot of people have over 200 GenAI or AI related applications they’re already working on today. Kubernetes first, or containers first, is a very real strategy for a lot of organizations that are trying to go fast, even if it’s for AI projects. You’ll find that what’s not spoken about at the moment is the incident response for it. Being security people, we’re a bit paranoid. There’s a reason for that paranoia sometimes: if an incident does happen, do we know the risk that we are exposing ourselves to? Is it a high risk? Is it a low risk? Is it really something that we should be worried about, if it’s just public data? I’m like, yes, we have the website, as long as it’s not defaced.
If it’s PII, or personally identifiable information, like my driving licence or my passport number? Think about this from a developer perspective: the application you’re building, you would not want that to have any secrets or anything which is sensitive customer data, because that’s where the trust of the actual customer is coming from. This one is partially easy, because you can have a data classification for it. I think the simplest one, if you’ve never done this before, is literally: what is confidential, what is private, what is public.
Those three are the simplest data classification to go for. Anyone can do it. As an organization, it’s very easy to tell what is confidential, what is private, what is public. The hard part here is, imagine you are an organization that’s been around for years, since before the internet. There are a lot of companies that have done this: before the data center was a thing, then there were data centers, then they moved to cloud, and now they’re doing multi-cloud and the data center.
One of the biggest challenges we found was that a lot of data from a certain number of years ago is no longer relevant. Would you have the time and money to spend on going back over that mountain of data that has been left for years? No one has classified it. No one knows if it’s even relevant. No one wants any data that is probably about something which is not even a system these days. Is the business ready to spend money on a project that’s going to go through 25 or 30 years of data?
At what point do you draw the line for, actually, I only care about data for the last 10 years or 5 years, whatever that tenure is? As you can see, the complexity and the practicality keep going down as I keep going down the list. The intent is to at least have you informed about what is practical. Hopefully this gives you that information.
From a data classification implementation or foundational perspective: when we spoke about it, we have a data classification, we know confidential, private, public. How do we find this data? The first challenge we had was, how much data are we OK to classify? The second challenge we had was data sprawl. Maybe all of you have done a big data project, when people were talking about big data before GenAI.
A lot of that conversation was primarily around: we have a data scientist who happens to work for a university who wants access to the data, and I promise they’ll delete it afterwards. Give it to them. They said they deleted it. You have no idea if they’ve actually deleted it. That’s just one scenario, and that’s called data sprawl. That’s a very real thing as well. There’s a whole category, again one Gartner has created, called DSPM, if people are interested. It’s data security posture management, which helps you identify any sensitive information across your network. The idea being, it is a real challenge.
Even if you were just to classify data, or just to identify where my data is, if you still want to call it that, that’s basically the other part which a lot of people struggle with. I didn’t even know where to start if I were to go 20 years, 10 years, 5 years back. How many projects have we done? We have 400-plus applications with many contractors that came in and went. Is that on their personal laptop, or not on their personal laptop? Who is going to answer that question? At least that’s where I felt the complexity is for that one.
The other one is unified logging. This is kind of like IAM. A lot of us already do logging for performance monitoring. A lot of us do logging for error management and troubleshooting. Some of you may already have security logging separate as well. The idea behind the zero trust foundation is also to have unified logging in a data lake. I feel like this “data lake” word has been thrown everywhere. Everyone has a product called data lake as well. I think this is where it came from: unified logging.
The idea behind that is that all of us, instead of just having these multiple sources for logs, should probably be able to have all of that in a central storage called a data lake. As we do that, we can use it for security, we can use it for performance monitoring. We should be able to use it for troubleshooting and for any other unusual activity that you have to monitor on a day-to-day basis for an application. That’s what unified logging comes in for.
The biggest challenge you find here is that there is no unified framework for how to differentiate between an application log versus a security log versus a memory log. There is no common framework that brings all of it together, so I can just type in a query for: Ashish logged into linkedin.com today, and he made a post, which was weird, because he’s speaking at the moment, but somehow there’s a post out. Someone has to go and find that in the logs.
Separating that information, what that query would look like, is a much more complex question to answer. There are some answers. Cybersecurity specifically has an open-source cybersecurity framework for logging. Security logs can generally be categorized into a known template, so you can use it.
Last one, this is probably my favorite topic these days, at least for 2024, for two reasons. One, in general, there has not been a lot of conversation about incident response in the public cloud or cloud native world. Most organizations that I speak to believe that their on-premise incident response plan works one-to-one in the cloud context. Even though we’ve now used Kubernetes for building the same application, we’ve rebuilt the application using cloud native, somehow we have complete confidence that the incident response plan from on-prem is going to work in the cloud.
The idea behind including incident response in zero trust is that, if you were to successfully go through all the initial ones, to an extent, over time, the number of incidents should reduce. You should technically get to a point where you can connect without a VPN from any network, and they should be able to validate that, yes, Ashish is coming from a trusted device. It doesn’t matter if he’s on the internet, because we know that device. We know Ashish has the right credential. We can maybe ask for a second form of authentication if we just want to level up the trust.
Primarily, we trust where he or she is coming from. That level of trust over time should mean that the number of incidents you have to respond to should reduce. Initially, you’ll definitely find that building up what an incident response would look like in the new world of zero trust, if you’ve gone through all of that, changes significantly.
Even something as simple as: there’s an incident, how do I give my SOC team or incident response team access to that environment? That’s a very difficult question to answer when people have multiple ways of doing zero trust. Those were the foundational pieces. Hopefully that at least sets some foundation for how real some of these foundational pieces may be in your organization.
Zero Trust – Misconceptions
I want to talk about some misconceptions as well. Some of you have tried doing zero trust. Some of you may have heard about zero trust. The first misconception I’ll talk about is that asset management thing I was complaining about earlier, with an Excel sheet with 400 AWS accounts. It’s not a bad place to start. At least you know what you’re looking at. As much as I was complaining about it, the myth is that you need to have a perfect inventory before you can start doing zero trust.
Let’s not aim for perfection, because even the zero trust people themselves don’t aim for perfection. It’s supposed to be a journey. If you have an inventory of what you feel are the critical applications that you want to enable with zero trust, I think that’s a good place to start. You don’t have to have a perfect inventory to go for it. The other one is: you can buy a product for zero trust. There are a lot of vendors. They would say you can just buy zero trust, including Microsoft.
A lot of vendors have started calling out that they’ll be that one solution for zero trust. We all know how realistic that is. There is no product that can solve zero trust for you. Even if we just go to the foundational pieces, there’s no machine out there that can solve that problem for everyone. Even if they tried to, only part of it would be solved. To make sense of all of it together, it’s not even practical. That is definitely a big misconception. Hopefully people don’t have that in mind.
The other one is the end-state vision. I was talking about perfection in my first one. Most of the zero trust work we have done has been around the fact that we have a North Star. We go with the fact that we want to at least have our identity, which is the new perimeter we’re dealing with, be zero trust. What that looks like may differ based on the risk level of your organization.
Some people are OK with the fact that, for me, zero trust is that Ashish can log in from any device he wants, as long as he has the right username and password and has MFA. Some people may say, actually, that’s not good enough. I want Ashish to come from a laptop that is issued by the company and has the right software, so we can check for endpoint security as well. Or I have a device log that checks what that device is. It depends on how you want to approach it.
Depending on how flexible your organization is with that definition of what zero trust could look like for you, feel free to make the choice, because no one has really set out a prescriptive architecture for how you build zero trust. You’ll find various examples of people trying to implement their version. The best version is the one that you find works for your organization: the best tool for the job.
Obviously, I’ve been caught talking about the identity perimeter. The network perimeter is still important. We still have on-premise environments. A lot of us still have data centers that we work in. The network perimeter hasn’t gone away. It’s just that now you need additional context around it as well. Some of you may be getting out of the network perimeter soon. If you feel the network perimeter is not needed, it is still very much needed, because that’s what your trusted zone would be. That was all the misconceptions. I’m sure there’ll be plenty more. I just wanted to add that in. Don’t buy a product which says zero trust. That’s probably the theme there.
Zero Trust – Business Use Cases
Business use cases. I did promise that you’ll at least be able to walk away knowing whether you can implement zero trust today, or, if you have implemented it, what else you can add to it. I’m going to go through a few use cases. The first one, again, links back to identity. Already, as you can see, there’s a theme coming: human to application. We’ve been doing human to application, username and password, for a long time. To a large extent we trust that the username and password with MFA or some other verification for trust are good enough to validate that, yes, this is a really good use case for you to start building zero trust, at least with identity in mind.
As I said, based on the risk level of your organization, you may already be doing zero trust because you’re doing IAM with MFA, or federated identity with MFA. Service to service is the next business use case. This is not just your application to application, but also application to your cloud service provider. For people who use Terraform, it could be to your Terraform Cloud. It could be to your CI/CD pipeline. There are a lot more services in play these days which are not custom, which are not a thick application, which is basically something installed on a server. A lot of applications these days have APIs. They allow you to have programmatic access to them.
Everything that you do on the cloud service provider is enabled by API. It has authentication. It has allowance for MFA. For a lot of the business use cases, you’ll find that they start with human to application, and get to a point where they’re comfortable with human to application. In this context, humans are internal employees, but in your case, it may be external customers as well who use your SaaS application. Or maybe you’re a bank and I’m a user who complains on the internet about you.
That’s probably the most well-known business use case that people have been doing for a while. It’s about adding layers based on the foundation we spoke about: what layers would you want to add for zero trust? The same goes for service to service as well. A lot of us may have been doing mutual TLS between services: two microservices want to talk to each other, and you probably want to authenticate them.
If there’s a backchannel, you can use SSL certificates for it. Or you could go down the path of saying, we probably want to have some user that we rotate passwords for. That’s a bit more complex, but mutual TLS usually does the job. What layer would you want to add to that? Would you want to have a trusted network? Would you want to have a data classification down there, so that for any external third party, we only want non-personal, non-PII data to go out? Again, it’s up to how you want to do it for your organization, but that’s what this business use case is about.
Essentially, OT and IoT environments are probably the next business use case, where it’s an environment which has become a very software-defined network. You can have APIs there. You can communicate with devices which traditionally would have required someone to walk up there, plug in a laptop and a USB, and update the firmware. We’ve come a long way from that. There are sensors available on devices these days. Think about any physical thing. I’m thinking of a tractor for people in the farming industry.
For people on the road, whenever you pass a toll gate, that’s automated as well. I did an interesting project in Australia, where we have motorways; we used to have this massive boom gate, so you never have to tap in, tap off anywhere. Most cars these days are smart enough to have that little tiny box in the car which detects that you’ve passed a gate. The project we were involved in doing security for was around: how do you make sure the information that’s collected at those toll gates on the road, on the highway or the motorway, how do you ensure the integrity of the information coming across?
Because literally, no one’s standing at every toll gate to make sure no one’s plugged a laptop in there. It’s like, how do you trust that information? How do you trust the fact that, yes, Ashish did get onto the highway or the motorway at the first gate, and came out at the 10th gate, or the second gate? Can he bypass it? There were a lot of interesting scenarios that came up as part of that project. I think for me, that was the closest experience I had with it. I’m sure your scenario would be a bit different. We didn’t end up doing zero trust there, I think, but it had some of the principles. That was an interesting project that I got to be part of.
Next one is operator to infrastructure. Operator to infrastructure is a lot more about the fact that I have automation, I don’t want to be... maybe NoOps is a thing, apparently, but we’re very far from it. As much as I’ve tried to see it, it’s not there. I personally feel that all of us generally want to get to a point where humans don’t have to intervene a lot in things that can be automated. Even things that are automated these days still require a human to trigger the action.
The idea behind this is that if there is a known set of processes that we can work with, we should just be able to use them, and it can just be scheduled. I think my alarm at 7 a.m. every morning should just happen every day, Monday to Friday. I don’t have to schedule it. The use case here, and I personally have not seen it worked out, but they’ve said some people have done it, is that you’re able to get to that point where we are already doing a lot of automation.
How do we get to that automation through zero trust, so that we don’t have to level up our trust every single time, but we can still do automation? For many of you who may have tried doing automation with MFA, I can tell you, it’s super hard. As engineers will tell you, it gets a bit difficult in a complex environment. I personally haven’t seen this, but it’s a business use case that has been shared publicly on the internet, so I wanted to put it in there.
Last one is human to data. This is more in the privacy space, as well as knowing what data we have access to. I spoke about data classification earlier, so I probably won’t share much about this. It’s very obvious what that human-to-data piece is. The last one is probably more important, which is custom applications. A lot of us have legacy applications. Hopefully, no Windows 2000 anywhere, but if there is, you can remove it now. I give you permission to remove Windows 2000 from your environment.
The idea being, we have a lot of legacy applications that we unfortunately still carry, because they’re very critical for our business. A lot of the focus for what I spoke about earlier has been around microservices, cloud environments, Kubernetes, containers, but these legacy applications are still required. They are still going to be there for another 20, 30 years. Mainframe probably even longer.
Once you’ve done most of the use cases at the top, you should eventually be able to get to the point where you can actually work on the custom applications that you have developed internally, which may just use username and password, and which may not even have MFA. How do you develop trust for that? I haven’t seen anyone do that, but it’s the ultimate dream for people who would be able to get there.
Zero Trust – Where to Start
I spoke about foundation. I spoke about misconceptions around zero trust. I’ve spoken about the use cases as well. For some of you who probably have not started this, this is probably a good one to at least set the foundation for where or how you want to go with this. The first one being, a reasonable zero trust project goal.
As I was talking about the risk level, your organization may just say, we’ve got the identity pillar covered because we have applications that are authenticating. We have applications that are authenticating and require MFA. No one who’s not an authorized user can access the application. You’re happy with that coarse grain. You don’t want to go fine grain in terms of what level of checks you’re doing on the user authenticating.
That could be a good enough reason as well. It’s about articulating what that North Star would be for your organization if you were to walk that journey of being zero trust, or at least, when I say being zero trust, more like you want to walk that journey of getting to that end point. What does that North Star look like for you? That is probably the first place I’d recommend you start. Ideally, start with identity, my personal favorite, because a lot of us already understand it. It’s already been done.
Human to application, again, is another one. We’ve done that for years. Those two are the easiest ones. Networking and data classification, as I’ve spoken about the challenges. Data, the moment you start the conversation, I at least found that the last time we tried having the conversation, it got shut down really quickly, because who’s going to spend the money to go back through 20 years of data?
That basically just meant a dead end. I totally understand this. It’s not a business use case. There is the upside of having us go through, with maybe one or two resources, 20 years of data, classifying how much we actually care about and how much we don’t care about, and probably spending a whole year on it. Is it really worth the investment, or should we just try and go on this GenAI train? Maybe. It’s a question for the organization. I would say the big two, if I were to give my personal recommendation, would be that identity piece and the human to application. Those two are usually good ones to start, because we’ve been doing it for a while.
We already talk about service to service in terms of microservices already. A lot of it has already been done. The foundation is already there. We just need to add what our North Star for zero trust looks like. That would be probably my recommendation for big two. You could totally go down the data path and do other things as well.
This is probably a hard one for everyone. Even for developers and security people, documentation is not a thing. Hopefully GenAI is supposed to make it easy. Maybe this is possible now, that we don’t have to document anymore. At least the way I see it is that a lot of us have started walking the path now that most of our environments are supposed to be dynamic. A lot of us may be mature enough that we make changes in environments on a daily basis, on a weekly, monthly, quarterly basis, much more frequently than what we used to. If you are one of those organizations, you probably are already doing a living architecture diagram where it just keeps changing, or maybe it doesn’t change.
The idea behind zero trust is that, more than the living part, it’s more the flexibility part, where it provides you flexibility to add more layers, rather than make it more stringent. That’s where the living architecture piece comes in. It’s not from a perspective that we have defined that there’s a three-tier web architecture which is going to do all these microservices, API, whatever. It’s more around, how can we give flexibility that we still continue to work at the speed that we have always worked as an organization. That’s where that comes in from.
The other one being, realistic scope to building authenticity. This goes back to the first point, which is the reasonable expectation for what you want your North Star to be. That would help you scope what you want to cover. Again, if you start the journey for zero trust, it’s not a six-month project. It is definitely going to be a while. I think I have been involved with projects I’ve been running for at least two years, and we’re still doing at least the networking part. Segmentation is what we’re working on still.
Having a realistic scope and a realistic timeline for how long it may take, especially if you’re an enterprise that has been in the industry for a long time, I would probably have a realistic scope from that perspective. Say the business wants to know what’s the return on investment for us going on the zero trust path, because you believe in it, how quickly can you show some points on the board for, yes, we are making progress. Have some realistic scope around it.
Retrofitting versus modernization. This is taken from the whole conversation about moving to cloud, but it’s still relevant. You can retrofit into an existing environment, which is where it goes back to the North Star again, for how you classify zero trust. Whatever you’re doing today, you could add layers of zero trust in there, and that becomes like a business use case.
This is what we understand zero trust to be in our organization, and we’re doing this. This is what we are retrofitting it into. Or, you could do what a lot of other organizations are doing, or being forced to do in the public sector because of the government narrative: they have to completely change how the network works. They have to completely change how the architecture is done. The choice is made based on the North Star that you would probably end up on. I’m going to throw DevSecOps in here, but it actually is something which we talk a lot about in the security community, because we want to work with developers.
I think the idea is all of us want to create great quality code written for great applications that we all can be proud of. Making security integrated, not by making it a stopper, is definitely something all of us believe in. The same policy or the same thought process is required for the zero trust as well. You would find that not everyone is on the zero trust board. One of the organizations had to reword the zero trust because somehow it came across negative to a lot of people. It was more like, “You don’t trust us. We’ve been working together for 20 years and you don’t trust us?” I’m like, no, I didn’t mean it in the English context, but in general.
Some people had to change the name. You may hear the word high trust sometimes as well. There’s a lot of different variations on it, but the idea is the same, where we believe that this would mean that we’ll have fewer incidents. This would also mean that we can give a lot more flexibility to developers. It doesn’t really matter if it’s work from home or work from wherever, the level of trust can still be heightened easily, and the number of threat scenarios also change quite dramatically as well. That is also the point that I want to call out.
Zero Trust – Business Metrics
Business metrics. Some of you are obviously leaders. Some of you may want to share this with your leaders. These are some of the metrics we basically started working on to start showing the ROI, for what’s the point of all this money being invested, especially if it’s going to be invested for a long time. One of the metrics that helped us, in terms of coverage, was how many applications are already zero trust enabled. If your zero trust North Star is, I want to have all my human to application identity covered, that is the metric for it.
How much coverage do you have across the board for your applications? Maybe you have a data lake. Maybe you don’t have a data lake. Is there centralized telemetry you can have for all your applications? Do you have a security data lake? Maybe adding another layer. The other part that people also get interested in, at least from a security perspective, is that, if zero trust means more security, does that mean that the number of detections I can do for threats is higher? Do they reduce over time?
If they do reduce over time, then the ROI is the fact that before zero trust, we used to have 60 incidents in a day, now we’re down to 10. That’s a great ROI to show to organizations as well. Having some historic comparison for the number of security events definitely goes a long way in showing how good we got after the zero trust implementation compared to before. The last one, for security people, is probably a pain, which is the number of false positives we get in the environments. This is across the board for most security products out there as well, that sometimes the first time you implement something, there are a lot of false positives. Over time, the intent is to reduce it.
Zero Trust – What’s Next?
What is the next step after this? My hope is at least you have some practical understanding of where you want to get to with zero trust. You have some idea of where you may already be for zero trust, and some idea for how you can have a positive impact in your organization for implementing zero trust.