A highlight from Zeroing in on zero trust. [CyberWire-X]

The CyberWire


ExtraHop and Kapil Raina of CrowdStrike. Here's Rick Howard.

I had the chance to sit down at the CyberWire Hash Table with an honest-to-goodness internet celebrity. His name is John Kindervag, currently the Senior Vice President of Cybersecurity Strategy and Group Fellow at the ON2IT Group. He's also an old friend of mine and colleague; we both worked at Palo Alto Networks together for about five years. But more importantly, he's the guy that wrote the original white paper on zero trust back in 2010 that we all base our zero trust deployments on today. The paper's called "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," and he wrote it when he was working for Forrester, a cybersecurity research and consulting firm. In that paper he became the first person to say that we should all just assume that our networks were already compromised by the likes of FIN7, Wicked Panda, and Cozy Bear, and that we should design them accordingly to reduce the probability of material impact.

To be fair, John didn't originate the zero trust idea. After all, the concept started kicking around security circles in the early 2000s. The Jericho Forum started talking about de-perimeterization as far back as 2004. The problem they were trying to solve was that most of us install an electronic perimeter, a wall that bars access to our digital assets, but once you have legitimately logged in, you have access to everything inside the electronic wall. By de-perimeterization, the Jericho Forum meant that verifying identity and granting access authorization would happen away from all of our digital assets. In other words, it would happen outside the electronic wall. Once granted, the user gets access to the asset they needed, not all the assets within the perimeter. The US military incorporated some of these ideas into their Black Core in 2007. Somewhere between then and 2010, the community started to refer to de-perimeterization as software-defined perimeter, or SDP.

In 2010, John Kindervag, working for Forrester, published his essential zero trust white paper that solidified the concept and expanded upon it. That same year, because Google got hit by a massive Chinese cyber espionage attack coined Operation Aurora, their site reliability engineers rolled out an internal version of SDP as part of a network redesign. A few years later, about the same time that the Cloud Security Alliance adopted SDP as a best practice, Google has a commercial offering of their internal SDP architecture called BeyondCorp.

But let me be clear: SDP is not a complete solution, as John Kindervag would likely point out. There are many things you can do to improve your zero trust posture, but if you deploy an SDP architecture you would be a long way down the road on your zero trust journey. John would disagree with that. He really is annoyed with vendors who claim that their SDP solution is a zero trust solution, and he would be right. At best, they give you a framework to hang your zero trust policy on; at worst, they are a collection of new and shiny tools that security practitioners would have to deploy and maintain, and we already have too many of those we are responsible for. I personally like the framework idea, but that's just me. Regardless, since I had John at the Hash Table, I asked him what drove him to write the original paper in the first place.

I had been a security engineer and architect prior to coming to Forrester in 2008, and I had always been frustrated with this idea of trust in digital systems, because when you installed old-school firewalls, which is still true today but even worse back then, you had to assign an arbitrary trust level to various interfaces in order to get traffic to flow, because that was what policy was based upon. And in fact, if you were going from an internal interface that had the highest trust level, one hundred, to an external interface that had the lowest level, zero, you wouldn't have to have a policy rule on it at all, which I found to be just scary. Why don't we put any rules on this? Because we just don't; we don't have to, because we're going from trusted to untrusted. I thought that was silliness. And then I started to investigate trust. I met some people who thought about it a lot and started explaining the differences between, say, direct trust, I know you for a long time so I trust you, and then you have a friend who you tell me about, and you say he's a good guy, that's transitive trust. And I understood it at a human level, but I realized those concepts didn't translate well into the digital world.

The poster children for why we all need a robustly deployed zero trust posture are Edward Snowden and Chelsea Manning, because according to John, these government whistleblowers proved that identity is not sufficient to prevent data leaks.

Well, Snowden and Manning are still the most famous, because they're like the Beyoncé and Madonna of cybersecurity. They were trusted users on trusted devices. They had the right patch level, the right antivirus, but nobody looked at their packets post-authentication. They're still the two best use cases, because it automatically shuts down this idea that zero trust equals identity. I've proven to you with two words, Snowden, Manning, that zero trust does not equal identity, because the identity of those packets, what user they were tied to, was not in question on those networks. Just no one looked at them. No one cared. They had wide-open access.

Remember, John wrote the original paper over a decade ago. He also wrote a bunch of follow-up papers after, but the Forrester leadership team decided to hide them behind a paywall. As such, most of us have never read them, including me, and I'm one of John's friends. The result is that there has been a void in pushing the idea forward. Other authors and researchers have jumped in to fill the vacuum and put their own spin on the idea. Evan Gilman and Doug Barth published their own book on the subject called "Zero Trust Networks: Building Secure Systems in Untrusted Networks," and security vendors have begun claiming that all of their products are zero trust solutions, which, as you might imagine, has caused some confusion amongst us practitioners, and that annoys