Listen to learn about zero trust tenets and where to get started in implementing zero trust in your environment.
"Zero Trust is essentially a security initiative saying that you are going to assume that attackers are present in any environment you're working in. The main goal of that is to remove implicit trust in the design and implementation of whatever you're doing."
“Zero trust” is something we hear a lot about but in many cases it seems to be a buzzword used to sell us something. However, it can be an excellent approach to security when done well.
Geoffrey Sanders (Senior Member of the Technical Staff/Situational Awareness Team, Software Engineering Institute/CERT Division, Carnegie Mellon University) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA)to discuss the tenets of zero trust and where to get started in implementing zero trust in your environment.
Listen to learn:
Connect with our guest on LinkedIn
Learn more: SEI Website
Resources:
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm a principal security analyst here at SecurityMetrics. I would really like it if you would like and subscribe and share this out with friends. We wanna make sure that more people understand cybersecurity is it's approachable, it's understandable, and that's what we try to do here on this podcast. Today, one of the topics that you might have heard about a lot, people people think zero trust is kind of buzzwordy or they don't understand it or it's something that maybe a vendor is trying to sell them.
But zero trust is so much more than that. So I reached out. I wanted to get somebody who really knew this topic and totally found the right person. Jeffrey Sanders.
He's from the, SEI, CERT team. So let me let me read you a little bit about him. And if you know what CERT is, you already realize this is cool. Hang on. Jeffrey Sanders is a senior member of the technical staff in the CERT division of the Carnegie Mellon University Software Engineering Institute. The SEI is a federally funded research and development center or FFRDC, a nonprofit public private partnership that conducts research for the United States government. One of only ten FFRDCs sponsored by the US Department of Defense, the SEI conduct conducts r and d and software engineering, system engineering, cybersecurity, and many other areas of computing, working to introduce private sector innovations into government.
As a member of the situational awareness team, Jeffrey supports sponsors in multiple areas of network systems, security, and survivability.
His current areas of interest include analytics, big data, data fusion, and zero trust. Prior to joining the SCI, Jeffrey worked as a security architect in the defense industry. His experience includes more than twenty years in security operations, system security engineering analysis, vulnerability assessment, and penetration testing.
So happy to introduce to you and welcome Jeffrey Sanders. Thanks for joining me today.
Hi, Jen. Great to be here with you on the SecurityMetrics podcast. Thanks for having me.
Did did I miss anything in there? Is there anything, kinda cool going on in in your end of of the world, especially in zero trust? I know you have some blogs out there. We're gonna make sure that people have have links to them.
Oh, yeah. It's it's, as with most things, the the domain is, well, a little over a decade old. Right? And and now folks are actually getting into specifics because it's it's not no longer just a a concept or a, a topic. Now people are actually trying to implement it.
Right.
And that's seeing a lot of documents come out for that.
Yeah. So it's gone from, the I the good idea to the how do we implement this good idea.
Yeah. Correct.
Right. That's probably why we're hearing a lot of, vendors talk about it now too is it's matured to a point where, where people want to do it but aren't quite sure how. So, how would you now that I've said it's kind of a buzzword, but it actually means something. Right? So how do you describe zero trust?
Fundamentally to me, and when you take a look at the, eight hundred two zero seven from NIST, which is zero trust architecture, when you get down to the nuts and bolts of it, it's really a security initiative. Right?
Security initiative is saying that you're gonna assume attackers are present in any environment that you're working in.
And from there, the main goal of that is to remove implicit trust in the design and the implementation of whatever you're doing.
That's and I think that implicit trust is really what some of the older security architecture was based on. In in the past, we would say, oh, do you have a good, crunchy outside the soft middle is kind of, what people in the industry have called it, where if you have a good firewall, the assumption is that if you're inside that network, then you can be trusted. But zero trust doesn't assume that at all.
Correct. And and it assumes that, you know, pardon, that basically your your adversaries in your network work. Right? You don't it's it's the opposite. You're gonna assume they're in there and you wanna design based on on that assumption.
I think when you look back into the older way of doing things, because most networks evolve over time, they would install a firewall, then they put an active directory, and things just grew out over time. That concept was something that people wanted to work towards, but it wasn't necessarily inherent in how they design things.
Right.
So so now it's really they're calling that out. They're saying this is how we wanna build it, and we really need to look at the architecture and ensure that those principles are built into it.
Right. So, you wrote an excellent article on zero trust. It was posted on the SEI blog earlier this this year. And and like I mentioned before, we will have the links in our show notes. I think everyone should go read about it so they understand more about it and how to how to go about implementing it in their environments.
It lists zero trust tenants from the NIST publication eight hundred two zero seven.
So I've I have read a lot of NIST publications, and they are a slog. Like, some of them, you just read them and think, okay. Who wrote could you have made this any drier? But I get it. I have take I too have taken technical writing classes.
But, but the information is super useful. And I thought if we talked through these tenets together rather than just saying, oh, go read it and everybody tries to read it and says, oh, these words on a page. So if we talk through it, maybe it would help people really understand the tenets. And then when they go and try to implement it and have to read these things, they will have more of a basis of understanding. So, if that's if that sounds good to you, let's launch into that.
Yeah. It sounds good. One thing I do wanna point out is, you know, not every NIST document is is the same. Right? They are they all have different context and different intents.
So when you look at the eight hundred two zero seven, which is what we're referencing here, is keep in mind the context of the document.
That's really important. Yeah.
They they vary widely, you know, unlike the eight hundred fifty three, which is all about controls, this is this is really about much higher level stuff. So, you know, logical components, abstract definitions, general models of the, of the initiative itself.
And that means that that interpretation and implementation of those concepts are left up to the reader.
Super important. Because tenets, like you said, that's conceptual. It's this is these are principles. This is not a checklist that's going to help you implement it. This is the the foundation of understanding so that you can then go forward to the next steps.
Yeah. And when we talk about, eight hundred two zero seven, when you start reading through that and you start looking at the appendix b, they're actually doing a gap analysis. They're telling you the pieces that that aren't really well defined and filled out. So even though you're talking about, a concept that's a decade old, there's still a lot of things people are trying to figure out. Even in the NIST document, they're saying we don't we don't have answers to this per se. These are things you have to think about and and we're gonna need to address as we move forward.
I really appreciate that caveat. Okay. So with that understanding together, let's start talk with about the first tenet. All data sources and computing services are considered resources. And almost all of these words can mean different things in different context. Can you help us understand what that means in terms of, of zero trust?
Yeah. Well, sometimes when you read through things, they can be a little ambiguous. And and even when I go back to the definitions, I have to make sure I get a really good, wrap my head around it well enough. Right? So from my understanding of the tenant, what we're talking about is resources are synonymous with, and in general terms, something that is a source of data or provides a service.
K. So that doesn't always mean it's gonna be a server.
It doesn't mean it's going to be, a mobile device. It can be an IoT device because that will generate data. Right?
Mhmm.
It can be a shared drive because that's where data is gonna be stored. It can be, your Office three sixty five instance where you're doing your email over the web and or just a general web application in general.
So it makes sense to use the word resources because it could be applied to a lot of things that fall into a lot of different categories and maybe they didn't wanna limit, an organization's view of what potentially a resource would mean.
Correct. And, you know, you can actually define a personally owned device as a resource if you want, but I wouldn't necessarily say that that would be a a common definition of one.
Okay. So we're looking at at at, data sources, something that provides data sources, something that provides services, within an organization's set of things.
Mhmm. Yeah. And, one of the ones I'd point you to so in an eight hundred two zero seven, they actually have what's called figure two, which is the the zero trust logical components of an architecture.
There, they're using, things like, a user and a subject.
They're both synonymous. They're the same thing.
That subject resides on a system and then access as a resource.
Okay.
Right? So within that, what you what you're seeing is the resource is gonna be something that's behind what they call a, policy enforcement point. That's kind of the the security control mechanism for zero trust.
Okay.
Alright. And yeah. So the that diagram helps me a lot when I go look at it is to say, okay. Here's what they mean by resource when you visually look at it.
Terrific. I'm I'm gonna go look at that diagram again. Any, any work that I do, if I can get some kind of a diagram to help put the pieces together of whatever I'm looking at, it seems like that we we humans like pictures.
It helps solidify the understanding.
Yep.
So, our second tenet is all communication is secured regardless of network location. And, this seems to go to the heart of one of the main differences between some of the legacy architectures and and the the, zero trust that we were talking about before. How would you characterize this tenant?
I would characterize it pretty much what everyone knows as end to end encryption or protection in some in some fashion of that communication and authentication of that communication. Right? So it's not just that you're protecting it and encrypting it, you're actually authenticating.
So that tenant calls for the confidentiality and integrity.
K? They specifically call out the source, but when you're talking about, an encryption and understanding what a subject and a resource and enforcing that, from a technical perspective, that's what we would end up calling mutual TLS. So you're actually making both the client and the server authenticate mutually so each knows which one is. Right?
Sure.
Okay. And basically, when you look through that with that that, authentication and protection, the key of that tenant is is all those assets are untrusted.
Whether it's inside or outside, right, and especially in this borderless environment now Mhmm.
It it's everywhere.
And, you know, one of the conversations that happens fairly frequently when I'm working with groups, on their security and it comes up more when it's a compliance based security assessment. Because oftentimes in compliance, some of the the the more more well known standards don't say that you have to really secure your internal communications.
They they say if it's going over a public network, you have to secure that. But the assumption is that internal networks are, are more secure and you don't have to to do anything with them. And and my my response is I don't really regardless of what the compliance standard says, if you really want to secure your information, you're gonna take seriously the fact that information flowing over a network, whether internal or external, is has vulnerabilities. It's going to be a a place where information can be taken and used improperly.
Correct. And, you know, just from pen testing background and things like that, when you're talking about these borderless environments when you're working with clouds and, other partners and things like that, you know, it's that trust exploitation piece.
Right. Right?
So if I can, compromise somewhere and pivot in that you have that implied trust in a lot of those designs. So so we wanna get rid of that implicit trust and say, okay, basically, and this you know, the communications between two points have to be locked down too and they have to mutually authenticate and understand that they have rights to talk to each other.
Right.
So next, we have access to individual enterprise resources is granted on a per session basis.
We talked a little bit about resources when we covered the first tenant, but the idea of a session might be unfamiliar to some of our listeners.
Mhmm. Can you describe what a what a session is and how it applies in zero trust?
So per session, I would just consider that a unique connection between a a subject and a resource or or a user and a service. Right?
Right.
Simplest example, that probably everyone can relate to is a, a unique tab in your web browser.
Perfect.
Alright. Each tab you open, that's a unique session. It uses what's called what from a technical perspective called an ephemeral port. So each tab has a different port that's communicating with the server, and that's that unique connection.
Excellent.
And so in in in zero trust, you have to authenticate individual access. You have to have that granted per session. You don't you don't just have a session open then. So sometimes and I where I've seen this is I've gone to purchase something in a shopping cart and then closed out everything and then gone back to that website later.
And my stuff is they recognized me. Stuff is still in the shopping cart. Now that's not necessarily a a persistent session, but it's more probably cookie based. But just just kind of conceptually getting to something that you don't have to authenticate to the second time you get there. So, having to authenticate every time is more the the, zero trust, idea.
Yeah. Yeah. So kinda what zero trust does is that policy enforcement point we talked about. Consider that your, your application layer firewall between the subject and the resource at at a session level. K?
Basically, that policy enforcement point monitors the session and enforces all these, attributes that zero trust is looking at such as identity, the subject, the resource, the policy that's allowed for that specific connection between those two.
And, you know, in many cases, when you're practically doing that with technology, you're you have some type of agent on your system that understands all those pieces and parts that are moving around and is watching that that, that port on that, browser and is actually talking with the the zero trust architecture on the on the endpoint destination as well.
Right. Okay. So our fourth tenet, this is kinda long. Stick with me. Access to resources is determined by dynamic policy, including the observable state of client identity, application service, and the require requesting asset, and may include other behavioral and environmental attributes. And so what the heck does that mean?
It's a it's a long winded way of saying that the architecture, is dynamically looking at multiple pieces of information and generating a policy based on those attributes for for each session. So you still may have a long running session, but there's new information coming in like, threat intelligence, maybe some HR data that says that person is no longer authorized to access that resource.
So over time, the the zero trust architecture is monitoring all those connections and all as all those new attributes come in, the policy is being updated, deployed, and the enforcement point is applying that policy as time continues.
So just because you have access to something, you you don't get to maintain it if something else changes.
Correct. So a a good example is if you have a an endpoint, say your laptop. Right? And, when you log in, everything's good because the agent sees that there's no malware on your computer. Right?
And you open a a an email and you get compromised with a phishing attack. And then that agent is still running, it does its its safety check on your on your system to say, oh, okay. I see a piece of the malware now. That gets communicated to the architecture and your your trust level drops.
Right? So then that session is cut off based on whatever policy is in that architecture to say, okay. You need to get this cleaned up before you're able to access the resource again.
Alright. So tenant number five, little bit more straightforward than the last one. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. This feels like, a lot of monitoring logging, that type of thing. What do we need to know about, this one?
Well, so we go back to the no, inherent trust. Everything's considered hostile no matter which the asset is. Right? So generally speaking, the zero trust architecture is continually gathering and mining data about assets that are connecting and communicating in the architecture.
A lot of folks know this as what what we call continuous, diagnostics and monitoring.
Mhmm.
And and really, one of the key things when you're talking about this to keep in mind is, most organizations are still trying to get their hands around, good asset inventory and maintenance.
Yes.
And this is key component of that.
Right? For for zero trust to understand the asset and any kind of risk that it presents to the to the architecture, you're gonna have to have that continuous, data collection and mining.
And and it needs to know, is this an enterprise asset, or is it a bring your own device type of thing? So if it's bring your own device, then we're gonna trust that even less because we don't really know the configuration as well.
Mhmm.
So the the device type may determine what type of resources you can even access.
Right.
Well, one of the especially with my, groups that need to respond to HIPAA, one of the things that I ask them is, how do you know you're not being breached right now? How do you know that what is in place right now is secure that you're not currently losing data?
And and many of them are still at the point of, well, I don't even know what assets are on my, network.
I'm not sure who's accessing what. I don't I don't know what state they're in, much less the traffic that's going on or changes that have been made to any of these assets.
I don't I don't have enough insight. And I think that's that's a real key to improving the security stance of any organization is how do you know what's going on?
Yep. Mhmm.
It's it's really about, number one, being able to define your operational processes and knowing those well enough to automate that. Because when you look at zero trust and the tenants and and what the architecture stipulates, you're really having to, do a lot of automated collection and and even some analysis. I mean, there's some architectural patterns out there that talk about, SOAR.
Some of it, you know, the NIST document has a has a SIM in it, but when you look at some of the more advanced ideas about zero trust, they're talking about a source system. And in order to do so, you have to have playbooks that that, you know, run well.
They're consistent in the results they produce because it's not gonna blow something up in the network. Right?
Right. And and SIEM is more just for people who are not maybe familiar with SIEM and SOAR, SIEM is s I e m and SOAR is s o a r. SIEM is more information gathering and evaluation, and SOAR is a more of an orchestration of of things, and automation of things.
Is is that your perspective as well?
I didn't mean to Yeah.
So, my analogy is SIM is the kind of the automated analysis as best as you can get.
Soar is the next step of, reducing the the human analysis effort. So you can define, your operations and your analysis well enough to say, okay. We can automate these five steps, but these three in the middle require a person to actually look at the data and, provide some input and then the the rest of that process can finish.
Right.
Okay. So then, let's see. Oh, we're up to our sixth tenant which states, all resource authentication and authorization are dynamic and strictly enforced between acts before access is allowed. So so how is that managed?
It's really that continuous monitoring concept is those those sessions and the the the subject and the resource are continuously monitored, data is collected, new threat intelligence comes in, an anomaly occurs. Right? So so, practically, you're having, multiple services do this.
A good example I can point you to is the Google Beyond Corp model. They have a lot of, papers written about that and, you know, they have a thing what they call is called the device inventory service.
Okay.
And and, basically, it's talking to a bunch of different things in the architecture, collecting information, making decisions, and then generating policy.
And that's a periodic thing that gets that gets pushed out. So really the key thing here is is most folks are used to, you know, I authenticate with my two factor or something like that. They're let in, they use the service, and they use it until they're done.
This zero trust is kind of the next evolution of that to say you're logged in, the zero trust components are, periodically generating new stuff. They're looking at the situation, and then they're making a risk decision based on that, and then the policy gets updated.
Okay.
So, that brings us to our final, seventh zero trust tenant.
The enterprise collects as much in super information as possible about the current state of assets, network infrastructure, and communication, and uses it to improve its security posture.
So I run into a lot of organizations who think a quarterly external vulnerability scan or even internal vulnerability scan covers what they need to know about their security posture. They so that it's a quarterly report. It's fairly high level, and they say, no. Look. We're good.
But I I try to always have conversations about why that's not good enough. But, what do you think, is meaningful information in in order to improve a security posture?
Well so when we talk about zero trust, you're really saying that we're we're challenging the traditional technology operations model. Right? Yeah.
The dynamic nature, it's implying, continuous information gathering, plus you have to automate that and and have some type of response to it. So, oh, at the end of the day, the goal is to protect the data.
And with these environments becoming more complex, you have to reduce the the human technology interaction required to achieve that. Right?
Right.
So back in, you know, ten years ago, I would run my vulnerability scanner. I would I would collect that. I would do report, and I would, you know, publish that quarterly.
Now you have, like, a network access control that's that's scanning your system and dynamically understanding what that is and then moving you over into a particular area of the network once once you're clear. So we already see those those components and all these things are pushing that envelope to drive organizations towards a higher performance model.
Right.
Right? So these things are really pointing to agility and resilience.
Because, when you look at all the components in the architecture, you you can't have a single point of failure because the the security model of a zero trust architecture is default nine. They're saying you're not gonna be able to talk any resource unless we allow you to. So all of those things have to be, working, responding, available, and, responsive.
Right?
Right.
So, so those are the seven tenets, that I wanted to go over. Your blog post goes into much more depth than that. You have, more information. Specifically, you talk about what threats you need to consider towards a zero trust model. Because I think you need to look at threats, towards zero trusts in a slightly different way from threats towards a maybe a legacy architecture. Is that correct?
Yeah. Plus it's it's, again, you know, it's unique. Every every architecture, every enterprise is different, and the the risk and the trade off decisions that are made are different.
So it's really understanding the tenants and then flowing those down to, you know, the technology that implements those ideas.
Right. Right. Well, this has been very informative. I really appreciate it. And I hope that that our listeners have have gathered some more information about zero trust. And it's it's a little less, I mean, kinda just just buzzwordy and more something that they could consider learning more about and applying.
I I personally, as a security professional, believe that zero trust is is the way forward, in future architecture. And and I hope that people will start taking it seriously and and digging into it more.
Yeah. Yeah. It's a it's a really, great paradigm, but it's just, you know, I think the average estimation going from initiation to finish in most enterprises, at least a five year journey. Mhmm. So start small and and do increments. Right? It's a lot of complexity.
Good advice. Good advice. Well, thank you very much, Jeff, for joining me today, and I hope that we get to talk to you again in the future.
Yeah. Thanks for having me, Jen.
Alright. Bye bye. Thanks again for joining me here on the SecurityMetrics podcast. I really hope you will like and subscribe. Share this out to people, especially people who are struggling a little bit right now with what is the concept of zero trust or maybe looking at what is the next architecture step in my organization to really increase our security stance. Zero trust is the way of the future. Talk to you again next time.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
.svg)
