The Inner Circle


Zero Trust, Coffee & Dave Lewis

  • 1.  Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 12:17:00 PM
    Hi folks,

    Thanks for taking the time to stop by. I'm Dave Lewis. I work as a Global Advisory CISO with Duo Security which is now part of Cisco Systems. I have been in security in one form or another for over a quarter century having done everything from being a firewall admin through to being a CISO. It has been a wild ride over the decades and I've learned a lot of lessons along the way (mostly from falling on my own sword).

    For the last three years I've been focused on Zero Trust or as I'd prefer to call it, Trusted Access. This discussion is more about reducing risk in your environment as opposed to chasing boxes with blinky lights.

    I'm here to answer any and all questions about zero trust to the best of my ability. If I don't know the answer I'll be sure to track it down afterwards. Looking forward to our discussion.

    Thanks,

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------


  • 2.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 12:27:00 PM
    Hi Dave, 2 part question:

    1. Noting you are already changing the name of Zero Trust, what do you think the best definition of it is?

    2. Favorite 90s band?

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 3.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 12:53:00 PM
    Hi Jim!

    1. I believe the best definition for zero trust is wrapped around reduction of risk. All of the core fundamentals for this framework remain the same. I prefer "trusted access" as it removes the negative connotation. Frequently when I would speak at conferences in the "before times" people would point this out to me. The framework is sound but they were put off by the term. Fair enough, we can shift the thinking. Too often we get ourselves bogged down in analysis paralysis as to what $something is that we end up doing ourselves a detriment. Viewing the perimeter as anywhere an access decision is being made is one example of how we can shift our thinking.

    2. That's a three way tie between Bad Religion, Rage Against the Machine and The Archers of Loaf.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 4.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 12:42:00 PM

    Hello Dave,

    Thank you for taking the time to answer questions on Zero Trust. Can you please explain what Zero Trust is, what business solution it solves, and the market you serve? How does Zero Trust reduce risk in a given environment?

    Thanks!



    ------------------------------
    Anna Campbell Schorr
    Training Content Development
    Cloud Security Alliance
    ------------------------------



  • 5.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 12:58:00 PM
    Hi Anna,

    The traditional way we would view security was heavily based on location trust. Example, "it's behind the firewall so we trust it". A zero trust model establishes trust for every access request regardless of where that person or asset may be. The premise here is to continuously verify trust. This approach can help prevent unauthorized access, contain breaches and reduce the risk of an attacker's lateral movement. This will help reduce the risk to an organization while lowering costs and help to improve the odds that the systems, people and data are kept safe and secure.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------




  • 7.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:04:00 PM
    Hi Dave,

    An interesting Point of View (PoV): if an organisation has a certain level of maturity, would you advocate throwing away their existing technology along with the kitchen sink, or would you work with the organisation to help them on their ZT (Trust Access) journey, i.e. to fulfill their immediate Use Cases in support of their business? What do you mean by Trust, i.e. from a human being's behaviour perspective in terms of psychology, because there are many different perspectives on what Trust actually is.

    What do you think Trust really is in the context of Trust Access or Zero Trust Security?

    Often we find the same issue with Digital Identity, where standards cannot for instance define and agree exactly what Digital Identity is and would rather use the term Identity or Identification as being more meaningful.

    On average how long would it take an organisation to achieve full Trust Access, if they were motivated in your opinion?

    ------------------------------
    John Martin
    Senior Security Architect
    IBM New Zealand Limited
    ------------------------------



  • 8.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:20:00 PM
    Hi John,

    Thanks for your question. I would never advocate for throwing out existing tech (unless it is older than I am) along with the kitchen sink. In many cases the aforementioned tech will contribute to a zero trust/trusted access framework. The idea is to make better use of the technology that is in place and augment with other solutions where it makes sense. This is a risk based discussion that has to have a keen eye towards financial realities. In a perfect world we could just sprinkle magical security dust on everything and have it work but we need to be practical about these things.

    Digital identity is a much more protracted discussion that will require years of discussion. Mostly for the simple reason that everyone has a point of view and building consensus will take a long time. People are funny like that.

    As for the time to deploy that's not really a simple question to answer. There are variables such as staffing, budgets and legacy systems that need to be reviewed. I've seen a highly motivated company with thousands of employees move to a zero trust framework and it took them 8 years. While other smaller shops can do so in under a year. There is no straightforward answer for this question other than to say that it is now far easier to do so from a tech perspective than it has historically been. The human element is where the way forward can become more dubious.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 9.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 09, 2020 03:37:00 PM
    Hi Anna
    This is from Forrester. John Kindervag coined the term a few years back but it's been in existence since the early 2000s. US DoD started using it and called it "deperimeterization".
    Attached is also a deck I put together for a small presentation I did. There is some CSA collateral in it.

    • All resources are securely accessed no matter who creates the traffic or from where it originates, regardless of location or hosting model, cloud, on-premises or collocated resources.
    • Adopting a least privilege strategy (LPS) that enforces access control to eliminate the human temptation to access restricted resources.
    • Continuously logging and analyzing user traffic inspection for signs of suspicious activity.


    ------------------------------
    Keith Patterson
    President
    Malpaso Consulting
    ------------------------------



  • 10.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 10, 2020 12:55:00 AM

    Keith,

    I'm afraid you are a victim of "fake news" or "revisionist history". The term "de-perimeterisation" was coined by Jon Measham, a former employee of the UK's Royal Mail, in a research paper, and subsequently used by the Jericho Forum of which the Royal Mail was a founding member.
    Ref: https://en.wikipedia.org/wiki/De-perimeterisation

    Its first appearance on the scene was at the 2003 RSA Conference (Europe), see attached press coverage.

    Also the opening keynote for Blackhat 2003 (Europe) and Blackhat 2004 (USA).

    It resulted in the formation of the Jericho Forum (eventually run by the OpenGroup):

    https://en.wikipedia.org/wiki/Jericho_Forum

    The correct timeline is here (from a webinar I did a couple of weeks ago with KuppingerCole and Duo Security) - see attachment; it shows the intertwining with the work of the CSA.

    In 2010 John Kindervag presented a document called "Zero Trust Network Architecture" (note the full title) which proposed "Segmented, Parallelized, and Centralized" internal networks as a solution to the de-perimeterisation problem (I was there in the audience, in Boston, at its launch, where he credited Jericho for the original thinking and problem statement).

    Note that, if you read the original paper by John, whereas the term may have survived, the concepts proposed by him are all about fixing the internal network and bear little, if any, relevance to the problem(s) today.

    Whereas I'd argue that the original Jericho Forum "commandments" from 2006 are as relevant, if not more relevant, today:

    https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

    Regards

    Paul



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------




  • 11.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:08:00 PM
    How does the zero trust model establish trust for every access request?

    ------------------------------
    Jaclyn Parton
    Marketing Coordinator
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 12.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:24:00 PM
    At the risk of leaning towards brevity, yes.

    A lengthier answer is in how that trust model is implemented. Trust levels are dynamic and change to adapt to your evolving business, so how that access is established will be subject to the policy of the organization.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 13.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:14:00 PM
    Hi Dave,

    Thanks for being here.

    Question: Will Zero Trust ever become a commonplace term for non-tech people (like me) or will it be mostly a behind-the scenes security model?

    ------------------------------
    Jeffrey Westcott, CPA
    CFO, Cloud Security Alliance
    Bellingham, WA
    ------------------------------



  • 14.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:30:00 PM
    Hi Jeffery,

    My pleasure. I think that it will become more commonplace over time but in a way that is more acceptable to everyone from technologists to luddites and all points in between. This is why I prefer to use a term such as Trusted Access as opposed to Zero Trust. I've heard from many non-technical people that they view zero trust as far too negative of a term for their liking but are onside when the concept is discussed. So rather than trying to force the issue, a rebrand for a sound approach seems logical.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 15.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:30:00 PM
    What's the easiest way for an organization to begin implementing Zero Trust? Scalability can be a challenge. Where should I look to take the first steps?


  • 16.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:36:00 PM
    Hi John,

    First and foremost an organization has to do their homework before talking to a vendor. They need to have a firm grasp on their user management, asset inventories and applications that are needed to keep the lights on. This coupled with having defined repeatable processes will go a long way to preparing an organization for the next steps.

    You're absolutely correct. Scalability is always a challenge but with proper planning and rationalization of assets, the enterprise can work to mitigate that type of issue. The first step after that which is a simple way to reduce risk is to move to multifactor authentication to reduce the risk posed by the venerable password. A password does nothing to verify who the user is, rather that they happen to know the correct secret handshake to enter the clubhouse.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 17.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:36:00 PM
    Edited by Shamun Mahmud Dec 08, 2020 01:37:12 PM

    Hello Dave,

    Thanks for the coffee-talk conversation around Zero Trust Network Architecture (ZTNA).  Many solutions tout Zero Trust and take different approaches to achieving it.  So, it can be confusing for an enterprise looking to implement ZTNA as their future security architecture.  NIST recently published SP800-207 Zero Trust Architecture, in hopes of providing clarity.  Can you provide your opinion on SP800-207 (scope and effectiveness).  Can you also conjecture on how enterprises can best leverage that NIST standard at scale?

    Thanks and best,

    Shamun



    ------------------------------
    Shamun Mahmud
    Standards Officer, Sr. Research Analyst
    Cloud Security Alliance
    WA
    ------------------------------



  • 18.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 01:46:00 PM
    Hi Shamun,

    My pleasure! Confusion is pervasive to be sure. NIST SP800-207 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf) is an excellent resource for an organization much in the same vein as the NSA document (https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF) for selecting an MFA solution. The key thing here to keep in mind is that these are all tools to assist an organization and are by no means the sole authority. As to how a company can implement this at scale they need to do what makes the most sense for their particular organization.

    There is no "one size fits all" for ZTNA so an organization will need to make informed decisions using tools such as the aforementioned resources and plan, plan, plan so that scale and security is factored in right from the very beginning.

    ------------------------------
    Dave Lewis
    Global Advisory CISO
    Cisco Systems
    ------------------------------



  • 19.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 08, 2020 02:27:00 PM
    So I'm going to fundamentally disagree with your renaming; ZT was already a bad (and incorrect) term, but was snappier than "de-perimeterisation" (the breakdown of the corporate perimeter as an effective security boundary).

    There is no such thing as "Trusted Access" - that implies being able to replace "Trust in the internal network" with "Trust in your access system" which we should all know is BS.

    So what is ZT? I'd argue that:
    • It's an (architectural) state of mind
    • A journey with quick wins, as well as long term strategy!
    • Security architecture aligned with business strategy!
    • A design for "Internet" and implemented on both Intranet & Internet!
    More importantly it's about "risk-based" access: making a risk-based decision, about access to data and/or systems, based on the trusted identity and attributes of all the entities and components in the transaction chain.

    The problem with "trusted access" is that you fall foul of the "locus-of-control" problem (Jericho Forum commandment #8) - in IT terms, you take a variable ("maybe Paul Simmonds, based on a number of factors") and the IT system turns it into a binary ("IS Paul Simmonds") and passes that on to every system inside your organisation no matter whether it's the server with the lunchtime menu, the R&D server with pre-patent research, or the server with the Corporate results going to the city.
    And then of course there are all those pesky users that are in your identity system that you do not actually employ, or manage properly (contractors, JV partners, temp staff, cleaners, summer interns etc.).
    Then there are the thirty audit staff from E&Y who just turned up to audit you, connecting their PCs to your network, requiring access, but their IAM system is different from yours!
    The real-world examples are endless on why what we do is broken, and why just implementing an access system we "trust" is NOT the solution.

    Light blue touch-paper and retire to a safe distance.......

    Paul

    References:

    Jericho Forum Commandments, https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf
    Jericho Forum "Identity" Commandments, https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
    Identity 3.0 Principles https://www.globalidentityfoundation.org/downloads/Identity_30_Principles.pdf
    https://downloads.cloudsecurityalliance.org/events/csa-congress-emea-2014/Paul-Simmonds.pdf



    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------



  • 20.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 09, 2020 08:20:00 AM
    @Paul Simmonds, you put it so well that I had to 'like' your reply.

    As a Software Security architect, I view Zero Trust not as (only) an Infrastructure Security or Enterprise Security problem, but as a way to sharpen Security mindset/thinking. You will never have Zero Trust... as far as I understand how security works in technical implementation, there is always a root trust store. However, the goal of 'Zero Trust' architecture/implementation sets you on a journey of continuously improving a security posture that is risk-based and self-aware.

    Any level of security implemented is founded on 'Trust Access'; I think where we security purists have an issue is: there is too much trust flowing through the system. 'Zero Trust', even though technically absurd, is a good war-cry to express our zest for setting the highest bar for identity security.

    Thank you @Dave Lewis for triggering interesting conversation. Definitely matched the energy of my morning coffee!

    ------------------------------
    Girish Jorapurkar
    Security Architect
    ------------------------------



  • 21.  RE: Zero Trust, Coffee & Dave Lewis

    Posted Dec 09, 2020 02:30:00 PM

    I think there is room for "Zero Trust" and "Trusted" frameworks.  I don't think we should go away from Zero Trust, though.  I feel security is always lacking on the end-user side, and they should respect our concerns to keep the network secure.  The Zero Trust sends a message to end-users that resources, access, and equipment are a privilege and not a right they have at work.  To keep that respect and understanding between the two groups is important and the term "Zero Trust" does that better than anything else out there, so far. 



    ------------------------------
    Scott Lakin
    System Administrator
    USACE
    ------------------------------



  • 22.  RE: Zero Trust, Coffee & Dave Lewis

    Posted 23 days ago
    I think we need to examine the word "Trust" carefully - from a human being context: 

    Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice. 

    But what is trust? Here are some possibilities:

    1. Trust is a set of behaviors, such as acting in ways that depend on another.
    2. Trust is a belief in a probability that a person will behave in certain ways.
    3. Trust is an abstract mental attitude toward a proposition that someone is dependable.
    4. Trust is a feeling of confidence and security that a partner cares.
    5. Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
    The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.

    And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data.

    For zero trust: For zero trust to be effective, it needs to consider not only the user, but the risks of the resources themselves. It does not. You would never grant access in a zero trust model if the assets have remotely exploitable critical flaws. Zero trust ignores the resources' risk, while focusing inordinately on access controls. Hence we should not use the term "Trust Access", especially if the resources' risk has been ignored or the assets have already been compromised, aka FireEye/SolarWinds lessons.

    Regards


    ------------------------------
    John Martin
    Senior Security Architect
    IBM New Zealand Limited
    ------------------------------
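A worked example, added here and not part of any post in this thread: it contrasts the "locus-of-control" failure Paul describes in post 19 (one yes/no at the gateway, then every internal server trusts that bit) with a per-request, risk-based decision that also weighs the resource's own exposure, as John argues in the post above. The subjects, resources, assurance scores, tier thresholds and penalty values are all constructed for illustration, not taken from any product or standard.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Subject:
    claimed_identity: str
    assurance: float      # 0..1: how confident the IdP is that this really is that person
    managed_by_us: bool   # False for auditors/contractors asserted by someone else's IAM
    employee: bool
    device_managed: bool  # False when they plug their own PCs into the network


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: int          # 1 = lunchtime menu ... 4 = corporate results
    open_critical_vulns: int  # unpatched, remotely exploitable critical flaws (constructed field)


# Assurance a requester must reach for each sensitivity tier (constructed thresholds).
REQUIRED_ASSURANCE = {1: 0.2, 2: 0.5, 3: 0.8, 4: 0.9}


def legacy_gateway(subject: Subject) -> bool:
    """Perimeter model: a single decision at the edge collapses 'maybe Paul' into 'IS Paul'."""
    return subject.assurance >= 0.5


def legacy_decide(resource: Resource, authenticated: bool) -> str:
    """Every internal server trusts the gateway's bit, whatever the server holds."""
    return "allow" if authenticated else "deny"


def risk_based_decide(subject: Subject, resource: Resource) -> Tuple[str, str]:
    """Per-request decision from the subject's attributes and the resource's own risk."""
    # Resource risk is evaluated first: a vulnerable asset gets no new sessions at all.
    if resource.open_critical_vulns > 0:
        return "deny", "resource has unpatched critical flaws"
    effective = subject.assurance
    if not subject.managed_by_us:
        effective -= 0.2  # identity asserted by an IAM we do not control
    if not subject.device_managed:
        effective -= 0.2  # device posture unknown
    if effective < REQUIRED_ASSURANCE[resource.sensitivity]:
        return "deny", f"assurance {effective:.2f} below tier {resource.sensitivity}"
    if not subject.employee and resource.sensitivity >= 3:
        return "deny", "non-employees never reach tier 3+ data"
    return "allow", "attributes satisfy policy for this resource"


# Constructed sample data: an employee, a visiting auditor, and three servers.
PAUL = Subject("paul", assurance=0.7, managed_by_us=True, employee=True, device_managed=True)
AUDITOR = Subject("auditor", assurance=0.7, managed_by_us=False, employee=False, device_managed=False)
LUNCH_MENU = Resource("lunch-menu", sensitivity=1, open_critical_vulns=0)
RND_SERVER = Resource("rnd-server", sensitivity=3, open_critical_vulns=0)
CORP_RESULTS = Resource("corp-results", sensitivity=4, open_critical_vulns=1)


if __name__ == "__main__":
    for who in (PAUL, AUDITOR):
        gate = legacy_gateway(who)
        for res in (LUNCH_MENU, RND_SERVER, CORP_RESULTS):
            print(who.claimed_identity, res.name, "legacy:", legacy_decide(res, gate),
                  "risk-based:", risk_based_decide(who, res))
```

With the gateway model both subjects clear the edge once and are then allowed onto every server, including the one with an open critical flaw; the risk-based policy lets each of them read the lunch menu and nothing more.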