Let’s Get Real About Zero Trust: How To Assess Your Security Posture

Hank Schless  00:10

Hi, everyone, my name is Hank Schless. Welcome to Endpoint Enigma. We're excited today because we are going to be talking about a term that's really familiar to all of us, but has almost become a default for cybersecurity vendors to kind of blurt out as the answer to all today's security questions. And I think that you can probably guess what I'm talking about. And that is zero trust. It's become such a buzzword that at this point, it's actually hard to tell if the vendors who we're talking about really understand what the term is and what the philosophy it supports actually means. So last episode, we touched on some of the challenges that organizations face when achieving zero trust or being on the path to having a secure zero trust posture. And especially in the age of remote work. And today is going to be a little bit different. Because personally, I think that it's important to understand where we've been with something like this in order to best achieve goals for now and in the future. So despite the fact that the term of zero trust has really been overused, there is still a ton of value in what it stands for. I think the goal here… I really want to bring the term back to earth a little bit and understand how it's changed over the years. And who better to help us on that track than the one and only Andy Olpin. Andy has over 22 years of experience in the IT industry, and spent the last four years at Lookout as a solutions engineer. He was at MobileIron before that, and then spent over a decade at Disney working in security and compliance. So Andy, welcome to the show.

‍

Andy Olpin  01:37

Thanks for having me here.

‍

Hank Schless  01:39

Always, always my friend. So let's kick things off here and just levelset really quickly, in case anyone listening doesn't live and breathe security like you and I do. Can you just give us a quick run through of your definition of zero trust,

‍

Andy Olpin  01:51

Zero trust in a nutshell is trying to figure out where all of your trust relationships are between your different IT components, such as “Do I trust that user?” “Do I trust this device?” And trying to evaluate those assumptions to make sure that whatever trust you have is warranted. So we'll talk quite a bit about that as we go. But that might include things like, “Yeah, just because I manage that device, can I really trust it?” Right? Or, “Just because that user says they're that user, do they have the right user ID and password?” “Do I really know what's that user?” “Do I really know that the behavior they're doing is something I want them to be doing on my network?” 

‍

Hank Schless  02:29

Yeah, absolutely. I think that's actually my favorite use case for all of this. Just because the user is who they say they are doesn't mean it is who they say they are. So I think that illustrates it pretty well. So, with that in mind, and kind of think about where we are now, maybe pull on your experience. And tell us a little bit about how this philosophy came to be and the term came to be in the last decade or so.

‍

Andy Olpin  02:49

Yeah, so I'll go back even a little further than that, just because sometimes it's important to understand, kind of, the past and where we came from. And then some of the things that have changed that have led us to figuring out we need zero trust. So, if we look back, you know, 20 years or so, most IT organizations were all based around the data center, right? So, they owned or leased data center space, they ran servers in that data center, and they stored all of their data within that data center. They controlled who had access to the data center, which devices they allowed in, which users they allowed in. And in some ways, that was a really good model for it, right? They built the data center kind of like a castle. And they had only a few gates. They had the monitor so they could watch the people coming in there and out. They knew what was happening, they knew who had access to their data, and they could control it pretty well. Now, at the time, they do things like, “Well, I'm going to set up a VPN and then I'll only let my corporation manage the devices via the VPN,” which was pretty good, right? Because hey, if I had the corporate-managed device, at the time, it was probably managed by Microsoft SMS, which meant we could push patches to it, it probably had antivirus on it like Norton or Symantec antivirus. So you know, you were in a pretty good place,  security wise, but you can already start to see there, if you look at it a little further, that even back then we needed some zero trust, because the device is corporate managed. That doesn't mean it hasn't been infected by something. That doesn't mean the management agent hasn't fallen out of management. So should you really be trusting that device without validating its state? But again, we'll come back to that in a minute. But then what happened is after, you know, we had this pretty good security model, we had all these gates going in and out of our castle. We were monitoring who was coming in, we were able to monitor what data was going out, so we can control where our data goes. We could look for any malware as it went in and out of our gates. Well, now comes along the cloud. And that made a huge change because now, instead of saying, “Oh, I've got this data center, and all of my data is stored there.” Now you've got somebody else's encampment outside your gates and you are putting your data there, which means now anybody has access to it. You don't have those handy gates and those handy VPNs, and the firewalls to keep everybody out. Now, any endpoint can get access to your data. The other thing that changed back then was we start to see different types of endpoints come in, where, before that, you know, in probably the 2000 timeframe, you're only dealing with Windows devices, which meant you could have one management strategy, one control strategy, one strategy for securing those endpoints. And it worked the same for all of them. But now we're here. And you're looking at, oh, I have Windows endpoints. Oh, now I have started bringing in more Mac and iOS and Android, and how do I manage and secure each of those separately? And especially now that your data is out there in the cloud, are any one of these endpoints owned by anybody that could have access to OneDrive or Google Drive or wherever it is? And that's really led to IT security companies realizing that zero trust really needs to be a thing. We really need to understand the security of the user of the device. They're coming in from where they're connecting from. How are they authenticating to our environment? Are the behaviors they're doing within our environment in line for something I would expect them to do for their job. Right? It adds a lot of complexity. But if we can get it right, it really adds a lot of additional security to our data that's no longer in our data center.

‍

Hank Schless  06:20

Right? I mean, as you said, it's no longer in your control completely. And realistically, it's never going to be. And it sounds like you understand a lot more about the context of what someone is trying to access and whether how they're accessing it or what they're accessing is either a sign of, as we said before, like the person isn't who they say they are or maybe there's something on their device that's made its way and there's just… Without that castle approach, that type of control, that type of visibility into, kind of, the infrastructure, so much is happening outside of basically a non-existent perimeter at this point that it’s impossible to really have that same level of control and visibility you’re used to and… It's just, there are a lot of great things about the cloud. But this is obviously one of the complexities that comes along with it. But the one thing you mentioned early in your last comment is VPNs. And those are still thick, right? You know, everybody's got corporate VPNs; it's not going anywhere. But it does seem like –– correct me if I'm wrong –– but it seems like there used to be a lot more than there are now. Is it something where, like, they just likes… Do they grant too much implicit trust now; like, where do VPNs stand in all this?

‍

Andy Olpin  07:23

Yeah, so I'll talk about VPNs but I also want to talk a little bit about kind of the change in the threat landscape –– so, the other part about zero trust. And the other reason why it's so critical is that 20 years ago, yes, we had data centers. But also the threat landscape was different; you know, typically, the kinds of things that IT security was protecting from were network spreadable worms that were going to cause damage, that could be very costly, they could be annoying. But now, what we have are professional teams, who are focused on trying to encrypt data in your organization, so that they can steal money from you. And these are people with a will and a focus on getting inside your data, right? So it's a much more serious threat that we need to be protecting from now where VPN is in play. So before, back in the old times, we were using VPNs as a way to get your executive users on their laptops into the data that sat in the data center. And most corporations still have a data center with some internal data on it, right? Not everything is moved to the cloud. So you'll still see VPN is used for that. Now there's two particular problems with VPNs. First and foremost, most corporations will set VPNs up in such a way that if I can get access via the VPN, my movement within the internal network is pretty well unrestricted. So if I can just get your login credentials, I now have access to anything that's in your data center. And, you know, I, as an actual user, may not need that kind of access; I may only need one or two specific sites. But the VPN gives me access to everything. So that makes it a very juicy target from a ransomware perspective. The other challenge with VPN is the way it's architected. So if you think about a VPN; what you do when you build a VPN is you put something called a VPN concentrator in your network, but internet accessible –– right? –– so that all your laptops… What they'll do is build a VPN connection to that concentrator, which gives them access to the internal network. Now that concentrator itself, especially over the last year or so, has become an even better target than your end users’ VPN credentials. Because if I can find a way via an unpatched security flaw, or something else, to get into that box, not only can I access all of the internal stuff that a VPN user can –– so, giving me access to your network –– but I can now watch all the back and forth traffic. So if I see a system administrator connect, I start to get information about your internal network and which servers might be the high value servers and, you know, a lot of data and telemetry that I may not have any other way… So, VPNs have become very questionable in terms of the security there now.

‍

Hank Schless  09:56

Okay, so yeah, so it sounds like the implicit trust issue is definitely in play. APNS is sort of the way in. But what about the endpoints and users themselves, because earlier you alluded to the fact that just because you know your password and can authenticate with a second form of authentication, it doesn't mean you should be trusted. But tell us a little bit about why teams need to think about the fluctuating risk levels of the actual endpoints and users and the context of the data that they're accessing.

‍

Andy Olpin  10:25

This all comes back to, again, that whole zero trust model and how you figure out what you should be trusting and what you shouldn't be trusting. First of all, as you said, the endpoints: just because they're managed doesn't mean they should be trusted. What we need to be doing is checking the endpoints at all times with some sort of validation, right? So when the device connects to a VPN, when it connects to a cloud environment, before it's allowed to have access to data, we need to know that the operating system is in a good state. We want to know if the operating systems were compromised in any way. We need to know that the AV is running and hasn't detected anything. We may want to know, hey, are the patches up to date on this device, right? So we want to understand everything we can understand about the endpoint. So we know what the security state of that endpoint is. Now, once we've done that, that gives us a base to kind of start from, alright, we can say, okay, the endpoint seems safe; we don't think that's compromised in any way. Now, we need to look at the user. Now that includes the authentication information that might be user ID and password and hopefully some form of multi-factor authentication, so that we get a pretty reasonable assurance that that user is who they say they are. But we also need to build on top of that some behavior checks, right? So just because the user signs incorrectly, if you watch them and they start touching files they don't normally touch in a very large way –– you know, where normally they'll access two or three files, all of a sudden, they're modifying 200 files on our OneDrive environment –– that might indicate some kind of ransomware attack; we need to take a look at that. We also need to check at the time of authentication things like the magical teleport-in user. So, you know, if I log in from Florida, and then an hour later, you see a login for me from somewhere in Asia. Clearly, that's not possible, right? I can't teleport, nobody's invented that yet. So there's got to be some kind of game going on here. So we might want to turn around and say, “Alright, there's something funny here, maybe we block the login, maybe we require additional authentication.” But we just want to be a little more careful when we see something like that happen again, because we want to check and see that nothing's happening that could affect our environment, as soon as possible.

‍

Hank Schless  12:35

Right? I mean, you just basically don't want to have a sort of lag time there and give anyone the opportunity to do anything actually damaging. I mean, you can kind of control and contain. But there is kind of a threshold there where you start to go into, maybe, crisis mode, and nobody wants that. So, you know, and yeah, I think that one thing that you and I have always taken the same approach on is really not overstating what you can do to help the customer, especially in the context of security, because that could actually be very bad for everyone involved. So now with so many vendors out there using zero trust as a buzzword, what do you think is really the best way from the customer perspective, to be able to really cut through that noise and know what to look for in a solution?

‍

Andy Olpin  13:16

There is. So I think the first thing to understand, and I'll tell anyone this, no matter what vendor talks to you, they cannot solve zero trust by themselves, right? There's no single vendor. Zero trust is not something you buy from a vendor and then implement on your network. It's a way of thinking about how you architect your network, about how you control access to stuff, about how you're validating the state of everything in your network all the time. Again, it's the way you do business. It is not… It's not just a point product. Right? So in terms of how you actually implement that, the first and most important thing you need to do is start with a goal in mind. Don't come in and say I need to implement zero trust everywhere on my network. It's too hard to do. It's not focused enough. What you should do instead is pick something specific, like, “Okay, I use Microsoft, and I have a lot of data stored in OneDrive. I think that's probably okay. But I'm gonna start with that.” Right? Let me make sure that that data is secure. Because again, it doesn't exist in my data center. And maybe that's something I've got specific concerns around, right? So I need to go get a handle on what's out there. who's accessing it, how are they accessing it, what kinds of data is being stored in OneDrive, right? Do we have users who are maybe violating my corporate policy and uploading PCI documents or health documents when they shouldn't, right? Do I need to take action on that? But the point is that that's something actionable. You can take a store of data, figure out how to implement zero trust around it. And then, once that's complete, we can look at the next set of data. But really, it's going to be business by business, figuring out where your weakest points are and where your most important or most sensitive data is, and then building a zero trust strategy around it.

‍

Hank Schless  14:59

Right. I think the most important thing there is not even just from what the vendors are saying. No one solution is going to solve zero trust. But from your perspective, as the person taking on this project is really understanding and being okay with the fact that this is an ongoing and evolving topic. It's something that it's a moving target. At this point, I don't think anyone will be able to say, “Yes, I have fully achieved and implemented zero trust.” Right? So one thing I'd like to hear from you is, you spent a lot more time talking to folks who are in the exact situation that we're talking about. Where do you see Lookout sitting in the zero trust, I guess, ecosystem –– strategies for people who are successfully moving along this path?

‍

Andy Olpin  15:39

Lookout exists in a couple of different points. And honestly, the reason why we're talking about zero trust today is because it's pretty core to what we do. Now, our focus is around protecting access to data that exists either in the cloud or an internal application, typically, like a file share, or repository like OneDrive, data stored in Salesforce or SAP SuccessFactors; we want to be able to bring those zero trust assurances to access to those cloud providers. And that includes evaluating the endpoint, looking for the behavior of the user, but as well as figuring out what data you have stored out there, because that is an important part of this. So I might have different protections or different insurances I need for health data or PCI data than I do for a random spreadsheet that one of my employees created with nothing sensitive in it. So we really have to play all those pieces and parts. And our job is to make sure that we can say, alright, we know what this piece of data is, we have taken the context of what's in there. Is it sensitive? Is it interesting? And then we build rules around that. And those rules might be who you're allowed to share it with, what kind of endpoint you can use to download this –– like maybe only corporate endpoints is the security endpoint, okay, before you're allowed to access it. Does the user behavior seem suspect before I allow you to access it? And then if you access it, I might apply rules like data loss prevention rules, I might mask social security numbers, or I might encrypt the document or apply DRM, right? Again, it's all around the context of the data, the user, the device are coming in from and combining all those into a single set of automatic policies. So you can be confident that your data is protected, no matter where it lives. And because Lookout is a single platform that exists across all of these clouds, you can deploy us to protect the data in Salesforce, you can deploy to protect the data in Microsoft OneDrive, Google Drive box, and our policies are the same for all of those different cloud environments. The other thing that we do is Lookout’s original mandate; what created us as a company was our mobile security product. And that's still a very strong focus for the things we do. And we bring that into the cloud security space by being able to report on the state of those mobile endpoints. So now, you can enable things like bring-your-own-device connecting to cloud with more assurance, because we can say, hey, we know that even though that device is not owned by the company, I can tell you that the security state is good. We know the apps they've downloaded aren't risky, we know the operating system is not compromised. So the network they're connecting over is not playing any games with encryption, right? So again, it's all about that zero trust, we want to build a path from the user to the device all the way up to the cloud, and then encompass what's stored in that data. So we can build you a single policy that you can then take action on.

‍

Hank Schless  18:32

Yeah, I think the most important part there also is… is being able to pull the mobile device into all of this, because there are lots of other ways out there to be able to understand the state of things from just the cloud perspective. But you know, from where I sit, I think that that mobile site is pretty differentiated. 

‍

Andy Olpin  18:47

It is and it gets overlooked a lot because the assumption from a lot of organizations, again, going back to zero trust is oh, it's an Apple device. It's an iOS device, I can trust it, right? And most of the time, they're correct, you can. But our job is to make sure that the operating system hasn't been compromised, so that you know, you can trust it. Because when you look at something like Pegasus, which has become a big thing in the news lately, what Pegasus does is compromise the mobile operating system so that they can install some underlying spyware. That kind of violates all of the operating system security principles from Apple or Google, which is why Apple is actually suing the NSO group because of what they did here. Right? So it's really important for you as a security organization to be able to say, “I think mobile’s secure, but let me be sure that my mobile devices are really secure. I think they are.” That's all part of your trust.

‍

Hank Schless  19:39

Right. I think that's a good way to boil it down a little bit. So all right, we're coming up on time here. But I do have one more question for you, which is, you know, what's the end goal? Is your interest, like, what's this all for? What's your advice for individuals, organizations who might feel overwhelmed by this task? I mean, your CEO may walk over and say, “Make us zero trust. What make us achieve zero trust?” Yeah, someone doesn't totally understand, like, the whole thing about, like… they may say something like that. And when he walks away, you're sitting there like, “Okay, where do I start?” What would you say to someone who's in that situation?

‍

Andy Olpin  20:11

Again, start in a single place, right? So what you want to do with zero trust is the goal is to reduce breaches against your data. It’s to make sure that any data that gets out, it's properly protected –– right? –– either encrypted or DRM protected, right? So if you're told to do something like that, you know, some executive comes to you and tells you to boil the ocean and implement zero trust. And that kind of stuff has happened to me. So that is a very realistic scenario. Figure out first what data needs protecting the most. I know, if your organization does a lot of credit card transactions, PCI data might be a good place to start. I might say, “Alright, well, the PCI systems are over here. And they're segmented off. But let me make sure none of my users are doing something stupid recording credit card numbers and putting them up in the cloud, right? So I can start implementing that. The other thing you can start doing is checking for clouds that users might be using that you don't know about, right? This seems like kind of a no brainer. But it's also something we've lived with for a while, since the advent of things like Dropbox and Google Drive, where your end user environment is such that maybe your users want to share something with somebody outside the organization and you haven't as an enterprise IT organization deployed something that lets them do that. So they say, hey, I'll just throw this up in my personal Dropbox and send you the link. So you need to start getting a handle on that as well. Even before we start talking about putting all these protections and policies over your existing cloud environments, maybe you want to start by getting an inventory of what cloud environments your users are using, because sometimes that can give you some really good insights. We've seen in many cases where I'll go into an organization and you'll start gathering data, either from the endpoints or from the network equipment, about what clouds are in use. And you'll find entire departments where some director authorized the purchase of a Dropbox business license with no input from it. And their teams are all sharing stuff like crazy over Dropbox, and you've got no central management. You've got the auditing. You don't have the same single sign-on multifactor protections that you really want. So helping to find stuff like that can be a great first place to start.

‍

Hank Schless  22:17

Got it. Alright. Well, Andy, I'm sure you and I could go on forever. We could, we could. We definitely could. But thank you so much for joining us today. Really appreciate your insight as always on this stuff. And I hope that everyone listening found as much value in this as I did. Andy, thank you again for joining us. You can always find the latest from Lookout on our blog at blog.lookout.com and also follow us on Twitter and we hope that you enjoyed the conversation and we'll talk to you again soon. Thanks.

‍