About This Episode
Podcast Episode 19
November 4, 2025 - 32 mins
In this episode, we dive into Zero Trust and how organizations can put it into practice. With the rise of cloud computing, traditional on-prem networking architectures began to fade. Yet the need for strong security never went away – it evolved. That’s where Zero Trust comes in. At its core, Zero Trust isn’t just about technology. It’s about people, access, and trust – starting with the principle that no one is trusted by default.
Tune in to learn:
- Why Zero Trust is more of a mindset than a technology or set of technologies
- The challenges organizations face when adopting it
- How Zero Trust technologies differ from traditional networking technologies
Reference material:
Episode Transcript
Cole French:
Zero Trust. Has there been a more used buzzword in the world of cyber security? It’s certainly up for debate. What isn’t up for debate though is the value of the Zero Trust mindset. If you’re wondering how you might be able to leverage Zero Trust, you won’t want to miss today’s conversation. Welcome to the Cyber Compliance and Beyond podcast, a Kratos podcast that brings clarity to compliance. Helping you leverage compliance as a tool to drive your business’s ability to compete in any market. I’m your host, Cole French. Kratos is a leading cyber security compliance advisory and assessment organization.
Providing services to both government and commercial clients across varying sectors, including defense, space, satellite, financial services, and healthcare. Now let’s get to today’s episode and help you move cyber security forward. With the advent of cloud computing, organizations looking to take advantage also needed to shift their mindset. The traditional networking architectures present in on-prem deployments were suddenly no longer necessary. The need to secure the network remained, but in a certain sense, it seemed as though the network ceased to exist. Enter the concept or mindset of Zero Trust. The Zero Trust mindset expanded the traditional networking approach to include any assets or interactions within an organization.
You see, it isn’t just technology, it’s who you trust. And the default is no one. The Zero Trust mindset and the technologies that allow its implementation focus on the most granular aspects of access to an organization’s resources. The hardest part of Zero Trust is that, well, it’s hard to do. The technologies are there and readily available. In fact, most organizations already have them operating in their environments. The hard parts are changing the mindset, determining the risks, who to trust and not trust, and how much. Joining us for today’s conversation is Danny Connelly. Danny has 20 years of cyber security experience split between offensive computing as an ethical hacker and defending some of our nation’s most important networks used in the COVID response.
As a highly regarded thought leader and trusted cyber security advisor, Danny provided guidance and formulated strategies to combat emerging threats for various agencies across the federal government. We hope you enjoy this episode. Danny, thanks for taking the time to join us this afternoon on the Cyber Compliance and Beyond podcast to talk about Zero Trust. And so we will just get right into it. Could you just give us a high level overview of exactly what Zero Trust is? I think a lot of people are familiar with that term. We hear it spoken about a lot, but if you could give us a high level overview, that’d be great.
Danny Connelly:
Absolutely. Thanks for having me here today, Cole. You’re right. We have heard that term quite a bit lately in the last few years. It’s certainly become a huge buzzword, but Zero Trust really from my perspective, is something that we’ve been trying to do for the last 10, 20 years, which is implement least privilege, default-deny security, right? Doing that with traditional security tools and technologies has been very difficult to do. So really moving away from the concept of implementing cybersecurity per location or at each network level layer that you own.
Really shifting that to the users, the applications, the data. So regardless where your application is hosted, regardless where your users are traveling, and regardless where your data is hosted or is moving to, how do you make sure that that is secure regardless where it’s located?
Cole French:
And then I assume I’ve also heard that essentially the concept too is also that you don’t trust anything on your network. So you treat everything as though it’s from the outside. Is that-
Danny Connelly:
Absolutely, and that you assume that it’s already breached. If you work from the mindset of there’s an asset on your network that’s already breached, how do you minimize the blast radius? That’s really what Zero Trust is. It’s making sure that there are security technologies and controls in place so that one infection doesn’t turn into a major issue.
Cole French:
So that conceptually seems simple enough. However, I can already see, and given my experience with traditional networks, I can see the challenges just at a high level of what this would be like to implement. So maybe you could go into how are organizations going about implementing Zero Trust?
Danny Connelly:
I mean, it’s a daunting task to think of, but it’s actually easier from the security perspective because, well, if you leverage modern cybersecurity solutions. If you’re trying to implement Zero Trust with traditional firewalls, ACLs, and things of that nature, it’s going to be impossible. But modern cybersecurity solutions are built to really focus on that user to application layer security, and it really does help bring security and functionality to organizations. It’s kind of a win-win, but agree, it’s a daunting thought to think about the whole thing, I guess in itself.
And there is no one solution. There’s not one product that you implement and say, “I’m done.” It’s kind of a journey. It’s a never-ending security enhancement that at the end of it really does give you better functionality and better security.
Cole French:
So where would you say people start then? I guess from... You mentioned that it’s a journey. So where’s the best place to start from, “Hey, I want to get to Zero Trust?” Where would I begin?
Danny Connelly:
I generally tell folks to start with their biggest risk first. Every organization is different, every network is different. So really depending on where that biggest risk comes from. I think a lot of the folks, especially with COVID or when COVID hit a lot of folks had the risk of the remote users. How do you ensure security of those remote users regardless if they’re at home or they’re in the office? So that was a big area that we saw organizations focusing on is that remote user connection and being able to connect a user to an application without a VPN, right?
There are a lot of resources out there as well that you could leverage regardless if you’re a federal customer or a federal entity and have to comply with that. There is a lot of good information out there. So depending on what your Zero Trust strategy looks like, or if you’re using a framework, you could follow one of their resources. Or again, I would really circle back to your biggest risk first.
Cole French:
And for our listeners out there, we did an episode, I don’t know, three or four episodes ago on risk assessments and how to conduct risk assessments. And I don’t think it’s everybody’s favorite undertaking in the world, mainly because it’s hard and it forces you to really ask a lot of questions and come at it from a specific mindset. But to what Danny’s mentioning, I think Zero Trust is one of those, sometimes there’s a buzzword out there and people kind of just plug it in like, “Hey, can we just put Zero Trust in place and that’ll take care of all of our stuff?” But again, it’s a journey, and then the journey needs to be informed properly.
So conducting that risk assessment upfront to really identify, I mean, you should be doing that anyway regardless of whether you’re planning to implement Zero Trust, but identifying those risks to your organization and quantifying what those risks are. I think that makes sense as a strategy to begin your implementation or to begin the journey on your way to Zero Trust.
Danny Connelly:
Absolutely, leverage the data that you already have and leverage the tool sets that you already have. It’s not just a rip and replace. Depending on the capability and the solution, there might be something that you don’t know that you already own that could help really strengthen cybersecurity there.
Cole French:
So you mentioned earlier that different technologies support Zero Trust versus others, the traditional ACLs and those kinds of things don’t so much. So maybe could you go into, how would I know if I’m wondering, can I leverage tool sets I already have? What are the things I need to look at or questions I need to ask? Or what do I need to be considering to determine, do these tools I already have, would they work in a Zero Trust implementation, or do I need to look at potentially different or new technologies?
Danny Connelly:
So from the firewall perspective, I’m not saying you don’t need a firewall. Everybody needs a firewall, period. But firewalls became so much over the years. It started out with kind of traditional ingress and egress rules where you’d filter based on specific ports and protocols, and then that became a next gen firewall where really you’re putting advanced threat protection, sandboxing, you’re putting all these other capabilities on top of the firewall. And add SSL inspection, which is a beast in itself. So all of a sudden you had to do all of this on one box or in one platform at a specific location.
With Zero Trust solutions and not to name-drop solutions because there’s many technologies that would work. Things like Zscaler, where you take that onus off the network owner and the system itself, and you’re doing it in the cloud. It gives you the ability to still have your own policy enforcement, your own policy control and definition. But really to do that and apply that to user traffic regardless where that user traffic is. I’m not sure if that was a clear cut answer, but it’s shifting the mindset a bit to do things a little differently than what we’ve done in the past.
Cole French:
So is it really shifting from on-prem to more of a cloud-based approach? Would you say that’s necessary from a Zero Trust perspective, or can you also incorporate on-prem components?
Danny Connelly:
I think a mix is probably the right answer, but what I’ve seen is that organizations that are able to move the fastest have leveraged cloud-delivered security solutions. From my experience, things like CrowdStrike, things like Zscaler, Akamai, Kona Site Defender for web. Things where you really don’t have to stand up new infrastructure on-prem. But again, I’m not anti-on-prem technologies either. It just really allows you to move a lot faster as a security organization.
Cole French:
So you mentioned Zscaler as an example. I’ve interfaced with Zscaler before to access different applications. And you mentioned earlier, maybe not thinking of it from a firewall perspective, but from a user to the application. So if I’m accessing an application, I guess this is kind of getting into the weeds a little bit, but let’s say I need to access a web application and I’m going to use Zscaler as the example here. What is actually happening behind the scenes when I’m trying to access that application? Is Zscaler acting like a firewall essentially, or is it performing some other type of functionality? What would you compare it-
Danny Connelly:
It’s all dependent on your identity. So you actually have to authenticate to Zscaler and Zscaler gets your entitlements and your authorizations before you’re even able to see the applications. So a traditional... I guess the way it used to be is an attacker. An attacker would be able to see your applications, assuming it’s public facing or if it’s exposed to the internet. So there’s an attack surface there. If there’s a new zero day or there’s new vulnerability, or even just traditional port scanning, right? An attacker would be able to interface with that application.
If you use a modern solution like Zscaler, you’re not able to even see that application as an attacker unless you authenticate to it first. So it’s really game changing from that aspect of you’re not having to implement all these firewall rules behind the scenes manually to enforce that. It’s the technology itself that’s allowing you to have that capability and it really does reduce the attack surface and it reduces the risk.
Cole French:
So essentially what I’m gathering is that, and you’ve kind of already alluded to this, but I guess just to say it clearly is that Zero Trust is less device-based and more user-based. Is that a fair assumption? But also how does, device authentication even potentially, is that a thing within Zero Trust architecture?
Danny Connelly:
I mean, it really depends on the capability. And if you look at the Zero Trust maturity model from CISA or NIST 800-207, there are specific pillars. There’s a network pillar, there’s a device pillar, identity pillar, and within those pillars, there are specific capabilities. So the device is still important and knowing the device, so certainly device certificate and things of that nature is one way that you could keep track, but also the agent-based approach as well. Just making sure that that is a corporate-owned device before it can access specific data is something that really helps. And to do that, there are specific posture checks.
You could say, “This doesn’t have XYZ agent on it, and maybe it has vulnerabilities. We don’t want it to connect to our resources.” Or maybe it’s a high-value application. So that same example where the application isn’t seen, you could do the same thing that, “Hey, this user has 10 high or critical vulnerabilities, maybe has a CrowdStrike alert on it.” You don’t want them to interface with your application until that’s remedied. So you’re able to put posture checks like that in place.
Cole French:
And I think that’s huge because if we look at it from a defense in depth perspective, it’s one thing to verify my users and say, “Hey, this user, they’re entitled to use this particular application.” But if you can couple that also with, “This user has the entitlements, but their device that they’re using doesn’t meet these essentially conditional access policies.”
Danny Connelly:
You got it.
Cole French:
[inaudible 00:15:22] vulnerabilities. It sounds like you can go down to pretty granular level, down to configurations, things like that. You can get pretty specific with it. Is that right?
Danny Connelly:
Absolutely. And it helps security teams because in the past, somebody would have to reach out to that end user, somebody maybe from vulnerability management or from the IT team that, “Hey, we know this person’s going to have issues with this application because they have so many vulnerabilities.” Trying to get in front of it, I think it reduces a lot of the overhead that we traditionally have spent on chasing folks around and trying to get compliance or trying to get security.
Cole French:
I can speak from experience having worked in a SOC years and years ago in which we did. It was the traditional vulnerability scanning and endpoint management tools that’s valuable, useful, all that stuff. They did their job and they did it effectively. But you still had those things that hung out there forever and users you had to track down. I remember we had a guy on our team, that was what he did. He just contacted people all day long about vulnerabilities on their systems, and sometimes he had to go actually find those people and talk with them and walk them through how to do what they needed to do to make sure we could remediate those vulnerabilities. So being able to remove-
Danny Connelly:
It’s a big challenge,
Cole French:
Huge challenge. And even if it’s relatively straightforward. It’s somebody, like I mentioned in that case, that’s all they’re doing and not all they’re doing, but so much of their time is consumed with just chasing that down. So from a value standpoint, you’re not getting a lot of value out of that person’s time and expertise. They could be spending that doing other more valuable things that actually address risks like we talked about there.
Danny Connelly:
Right, right. And yes, exactly. I mean, it’s like playing Whac-A-Mole, and I’ve seen whole teams dedicated to this. I mean, communicating and trying, especially if you’re looking at the operating system, vulnerabilities are one thing. But then if you look at application layer vulnerabilities like Struts, Apache Struts, there’s so many application layer vulnerabilities, it gets more complicated. So there are entire teams that would be dedicated to doing that. And don’t get me wrong, I’m not saying it removes that vulnerability at all, but it buys time. It gives the organization some breathing room and some time to address those vulnerabilities. It’s not a fire drill, which seems like one every day.
Cole French:
It buys time and also acts as a form of mitigation, right? And so you’re not actually vulnerable or you can at least reduce the vulnerability until whatever the issue is resolved.
Danny Connelly:
Right. You got it.
Cole French:
So I guess we’ve kind of covered this in our conversation so far, but if you had to summarize it, what would you say are the advantages of a Zero Trust approach?
Danny Connelly:
I mean, reduced likelihood that one infection would turn into a major breach. So I was a pen tester for five years, and it was fun because you just had to find one way in. You had to find one pathway because once you got a foothold, nobody had network segmentation. Nobody had a lockdown to the point where you couldn’t move laterally. And if you’ve ever I guess tried to implement network segmentation solutions, it is so challenging and so difficult to do.
We spent years and years implementing network segmentation solutions, and at the end of the project, our pen testers were able to walk right through it because you had to... Especially if it’s a Microsoft environment. There are so many ports and protocols that need to flow bi-directionally that there are big pathways that attackers could leverage. So I’d say the biggest advantage is really minimizing or reducing that lateral movement risk and reducing the blast radius that one infection can turn into a major breach.
Cole French:
I mean, that’s typically what we see when, like you said, it only takes one. So to the extent that we can eliminate the ability to have one compromise extend to my entire network or result in a keys to kingdom kind of situation, that’s a pretty big advantage.
Danny Connelly:
It is.
Cole French:
Now switching a little bit from the advantages to what are some challenges you’ve seen when it comes to organizations implementing Zero Trust?
Danny Connelly:
Folks not willing to make that mindset shift. It is such a big mindset. When cloud first came about, and I think it was the cloud first initiative, I was anti-cloud. Until you really see that cloud can bring efficiencies to security as well, I was really against leveraging that. So I think that’s the same thing with Zero Trust is that mindset shift and just being open to do things differently or talk about it. There’s a lot of folks that really put their arms around the way they used to do their old jobs and don’t want to let go. So that combined with silos, the network teams, and the security teams didn’t necessarily play nice for a long time.
I think that’s another thing is just being comfortable with being uncomfortable. I’d say until really you... I don’t know when it happens, I think it’s probably different for everybody, but you kind of see the light and it’s like, “Wow, this makes my life so much easier than what I used to do.” I think once people start seeing that and that we’re all in it together. We’re all working on behalf of whatever organization, and our mission is not network versus security, and once you get on the same page of this is the challenges for all of us, I think it’s a challenge.
Cole French:
And I would add too, I know we talked about at the beginning the risk component. I think that... And I confess I haven’t worked on a Zero Trust implementation or even worked with anyone to strategize for Zero Trust implementation, but I have worked with customers who are considering it, weighing it, things like that. And something that’s occurred to me in some of those conversations and as being affirmed in our conversation now is that I think there’s a lot of things you have to think about and hard problems you have to grapple with, like risk, what’s important, stuff. I think the old school methods, if you will, give us kind of this sense of security because I can look at it, I can see it.
Whereas I think Zero Trust is more of a... I mean, there is an implementation and I can look at it and see it component, but it’s definitely a different way of looking at it. And you have to think about what are the risks, what are the problems? What is it that I’m actually trying to solve? What do I actually need to control? All that kind of stuff. And I think it’s just... At least what I’ve gathered is there’s just more thought and more strategy that’s required in the implementation, which I think is intimidating to some folks and to some organizations.
Danny Connelly:
It is. I would say that’s spot on. But one thing that helped us was really to look at the benefits, the user experience enhancements, the functionality enhancements for our users. And really whatever solution that you’re looking at, you really need to do a pilot. And a pilot has to involve those end users, especially challenging end users, the ones that complain the most. If you’re able to bring a solution to them and they’re advocating for you for that solution, that’s a win. That means security is no longer a barrier. That means security is really enhancing their productivity.
And that’s what we’ve seen when we were looking at Zero Trust solutions as well as the ones that would really help security, but also really help our end users.
Cole French:
So speaking of helping security, helping end users, and getting to a place where organizations are working with a Zero Trust mindset, what are some good resources that, I know you mentioned a couple, NIST, 800, was it 207? And I think you mentioned another one from CISA as well?
Danny Connelly:
CISA has a lot of great resources. CISA Zero Trust Maturity Model is one of them that I recommend a lot, but there are a lot of great resources from the federal government out there. And the nice part, if you’re not a federal entity that has to comply with those, you could leverage that document to build your own Zero Trust strategy. You don’t have to use the guides out there that are specific to the federal government, but it’s great information and there’s no need to go out and I guess reinvent the wheel and start from scratch. So NIST 800-207, I mean, it’s a big document and it’s scary to look at it on its own, right? But it’s meant for organizations of all sizes and really is a good resource to tailor your strategy.
Cole French:
I was chatting with a colleague yesterday, and I mentioned that it’s interesting in a lot of cases when it comes to compliance and kind of the documentation that exists on the government side, it creates challenges with what’s out there in the wild, so to speak. And technology tends to run a little bit faster than some of the government documentation standards, things like that. But I was remarking that actually in this case, this is one where I think there really isn’t a compliance framework per se, where you can say, “Hey, plug Zero Trust in here, and it solves for these particular compliance frameworks.” But the government has great documentation on how you actually would do Zero Trust.
Danny Connelly:
From an operational perspective.
Cole French:
From an operational perspective, and actually strategizing, implementing, stuff like that, whereas I feel like most of the time it’s the compliance frameworks that drive what organizations end up doing from a strategy perspective. But this one’s a little different where it’s more strategy and documentation on how you would do this and less on the, “Here’s what the security compliance requirements are in XYZ framework.”
Danny Connelly:
It was a big shift for the government, and I think that’s why it’s been so well received, is it’s not, “You have to do this and by this date.” It’s kind of that why and, “Here’s the benefit and here’s how to do it.”
Cole French:
So speaking of compliance, and that is something we try to talk about here on this podcast. So just in your experience, Zero Trust with compliance, how have you seen organizations succeed from a compliance perspective using Zero Trust technologies or a Zero Trust implementation?
Danny Connelly:
Depending on the framework you use. I mean, there is a mapping back to specific control set. I mean, if you’re leveraging the federal resources and CISA guidance, those will map back to specific NIST controls, I mean, there’s your compliance crosswalk there. And again, depending on what you have to do if you’re doing a CNA and it all ties back to 853 or whatever control set that you’re mapping to.
Cole French:
And it sounds like from our conversation, it’s really going to be organizationally driven as far as the mappings are the mappings, but Zero Trust like we’ve talked about is more of a strategy and an approach, and there’s technologies you use to implement it. But it’s not like a tool that you deploy and then it’s like, “Because I deployed it and configured it now meets all these security requirements.” So it’s going to be different for each organization.
Danny Connelly:
And you and I can both implement Zscaler and depending on our settings, we could have different security. I mean, it goes down to the configuration as well. So that configuration, there should be, again, some sort of playbook or mapping to get to whatever compliance level you’re trying to meet.
Cole French:
And again, I mean, I guess this will be the third time now, so maybe it’s a broken record, but it is like each... We work with a lot of organizations that compliance is, “Hey, what do I need to do? And how do I pass this control?” But the mindset should be, what should security look like in our organization? What’s important to us? What are the risks we need to worry about and drive your solutions forward? And compliance is something every organization has to deal with, but take that as it comes up, but to the best that you can let your organizational posture drive whatever it is you do from a compliance perspective.
And now some compliance frameworks are more prescriptive than others. FedRAMP is fairly prescriptive, but also you’re dealing with cloud systems, so it’s confined to a certain type of system, whereas CMMC, for instance, is much broader and much less prescriptive. It is very much, “Hey, I don’t really care how you do this. You just need to be... I don’t care how you do configuration management, but do you do configuration management?” It doesn’t have these particular components associated with it. So I think Zero Trust is the same thing. It’s like you said, it’s a mindset first, and the implementation is going to be different for every organization.
Danny Connelly:
It really is. And technology most likely will be different as well. But I’d say one last thing to hit on that I’ve seen is very important is the communication. Communication with the end users, the stakeholders, other folks, application developers, network silo, and really opening up or breaking down those silos, right? I’d say one thing that really helped us is with the relationship with the network team is when we started sharing our threat intel report saying, “Hey, this isn’t a theory. This actually happened here at our organization.” Once they started seeing some of that data and the information we were sharing, it’s like, “Wow. This is why we’re implementing this security solution,” or “This is why we’re redoing this process.” It really helped, I guess, minimize the roadblocks.
Cole French:
I think that’s a great point to close on is just communication, making sure each particular part of your organization is communicating effectively with each other and sharing information that’s relevant and specifically relevant to, if possible, the mission of the organization. I think that’s a great point. Well, Danny, I really appreciate you taking the time this afternoon to come on and chat with us about Zero Trust. I think our listeners out there will find this to be a very valuable conversation and appreciate your time and insights.
Danny Connelly:
Thanks, Cole.
Cole French:
Thank you for joining us on the Cyber Compliance and Beyond Podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss or you just have some feedback for us? Let us know on LinkedIn and Twitter at KratosDefense or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.