From Concept to Practice: Architecting and Accelerating Your Zero Trust Objectives
Zero trust is about re-architecting access in a "not to be trusted" world in service of thwarting cyberattacks against applications, assets and users. In this video, you'll hear from John Masserini of TAG Cyber, Marcos Christodonte II, CISO of CDW, Kevin Dana, VP of Information Technology of World Wide Technology, and Allen Jeter, CISO of Chainalysis on how advances in authentication that embrace and incorporate zero trust principles can materially improve the security posture of organizations of any size.
Transcription
John
Good afternoon, everyone. Thank you for joining us today for our panel on Zero Trust, From Concepts to Practice: Architecting and Accelerating Your Zero Trust Objectives.
My name is John Masserini. I'm the senior analyst for TAG Cyber. Today, I'm joined by a fantastic panel of CISOs. We're going to start with Kevin Dana.
Kevin
Hey, everybody. My name's Kevin Dana from WWT. I am the VP of IT and Security.
Marcos
Hello, everyone, I'm Marcos Christodonte II. I'm the global chief information security officer at CDW.
Allen
Hello there. I'm Allen Jeter, director of IT at Chainalysis.
John
Welcome, guys. Great to see you. We're going to spend the next few minutes just kind of talking about your strategy and your objectives with zero trust, right? It's everybody's kind of top of mind. We're all, you know, probably heading out to RSA in a few weeks, so we know it's going to be the buzzword of the year.
So, Kevin, I'm going to start with you. When we think about zero trust, you know, there are a lot of different definitions. How have you defined zero trust?
Kevin
For WWT, we really do look at this as really narrowing the surface area down to the individual and then mapping what that individual should be able to either access or do. And then that becomes very important from an identity and access management standpoint to ensure that we know who that person is and then map them to their roles and their activities, so that they're not doing or having access to more than they should, but are certainly able to facilitate doing their job effectively. And then matching that with the overall employee experience as well, so that it's not encumbering their ability to do their work.
John
Yeah. And, Marcos, I'm going to ask you the same question, but I'm also curious about kind of the importance to the organization.
Marcos
Yeah, absolutely. I think, you know, there's a lot of definitions for zero trust. You know, we hear, you know, a lot of different buzzwords and rhetoric that are tied to it. Oftentimes a lot of vendors might try to sort of sway you towards, you know, their product as they sort of define zero trust. But I think at an essence level, I look at it as, you know, you want to verify before you trust, and then you don't want to just over-rely on that verification, you've got to continue to verify, so verify again, and again, and again.
And so I think, you know, if we take a step back and think about trying to simplify the notion of zero trust, you know, really, I think about it in almost four different outcomes. And I kind of equate it to four different Vs, if you will. And the first is to kind of verify the human or the machine. The second is, you want to be able to validate zero-trust risks on a continuous basis. The third V is you want to void what I consider to be excess or risky access.
And then you want to view risk signals really on a continuous basis. And so if I kind of walk through those very quickly, you know, verifying that human or the machine, you know, you want to authenticate that employee, you want to authenticate that third party or that system to ensure that they are who they claim to be using factors that are essentially resistant to credential phishing.
And so that second V is validation, right? So you want to validate that risk continuously, which means that you don't want to blindly trust that initial verification. As I mentioned, that verification is essentially a snapshot in time. Risk can continue to increase, and so you want to make sure that you're continuously validating that risk. And then the third is you want to avoid anything that is excess from a risk perspective based upon a variety of risk vectors.
For example, has the device health on that particular asset changed? Is the endpoint firewall disabled, as an example? So you want to make sure that you're continuously verifying that risk and then voiding it if something is risky. And then the fourth one is just viewing the risk signals at scale, essentially. You don't want to place too much trust in that, you know, zero-trust architecture.
I think sometimes we tend to take a lot of pride in our work, and oftentimes that can lead to a bit of a false sense of security. So we want to expect that our controls might entropy over time, and we want to make sure we're continuously monitoring as well. So I think as I think about the importance, it's really aligned to those four aspects.
John
And, now, Allen, when you think about, you know, zero trust and how it's defined at Chainalysis, kind of where are you in your journey, and, you know, how is the project going, or how is the initiative going?
Allen
Yeah. Thank you. So when I think about zero trust, it's not one solution or two solutions paired together, it's a mindset. And it's kind of a way of thinking around least privilege access in an ongoing sense. And so, you know, a lot of great stuff has been said, and I'll just kind of pair onto that. But, you know, outside of kind of the hardware validation step, the kind of authorization step, the kind of making all of these factors and MFA factors resistant as possible to an attack, that is all wonderful.
And I think that there's another side to this that I see, and it's kind of supporting the user experience of that. And it's kind of navigating your employee base or your organization through these secure pathways. And so, you know, for us, that's kind of been paramount. It's been kind of this equal balance between enablement and security.
And, really, if we can achieve those, then we can achieve kind of a broader win for the organization on just kind of making these efficient pathways more secure. To kind of add onto that, we are thinking about zero trust in kind of a more modern approach in terms of assigning access to individuals.
Rather than kind of long-lived access for specific resources, we give time-bound access, and we set up kind of pathways for people to get access they need to not inhibit their workflow, but it's time-bound, it's validated, it's audited, there's an approval chain, and it's not permanent.
We pair that mechanism with the device trust, you know, solutions that we've seen kind of specifically around Beyond Identity and some of that continuous authentication, and we get a really awesome kind of solution and holistic solution that doesn't hinder the enablement and the access, but it's also in line with a lot of our security principles.
So that's kind of how I'm thinking about zero trust and kind of moving away from long-lived privilege and starting to move towards this concept of least privilege all the time, so... Yeah.
John
Yeah, that's absolutely a great approach. And, you know, I think as we roll down, you know, this zero-trust path, I think a lot of that kind of maturity is really going to start to come out, right? You know, for the last two years, we've been hearing nothing more about, you know, "I have to start a project, I have to get this done, and I don't know where the end goals are," or whatever.
And really understanding that it's a maturation process rather than just a project, I think, is really kind of critical. Kevin, you know, when we think about a zero-trust strategy, you know, we often have these discussions with our executive committees, our boards, or, you know, potentially, you know, the broader audience.
How are you articulating the value that this effort is bringing to the whole enterprise and kind of the long-term benefits of undertaking this?
Kevin
Well, I think, as others had mentioned, there are aspects of this that are changes. So I guess I just want to back up, first of all, and recognize that there are aspects of this that may seem disruptive because it's changing perhaps the workflow or the way that employees have been used to working.
In fact, if you think about passwordless, there's a lot of process and systems and things that have been built up around that paradigm that cause us to rethink. And then when we rethink how we do those things, then how do we actually communicate, train, etc.? So, there's that aspect of change, and that disruption can obviously be a challenge. So kind of getting back to your point about how do we actually engage with executives and the board around what we're doing, getting the buy-in, and also giving them a heads-up or asking for the help on getting us through those changes, it is, to the best of our ability, to communicate what those kinds of experience changes will be, where we can expect there to be some noise, and do our best to actually communicate those things upfront, whether that be through piloting or, you know, progressive rollouts of different capabilities.
But then with that also, which I'm assuming everyone has as the basis, is reports on the different metrics that we have from a security standpoint and our reports out to the board on a monthly or quarterly basis, so we can start to show where we are being more effective through some of those changes, whether it be a reduction in stolen credentials through phishing exercises.
Whatever those metrics are, those are the things that we would want to kind of hone in on and show cause and effect through some of these changes. It won't be necessarily black and white, night and day, but we would and should expect to see there to be a difference overall through that that helps to essentially quantify the benefits that we see by pivoting towards this approach.
John
Marcos, I want to tie into what Kevin just mentioned. You know, as security executives, we've all kind of had to make the decision around what efforts to undertake, and where to align the budget, and how to kind of move the whole program forward. Where does the zero-trust strategy, you know, align?
And when it comes to importance in your long term, you know, if you think two, three, four years out, where does your zero-trust strategy play in that, you know, long-term role?
Marcos
Yeah, I think, you know, some really good points. You know, ultimately, it's definitely a matter of connecting with the business and making sure that, you know, they understand the whys. And, really, I think about this in two contexts. One is, you know, the threat context. And that's really not about FUD, or fear, uncertainty, and doubt, but it's about data, it's about facts, it's about stats.
If you look at any of the key sources that are out there, whether it's the Verizon Data Breach Report or you know, CrowdStrike's Threat Report from last year, you'll see thematically that, you know, 80% or so of cyber attacks leverage identity-based techniques. And so, similarly, if you threat model any of the recent breaches that are out there, I won't, you know, call out any vendors or names, but, you know, there's been a number of those, and so, thematically, passwords were always the underlying issue.
You know, whether it was a password, or whether the attacker was to gain access, bypassing MFA, getting that credential, and then being able to log in from an untrusted or unauthenticated device. So I think that's kind of the first context to root it in, really a sort of, you know, threat lens. But then there's also the compliance lens.
When you look at the sort of regulatory requirements that are out there today, you know, government mandates, you know, NIS, DOD, the White House just, you know, released an executive order. And similarly, the National Cybersecurity Strategy that just came out, you know, often also referenced the need to ensure that a phishing link or to ensure that, you know, someone using a bad password isn't something that's going to create national security risk.
And so, similarly, you don't want that to create risk for the business. And so, it's all about really explaining that why, and I think those two contexts are key, you know, the threat context and that compliance context. And then in terms of the roadmap, you know, ultimately, this is, to me, an area of focus. When you look at those stats, when you look at those data points around what are the key, you know, breaches and the root cause of those breaches, you know, ultimately, we want to adopt an approach that will reduce, you know, classes of attacks.
And if we know that, statistically, that is the top class, then that's definitely something that we should be looking to prioritize now.
John
Yeah, absolutely. And we've all been doing this for a long time, and, you know, it's lovely to see the transition from just, you know, running after fires, patching, doing all that, you know, throwing firewalls at problems and really, really addressing some of the underlying issues.
I mean, you know, I would argue security people hate passwords more than anyone else, right, because we really know that it doesn't give us much, you know, security. So, you know, I really love, you know, what all three of you are talking about right now because it's really going to change fundamentally how we address things. Allen, I'm going to flip it back to you.
You know, Kevin kind of mentioned some of the kind of higher-end projects, like passwordless and such. What are some of the key pieces and functionality that, you know, our listeners can really kind of go back and think about on how to start this effort, right?
We talk to a lot of enterprises, and there's a lot of intimidation, right? A lot of people are just...you know, they don't know where to start. They really, you know, don't know...you know, we always get the question, "Well, how do we know when we're done?" Right? So, you know, if there were three things that you could just say, "Just start looking at these," what can people use?
You know, some of the ideas that people can take away, they really get going down this path.
Allen
Yeah. Yeah. Thank you for asking. I think, you know, I try to look at maturity stages in a crawl, walk, run comparison. So maybe I'll give kind of all three to answer your question. I would say the crawl stage in terms of adopting a zero-trust solution for an organization might be to leverage a new technology, like passwordless, like Beyond Identity, that could, you know, add on to the current authentication security robustness.
And that would be maybe the crawl stage. I would say maybe the walk stage is starting to define your perimeter a little bit better and shifting your compliance requirements onto the user rather than kind of chasing them down. Creating this proactive policy that in order for your users to continue to work, they need to be compliant.
And so I think that's the walk phase, and that can be turned on with some of the Jamf integrations inside of Beyond Identity to start to kind of flip your approach on managing compliance at scale. The third is kind of the run phase, is going more towards this continuous authentication, which Marcos mentioned, and really having the initial alerting when policies are broken or devices break certain rules.
And then having kind of the holistic long-term data set to start to analyze trends as well and anything that that catches. And so, yeah, I would say all three of those tracks encompass the Beyond Identity products, depending on what organization and what stage you're at. That would be maybe a good kind of quick recommendation on three various pathways to achieve a more zero-trust approach.
John
Kevin, I'm going to...same question, but maybe a slightly different perspective, right? So, you know, again, we're all fighting for budget and trying to balance, you know, our spend. When we sit down and, you know, really kind of lay out that strategy, how do we communicate something as conceptual as zero trust, or even, I mean, you mentioned it, right, passwordless?
That's a concept that most non-security people would, you know, not struggle with, but kind of just kind of look at you and go, you know, "What do you mean we're getting rid of passwords?" How do you communicate that to, you know, non-security folks, board members, executives around the benefits of, you know, not just the solution, but the direction?
Kevin
Yeah, I think the angle of attacker approach, I guess it's not an attack, you don't want to attack the board, but it would be, I guess, first and foremost, for better or for worse, there is a benefit of the board and the public at large is quite aware of ransomware and phishing at this point because of all the coverage.
And not to use that as fear-mongering, but it's an easier approach to be able to articulate or to engage them because they're dealing with that. They're often targets of the phishing more so than the rest of the population. So that would be the first aspect of kind of framing at least one attack vector that they would be familiar with, and then extrapolate from that other attack vectors that would be similar but certainly, you know, as dangerous or more so because it'd be getting into the vitals of our systems.
So then being able to show, then, and talk to how something like, well, zero trust in principle, as Allen said, and the different kinds of capabilities that would be there, but even more particularly here, something like passwordless as, "Here's an opportunity that actually creates a better overall user experience and helps to mitigate these types of attack vectors," is at least one aspect of this that would help to make that very real to them in a place that they read in the newspaper on a daily basis.
So that would be, you know, the one kind of piece that I would get to, and that way we can frame the problem sets and make it less conceptual, more real but then kind of extrapolate the rest of the concepts that we're dealing with in the security world. And then hit that with, "Here's how we start to go about solving that," making sure they understand that it's not one silver bullet that solves these problems, but we're going to start with something like passwordless.
We're going to remove, you know, admin-level access if that's something that hasn't been tackled before, and go with, you know, role-based security or, as Allen mentioned, you know, time-based types of things. So I think the combination of those things helps to make that real and pragmatic as opposed to conceptual. And then, hopefully, then the money follows because you've been able to make it a real thing that they would see your return on from that.
John
Yeah. I would say... Yeah. Certainly, when I was...you know, been sitting in the seat, it's always, you know, they trust us to spend, but we have to show progress, right? And, you know, that, the ability to compartmentalize it and lay it out like you had said, is absolutely critical. So, Marcos, I'm going to kind of pivot to you in the same kind of vein and really ask, when you started this, how did you pick what you were going to attack first?
How did you decide that, you know, we're going to go...? You know, we hear a lot of people say, "I don't know where to start. You know, it feels like I'm boiling the ocean, and, you know, we have to disrupt the whole infrastructure." What opportunities did you have that you really said, "Okay, this is a great place to start down this path, and, you know, we're going to be able to use that as a proving ground and really show the benefit of it?"
Marcos
Yeah, I think just kind of going back a little bit and then I'll come back to that piece is, you know, I think the last question was a good one. Because, ultimately, there's a level of, I mentioned, kind of stats and data and sort of facts. When you're able to lead with business value and to put things in terms that the business understands, I think you can get that buy-in, that adoption.
You can allow, you know, executives to reach that epiphany that, you know, this is a path forward. And so, specifically, when you start talking about the time it takes to reset a password, as an example, the number of help desk tickets that come through for password-related requests, whether it's a lost password or forgotten password, password resets, that takes time and impacts productivity.
So there's a cost dimension to that. So being able to unpack that and to convey that, I think, is very important. The second piece, I think, to that kind of business question is using analogies. I think when you're able to tell the story and put the mind of those business executives, you know, in an environment that they understand and you kind of draw on that parallel, I think that's another way to really help cement the why and the understanding in their mind.
For example, you know, when they have movers that come over, you know, they don't just allow any movers to show up and come into the door, right? They've got to validate that they're actually from the appropriate moving company, as an example, and check their credentials. And so I think that's key. But in terms of what you said and specifically around where do I start, I think it really just depends upon, you know, kind of the business architecture, the network architecture, you know, the level of maturity today.
When you think about the way in which we work today, we're all kind of global, you know, this sort of hybrid working environment. You know, for me at least, it was really looking at device-level authentication. You know, it kind of goes back to machine verification days of, you know, NAC or, you know, 802.1x when, you know, we're worried about folks plugging in devices into the network.
You know, now when, you know, we're remote and virtual, it's really about understanding which devices are trying to access our resources, and then being able to delineate between a managed device that might be able to have a little bit more rein and freedom to access certain applications or an unmanaged device that perhaps you only want to allow to have access to lower-risk applications.
So, really, that's the key for me. I think, you know, authenticating devices is just as important as authenticating users. And so that was really the thing that I looked at as I started to prioritize my strategy.
John
Awesome. So, as we kind of come to the close of this, I'd like to ask the three of you to come up with kind of one piece of recommendation, an idea, just really something that would help someone who is just starting down this journey.
You know, one little tidbit that they can go off and actually start thinking about and maybe act on. So, Allen, I'm going to go to you first. Any kind of recommendations or suggestions for our listeners?
Allen
Yeah. I would say look at the current data, ask the users, talk to your users, identify what is currently being accessed. Start to understand kind of those experiences and those access methodologies, and then start to build a plan to improve it.
And generally, I would say, if you can improve the user experience with the security, then that's going to be a win-win. And that's a pretty agnostic place to start in any business, but I would say that that's a pretty decent place to start, so...
John
Awesome. Thank you. Kevin, any thoughts?
Kevin
Yeah. I kind of mentioned it in one of the previous things, but I do think that passwordless is a paradigm change, that at least our experience has been that we've had to take a step back then and look at a lot of the processes, whether it's password resets, etc., and those types of things, and really reframe how do we approach those things as we roll something like that out.
If you just continue to add to what you've done without really taking that zero-trust paradigm shift and look back, you'll potentially run into some conflicts that might cause interruptions either to the user experience or to your overall objective.
So, make sure that you actually do reframe to that mindset, I think that's what Allen's call to action was there earlier, and then have that guide what you're doing. So it's not just a matter of continuing necessarily, that doesn't mean you throw the baby out with the bath water with all you've done, but you need to re-look at what you did, and then bring that forward in the context of this new approach.
When you do that, just to react on those things, it does provide greater opportunities for increased security and better overall user experience. And I think that makes us a great position for us to all be in in the industry at the moment. I mean, there's obviously the great risks that go with that, but there's great reward as well.
John
Yeah. I can't recall very many opportunities when the security team could make both the user happy and more secure in the same effort. So, yeah. Absolutely. That's good. Definitely one of the great things about it. And, Marcos, I'm going to turn it over to you.
You know, any kind of parting thoughts?
Marcos
Sure. I think the panel really, you know, captured it clearly. The only thing I would add is spend a lot of time upfront contextualizing the business use cases, really understanding all the different ways in which the business runs from a process and workflow perspective, and how implementing policies around device authentication, device posture checks, and passwordless might impact their workflow.
You know, really understanding that is, I think, key. And as part of that, also getting champions within the business to really stress test those policies as well. And then finally, just communication. I think communication is key. Having a robust communication plan. You can't overcommunicate, so definitely spend a lot of time communicating in advance and throughout the journey as well.
John
Awesome. Gentlemen, thank you very much for your time. You know, zero trust, for all the buzzword that it is, I actually feel that we would all agree it's actually the right way to go, and it can make a substantial difference in any security program and in any enterprise.
So, really do appreciate your time. Thank you very much.