
[Applause] Hey everybody, thanks for joining us. Thanks for the after-lunch attendance, that's really good. I was told, you know, monotone, really slow speech, and the first head to nod, first of all his head goes like this, buys the drinks tonight. That's the deal, right? And it won't be mine, I can promise you, so that's good.

Yeah, so thanks a lot. I'm going to talk about demystifying zero trust. So just briefly talk a little bit about zero trust, kind of start with what it's not, because that's the easiest bit. Then I'll get into a little bit of the history, right, not a lot of people have a great awareness of how far back this concept goes. I'll talk briefly about the history, talk about some of the near-term, 2018 at least, in terms of NIST and what they've put together and where that is. And then from there get into kind of the practitioner's or the operator's perspective in terms of, you know, how do we approach it, what do we do, what are the bases of how we go forward. I'll talk through the mindset you want to apply to the modeling and the structure, and then finish off with reassessment. Zero trust is not a thing of, like, I'm going to go to the store, I'm going to go to the rack, I'm going to buy pink zero trust, I'm going to install this thing and we're magic, it's done, I'm going to go to the board, get my bonus and everything's wonderful. Absolutely not the case. Zero trust is an ongoing journey.

So trust is a vulnerability, it's dangerous, right? So it's exploited, and it has always been exploited. I happened to find an old snippet that I'd recorded 28 odd years ago, which is an old CSI/FBI survey document that was produced way back then, 28 years ago, and at the time it was found that insider threat was the greatest issue of the time, right? So the concept of identity, of who these people are, what they do within our infrastructure, at that stage was very, like, it was very simplistic stuff, and that was obviously part of the problem. So there's some key underpinnings that go with that. I'm going to talk about activity, how we model for it, how we're going to work away from that and do it in a way that's measurable and attainable, right? Because one of the things that happens, just talking about zero trust, there's a lot of confusion in the industry and a lot of confusion in the market, right? There's people that do products that they claim are zero trust capable, there are people that do services that are zero trust capable, there are people that do combinations of these, and you've got to be really careful about what you're taking on here.

So let's get into this. Identity and access management: an outstanding practice, an absolute cornerstone of our industry and what we need to do. But as a statement, identity and access management is not zero trust, right? It is a contributor to the state that informs the model which will get us to where we need to be, but this is not the singular piece that gets us there, right? So just set the table on that. Zero trust network access: tremendously interesting, amazing groups of product suites that people have that will deliver these types of functions for you, and they have a very solid place in your structure and in your thinking, but again, we don't buy a ZTNA and we have an answer here, right? And in fact some of the ZTNA that's out there is a little bit aged and needs to be, you know, updated. So incorrect on that one. Micro-segmentation, again tremendously useful, really, you know, functionally where we need to be in terms of adaptation and moving forward, but this also is not zero trust. And then finally, zero trust is not a product. I mean, I joke about it in terms of, like, buying the pink one, the green one, the red one, you know, if I pay more for the red one is it better than the pink one, kind of mindset. There's unfortunately a lot of marketing that has glommed onto the zero trust principle and concept and tried to sweep a lot of rubbish under the carpet on that one. We want to avoid all of that, please.

And so what it is, zero trust, we go back to the genesis. So Stephen Paul Marsh, and to make sure everyone's listening, I'm going to say at the Battle of Stirling, not the University of Stirling, because that always gets people like, whoa, hang on, where are we? It's after lunchtime. April 1994, in his foundational paper, he introduced the concept of zero trust. The Jericho Forum is a following, 2003, started talking about what was then sort of categorized as de-perimeterization. So the sense that our focus previously on hardening the inside, with the moats and keeps and all the language we had at the time for defensive circles around our key infrastructure and key people in key regions and resources, with an outward view, started changing quite significantly even back then. So that's 20 years ago people started really practically thinking about how this is going to work, and here we are 20 years later with a very confusing landscape, with the zero trust thing being thrown about. So key thing there, and I'll just reference de-perimeterization, lovely if you could actually say it, maybe if I put my teeth in. It was referenced in 2009 by Mark Kadrich in a book called Endpoint Security. He's a San Diego-based researcher, did some original research around this stuff and put together a book on endpoint security, and he really got a hold of this and really published quite extensively. From his work some more stuff came forward, including, 2009, Google took its first stab at actually deploying a parallel structure called BeyondCorp, which is a zero trust enterprise that they were building, experimenting and growing. It continues to grow, it continues to evolve, which is key. This is an evolutionary process. This is not a "we start here, we spend 100 million dollars and we get to there" kind of a thing. This is something that will ever be ongoing; whether it's a $10 exercise or a $100 million exercise, it's a process with no end, right, ultimately.

And then looking at that, the stuff that really started getting a lot of attention: John Kindervag with Forrester in 2010, he talks about the zero trust model, and he's the first person that really codified the approach of, like, let's take this thinking, look at it from a perspective of how could you embrace this as a practical model that people could use and go forward with. And so this, 13 years ago, was the start of the conversation that started really making this a practical thing that people could actually bite off on and understand. And so later on in the slides I'm going to talk about how we approach zero trust, I'm going to talk about kind of the five core principles of what you want to do, I'll talk about the Kipling method in terms of application and how you build your policy around that. I'm about to break out into the NIST piece as well, which is brief, I'm not going to go too deep on that. But all of that really leveraged off John's key work. John is still very much active in the zero trust world, and he's now, because of all the marketing fluff that's going on, actually sort of looking at rebranding the zero trust approach as original zero trust or true zero trust, and the intent there is to be like, my carpet sweeper that is being sold as a zero trust device is rubbish, this is actually what you need to be thinking about. He's a hell of a character. Like, if you ever get to get him out, he loves racing, he loves cowboy boots. Having him in Toronto in July for the Indy race in a suede jacket and cowboy boots in 28 degree heat is quite fun, good man to manage at that stage, but very smart operator.

And I had mentioned the NIST piece, so a little bit detailed, but 2018, NIST, the Cyber Excellence group within that, published SP 800-207, and within that they looked at a number of principles and how you could actually define them and apply them. So this is where we get the first government look at putting together something that would be then generally available and broadly accepted and documented and run, and this is the first piece of that. I highlighted the one piece there, and that's enforcing accurate per-request access decisions, right? So again, back to the identity component: identity is absolutely part of what you need to be having there, be it for a resource, a person or just a function, and then per-request access decisions need to be validated as we go through. This is a foundational thing that we have there, right? I did reference the paper for those that need it, I'll give you a minute if you need to have that. The slides I believe will be available and there is a recording that we'll have. That's absolutely well worth a read, right, for anyone that's going to embrace this approach, start down this road, or even better, pay a consultant to come in and tell them what they should be doing around this. Having a foundational read in there, building some understanding of what's available, what you should be thinking of, will introduce some questions you might be able to put to people like that, and based on their response you might be interviewing other consultants, or really embracing them and welcoming them into your organization to do great things for you. I did promise to be a little bit contentious but I was told to turn it down, so I hope we've been okay here.

Let's look to this. A couple of key callouts, are we going to do the laser thingy? Separation of control and data plane, right? Inputs, so, you know, rediscovery, your engine for constant rediscovery and constant inputs: look at your policy structure, PKI inputs, ID management, your SIEM, etc. But the breakout here is separation of control and data plane. Select your input component, process it through something, well, that will take it through a policy enforcement point, it'll validate through policy, and usually through layers of policy and layers of structure here, to give you a go/no-go decision. Based on a go decision we can then forward it on and have a sense of propriety. Very simplistic modeling, very simplistic look, there's a great deal of detail that goes into this, but I wanted this up there just specifically because it calls out that separation here. And in a practical sense, how you would apply that is again looking at, you know, what you would commonly deal with from an architecture perspective: identity structure and source, including, you know, some sort of regionality, etc.; device and workloads, again regionality, where they're located, what they perform for us and how they operate, whether they're calling to an application or providing the application, etc.; so data flows, taking it into a context there, what access type is required, and then transaction, right? So break that out into the little chunks you can understand and build on and go forward with that.

So back to some of the original concepts and thinking there: the perimeter changed, right? So originally we looked at our organization as our piece, with maybe some adjacent satellite functions that we have secured, etc., but we have these pieces that we secured, and with time, and especially, you know, the last three years with what happened with work from home and COVID, the pandemic, things changed dramatically. And so, I'm just going to paint this out, what we have now is essentially a function that is required and available everywhere. Users are everywhere, applications are everywhere, our control of infrastructure has changed dramatically, and so with that we've had to change the architectures, change our approaches to meet these, you know, requirements, concerns and objectives through there.

So this is a simple example. My context within the company that I happen to work for is I'm actually 14 different devices within their infrastructure, and so they need to have an understanding of, like, what is this user's identification, what certificates are on those devices, what state is the device in in terms of security posture, like what is applied within there, what controls are in play, etc. etc., and based on the communication of all those things to a control point, to that decision piece, to the policy structure, I would be granted access to things either internal or external to the organization, in accordance with making sure that, from a zero trust perspective, policy is applied correctly. And so again, internal users work no matter where they operate from, internal of course being the old way of thinking; partners, contractors, work from home people, etc. All of this is in context, all of this is in scope. More and more the data center is actually collapsing and moving away, right? So I work in Canada quite extensively; most of the banks there have had significant, you know, collapsing and shrinking of data center functionality and personnel in favor of cloud functions. More and more applications of course are directly accessible outside of the organization anyway. Current count, and just a quick interest point: SaaS applications, does anyone want to have a guess, or does anyone have a sense of how many SaaS applications are viably commercially available to you today? Someone's thrown a number, oh, three thousand, ten... So, commercially available, there are entities, so if you include China in what's available then you're probably in that region, and what we recognize in most of the Western world is about 58,000 unique SaaS applications that you could potentially interact with, and your users could potentially be using, right, or you could potentially be providing the services through and leveraging as part of your enterprise scope. So from a zero trust perspective that's a lot to take in. That is not a human issue at that point. I am not going to be sitting down at a device going through and maintaining currency on 58,000 applications that are growing at about 5,000 applications every quarter, to keep any sense of scope or understanding of what's going on in it. This is a machine issue, right? So here's one of the practical intersections. If anyone was here last year when I talked about machine learning for the SOC, here this is now, you know, on the front end of the house: practical application of machine learning and AI in terms of making the discrimination for you on what is going on in that scope, right?

And so when we look at the old defined perimeter, it was physical, flat network, and I'm going to paint this out and then obviously talk about the other. Static policy, so things that we would potentially apply and then never think about again. Like, I commonly go into environments where I'm talking to people about their architectures and I say, like, you know, paint me your landscape, tell me where the applications are, tell me where your users are, what cloud infrastructures you use, what's in the data centers, how do we use these things, what are the data flows, let's understand your business and how things go. And they'll paint this picture of how things are and what have you, and part of what will come out of that is there is inevitably a device, or devices, within their infrastructures that have been there for decades that nobody can touch, just in case something ever happens on that device, right? The policy that was set there way back in the day, like it might be an old Check Point, you know, 3.0b firewall from 25 years ago, but we know that that's the Caribbean banking arm, once a quarter they send us this little blip of communication which, you know, goes to that specific back office guy in legal, don't touch it, it's the only way we can work it, we think it's secure, we kind of hope it's secure, the auditors can't even tell us if it's secure, but like, just leave it. That's where you get into static policy and stupidities around that kind of thing that has to change, obviously. And then generally they're network based, and network-based because we own the networks, we own the infrastructures, that we could kind of get our arms around. The interconnect points were obviously commercially done through MPLS or, you know, direct connections, all T1s, etc., back in the day.

And so the new is more concepts like logical perimeter, right? We don't own the infrastructure, we don't know where things are; we own function, we own outputs, we own applications, right? And we contract these things, and they're amazing, and I'm really hoping we kind of secure those really well, because sometimes we miss on that as well, and people really do. Segmented networks: these days there's not the concept of, like, you know, the old pictures you see of untrust, firewall, trust, but that's 25 years ago as a model, that's even 20 years ago's model. But again, referencing back to 1993, oh sorry, 2003, thinking changed, de-perimeterization, 2009 really started catching hold, 2010 John's paper. This is one of the most significant things: the segmenting of the network into function, right? It's not region now, now it's function, where it's like this is the HR network and this is the legal network and here's my, you know, payment processing network, etc., and you start logically breaking these things up by function and form, which is far simpler, obviously, to secure from a zero trust perspective. Dynamic policy, and again static policy: this person going to that thing for these reasons with these security checks, great, never think about it again. Rubbish. Dynamic policy: these groups of IPs, right, Office 365, these groups of IPs, I will give my people access to these things, and if they access those I would expect from them these inputs, right, or this user ID, these certificates, these checks on the inside, checks behind the policy, you know, before the policy is applied. And that can be dynamic, so as their state changes, as the IPs themselves that we're getting service from change, etc., we don't have to stop the process, we don't have to re-initiate a connection, we can actually adjust for these things and go forward, and log those things, which is useful. More of a context-based mindset for my security. So very specifically, think about this in terms of, like, not ports and protocols but layer 7. So John Kindervag last year at CX-22 got up on stage for about four minutes about zero trust. The most important message in those four minutes was zero trust requires application level security. It's a layer 7 construct. If you do ports and protocols in whatever form, you will never know exactly what the applications are that are processing through those, and they can be obfuscated and they can change, you know, they can flux while they're processing, and you're just blind to that. It has to. So there's context within there. This is also context in terms of the data in flow, so I'll talk briefly about single pass architecture, but essentially what I'm saying is within your security controls is the ability to look at the stream of what's going through and make determinations on the fly there, not just what's at rest but also what's on the fly and what's in motion for you. Cloud-hosted SaaS, I've already spoken a little bit about that, but just in thinking there in terms of, like, volume, pretty much everyone I talk to these days has SaaS in great volumes and can't get away from that. And then lastly, the new sort of thinking is more of a prevention-rooted mindset, prevention first, right? This is something that's been around for at least 12 years; people have started thinking more about, less about here's my perimeter, this is what I defend, I can see it so I know I'm safe, to more of, like, if these things happen what are my responses going to be, and let's make sure we have those in place so that I don't have to think about it at the time as they happen. It's automated, it just occurs, right? So XDR, MDR type approaches within that as
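The per-request, context-based decision the talk keeps returning to (who the user is, what certificates and posture the device carries, which application rather than which port, and policy that is re-evaluated as state changes instead of being set once and forgotten) as an added worked example. This is illustrative code written for this page, not the speaker's, NIST's or any product's; every user, group, device, issuer name and policy threshold in it is constructed.

```python
"""Toy policy decision point (PDP) for per-request, context-based access.

Each request carries who (identity), on what device (posture), to which
application (a layer-7 identity, not a port), doing what, from where.  Policy
is evaluated on every request, so a change in device state between two
requests changes the answer.  Names, groups, issuers and thresholds below are
constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Set


@dataclass
class Identity:
    user: str
    groups: Set[str]
    mfa_verified: bool


@dataclass
class DevicePosture:
    device_id: str
    cert_issuer: str        # issuer of the device certificate presented
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int     # days since the OS was last patched


@dataclass
class Request:
    identity: Identity
    device: DevicePosture
    application: str        # application identity (layer 7), not a port
    action: str
    region: str


@dataclass
class PolicyRule:
    allowed_groups: Set[str]
    allowed_actions: Set[str]
    allowed_regions: Set[str]
    max_patch_age_days: int = 30
    require_mfa: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: List[str]


TRUSTED_DEVICE_CA = "corp-device-ca"   # constructed issuer name

# Constructed policy keyed by application (function), not by network segment.
POLICY: Dict[str, PolicyRule] = {
    "hr-portal": PolicyRule({"hr"}, {"read", "write"}, {"ca", "us"}),
    "payroll-api": PolicyRule({"hr", "finance"}, {"read"}, {"ca"},
                              max_patch_age_days=14),
}


def posture_failures(device: DevicePosture, rule: PolicyRule) -> List[str]:
    """Device checks that sit behind the policy and are re-run on every request."""
    failures = []
    if device.cert_issuer != TRUSTED_DEVICE_CA:
        failures.append("device certificate not issued by the corporate CA")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_running:
        failures.append("EDR agent not running")
    if device.patch_age_days > rule.max_patch_age_days:
        failures.append(f"OS patch age {device.patch_age_days}d exceeds "
                        f"{rule.max_patch_age_days}d")
    return failures


def evaluate(req: Request, policy: Dict[str, PolicyRule] = POLICY) -> Decision:
    """Per-request go/no-go: default deny, and every check must pass."""
    rule = policy.get(req.application)
    if rule is None:
        return Decision(False, [f"no policy for application '{req.application}'"])
    reasons = []
    if not (req.identity.groups & rule.allowed_groups):
        reasons.append(f"user {req.identity.user} not entitled to {req.application}")
    if rule.require_mfa and not req.identity.mfa_verified:
        reasons.append("MFA not verified")
    if req.action not in rule.allowed_actions:
        reasons.append(f"action '{req.action}' not permitted")
    if req.region not in rule.allowed_regions:
        reasons.append(f"region '{req.region}' not permitted")
    reasons.extend(posture_failures(req.device, rule))
    return Decision(not reasons, reasons or ["all checks passed"])


def demo() -> Dict[str, bool]:
    """One user, several requests; the device state changes between them."""
    alice = Identity("alice", {"hr"}, mfa_verified=True)
    laptop = DevicePosture("lt-001", TRUSTED_DEVICE_CA, True, True, 7)
    out = {}
    out["healthy"] = evaluate(Request(alice, laptop, "hr-portal", "write", "ca")).allow
    # EDR stops mid-session: no new connection, but the next request is re-checked.
    out["edr_stopped"] = evaluate(
        Request(alice, replace(laptop, edr_running=False), "hr-portal", "write", "ca")).allow
    out["wrong_group"] = evaluate(
        Request(Identity("bob", {"contractors"}, True), laptop, "hr-portal", "read", "ca")).allow
    out["stale_patch_for_payroll"] = evaluate(
        Request(alice, replace(laptop, patch_age_days=20), "payroll-api", "read", "ca")).allow
    out["unknown_app"] = evaluate(
        Request(alice, laptop, "legacy-quarterly-link", "read", "ca")).allow
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:25s} -> {'ALLOW' if allowed else 'DENY'}")
```

The design point is that nothing is decided at connection time and remembered: the same user on the same laptop is allowed one request and denied the next purely because the device's EDR state changed, and an application with no rule is denied by default rather than by an absent firewall line. A real decision point would take the posture fields from device certificates and an endpoint agent, and the reasons list is what you would log so the denials are explainable.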