Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.
Do you know who has access to what?
Yes. Let’s go ahead and introduce Dr. Chase Cunningham. He’s the chief strategy officer at Ericom Software. He’s also the author of the book Cyber Warfare: Truth, Tactics and Strategies. Welcome to the show, Chase.
Chase, before we jump into the whole piece about zero trust, tell us a little bit more about this book.
I was lucky that Packt asked me to write it. They basically said, “What kind of topic would you want to write?” I was like, “Well, I would like to write a book about strategy in cyberspace and about what I consider to be the historical proof that this is a battlefield environment, not that it is a place for sending kiddie pictures to Grandma.” Obviously, it happens and it’s necessary, but it’s really a combat field, and the only way you survive combat is to have a strategy where you outlast the adversary, and that was the approach I took in the book. I think all the feedback I’ve gotten has been very positive. It’s been nominated for the Cybersecurity Canon Hall of Fame, and the focus of it was really about “If you do these things, this is what you should expect, and this is the reality of the space in which you operate.”
So, how do you get started writing a book? This is something that’s always interesting to me. How do you sit down and buckle down and put pen to paper or finger to keyboard to get something started?
For me, it was really one of those deals where they reached out to me and said, “Look, we’d like somebody to write a book about cyberwarfare.” Then they said, “Go at it however you like.” I mean, that’s the fourth book that I’ve published or copublished. I’m working on another one now, and it’s one of those deals where I’ve always found that you just start. It doesn’t really matter if you think you’ve got Hemingway in your blood or whatever. You just word-vomit and work your way forward from there, and eventually, you can keep polishing that thing until it becomes a good piece of literature. I mean, that’s where you’re trying to get to. I would say, to be totally honest, I have never started a writing project with an end state in mind. I just start writing.
Chase, I haven’t read the book yet, but I just threw it in my shopping cart on Amazon. So, I am going to get it. One of the things about security, and identity and access management, that I always found was that if you’re in an industry, your companies are competing with other companies. However, as security practitioners, we are in the same boat together. I’ve been willing to share not inside secrets per se, but at least approaches, frameworks and information, since we’re all in this together. So, I’m wondering, how does that strike you, that statement that I just made there? Then, also, were you interacting a lot with other folks in the industry to get information, to cite them, as you were going, or was it just really you sitting down and just going from your brain?
Well, you are on the Identity at the Center podcast, and I feel like identity really is at the core of a good zero trust approach. I’m wondering if you agree with that. How do you see identity fitting into taking that zero trust approach?
I published this a while ago: Identity is the mechanism around which the gears of zero trust revolve. Sean Ryan and I, and other analysts at Forrester, published a paper on identities beyond human, which is also interesting, because if you think about it, machines have identities now. Robots have identities. Cars have identities. I mean, if it has a unique identifier and it does something digitally, it has an identity, and all of those things are potential avenues of compromise. It’s not necessarily the human issue, but it is an identity. You hear people say all the time too, “Well, the most secure system in the world is the one no person has ever touched.” Correct. The reason that is, is because no identity, no access, no user of any type has ever been on that system. So, if that’s the reality, then it must mean that identity is the central point of this thing.
Obviously, we named the podcast for a reason. So, it works out pretty well from that perspective. With all this talk around zero trust, something that gets lost sometimes is, who is zero trust right for? Is there a certain type of organization? Is it based on size? Is it based on resource? Is it based on vertical, or is it really something that spreads across pretty much everywhere?
Well, it’s one of these things where it’s about security strategy, and I do workshops with folks all over the world, talking about how this can be applied to them. It’s OK if you’re one of those organizations that doesn’t like the term zero trust because you think it might hurt your relationship with employees or whatever. Fine, but the basics of it are, what you’re trying to focus on is what you should consider, like the physics of what’s required to cause compromise — which is inherent trust relationships, default configurations, all those things that we talked about — and removing those by the practices that you’re putting in place.
You can call that strategy whatever you want. However, the industry has accepted ZT as kind of the common point of conversation. This is not something that is inherent only to mega enterprises. This works for mom-and-pop shops. I have a zero trust environment here in my house. This is something that can be applied to anybody, everywhere, and that is the real beauty of an actual strategy. It’s that it’s something that can be translated between organizations or even between users.
I’ve got my firewalls and everything else. Then I’ve got a Wi-Fi network working for my kids and everybody else, but me, in my office, I run on my own separate LAN. I connect direct to where I need to go. Everything has got MFA on it, na-na-na-na-na. I’ve got my own little corporate setup. For my kids, they’re all running on Chromebooks. They all run through all their own segment of the network. They can only go out to where they need to go, and they have MFA applied to everything they need, and it is where I am in control of the router, firewall, switching infrastructure. So, when I see stuff — and I get a report every day on everything going on in my network — if there’s an anomaly, I’m investigating it. It’s one of these deals where it took me maybe two days to get it configured the way I wanted it, but it’s up and running, and I can look literally right now and see that one of my kids upstairs has got too many scans running on their machine. So, later on today, I’m going to have to figure out what’s going on with that thing.
I think about when I got into IT many moons ago, and the approach of the corporate network was “There’s a firewall. Outside of the firewall are outsiders. Inside of the firewall are the insiders, aka the people we trust.” I think what zero trust is about is that just because you’re inside the firewall, it doesn’t mean that you can be trusted. Not that you’re not a trustworthy person. It’s just that, number one, people can get past firewalls. There are many entry points into a network. Number two, when you look at data breaches that are occurring, something like a third of them are insiders that are performing data breaches. Here’s another point that I want to make. It’s that I don’t think that the firewall is not something useful. I mean, heck, you just gave a breakdown of your —
Yes, the firewall is not going away. It’s just that just because somebody is inside of the firewall or just because an identity is inside the firewall, it doesn’t mean that its activities can be trusted. That’s the way I’ve been thinking about it.
I like to think about it too as far as, if you’re thinking about zero trust at the broad, strategic level, it’s like if I think about what goes on when I’m driving my vehicle somewhere. This is a little bit crazy, if you think about it, but when I get in my car, I don’t have to do things to make myself safer. It’s about as safe as it’s going to get, because I have airbags that are automatic. I have a GPS, which is built into the system. I know where I’m going. I’ve got a seatbelt. The engine has got governors on it that will only allow me to go so fast.
Then, when I get on my network — quote-unquote, the street — that is owned by the state, and the state and the federal government have made it where I can get where I’m going and pipe me directly to what I need to do, and then I do what I’ve got to do, and I come home. That’s kind of what you’re talking about when you think about what it should look like as far as firewall, network infrastructure and moving a user from somewhere to somewhere else. You don’t, hopefully, just jump into your car — you don’t do any security or anything, no safety, whatever — and you just bag it down the road and hope that you’re going to get where you’re going safely. It’s about leveraging the resources that are in front of you and having security and safety built into the apparatus that you’re using.
About a year and a half or two years ago, I started seeing a lot of IAM and security products saying, in other words, “We’re zero trust certified.” Not really, but —
Yes, because there’s no certification. Yes.
Yes. They’re packaging and they’re marketing around zero trust, which is cool, because it started to create that mindshare where a lot of the clients that Jeff and I work with were saying, “Our target is zero trust. We’re working toward a zero trust framework.” You’ve mentioned you’re consulting with organizations and telling them how to get toward zero trust. You run into clients at all ends of the spectrum in terms of how mature they are and how ready they are. Talk to us about how you approach that and how an organization might get started down the zero trust route.
Well, it really boils down to, there is a maturity curve here. The maturity curve is based off of where you are in the space around compliance. While I’m not necessarily a fan of compliance being your end state, it is a good line in the sand for where you are. So, if you’re an organization that has been heavily compliant — healthcare, banking, whatever — you probably have solved some of the more intricate problems in cyber. At least, hopefully, you have. You’re probably further along the road toward a more zero-trusty-type infrastructure. Whereas, if you’re new to cyber — you’re a small business, you’re outside of those heavily compliant frameworks — you’re probably solving for what you would consider to be the earlier problems in ZT, and that’s OK. The thing about this is, solve for what you need to solve for — it’s not everything all the time — and continue to invest in the things that solve those problems strategically as you progress going forward.
There’s really an order of operations, then, to getting zero trust in place. You have to have the basic blocking and tackling in place to be able to get to zero trust, or do you see it as being able to start at either end of the spectrum, whether they’re immature or not?
If you look at where the market has been trending, the smart play is to try to move more to the cloud faster because that is your greenfield environment, and you can do so much more. Google just published their BeyondCorp stuff — you could build a zero trust infrastructure in Google and be good to go. Microsoft has got their zero trust thing for Azure. It’s starting to show up in more places. The better place to be if you do it correctly — let me make sure I caveat that — is the cloud. However, you can still enable ZT in legacy infrastructure, but it’s probably a bit of a heavier lift.
Yes, there are probably more legacy decisions that would be made that need to be unwound and unspun within an organization. Is there a particular type of organization or company that you see has been doing zero trust pretty well? I’m not talking about things like Google and Microsoft, where they obviously have their own type of implementation approaches. That, we can talk about in a minute, but I’m curious from a real-world example, do you have any that you can talk about?
Well, a really great example, as far as the long focus on this is, we’ve been doing a bunch of work with the federal government — specifically the U.S. Navy and the U.S. Air Force — on their migration to ZT. For them, I mean, this is a giant infrastructure, a 400,000-node network. They say, “Our plan is to be a manageable zero trust infrastructure by 2030.” So, they’re talking 10 years or nine years of evolution, and they’re very, very pragmatic about it. The leadership there has said, “We’re going to start from scratch as we move into this GovCloud infrastructure,” which is super.
Then there have been some banks that I’ve worked with that have said — an interesting point for them was — “We want to move to ZT, but we’re going to start with 5,000 users.” My response to them during those workshops was, “Let’s start with 50, all right? Five thousand is huge. That’s boiling the ocean. Let’s make sure we have everything right — entitlements, accesses, privileges, logins, MFA, na-na-na, for 50 users. When we have that, then we can go to 100, and then we’ll just continue to replicate that going forward.” To their credit, they said, “Look, this is going to take us —” I think double what they had estimated in time, but they’ve been getting it right.
Yes, I would imagine that a lot of it is predicated on the concept of roles, which are applied to the rules within the zero trust framework.
Yes. If you’ve got a 400,000-node network, in the case of the government, that’s going to take some time to slot people into the right roles.
Those networks were built in the ’60s.
Yes. Is there a zero trust for punch cards? That might be a good one.
It’s funny you mentioned that, because I did do a workshop with a government organization that still has punch cards. For that, it was like, “I think you just segment that off.”
Let’s talk a little bit more detail around BeyondCorp, which is Google’s version of zero trust. I want to say it was just a couple of days ago. (We’re recording this on January 28, for those who are interested in the fourth wall.) That has now become generally available. I think that’s a good starting step for folks, at least who are on the Google Cloud Platform, but I believe it still works across other clouds and maybe even on-premise applications as well. One of the things that is important to their implementation of this, and to all of them is, this concept of an identity-aware proxy that sits in front of applications that basically translates the rules or the roles that are assigned and then matches that up with the resources. Is that the correct way to think about it, at least in the BeyondCorp version of it?
Yes. What’s a really good point to take away there is, Google started putting things together for an infrastructure a few years ago, after the Operation Aurora thing. You notice that you haven’t heard Google in the news in the last couple of years as far as compromise or breach activity, and they’ve deployed BeyondCorp for them, their zero trust implementation, globally, and it’s been a real game-changer. So, when you see a corporate entity that’s that big, that’s that diverse, that’s that fast to do these types of things and it works for them, it’s a good thing — we can aspire to that too. BeyondCorp as a service is actually pretty slick. I haven’t gotten my hands on it yet to play with it, but I’ve seen the demo, and I’ve had briefings from Google. It’s a pretty cool system. I’m a big fan of the GCP infrastructure because you can do lots of things. They’re making it where you don’t have to be a zero trust PhD to do zero trust things.
Yes. I think one of the benefits, too, from the Google side is, they have YouTube. They have scale, and they have the latency issues figured out because they’re running it internally at least for Gmail and their YouTube infrastructure. I will include a video that I found that explains how you get started with BeyondCorp, and what are the different components around it so that, hopefully, that’ll help people as well. Are there any differences between what Microsoft is pitching as zero trust versus Google’s version of it?
Well, I think the one thing that Microsoft has done differently, besides the Titan Key, as part of their authentication protocol is, Microsoft has set up — I guess you’d call it a work center for organizations and businesses to talk with them, and they have people there that are dedicated to help you figure out how to use Azure, set stuff up with Azure, leverage the resources there correctly. It’s one of those deals where it’s kind of cool. Well, it’s not kind of cool. It is cool, because it’s a way of guiding people through the process of using Azure to do it. While Google is good because it gives you the capability and that breadth of offering across an infrastructure, they just drop it on your lap and say, “Here’s how it works.” Whereas, what I like about Microsoft is, it’s big and it’s complex, but they do have dedicated resources where you can go and say, “Hey, I don’t know how to do this.” Then an actual human will get there and go, “Look, let me walk you through that process.”
Chase, I thought it was really interesting how when Jeff asked about organizations that are leading the charge, you mentioned some of the military and banks. I think to myself, “OK, yes, the benefit for them, the risk profile, it’s kind of obvious,” but what I’ve been seeing is that attacks are heading downstream toward smaller, midsized businesses. I think for those organizations, a lot of times, the security and identity practitioners are having to convince their upper management that “Hey, we need to be secure. Maybe not as secure as a bank, but we’re at risk as well.” So, maybe you can talk about changing mind-sets, and what you’re seeing in terms of small and midsized businesses needing an approach like zero trust.
Yes. That’s also a funny thing you would say that because chapter three, page 55 in my book — literally, the title of that is “Attacks Move Downstream.” I think what we’re seeing is that the adversaries have realized that the government, big banks, big healthcare, they have figured out the way to make themselves a harder target, and obviously, they can still be got, because anybody can, but they’re at least typically a more difficult target. What does that mean for the adversaries, especially the adversaries that are not government-related, hardcore APT, persistent-threat-type operators? That means you go after the slow gazelles, and the slow gazelles on the cyber Serengeti are small and midsized businesses. You go after them with things like phishing, drive-by download, ransomware and those types of acts.
The goal there is to get in and then weasel your way up into those bigger infrastructures because of shared privileges, excess access, bad passwords, all the things that we know will eat your lunch. From the adversary perspective, why would I waste my time trying to bang down the door of the FBI when I could work my way through a business that has access to something that does bigger work within the federal government or a big bank? That’s what we saw with SolarWinds — SolarWinds isn’t a small company, but what did they do to get in there? They worked through the software vendor’s supply chain to get in, and then they worked their way into infrastructure. It’s a great example of moving downstream to go upstream.
So, for our Talladega Nights, they’ll say, “If you’re not first, you’re last.” In this case, if you’re not last, you’re first, right? It’s about not being the lowest-hanging fruit and the easiest target for people. As long as you’re faster than the other person that the bear is chasing after, you’ve got a pretty good shot of getting away. Is that accurate?
Yes. It’s also one of those things where people need to remember, like I said, that this is a warfare environment, and there are no allies. There’s no Geneva Convention in cyber. There is no rule or law that says that you can’t be gotten by somebody. It is literally whoever isn’t the harder target is going to go down sooner or later. It’s not a matter of being afraid. It’s just that’s the reality of what it is. You’re transiting an environment that is the only place in history where every human, every access, every business, every government is all at play in the world of trying to get one-up on each other, and that’s where the slow gazelle gets eaten by the faster lion.
Yes. I guess that’s probably also important to note too, if someone is specifically targeted, then —
You’re going to get got. That’s it. You’re going to get got.
Let’s talk a little bit about what Ericom does, because I find it very interesting around the remote-browser isolation concept that you’ve worked into zero trust. Can you talk a little bit about, at a high level, what is it, and how does it fit into that zero trust framework?
Sure. We have a new offering that’s going to be launched, I think, in March, which is specific to small and midsized enterprise. It’s all obviously interrelated. I wrote about this a couple of years ago at Forrester. I was interested in it as far as I thought it made sense in the context of ZT: What does everybody use to access the internet? Well, they use a browser. Then, where would you get attacked most likely? Via the browser. So, it just makes sense, based on the historical context of endpoints not doing well and antivirus failing when adversaries go after you, to try to run protection when the software is actually on your machine. Or, can I use the cloud, put an emulator up there, and the user doesn’t know that they’re actually operating in a cloud-based virtual browser? Then all the bad stuff happens there, and I’m removed from it.
In the context of ZT, it’s one of those deals where I don’t trust that my users might not interact with malicious content. So, I’m going to push them to remote browsing, and that way, I can protect them in that remote instance. I use our RBI all day, every day. I don’t notice weird, blippy stuff. The only time that you might see a little bit of a blip is if you’re doing heavy-duty gaming through the browser, which most people typically don’t do. The regular old stuff — YouTube and everything else — I have never noticed an issue with me being able to access stuff and see it. It looks like it is in the regular old Chrome browser.
Yes, that’s very cool. For those who are not familiar with the acronym RBI, it stands for “remote browser isolation.” I’m glad you mentioned gaming, because I am a bit of a gamer, and I have used quite a few of the gaming services, or the cloud gaming services, I should say — things like Google Stadia, Shadow PC, GeForceNOW, and that is one of the biggest problems that most people have with that concept. You’re essentially streaming all this data and video. Sometimes, it’s on 1080p HD, and sometimes you’re trying to get it up to 4K. That’s a lot of bandwidth. You mentioned that you haven’t experienced any major blips in that. I think that is really interesting because that’s also one of the things that, when I think about it from a privileged access management perspective, and session recording and monitoring and things like that, where you’re setting up these sessions, that’s been a historical kind of pain point that administrators face as well. The performance just isn’t as good as if it was native.
It sounds like you’ve been able to work around that, and that it works across browsers too. Does this require a certain browser like Chrome or —
No, you use whatever browser you want. It doesn’t matter. Once it’s up and running, it’s a proxy configuration. It takes 30 seconds, and then you’re done — if that long. If you’ve configured a proxy, it’s less. Once you’re up and running and you’re there, you really don’t know it.
I never want to tell people that something is perfect. Every once in a while, you run into some old, outdated, weird site or something like that, and you might see a little bit of a rendering issue, but in general, for the average, everyday stuff that you use a browser for, I’ve never run into an issue. We have a capability in there called crystal rendering. That basically eliminates a lot of that kludginess that you would get with some of the other RBI solutions. You don’t notice that it’s there, and that is where you get a lot of value in the security. It’s the users just doing what they do. They’re not having to configure anything, change it. I’m not saying, “Turn the VPN on” or whatever. Just use this plug-in and go browsing in it. Problem solved.
Is there a certain bandwidth requirement to be able to achieve that kind of experience?
We’ve got PoPs and everything all set up all over the world so that we have the connectivity that’s needed there. Other than every once in a while, you might run into something if everybody in the house is — my kids are on the Net and I’m on the Net, and we have gig speed. Every once in a while, I’ve gone on to something, and I’ve seen a little bit of a blip in it, but nothing where it’s been degrading my user experience.
That is cool, and I’ll put a link to Ericom in the show notes, too, so that people can check it out. I definitely recommend taking a look at it. Chase, I know you’ve been really generous with your time with us, and I want to start getting things closed out here for us on this episode, but before we go, are there any final words of wisdom from the doctor that you can give out to everyone?
I’m sitting here listening to Chase, and I was thinking. I think I had a great idea, which is that I want to put together a blog article of the top 10 people to follow on LinkedIn, and Chase is up there, Brian Krebs — there are a few others. So, I’m going to put that list together. Jackson Shaw is another one who we’ve actually had on the podcast — people who put a lot of great content out on LinkedIn. Chase, I know that you’re very open in networking. If you’re listening to this podcast, Chase Cunningham is somebody you should be connected to on LinkedIn.
I have a follow-up question. It’s tangential to that because I get a lot of great articles, webcasts and things that you publicize on LinkedIn, but I’m wondering, what are you reading right now? What are one or two things for the practitioners who are listening to this podcast that they could tune in to to enhance their knowledge?