Informal chat with our host Reece Guida, CTO Jasson Casey, VP of Product Strategy Husnain Bajwa (HB), and special guest Chase Cunningham, also known as Dr. Zero Trust. The group discusses zero trust, the important role of authentication, and they throw in a little history to keep it interesting.

Transcription

Reece

Hello, and welcome to another episode of "Cybersecurity Hot Takes" podcast. We have a remarkably special guest among us today who may or may not be a doctor. But before I get to that, let's do our fun little intros as per usual. My name is Reece Guida. I'm an enterprise sales representative, also your podcast host. 

I'm going to kick it over to HB. 

HB

I'm HB Product Strategy at Beyond Identity. 

Jasson

Jasson Casey. I'm the CTO here at Beyond Identity. 

Reece

Jasson Casey is also a doctor, but he's not the doctor I was talking about earlier. 

Jasson

I can't prescribe that penicillin for you, Reese. 

Reece

Dang it. 

Chase Cunningham (Dr. Zero Trust)

Yeah, I am a doctor. Actually, I do have a doctorate, but it's Dr. Zero Trust, if you want to be informal, I guess. But Dr. Cunningham would be the thing that makes mom proud. 

Reece

That's right. And I hope she is proud listening to this today. 

Chase

I don't know. 

Reece

So we brought Dr. Zero Trust here today to talk about zero trust. Oh, my gosh. So surprising. 

Chase

Shocker. 

Reece

The hot take is the journey to zero trust starts with authentication. 

Chase, what do you think? 

Chase

I don't think that that's entirely wrong. I think if you really look at the requirements for enabling ZT, and this is where most folks go wrong, they're always looking for, like, this perfect defense sort of concept. Perfect defense doesn't exist. Literally, one of the main tenets of ZT is accept compromise. You're going to get compromised. 

People click stuff. Humans are humans. We shouldn't try and fool ourselves that they're not going to be. Now, if we look at that as like, a given, well, what does the adversary have to have to continually be successful inside of systems? And there's so much data published on this. You'd have to be blind or living under a rock or blind under a rock to really not accept that this is a thing. Somewhere along the way, authentication happens everywhere. 

If you can interrupt the ability for the adversary to be continually successful and authenticate continually, you make them miserable. And, I mean, that's what I try and get people to understand when I'm talking about zero trust is I'm not worried necessarily about the defender. I'm really focusing on how do I make the bad guys' investment time, operational needs, not worth it for them, and they go find an easier target. 

A rising tide in cyber does not lift all ships. If they decide to break into my neighbor's house, it sucks for my neighbor, but Chase is fine. So that's kind of what... I don't disagree, right? Authentication is critical, and I think one of the primary problems to solve to begin with is look at where the greatest avenue of compromise is. It's users, it's creds, it's privileges, it's authentication, those types of things. 

Why would I focus on anything else first when that is, statistically speaking, the exponentially larger threat space. 

Jasson

Kind of the way that I got here was it's similar, but the take has to do with communication, right? In order to do anything useful, whether it's reconnaissance, lateral movement, exfil, I have to talk to something, right? I have to talk to something to see it. I have to talk to something to move to it. 

I have to talk to something to give something back to it. And at least in enterprise architectures, there's almost no communication that is not authorized, right, in some way, shape, or fashion, or at least shouldn't be. 

Chase

Shouldn't be. Yeah. 

Jasson

Right? And one of the principles that I kind of took out of zero trust is essentially, if I focus on my communication barriers, right? It's, how do I have a logical consistent system that's actually, number one, if everything is, in fact, authorized? I'm going to see all of these movements. If everything is authorized or if my authentication system, that's providing authorizations, is always getting either directly bombarded or indirectly accessed, right? 

When people are carrying, tokens are back and forth, I have this natural toll bridge, right? That the good guys and the bad guys have to cross. So it feels like this natural high ground to kind of lever not just intelligence, but also action. And at least from our perspective, like when we put authentication at the center of ZT it's really the thing that we can always count on. 

That's at least how we got there. 

Chase

Yeah, I mean, I think it stretches across the space. I like to use the Lockheed Martin Kill Chain as, I think it's kind of a biblical reference, you know, military me says that, that has to be a thing. OODA loop and whatever else. But if you look at the kill chain, everyone's got this victim mentality of the bad guy's only got to be right once. No, the bad guy has to be right continually. 

Jasson

Six times in a row, right? 

Chase

If you can get in any one of those, you interrupt the bad guy's life cycle. They operate on budgets, they operate on requirements. The Mexican drug cartels are now involved in cyber ops. They have other things to do. If you're interrupting their life cycle and you're making it hard for them, they'll find someone else. 

Jasson

I'm sure there's an economics role here, but people do what's easy. 

HB

And I think we're really big fans of the Kill Chain as well here, because when you think about it, laying things out in a chronological and ordered fashion where initial access is followed by some sort of persistence installation, is followed by some sort of reconnaissance that's progressively growing in time. 

As security metaphors go, it's akin to, wouldn't you want to have strong security at your front door before you start putting bars on your windows? So if you're designing something that's, it's natural entry points are not protected, I think you're always going to have a lot of issues. 

And people have ignored those natural entry points because they've assumed that those are resolved issues that, "Oh, well. I went to SSO and I vastly increased my lateral movement risk and attack surface, but no big deal, I solved it with MFA." 

And I think now we're just kind of seeing that you need to properly resolve it in order to be secure in the modern environment. 

Chase

I mean, truth is in data, truth is in mathematics, right? If we're going to talk with aliens, I mean, that's how we would talk with them, because it's the universal language. It's the same thing in cyber. You take in lots of data, lots of telemetry, lots of information, you use it mathematically, algorithmically within a policy engine to do these things at scale, and you're able to do that. I think, to your point, as far as one of the first things to do or a key piece to move to ZT, if you're not using policy capabilities that have that algorithmic mathematics capability, you can't keep up. 

The scale of this problem is almost infinite. And if you're trying to do this with spreadsheets and Timmy the intern, it's game over. The bad guys play on complexity, you know what I mean? Like when I did red team stuff, if I found a network that was really complicated and they had two IT people, baby, it's game on. I'm just going to eat your lunch. 

Jasson

Yeah, yeah, yeah. So there was actually some work done by DARPA, and this was the late 2000s, and they were red teaming a Little Bird helicopter, and it was, "Wire" did an article on. Are you familiar with it? 

Chase

No. 

Jasson

So the gist of it was they thought their systems were vulnerable. They wanted to get a red team on there. It's a lot of software in the helicopter. And the, surprise, surprise, red team came back and said, "Yeah, we basically popped every system." And so the project was basically set up to, let's do a before and after. And they had this area where they wanted to apply formal methods, trusted computing to software security, and embedded systems in the avionics of the helicopter. 

And the gist of it was exactly that. A lot of software systems are inherently complex, and they're not necessarily designed or constructed using these kind of structured, inductive rules. And this work that's really been cooking around for probably 40, 50 years in the academic community, hadn't really seen a lot of sunshine, had started to see progress over in Europe, and like flight control systems of Airbus or whatnot, and so DARPA wanted to test it. 

And so they use these formal methods, techniques to actually redesign a lot of the software in the helicopter. They ran the red team again, red team came back, and they're like, "Well, we got 1 system of the 20." And when they looked at their notes, DARPA forgot there was that one system, so they didn't even work on it. And the principles really in all of this was rather than having a system that sprawls in complexity, if you're building a system that has these kind of composable rules that's based on this kind of logic system which formal methods kind of extends into software development and compilers. 

You then have a lot of power to actually say what scenarios are possible, and what scenarios are impossible regardless of the inputs the adversary actually gives my system. And where that's starting to make its inroads into our industry right now is trusted computing in terms of TPMs and enclaves. 

And so when we talk about authentication at the core of ZT for us, that's the one thing that we can trust, right? Like, there is an assumption at the core, do you choose to trust…

Chase

HahaSay that five times fast? 

Jasson

Yeah. Do you choose to trust Infineon, the OEM manufacturer of this tiny, little TPM chip? And then this is a decision you get to make. But if you decide to choose, to trust them, then at that point, it's just logic on, is this key, in fact, a key embedded in an Infineon chip on a Dell backplane from X, Y, and Z? And receipts can be provide. You can verify the math. So this is inherently a way of kind of decomplexifying a situation, but also having these provable attestations and assertions of what you're actually dealing with. 

There's still assumptions. Zero trust doesn't get rid of all of assumptions, but it does help you minimize them. Anyway, that's like one of my favorite stories of like a real academic math thing having its time in the real world, and we now actually depend on it. Like, at the heart of a TPM is exactly that. 

Chase

Well, and I do a lot of workshops with folks, and they talk about ZT being kind of an abstract concept, whatever else. And my response to them is, "Well, if you're are a relatively functional adult you live ZT anyway, all day, every day, or you should at least." Like, take the idea of somebody pulls in your driveway and they walk up to, I don't know, fix your air conditioner. 

Do they just open the door and walk in because they have an air conditioner sticker on their van? Or do you go like, "Hang on, like, wait a minute, who are you? Why are you here? What do you need to do? Or you need to get to the air conditioner? Well, the unit is out back, so go out back and do your thing, and then when you're done, come check in with me, and we'll sign papers and you leave." That's a ZT approach, and you are authenticating that individual for a reason to be there. Like, in my house, I live on a gravel road. 

I know who's coming and down it. I've got two evil Pomeranians to make sure that you show up, I know you're there. I've got a Doberman in case the poms don't work. That type of thing. So this is not such a crazy concept, but folks just have to wrap their head around that it's doable if technology makes these conceptual approaches possible. 

Jasson

Yeah. What's the reason for belief? 

Reece

I think your message is really empowering. Do you find that people are becoming less intimidated by zero trust now that there's just been so much marketing saturation of the term? 

Chase

I think, I mean, the good thing is the hater rate on the buzz terms is fine, but if you look at cyber, we've, typically, over the course of like, say, the last seven years, anything new that's come up has been buzz, buzz, buzz. It shows up at RSA and it's gone next year. ZT has been there for years on end now. Like I've almost been hit by the ZT bus, literally, the actual bus in San Francisco twice. 

So this thing has enough gravitas and enough adoption that it is staying around. And the fact that we have federally mandated initiatives with billion-dollar-plus kitties, money behind it, is pushing this. So I'm really pleased that the concept and the strategy is taking hold. 

HB

Yeah, I think that's spot on. And I think, we were talking the other day about the difference between a trend and a fad, and in security, there's always a fad du jour that the analysts are pushing. 

Chase

ChatGPT. Sorry, ChatGPT. 

HB

Just another layer of defense in-depth or an excuse to get people to spend more money on something. 

Chase

Expense in-depth, I think they call it. 

HB

Exactly. And I think zero trust in what it sort of gets you away from, perimeter security, castle and moat kind of architectures, and what we had done for 25 years in terms of physical security, port-based security, colored ports, those kinds of things, pushing that to a more mobility centric, work from home, work from anywhere type of environment where you're sort of transactionally verifying it similar to your life, which sounds like it's lived in sort of…

Chase

Redneckville. You can say that it's fine. 

HB

It sounded like a "24" episode to me, or something like that. Like where there's a person that you really need to go find and that person knows exactly when you arrive. 

Chase

Exactly. Yeah. That's how you want to be. Yeah. 

HB

Yeah.  And so I think zero trust, for us at least, has really emerged as a trend and the work that NIST is doing now in terms of defining architectures and keeping it flexible and adaptable, it's really encouraging to us. 

Chase

Quickly, because I know that you want to wrap up, but the folks should look at this. The first time that the perimeter model of security categorically failed was 1260 BC. That was the fall of Troy. So we've known for 1,000-plus years that, that model wasn't going to work. All we did was digitize it, make it global, and make it move at the speed of light, and thought we'd fix the problem. 

Reece

I think that's a really compelling place to end it, especially with CrowdStrike's Super Bowl commercial. 

Chase

Yeah, it was kind of comical. 

Reece

Definitely harkens to that. Yeah. It's all right. So I know you got a busy day to get to in New York City. Before you go, any other advice for our listeners embarking on their zero trust journey? 

Chase

I think the biggest thing is just to understand that it's really about you, your business, your strategy. The tenets of ZT, the concept, the theory can be applied based on your needs, and that's how you should approach it. 

Reece

Thanks, Dr. Cunningham. See you next time. And don't forget, beloved audience, like and subscribe. Smash that button. See you next time.