Authentication Meets Zero Trust

Dr. Chase Cunningham, known as Dr. Zero Trust, reviews the current state of zero trust, why enterprises look first to modernize identity and access management when starting their journey, how authentication is at the critical intersection between identity and security, and why the rise of Zero Trust Authentication is the inevitable next step and is foundational to success with any zero trust initiative.


Hi, I'm Chase Cunningham. Dr. Zero Trust, if you want to be cool. Dr. Cunningham, if you want to be formal. 

I appreciate the folks from Beyond Identity inviting me here to talk about ZT. But let's really talk about Zero Trust just to begin with. I think we have so much stuff going on in the market where there's a lot of jumping into the mix to say we do ZT too, that it's good to see organizations who get into this and start talking about leadership and engagement and growing the initiative because we've got plenty of buzz, which is not a bad thing. 

I think honestly, we should bury that conversation about buzzwords being bad. Buzz is good as buzz actually has staying power. And if you think about it, ZT has been around, even though it's been buzzword stage since 2018-ish, 2017-ish, if you really want to go back that far, I think that's when I almost got hit by a zero-trust bus out there in San Francisco at RSA. 

So the fact that it's still here and that it's still being adopted broadly means that there's staying power. So let's just be real about that. Where we're moving with this, the global initiative in ZT, if you're following things, is that we're trying to solve problems systematically and strategically. 

The goal for ZT is not to just keep throwing money at the problem. Defense in depth, to quote my good friend, Rick Holland, is really expense in depth. And we've figured that out. It's good for the adversary. It helps complicate things. It also means that we are literally cutting our own throats at the security persona level because we're trying to say we need more technology to solve the problem. 

The days of us getting blank checks are pretty much over. If you talk to CISOs, CIOs, CEOs, which I do on a regular basis, they're not just sending money anymore to solve cybersecurity. If you do not walk in and have an organizational strategy and a plan that you can leverage, the odds of them giving you a blank check to do security, pretty slim, especially for any organization that actually knows what the hell they're doing. 

So, understand that the reason that ZT is growing like it is is because there is value to the strategic positioning and the initiatives that we're putting in place. You know, the DoD strategy, which is something that a lot of us were lucky enough to be involved in either influencing or authoring, is built in this strategic structured manner for a very specific reason. 

It's a rollout over time. And if you notice, one of the things that they're doing in this first stage, and this is all publicly available, you can go look it up, is they're talking about solving for the identity and the users, and really making sure that we take care of authentication, and protocols, and multi-factor, and passwordless, and all those things. 

And the piece that we should take away from this is why is that something that you do first? It's pretty simple when you actually step back. Why is authentication, is identity, are the entities, because I think this is much bigger than just a user, why is that so critical to secure, especially when we're thinking about ZT? Well, what does the adversary use? 

I mean, everyone talks about the Verizon DBIR, the DBIR, we reference that as a biblical, you know, tome every year, and people still will sit around wondering, how are we going to stop the adversary? How are we going to take back the initiative and start gaining the high ground? What does the DBIR tell us is the number one avenue of compromise for the last X number of years? 

And I mean, go back to when the DBIR first became a document we read, it's users, credentials, privileges, access, authorization, authentication, those things. It is not crazy zero-day whatever, it is not super amazing AI-powered nuclear fission, hacker, whatever. 

It's users, entities, credentials, default passwords, logins, access, authorization, authentication, those things. Therefore, if we're going to put a strategy in place, and this is, again, why you see this in the DoD strategy and organizations are adopting this as their first jump into ZT, you solve for what the adversary needs to be successful. 

It's literally that simple. If we know, and we have decades worth of proof, we have analysis, we have data, we have all these things that tell us that this is how a compromise occurs, and this is not only how it occurs, but how it gets worse. You know, it's okay to be on the Titanic if you've got watertight integrity. If you don't have watertight integrity, you wind up with, you know, people floating on a door in the middle of the frozen sea. 

It's not a good place to be. So, what we want is to remove the adversary's ability to be continually successful. I can deal with a compromise, like people are going to get hacked, users click things, folks download stuff, there's misconfigurations everywhere. It is too big of a moving target to operate with the mindset of, "We will never be compromised." As a matter of fact, when I do workshops with organizations, the first thing that we talk about is accepting the reality of compromise. 

You're going to get hacked. I'm going to get hacked. As sure as the sun shall rise, death, taxes, and hacking. Maybe the sun doesn't rise, who knows? But really, what we're trying to get to is what does the bad guy need to be continually successful? If we accept that compromise is a given, in some way, shape, or form, they need authorization. They need to be able to authenticate. 

They need to be able to escalate privileges. They need all those trust relationships that revolve around an entity within a digital system. I'm an admin on my machine. I shouldn't be, but I am. What can I do with that admin credential? We look at default creds. Most of these systems that come to us, and this is why I say entities, not just users. 

Authentication, authorization, access is bigger than just people. You've got a digital thermostat, you've got cloud stuff, you've got wirelessly enabled printers, you have crazy new capabilities being leveraged all the time, applications, blah blah, like all this stuff that is connected. How does it get to something within that connected system? 

It's pretty binary. It happens by authentication, by escalation, by access, usually crappy passwords, and whatever else. But that's key. So, if you're going to solve for ZT, I personally think that one of the main things that you solve for first is taking care of the authentication protocols that are bouncing around, you take care of how users are getting to systems, and you take care of what the adversary would need to be continually successful. 

Excessive privileges will eat your lunch all the time. Most of what you look at, especially even with the API hacks that are going on now and a bunch of these other new compromises that we're dealing with, it's just a different avenue for initial access. And then after that, what do they do? 

The same thing that they've done for decades on decades and they go through the process, and people sit around wondering, how do we solve this problem? We know what it is. If you're solving for things like authentication and authorization and access and the ability to remove the adversary's foothold, you're winning. Are you done? 

Absolutely not. Hell no. Are you moving towards a position where you are more defended? Yes. Are you making your organization a harder target? Yes. If you make your organization a harder target, what will happen? 

The adversaries will find an easier target. This is why I talk about the slow gazelle and those things all the time. If we live on the same street and my house is well-defended and yours is not and they break into your house, I'm sorry, I'll send you some cookies. But they didn't break into my house. Like, this is not a place where a rising tide lifts all ships. You do the right things and you take care of your organization, you be the harder target, the faster gazelle, and you see what happens with the herd at the back. 

It's unfortunate, but that's the reality of what we're dealing with here. Lastly, zero trust is achievable. Strategically speaking, it is achievable. I know organizations and I'm working on publications around literally the value proposition and how much use and good there is for zero trust when it's put in place. 

It is not doable in today's digital ecosystem without solutions and technologies that work at scale. It's simply not doable. Unless you are a one-person shop with one computer and one manager and whatever else, the moment that you get to the kind of r-naught value of like the viral side of this thing, it's too big, too fast. 

You throw in cloud and containers and Kubernetes and developers, and, and, and, it's just not doable. Therefore, this is why we have such a growth of vendors in the space that are trying to solve for this problem. There are some vendors that are very good at this. There are some vendors that are trying to latch onto the marketing initiative. And there are some vendors that flat have nothing to do with ZT that are just trying to, you know, ride the bandwagon and the wave. 

Your organization should think about how you're... and this is why we're having a leadership series and I think it's great they're calling us the bridge to zero trust, because what we're trying to do is bridge the gap here. Your organization should be thinking about how this strategy can be leveraged for your organization. There is no biblical tome, there is no thou shalt only do these things. This is about you and the things that you need to enable ZT for your business, your organization, your users, however you want to look at it. 

Know that you can do this. Know that zero trust is achievable. It's a lot like body fat for bodybuilders. They'll never get to zero because if they did, they would die. You're never going to get towards total zero trust, but you're getting towards a place where you have much more manageable trust at speed and at scale. 

Trust is a vulnerability. You can do this. If you don't, you are basically choosing to ignore the value proposition that hundreds of organizations market that is growing exponentially has validated as a real thing with real value. And you are choosing to roll the dice and gamble and hope that you are not the slow gazelle on the Serengeti. 

Sooner or later, you will be. So, the choice really is going to boil down to, do you start engaging in zero trust now and be ahead of the curve and be at the front of the pack, or do you wait and roll the dice? I'm telling you unequivocally, you can get to zero trust. I know that it's possible. The technologies exist. 

But if you focus on the things that the adversary needs to be successful, you can begin eliminating their power position. That's what you're actually trying to get to. Zero trust is not a product, it is not a singular technology. You cannot buy it off the shelf. It requires strategic alignment, it requires technology optimization, it requires human optimization, and it requires business cases to validate why we need to do this. 

I think it's worth noting a lot of organizations, there's books being written on the topic right now, are wondering where to start to enable ZT. I think it's a combination of a couple of approaches. I think number one, personally, I think you should run a red team op because that gives you a real grounding in what the adversary would do to come after you. But I think also if you ground your thinking in statistics and data, I mean math and those numbers is how we would talk to aliens, it should be pretty clear, the first problem that you should solve is around identity, and access, and users, and passwords, and those types of things. 

If you're doing anything else, you're solving for a problem that is further down the road and is not going to provide the immediate benefits that you would see. If you look at the organizations that have moved in on this, and I'm talking at the global level, if they've taken care of identity and users and access and authorization and those things first, they're actually solving a large percentage of the problem space. 

Everything in this engine that is the digital ecosystem revolves around access, authentication, authorization. Solve for those problems first and you're gaining some significant ground and you can actually take reports back to leadership and say, "Look, we had all these things that were out there that were misconfigured and potentially risky, now they're gone." 

That's a winning value proposition. It's numbers, it's metrics, it shows that you're making a change and making a difference. So before we get further into this, since I just want to answer the question because it comes across so often, if you're going to do things in ZT, what do you do first? I think you take care of identities, and access, and users, and passwords, and authorization, and authentication, and you do it the right way at scale with a technology solution that can validate what you're doing is actually making a difference. 

I think zero trust, at its core, is key to the future of the digital ecosystem, and I think for most organizations, if you really step back and look at it, you should think zero trust is a requirement for your business. I hope you enjoy this session. I really want to thank you for listening to me. And I really want to thank Beyond Identity for hosting this event.