Contextualizing Zero Trust

July 9, 2020 | Podcast episode: 27 minutes | 16 min read

Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.

On this week’s Security Intelligence podcast, Aarti Borkar, Vice President, OM, for IBM Security, joins the hosts to discuss Zero Trust.

As Chase Cunningham of Forrester summarized in an earlier episode about Zero Trust, the essence of the philosophy is, “Never trust, always verify.” When it comes to verification, Borkar adds, “the right person, the right data, the right time, the right context makes all the difference in the world.”

Looking at the Whole Picture

Outside the world of security, trust is a part of so much of what we do as human beings, impacting everything from how we make decisions to how we do business. Many of these decisions are based on “perceived trust,” which doesn’t quite cut it when it comes to security. To create the frameworks that govern identity and access management (IAM), data and threat management, trust must become quantifiable.

Context can help move perceived trust toward quantifiable trust. Every interaction and every verification requires “looking at that whole picture every time,” Borkar says. “The context of that interaction is unbelievably important.”

Innovating Through Zero Trust

Borkar has seen examples of Zero Trust in action, from applications in privileged access management to fraud protection technology. It might sound contradictory at first, but operationalizing Zero Trust can help organizations pursue innovation.

How does applying guardrails lead to innovation? Zero Trust’s “tenets force us to provide a simpler answer around security that is connected, that is continuous, that is easier to follow and that becomes a habit,” Borkar says. With shared context and a clear framework, everyone is on the same page as they drive the business forward. “The interconnected nature of security that a Zero Trust philosophy can provide, to me, helps innovation more than it ever has before.”

Episode Transcript:

MOULTON: So, this week we’re revisiting two of my favorite things, Zero Trust and conversations with Aarti.  Earlier this year, we talked to Chase Cunningham about Zero Trust, we’ve talked to Aarti about AI bias, and today, we’re bringing the Zero Trust conversation and Aarti together. I think you’re really going to enjoy this one.

COBB: In revisiting the two different topics, do you think that the perspectives on Zero Trust have changed, David?

MOULTON:  Not a ton. But I do think that there is a little bit of a shift that Aarti really highlighted. She articulated this idea that one of the most important things to understand about Zero Trust is this idea of context.

And that’s maybe not new for everyone, but I think the realization in the conversation with Aarti was how important that is so you can have a Zero Trust policy, but if you don’t have context across your control set, you’re missing out. And that’s maybe the big evolution from, you know, never trust, always verify to never trust, always verify and understand context.

COBB: This is the Security Intelligence podcast where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.

MOULTON:  And I’m David Moulton. Here’s my conversation with Aarti Borkar about Zero Trust and the importance of context.

Earlier this year we had a great conversation with Chase Cunningham from Forrester about the genesis of Zero Trust and how organizations can put that concept into practice.  One of the ways he defines Zero Trust is never trust, always verify. Never trust, always verify. Aarti, what does that mean to you?

BORKAR: Well, to me, it probably means a way of life, to be honest, but I’ll park that part of the story. In the world of security, though, we are going through a phase where the actual elements we secure — the data, the application, the infrastructure — is getting broken up and fragmented and separated across multiple elements, which makes the need to coordinate and verify who is touching what element that much more important.

So, it’s always been on people’s minds in the world of technology and security that verification of who they give keys to their kingdom is important. But as we expand the digital transformation realm, as we expand digital business interaction with partners, et cetera, that verification becomes that much more important.

And now we’re verifying on very small portions of the foundation, because it’s not, hey, I’ve got this massive door that allows you to enter this castle and I’m going to check the door of the castle, it’s I’ve got 25,000 rooms and you’ve got to check every one of them.

So, totally agree with Chase, and I think it’s become more important right now of ensuring the right person has access to the right data and apps at the right time under the right circumstances.  And to me that’s Zero Trust.

MOULTON: So, that idea of the right person at the right time with the right data and the right access, is that how you’ve expanded the meaning of Zero Trust?

BORKAR: I think if you step out of the world of security, still live in the world of business and technology, but outside of security, trust is the foundation of a lot of what we do as human beings. We do business with people we trust. We make decisions based on, quote/unquote, trusted data. It’s just a common term we use all the time.

But a lot of that is perceived trust. In the world of security, that needs to be quantifiable. And so when we get down to the specifics of ensuring the right people can get to the right data, which inherently means that the wrong people can’t, and the right people can get access to only the data that matters to them, and then we’re looking at the circumstances and the timing of when they access that data, it starts making this construct of trust that we have a bit more quantifiable, that we can sign our names off on, that we know that, even with the best intent, somebody is not making a mistake by just clicking on something wrong, et cetera.

If they don’t see the data they’re not meant to see, they can’t actually make the mistake of sharing it with somebody they shouldn’t. And so, yes, for me, it goes from perceived trust to quantifiable trust in the world of security, and the right person, the right data, the right time, the right context makes all the difference in the world.

MOULTON: So, I really like that idea of perceived versus quantifiable, particularly as we move from human to systems. And as you’re talking about that idea of Zero Trust, and you can then go through the right person with the right access at the right time, that’s really a good way of thinking about what Zero Trust means that goes beyond, in my mind, never trust, always verify. That’s a good framework, or you know, rule of thumb. The next one is one that you can start to engineer into your practices.

Now, one of the things I want to pivot to is this idea of remote work. And all of us are now experiencing a dose more of it than maybe we had in the past, and I’m curious, how does this shift to remote work and the different tools and the ways that we’re accessing different applications and data, interacting with one another, how has that impacted this idea of Zero Trust?

BORKAR: Three things that are happening. People are moving to the cloud faster because if everyone’s working remotely, it’s easier to do it in a digital fashion. And the movement to cloud is specific, it’s because the business is moving to a digital form factor even faster.

So, now you’ve got more touch points and more integration points, and each of those points needs to get verified.  You’ve got more point to point conversations between individuals that are now in their houses with the company they work for, but those same individuals with clients and partners. And so you’ve got a lot more one to one interactions through a digital realm, each one of them requiring verification.

So, the Zero Trust philosophy and foundation becomes that much more important because security is as good as your weakest link. And if you’ve got hundreds of these little point to point interaction patterns between people, devices, clients, partners, machines, phones — pick, right, there’s a whole host of them — then consistently following a philosophy that we’ve been talking about around Zero Trust gives people the guidance on how to stay safe as they go through this transformation of remote work.

We were already dealing with a lack of a perimeter with the journey to cloud. Remote work makes that perimeter, or if there was a sense of a perimeter, completely disappear.  I don’t think that there’s a more important time for us to adopt and make a habit out of the Zero Trust philosophy that a lot of us have been talking about.

MOULTON: So, with more importance placed on Zero Trust, and you’ve articulated all the reasons why and how that fragmentation has just made it more of an imperative, can you share with us what successful Zero Trust looks like?

BORKAR: So, let’s go back to what Chase started talking about, trust but verify, right? Verification requires some set of rules or some set of contexts of saying, what are you verifying? I’m verifying if this person is allowed to access this data. Great, but where…how do you know it’s the same person? Have you double checked that?

It is about time. Did they ask for it in the middle of a workday because you know there is a meeting happening, or did they try to access large swaths of data in the middle of the night when you don’t expect them to work? So, the context of that interaction is unbelievably important.

So, taking trust but verify and taking it to operationalizing it requires the need to be able to contextualize the frame of reference for every one of those rules. Today in the world of security, we build those rules in various aspects. We build them around threat management, and we’re looking at network traffic and logging and the incidents and the threat intelligence.

We do it slightly differently in the world of data.  We build rules on what somebody is allowed to access based on the type of data there is and kind of have a set of rules on behavior of interaction with data, and that is people or machines accessing that data.

And then there’s a whole other world when you’re thinking of identity management, of access — accessing something as simple as your bank account has, you know, a set of rules that are defined which allows you to access or not access and how people catch and catch things like phishing and more.

Each of these rules tend to be distinct and different.  Being able to weave a thread across them gives you the verification you really need to apply a true Zero Trust philosophy or foundation.

So, to me, the importance here is making sure we are looking at that whole picture every time when we do make a decision to verify or not verify a particular interaction. That starts becoming a tangible way to put the philosophy into our products, into our technologies and into our behavior patterns that we can monitor and operationalize.

MOULTON: So, when we think about what a successful Zero Trust implementation looks like, it sounds like it’s all about context, right, having that data that you can use to make your decision and then what sits outside of that data. Do you think that organizations have a really solid understanding of how context improves their Zero Trust implementation today?

BORKAR: I’m going to use a story that my grandmother used to tell me a long time ago, because I’ve thought about it more than once as we’ve built out a point of view on Zero Trust. She was trying to get me to step back and see a bigger picture, and she used to talk about a story where six blind men run into an elephant, and one of them touches the trunk and thinks it’s a snake, and one touches the foot and thinks it’s a tree trunk, and another touches the side and thinks it’s a wall.

And each of them, in their own right, felt that they had enough context to say that it was a tree trunk or a snake or a wall. The right thing to do would have been to say, hey, I’m at the front, and I feel this thing that looks like a snake; and I’m on the side, and I feel this thing that looks like a wall. And just sharing that information might have given them the way to say, oh, actually, we’re touching an elephant.

Not to take a childhood story and make it sound like the solution to our security issues, but that’s nearly what happens today in the world of security. We have siloed groups that have siloed outcomes that they’re trying to achieve and conversations they’re trying to have.

And so, in their own right, they will think that they know the context, but what they’re missing is to get the full picture they need to work with each other and get a broader story.  So, the fidelity of the response to a problem situation is coordinated across more than one of them. It allows them to find the problems faster, it allows them to solve them faster.

So, going back to your question of do I think people know the answers, unfortunately, probably not as much as they should.  The good news is most of them are starting to realize there is more that they need to and could do here.

MOULTON: I’m wondering, how do you enable the business to innovate better in that space?

BORKAR: That’s the magic. So, the good part of Zero Trust is it not only provides a security foundation, its tenets force us to provide a simpler answer around security that is connected, that is continuous, that is easier to follow and that becomes a habit.

So, what does innovation require?  And when we say innovation, it should be technology innovation, it should be business innovation, it should be outcomes for the end clients in different parts of the world. It could be the world of finance, in retail, distribution. All of them have cool, new, innovative ideas, and security needs to support them.

If we can create a framework that is connected because of the context and is preventing everyone involved from taking missteps, then the innovation actually flourishes because they don’t see the security elements as gates, they see them as guardrails that they can use to ensure that innovation follows a path. And guardrails tend to speed up process because people aren’t floundering, whereas gates require people to jump over it to get to where they want to go. So, to me, the same set of values and ideas help innovation from a business perspective.

A lot of this correlation that we’re talking about happens behind the scenes. As a result, the right context‑driven action can take place. For example, a team is working really well. You’ve got the right mix across a company, across a few other companies. We tend to have a fear of insider threat, which means, hey, this is a mission critical project.

We’ve got a bunch of people working together. Is somebody going to betray our trust and take this information somewhere else, or is someone spoofing being part of our team, watching, and wants to take this information somewhere else? If you’re constantly watching for it, that hampers innovation.

On the flip side, if you can say that, hey, my security platform is watching interactions on a variety of domains, things that happen on the network, at the endpoints that a threat management platform would constantly look at, and then it’s correlating it to all the data associated with the project and it’s looking at whether there are any rule violations on the data access.

And then it’s looking at interaction patterns and access patterns of all of these members because that happens on a daily basis and through an identity platform. And guess what? All that information is correlated. And better still, we’ve got a response platform that can coordinate a response in near real time across all these three elements.

That gives that team a sense of peace of mind to be able to continue innovating on a high‑profile project without constantly worrying if one of them in that team might create a breach they don’t want to happen. And so the interconnected nature of security that a Zero Trust philosophy can provide, to me, helps innovation more than it ever has before.

MOULTON: I really like that, Aarti. I think that idea of if you want innovation, erect your guardrails, not your gates really resonates. You think about a gate, you got to stop, wait for it to go up. But the guardrail maybe lets you go a little faster because you know that if you do make a mistake, you’re going to get bumped back out on to the road as opposed to a full wreck. Aarti, do you have any examples of Zero Trust in action from your experience?

BORKAR: I’ll tell you some of the examples that we’ve come across from a few different clients in more than one…there are simple ways. The data identity part that I was talking about is starting to become real for a lot of our clients. We’re starting to see information where the data team is sharing details of what data is important with the identity team, because the data team does it today, it has rules, it has governance patterns, it has setups.

Sharing it with the identity team starts giving the identity management setup the ability to say, hey, you’re authorizing this person to this system. This system happens to have details of all your clients, all your suppliers, you know, loyalty information, whatever it is. That simple context of being able to say what is in the system you are giving people access to is allowing clients that we know to make the right decision about should they or should they not give access.

It becomes even more important when you’re talking about privileged access management and the types of information that they should have. So, we’re seeing a lot more correlation between clients on the data and identity side.

Another context driven example for me that becomes really clear in this working from home scenario is we’ve got, you know, we’ve got a fraud solution as part of the portfolio. That fraud solution is capable of identifying if a person that is logging into, say, a single sign‑on page of the company from a home computer which is not managed, has malware.

So, just by the interaction, the technology, the fraud technology, which is on that Web page, can say, hey, this person that’s logging in seems to have some malware. Now, the right thing to do is not tell the person who’s logging in, hey, you’ve got malware; it is being able to connect that to the SOC.

And so the fraud technology, in this case, automatically passes context to the SOC saying, this identity interaction seems to come from a machine that has malware. Now, our platform that the SOC uses has threat intelligence combined with SIEM and SOAR capabilities.

And so the minute it gets this information from the fraud solution — and we’re seeing banks use this heavily as they’re starting to see more working from home elements — that SOC can now do something. The SOC analyst can do something about this specific machine and respond across all domains of activity that’s coming from this home computer, not because there’s a malicious intent by the user, but because there seems to be malware on the machine.  Now, it can also, similarly, find malicious intent.

These correlations between technologies, automatic integration, passing of context we’re starting to see being adopted and deployed a lot more now, especially with the mass working from home environments and remote interaction environments that are in place, than ever before.

So, we’re seeing clients across industries actually.  Obviously, the financial world is very careful about this, but it’s starting to be more prevalent in manufacturing, in retail, where more and more of face to face interactions from the prior timeframe is now remote.

And I can keep going. This is something that excites me. I love being able to find solutions where correlation by software automatically talking to each other provides the client an easy button to solve a problem that otherwise would be very hard to solve.

MOULTON: So, Aarti, let’s talk about the people that are critical to bringing Zero Trust to the forefront of an organization’s security strategy.

BORKAR: So, the interesting part here is we talked about a few elements. We talked about innovation, business growth, the current circumstances of where people are working, the changes businesses have to make. If you think about all of these questions, they all require the business teams to be involved with the security teams to get the right answers.

And that’s probably been the hard part, of ensuring that the conversation is not just the security team figuring this out on their own, but the technology teams, the IT teams, the line of business teams coming together and having a discussion in language that everybody understands without that being lost in translation.

So, if you ask me who’s required, you actually need the security team who understands the nuances of business a little bit, and you need a business team that realizes that their brand presence and identity as a company is heavily dependent in the digital world of being secure and trusted.

And bringing those two groups together starts giving you the right answer on which team or the right team or the right set of people that can put the Zero Trust philosophy architecture and habits into play such that the entire corporation benefits from it.

MOULTON: So, you’ve really hit on this idea of bringing things together for success, right, whether it’s data and context or if it’s going to be business teams and security teams. And I like the idea that Zero Trust is not just this, you know, limited to security, but it’s a business philosophy and then it extends up and down into the business and into the security teams such that you can innovate so that you can go faster.

It’s just…it’s really exciting. I can see why you get jazzed up about this. So, given the needs for security to drive more innovation in the business in order to keep up with consumer demand, how do you see the CISO’s role evolving with regard to Zero Trust?

BORKAR: So, one of my favorite CISOs, and I won’t definitely give you a name because, you know, they’re all my favorites, sort of, but one of them said something to me a few weeks ago, actually.  He said that he learned it from his mentor. He said the best…there’s great CISOs and there’s good CISOs. The good CISOs truly understand the problems and get the solutions; the great CISOs understand the business.

And so the role of the CISO, to me, is one of the most critical roles in the future of nearly every market segment because every company is doing more work digitally. And so it’s gone from being a supporting profile to the technology needs of the company to being a primary voice at the table as the business is getting run.

And so for that CISO to be able to sit at that table and tie the technology needs, understand risk, understand security requirements while creating a frictionless environment for business and innovation to exist is going to be paramount.

And for the…which is a leap from where they’ve been, right? And a lot of CISOs are on this journey, but that role will continue to solidify as a combination of business and technology acumen and decision making going forward.

MOULTON: So, just like that security team needs the business partner to figure out context and those sorts of things, there’s no way that that CISO is going to be able to go on that journey alone. And when you think about which C‑suite leaders are going to be needed to help that CISO succeed and the business succeed together, who would you tap first?

BORKAR: Oh, good question. I think, you know, there’s…the CIO and the CISO already partners, so I’m not going to go down that route. I think the other person that is a good partner in crime for the CISO starts becoming the chief technology officer or the chief digital officer that a lot of companies have.

The roles of the CTO and the CDOs live on this intersection of futuristic innovation and the reality of the technology of today, and the CISO’s responsibility goes from reality of technology today to ensuring that they’re extremely secure.

So, there is a bit of an overlap in their thought process, one more role futuristic than the other, and I think they can play off each other, they’ll support each other. And if those two roles come together as a clear partnership, they might be able to provide the right guidance for innovation and security to the rest of the company as a group, as a joint group.

So, thanks for making me think about that. I do think that the digital officer, technology officer persona would be a good friend to have for the CISO.

MOULTON: So, that’s your Zero Trust kickball team, CISO, CIO, CTO and the chief digital officer.

BORKAR: That sounds like a perfect combination to go change the world.

MOULTON: So, Aarti, a ton for our audience here. Thanks so much for joining us for the podcast on Zero Trust. I’ll look forward to our next conversation.

BORKAR: Always look forward to talking to you, David.

COBB: So, David, one of the pieces of that discussion that I really love is the idea of the Zero Trust kickball team. And we know Aarti mentioned CDO and the CTO and a CISO.  Who else would you put on? Who would you put on your team to really stack the deck for Zero Trust?

MOULTON: Yes, so I think my mind goes immediately to the chief marketing officer. I’m just a little bit partial to the idea that that’s a person that is so tied to customer experience and to some of the benefits of really great security or some of the downfalls of a security breach with customer churn and trust and those sorts of things.

So, as you put the CMO next to the CTO, the CISO, the CDO, I think it rounds out that outside‑in point of view. The technologist is there, you’ve got your data officer, you’ve got things like privacy mixed in, and then you’ve got your CISO that’s the human glue that brings that executive team together.

COBB: Curious, I know that it’s an outside‑in perspective, but I wonder if there is a need for, like, the chief human resource officer.

MOULTON: Oh, I like, too.

COBB: Yes. See?

MOULTON: Yes, maybe both. I mean, how big is this kickball team?

COBB: It’s immense.

MOULTON: There we go.  Then, perfect.

COBB: I mean, perfect.

MOULTON: We’ve made it the right size.

COBB: However, I think there might be other suggestions.  So, if you, dear listeners, have thoughts or suggestions on who else should be on this Zero Trust kickball team, you can leave a comment on SoundCloud or wherever you see this podcast posted and really confuse whoever’s sharing it if they’re not sure of the context. So, that’s what we’ve got for this episode. Thank you, Aarti, for joining us as a guest.

MOULTON: If you enjoyed this episode or missed our earlier conversations about Zero Trust or AI bias, you can always listen to our backlog on Apple Podcast, Google Podcast, SoundCloud or Spotify. And while you’re there, you can subscribe. Thanks for listening.

Megan Radogna
Megan Radogna is a contributor for SecurityIntelligence.