The Zen of Zero Trust: Industry Insights from a Rousing Roundtable
For the past decade, conversations have increasingly shifted from the erosion of the network perimeter, to the post-perimeter, and to BeyondCorp. Ten years ago, trends like cloud computing, software as a service, mobile devices, and public network access were a challenge to secure while still enabling productivity. Today, many of these challenges have been addressed – at least from the perspective of protecting the end user. Now, the risks are much more advanced and concern the underlying architecture and process of application development and service delivery, as well as mitigating third-party risk.
Recently, I had the opportunity to moderate a panel discussion, “The Zen of Zero Trust,” along with Karthik Krishnan, CEO of Concentric AI. We were joined by an excellent panel of cybersecurity experts, including Sebastian Goodwin, VP of Cybersecurity for Nutanix; Avishai Avivi, CISO/CPO for Tax Credit Company; and Jason Lish, CSO/CPO/CDO for Advisor Group. Collectively, the panel was full of MBAs, Six Sigma graduates, and published authors, with public and private sector experience across pretty much every imaginable vertical.
Our conversation was set to focus on “zero trust,” a popular cybersecurity architecture that is transforming everything online, from data in documents to APIs, and from cybersecurity to operations. We began our discussion with the difference between zero trust for data and zero trust for the network. Zero trust for the network is where the first wave of solutions has materialized, designed to protect exposed resources from exploitation. Zero trust for data is where the next wave of challenges and solutions is focused.
Our panelists discussed how cloud-based productivity and collaboration tools, such as Google Workspace and Microsoft Office 365, represent a new risk surface because they have the potential to create a lot of unstructured data. Likewise, application delivery “as-a-service” may expose APIs to abuse or to third-party risk from partners. Yet CISOs know that they cannot simply say “no” to enabling these new services. Consequently, we are seeing zero trust solutions that focus on permissions and on monitoring for inadvertently risky or malicious behavior.
But how does one define this risk? We played a bit of buzzword bingo and asked our CISOs, “What keeps you up at night?” The main concern is understanding where the data is. Most organizations should have a pretty good grip on their PII, since they have to protect it for compliance, but what about IP? We discussed how Six Sigma data is incredibly valuable and targeted by attackers, yet this data is unstructured and distributed, which makes it more difficult to protect. We also discussed how APIs are like Pandora’s box: once you set an API in motion, it can be difficult to go back.
APIs in particular can be a vector for third-party risk since they may be exposed to partners (or for fourth-party risk from your partners’ partners). Compliance certifications, such as SOC and ISO, can help ameliorate some of the concern around third-party risk since they demonstrate that the partner is trustworthy and secure, but it is important not to stop there. It is also important to understand what data is being shared, both upstream and downstream.
Speaking of compliance, it is one of the biggest budget drivers for 2021. The question isn’t “security vs. compliance,” because compliance is required, and it can help justify investment in new security controls. For 2021, these CISOs are looking at privacy as a big trend because of recently introduced compliance frameworks, NIST 800-53 Rev 5 and ISO 27701. Of course, GDPR and CCPA served as predecessors to these frameworks, and ultimately this focus on privacy comes back to data breaches. It was also interesting to note that organizations are still investing in protections against basic attacks, such as ransomware and phishing – proof that more advanced security controls are rather effective at preventing more advanced attacks.
The panelists also discussed how deploying defense-in-depth or best-of-breed security solutions will pretty much ensure your compliance, but you will still need to go through the audit process. As for some of these best-of-breed security solutions, we discussed how emerging controls need to be dynamic, since risks are no longer static. And again, we discussed how CISOs do not want to stand in the way of service delivery, so they have to balance security against availability.
API security is important because APIs can be abused for exfiltration in a variety of ways; the OWASP API Top 10 provides more detail here. But the important point is that API security needs to account for agile development cycles – it has to be built into the application architecture, into testing, and into deployment. Machine learning solutions have proven to be particularly adept at adapting to dynamic environments, where static rules fall short.
Ultimately, zero trust security is about building a flexible architecture that is able to adapt to risk. Security and privacy need to be baked into the business during the solution phase. A “shift left” approach to security seeks to implement security and privacy controls during development to catch vulnerabilities before production. Security teams need to build relationships across lines of business to make this happen, and in particular to foster a relationship with a liaison from the development team who can serve as your “security champion.”
Zero trust security is more important now than ever before, since so many employees now work from home. The perimeter, as we used to know it, really is gone.