A Security Architect Reacts vlog and podcast with Gareth Young, Founder and Chief Architect of Levacloud LLC, reviewing the Microsoft Security Blog “A Clearer lens on Zero Trust Security strategy: Part 1”
Hi everyone, my name is Gareth Young. I’m the founder and chief architect of Levacloud. You’re joining me today at the start of a new series called “a security architect reacts”. This is a completely unscripted series where we’re just going to dive into the depths of the Internet together and look at different blogs, articles and videos and I’ll give my unscripted opinions and thoughts as we go through.
I got the idea for this series thinking about the situations where a CIO or CISO might flip over an article or a video to their chief architect or security architect and ask: hey, what does this mean? This series is how that kind of conversation would go in my head.
So the first one that we’re going to look at today is all around zero trust. It’s a Microsoft Security blog. I heard someone say recently that zero trust is just a Zscaler solution and it’s not really achievable. They claimed that you have to completely move to their platform if you want to do it, and that zero trust was just invented in the last couple of years.
That couldn’t be further from the truth. I appreciate it can be quite daunting to deploy a zero trust framework within your organization because it’s such a mammoth piece of organizational change. We always recommend breaking it down into different, more consumable projects. I felt like this article we’re going to look at was one worth exploring together as our first one, as it’s going back to Ground Zero and exploring the roots of Zero Trust.
So with that said, let’s just get into this and see where we end up.
A clearer lens on zero trust security strategy: part one.
(author) Mark Simos, Lead Cybersecurity Architect, Cybersecurity Solutions Group.
As you can see, I’m using that read aloud feature within Microsoft Edge here (the voice is called Microsoft Aria), so we’ll see how well this goes. Interested to see what Mark has to say on this topic.
Today’s world is flooded with definitions and perspectives on Zero Trust, so we are kicking off a blog series to bring clarity to what Zero Trust is and what it means.
This first blog will draw on the past, present, and future to bring a clear vision while keeping our feet planted firmly on the ground of reality.
We start off with some observations and insights on how people are seeing Zero Trust, then highlight some great work at the National Institute of Standards and Technology (NIST) to make Zero Trust real using products available today, and then highlight work being done at The Open Group to standardize Zero Trust (including an origin story of The Jericho Forum from Steve Whitlock).
Did anyone else hear of the Jericho Forum before? I must admit, even for me that’s a new one. I knew that The Open Group had a lot to do with the origins of zero trust, but I never realized that was born out of an organization before that. Sounds very cloak and dagger, I must say.
Perceptions and scope: How people see Zero Trust
As we talk to customers and partners, it’s become clear that most people see Zero Trust as either a strategic security transformation or as a specific initiative to modernize access control. While zero trust principles are critical to securing access control to the cloud and digital assets, zero trust scope doesn’t stop there.
On this point as well, for me, I’ve noticed that Zero Trust has very much become a buzzword, and it’s causing a lot of different individuals in the industry to just disregard it. I think that’s very unfortunate, because honestly, mainstream zero trust is probably one of the most key things to happen in the security space, and it’s going to continue to grow and be key over the next several years for sure.
The urgent need to modernize security beyond the classic perimeter approach extends to:
- Detecting and responding to threats to your assets in the security operations center (SOC).
- Protecting data anywhere it goes.
- Continuously monitoring and improving IT infrastructure security posture.
- Integrating security into application development processes like development operations (DevOps).
- Continuously reporting and remediating compliance risks.
- Extending these capabilities across IoT and operational technology (OT) assets that are frequently targeted by attackers.
So, quite interesting: these bullet points are aligned with something that I usually say when I’m talking about zero trust frameworks. In general, this is truly a more proactive form of security. When I think back to the perimeter security model, where we would build a wall around everything, put a bunch of reactive security tools in there and then wait for things to be picked up, that was very much reactive in my view. Whereas this kind of continuous monitoring, looking at the health state of our devices and whether our users need to maintain the same level of permissions all the time, constantly looking at those different data points and making decisions on access, is very much proactive, and that definitely aligns with this.
The confusion comes because access control is almost always the first priority to solve, whether or not you are planning a major strategic overhaul. As business-critical assets move outside the perimeter to cloud and mobile, the first priority is always to rapidly put in controls to ensure only authorized people can access these business assets. Additional focus is added to this initiative as attackers have learned to reliably get past perimeter access controls with phishing and credential theft attacks.
Access control is urgent but it isn’t the only security problem to solve across this transforming technical estate.
I do agree with that last point, and to an extent, yes, access control is urgent and is not the only security problem to solve. When you look at the Microsoft Zero Trust framework, you’ve got identities and endpoints at the foundation, and then you have the other pillars, as they’re called, such as Apps, Data and Network. Yes, those are other security problems to solve. But at the same time I see so many organizations that don’t even have basics like MFA in place. Access control definitely is the first priority to solve, and a lot of focus needs to be put in that area, so let’s not overshoot here on that.
(Although on reflection, I appreciate the author was trying to point out that people think zero trust is only access control, but actually there is a lot more to it. My point was that access control is such a huge problem for a lot of organizations that yes, we can highlight the other areas, but let’s not understate the issues with access control.)
NIST: Zero Trust capabilities available today
The National Cybersecurity Center of Excellence (NCCoE) is bringing many vendors into the lab to implement their solutions for Zero Trust to create actionable guidance. This is creating clarity by implementing the actual technical capabilities of today in a highly transparent process.
I also witnessed how this effort is driving consistency in the industry during my participation as a member of the Microsoft team supporting this effort. I watched many vendors share their vision of Zero Trust to the collective project team during the kickoff (which was like a condensed version of the RSA conference show floor). The only thing I saw in common among these presentations was that each vendor used the NIST Zero Trust diagram (often mapping their solutions to it). While this illustrated how challenging it is to get a common view of Zero Trust, it also showcases how valuable NIST’s efforts are at creating much-needed consistency for Zero Trust.
For more information, read our blog Microsoft and NIST collaborate on EO to drive Zero Trust adoption or visit the NCCoE project page.
I love that they’ve included this in here, because that’s it: zero trust is a standard. It’s not a Zscaler solution, it’s not a Microsoft product, it’s a standard that different vendors are building their own flavor on top of.
As an example, the way Microsoft is doing it is modular, and you don’t have to be all Microsoft for it to work. Maybe you want to use VMware Workspace ONE instead of Microsoft Endpoint Manager as your single pane of glass for managing all of your devices. As it happens, device compliance and device health states can be fed through by API from Workspace ONE into Intune and Endpoint Manager to help influence trust decisions. Conditional Access, which is at the center of the Microsoft Zero Trust engine, can make trust decisions on access based on what’s coming in from that third-party tool. It can be a multi-vendor solution.
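To make the decision side of that concrete, here is an added example (not from the blog, and not Microsoft’s own sample) of the Conditional Access policy object that consumes the device compliance signal, in the shape the Microsoft Graph conditionalAccessPolicy API accepts. It assumes the third-party MDM has already reported the device’s compliance state into Intune, so the policy only needs to require a compliant device and MFA; the `excludeUsers` entry is a placeholder for a break-glass account and should be replaced with a real object ID. The policy is created in report-only state so its effect on sign-ins can be reviewed before it is enforced.

```json
{
  "displayName": "Require MFA and a compliant device for all cloud apps",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["mfa", "compliantDevice"]
  }
}
```

Because `compliantDevice` only checks the compliance state Intune holds, a device whose third-party MDM feed has stopped updating will fall out of compliance and be blocked once the policy is switched to enforced, so the partner integration itself is worth monitoring.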
The Open Group is well on the path to defining Zero Trust as a global standard, similar to The Open Group Architecture Framework (TOGAF), Open FAIR, and others. This rigorous process is focused on clearly defining the scope of Zero Trust, what it is, what it isn’t, and how to link Zero Trust (and security) to business goals and priorities. This top-down approach complements the NIST technology-up approach to provide additional clarity for Zero Trust.
So just to pause for a second, it’s interesting, talking about The Open Group. TOGAF is an enterprise architecture framework, and when you think about the ecosystem of enterprise architecture modeling tools being developed because of that, do you think we’ll get to a place where zero trust vendors could start developing zero trust architecture modeling tools that simulate the impacts of trust decisions as networks or implementations get more complex and we have advanced micro-segmentation of networks, etc.? Maybe I just gave someone a little IP suggestion. I should take it over myself and just delete this out of the video, honestly. One for Levacloud to work on.
Some historical context from the Jericho Forum®
The Open Group is no stranger to Zero Trust as they host the (now-retired) Jericho Forum® which is widely recognized as planting the seeds for what became the modern Zero Trust movement. The Open Group’s Zero Trust work builds on this work from almost 20 years ago and focuses on the challenges faced by modern enterprises today.
Before we get into the current work, we thought it would be helpful to do a quick review of the Jericho Forum® origin story. While the world was different back then in many ways, this effort was born of the truth that perimeter approaches were failing to meet security needs even back then.
Steve Whitlock is one of the original Jericho Forum® members and graciously shared this origin story:
The mid to late 1990s—By all measures, security costs were rising but the solutions weren’t actually solving the problems. A few Chief Information Security Officers (CISOs) of large enterprises based in the United Kingdom met periodically to try and figure out what was going on. While their perspective didn’t fit the accepted norm of “protect the network,” these CISOs were not novices. One CISO of a large United Kingdom-based energy company had been among the first professional CISOs in Britain and trained many people who would go on to run information security at other corporations. Another at a European energy company had written an internal document that evolved into the ISO 2700 series of security and risk management standards.
In January of 2004, these four CISOs formed the Jericho Forum® to focus on defining the issue, termed de-perimeterisation, and proposing a way forward. Their efforts quickly attracted other strategic thinkers. In 2005, the first Jericho Forum® conference was held and a visioning white paper was released. This was followed in 2006 by the Jericho Forum® Commandments.
It’s crazy, I don’t think a lot of people realize how far back the development of some of this stuff actually goes.
This set of strategic principles is designed to enable an organization to survive in a world without traditional perimeters. The Jericho Forum® went on to issue a series of papers on related topics including cloud security, secure collaboration, security protocols, Voice over Internet Protocol (VoIP), wireless, and data security. And a second set of commandments concerning identity, entitlement, and access management was released in 2011.
Later, the Jericho Forum® was fully absorbed into The Open Group, and having laid out its principles for change, formally shut down in 2013. The Jericho Forum® articulated the need for better data protection, including the use of smart data, and one of its founders created a global organization to define the parts of a global digital identity ecosystem. Others from the Jericho Forum® contributed to a cloud security organization’s guidance documents.
The Zero Trust Commandments and beyond
The current work of The Open Group builds upon those hard-won lessons and updates them today with recent best practices, current trends, and expected future trends:
- This started with the Zero Trust Core Principles that defined Zero Trust, including key drivers and core principles.
- This continued into the Zero Trust Commandments that updated the original Jericho Forum® Commandments, defining a non-negotiable list of criteria for Zero Trust.
If you have a look into these commandments and principles, you can really get a sense of how they drove the development of the Microsoft Zero Trust architecture. I guess arguably, you could just say “duhh” to that point, otherwise it wouldn’t be zero trust.
- Work is now underway in The Open Group to build on these commandments and provide a full technical standard for a Zero Trust reference model.
The Zero Trust commandments are one of the clearest ways available today to identify if something is Zero Trust or not. If you hear a claim of Zero trust, you can ask:
- Does this action support one or more commandments?
If yes, it can be part of Zero Trust.
- Does this action violate a commandment?
Anything that violates a commandment is not Zero Trust (and is probably counterproductive to business goals, security, or both).
We will dive deeper into the Zero Trust Commandments through several upcoming blogs in this series.
That was quite interesting, and hopefully that shows that Zero Trust isn’t just a Zscaler product. There’s a lot more to it. We’ll explore more of these blogs together as they come out and Uncle Satya and team over at Microsoft tell us the story of zero trust. I guess it’s going to dive into how Microsoft is kind of moving forward with that vision.
Cool, OK, great stuff. On that last point about questioning if a solution truly is zero trust: because it has become such a sales buzzword, I’m seeing a lot of different solutions out there that claim to be zero trust but really aren’t. It reminds me of a slightly different but similar situation. When XDR (extended detection and response) products became popular, suddenly everyone was renaming their “whatever” antivirus endpoint capability to XDR.
Use this kind of questioning when some of these things come out of the woodwork trying to sell you zero trust.
With that I appreciate everyone joining me today and we’ll see you on the next one!
You can read the full Microsoft Security Blog here.