Podcast May 07, 2020

Root Causes 89: PKI's Role in Zero Trust

"Zero Trust" is an IT security philosophy that maximizes protection from threats by tightly controlling access and permissions for every individual, device, and process in the organization's environment. Learn how digital identity and certificates play a key role in operating a secure Zero Trust strategy.

  • Original Broadcast Date: May 7, 2020

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    Today, we are going to talk about some new guidance out of NIST regarding zero trust architecture.

  • Jason Soroko

    Yeah. NIST, um, it’s still in draft form. It’s the 800-207 Special Publication. Specially titled Zero Trust Architecture and for those of you who are in encryption in the PKI world, digital identities, it’s something you want to check out.

  • Tim Callan

    Yeah. So, of course, just for everybody’s background, we run into other things that NIST does in our world and in particular, we talk about them a lot in terms of quantum cryptography, quantum safe cryptography, but in general, NIST has taken this position, this leadership position in the technical world, you know, and it is supposed to be a standards and technologies body and it’s an objective sort of third-party body with good technical chops and so NIST comes out with things like recommendations and guidance and sometimes coordinates activity. There’s usually not, there’s not a lot of direct teeth to it in terms of a requirement but a lot of people view it as a best practice and then some people turn around and make it their own requirement to say you have to conform to what NIST says on this.

  • Jason Soroko

    Yeah. And I think NIST really what they are trying to accomplish here is to try to put together some of the best thinking in what zero trust as an architecture means and it’s not really hey, you have to build your network this way. It’s not prescriptive. It really is a set of principles to plan out your enterprise infrastructure and your workflows and, in fact, that terminology comes right out of their abstract and I think that’s a great way to describe what they are trying to accomplish here.

  • Tim Callan

    Yeah. So, we’ve talked about zero trust before but give us just the one or two sentence capsule summary of zero trust in case the listeners didn’t hear that episode.

  • Jason Soroko

    Sure. It might sound like a marketing term, right? Zero trust. It’s just one of those quick-off-your-tongue kind of terms that can be said. And so, people who have been around security a long time might think, oh geez, just another flash in the pan idea, when in reality this is just one of the more recent terms for the principle of least privilege, you know, one way of thinking about it within your network. Most networks today are quite different than they were not that long ago where previous security architectures were hey, there’s the outside world, the hostile public internet and then there’s my firewall and then everything behind that firewall is my enterprise network and everything is hunky-dory and happy.

  • Tim Callan

    And it’s all safe. There’s no bad actors in there and nothing bad can happen inside the wall. As long as the wall holds, we are all good.

  • Jason Soroko

    Absolutely.

  • Tim Callan

    Right.

  • Jason Soroko

    So, I remember for quite a while people were making the analogy to the French Maginot Line, which you can see how well that worked in World War I and that architecture from a cyber security standpoint also didn’t work and works even less now because not everything is sitting behind a safe and sound firewall.

  • Tim Callan

    Right. And that whole concept – and we’ve talked about this before, too – that whole concept is so outdated that it’s hard to even imagine if you tried to do a mental map of all the various places where you have process and compute going on, a lot of it happening on hardware you don’t even own, how would you ever draw a line around that?

  • Jason Soroko

    Think about this for a moment. You remember the good old, the attack on the Iranian nuclear enrichment plants – Stuxnet.

  • Tim Callan

    Stuxnet.

  • Jason Soroko

    Think about this. The industrial equipment. Right? The controller equipment that was interfered with by the Stuxnet virus, all of those pieces of equipment were of course listening for commands on their critical industrial network and whenever a command reached them that was able to be interpreted, they simply, you know, in their own machine way they gave a salute and did the job.

  • Tim Callan

    You betcha. Absolutely.

  • Jason Soroko

    And they trusted every single command that went across that network as implicitly trusted.

  • Tim Callan

    And so, the opposite of that is zero. So, zero trust means that basically everything, every command must be justified within governance policies or it won’t be allowed.

  • Jason Soroko

    That’s it. I mean I’ll read the sentence right out of the abstract which I think captures it really well. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.

  • Tim Callan

    There you go. Excellent. And so, we also, you know, zero trust, as you said, there are some other words that mean the same thing. Right? People are talking a lot now about software defined perimeter and that’s all interwoven with zero trust. These are – I don’t want to say quite equivalent, but these are inextricably linked concepts.

  • Jason Soroko

    Yeah. Absolutely. In fact, I think it’s a great terminology because now with public clouds being meshed with your enterprise, sometimes we call that hybrid cloud. Whatever. Hybrid network. Whatever you want to call it. That in combination with the fact that you’ve now meshed APIs from yourself, your partner, other business units you may have. All these things run with different DevOps principles. Wow. Where is your enterprise from a network standpoint? This kind of software-defined isolation of pieces – this is something I said before in a way. I don’t think it has ever caught on but you have to think about your network at the atomic level. What are the individual apps and physical nodes that are on your network and the things that your network-attached devices are actually speaking to? In other words, you really have - - the boundary, the edge is at the identity level of each of these things.

  • Tim Callan

    Right. So, every user, every device, every process has an edge that envelops it.

  • Jason Soroko

    You should consider all of every network to be hostile. That I think is the other way of saying this. So, in other words, we talked earlier about the Maginot Line. We talked earlier about the firewall is the perimeter. I think one of the fundamental ideas we are talking about here in this podcast is identity being the new perimeter.

  • Tim Callan

    Right. For sure. Absolutely. And once you do, right, once you say, you know, there is no green zone then how do I do anything? How do I get anything done? What I have to do is I have to make sure that every actor, if you will, every digital process that is giving me a command or receiving information from me is qualified to do that.

  • Jason Soroko

    Absolutely. So, if you were to do some internet searches on zero trust. You know, just from a commercial standpoint, who as a vendor is offering this? You will start to see a lot of vendors who are in the policy, engine policy administrator space.

  • Tim Callan

    Right.

  • Jason Soroko

    And that makes a lot of sense because authorization is an important part of this as well. So, this asset – a printer, a workstation – this thing has its own identity and so does the user that actually interacts with it but should a printer be able to do x y and z as a privilege way beyond itself? Probably not. And so, therefore, as you said earlier, Tim, it really needs to be tied to governance. So, in other words, governance needs to be tied to policy and those policies need to be enforced. So, therefore, zero trust as a mechanism, as an architecture really should have a lot of authorization concepts within it not just the authentication part.

  • Tim Callan

    Right. But also, the opposite of that is true. I mean what you said was just very salient. You ended that sentence by saying “and these policies must be enforced”. So, zero trust also isn’t just policies. Like you have to have the right policies. Someone has to say there is no good reason for my printer to be requesting data and sending it off to some IP address in Indonesia. Right? So, we are not gonna allow that. But then we also have to not allow that.

  • Jason Soroko

    With everything that you and I just said, the fact that you can call it a printer; the fact that you can identify something as a workstation, a user, that’s gonna be because that printer, that user, that workstation are gonna possess an identity. Well, in the year 2020, in the year 2025, 2030, what’s that gonna mean from a technology standpoint? Well, this is a PKI podcast, so you shouldn’t be surprised to hear that PKI is a fundamental part of zero trust because if really, if the main push of zero trust is that identity is the new perimeter, where is that identity gonna come from? That identity really should be managed in a place like a PKI management system and those things, those assets, those users should be provisioned with and securely possess something like a certificate. Right? It could potentially be other things down the road but currently technology, that’s what it’s gonna look like.

  • Tim Callan

    Yeah. So, you know, and we talk about this a lot but just imagine attach a strong digital identity to everything – essentially. Right? Every, like we said, every process, every user, every device, every server, you know, every piece of iron and then at the end of that you are then capable of enacting those policies at a very granular level. Like really, the degree to which your zero trust is truly zero is mostly a function of how much time you have to put into establishing policies.

  • Jason Soroko

    That’s it, Tim. It’s granular to the point where we now use terminology such as micro segmentation. In other words, instead of that - - that firewall idea was always a good one. In fact, what we now realize is we needed a lot more of them, just a lot smaller lightweight versions of them.

  • Tim Callan

    Right. Exactly. So, why isn’t - - like, I don’t know. There’s a couple questions I could ask of this. I’m gonna ask you this. Why is this a new or a relatively new conversation that’s going on?

  • Jason Soroko

    I think the push, Tim - - by the way, every single concept we’ve brought up here such as earlier in the podcast we talked about authorization; then we talked about authentication; we talked about identity; we talked about micro segmentation - a lot of these ideas are actually quite old. What really zero trust is about, especially the way that the spirit of this NIST guidance is really talking about it. It is trying to bring together all of those really good ideas that have been around and wrapping them together. So, there’s a couple great diagrams in here. Some of them actually show a lot of terminology that you all might know like SIEMs, threat intelligence, activity logs, policy enforcement, good old-fashioned PKI – all those terms, which if you walk the RSA show floor, you might think that those things were completely and mutually exclusive and really would never have anything to do with each other, if you looked at it from a vendor standpoint, whereas zero trust is trying to show you how to put these things together so that your overall enterprise architecture is cohesive and coherent so that from the foundational PKI identity, all the way up to hey I’m watching what those identities are doing in my SIEM and the enforcement policies I’m gonna write in the meantime are all acting together. And, Tim, to answer your question very directly, I think what has caused this is this really lock, stock and barrel move to the cloud. There’s obviously still gonna be a lot of on-prem stuff going on for lack of a better way of saying it.

  • Tim Callan

    Stuff – that’s the technical term. Stuff.

  • Jason Soroko

    The technical term stuff has to do with, you know, you are still gonna have certain kinds of crown jewels sitting in a server room and that’s fantastic.

  • Tim Callan

    Or old legacy stuff that you just can’t, for whatever reason, you just can’t get it off the hardware and into the cloud and it’s not worth trying and you just keep a rack.

  • Jason Soroko

    Yeah.

  • Tim Callan

    Yeah. Of course.

  • Jason Soroko

    But, on the other hand, I think a lot of people have seen the advantage of scaling out to the cloud and that scaling out to the cloud now means where is my network?

  • Tim Callan

    Yeah.

  • Jason Soroko

    I think also, Tim, this usage of APIs. I can hire a third-party API so that I don’t have to invent it. I don’t have to host it. I don’t have to run it, administrate it, support it, and yet I can put it together with an offering of mine and sell the whole combined solution to a customer through my own API. Well, all of the sudden now, you realize you now have logical network spaghetti – again, a technical term – for the distributed nature of my assets, my users. It’s tremendous the push towards that nowadays, Tim. So, therefore, as a security principle this is what zero trust is trying to do which is no matter how you architect your network – public cloud, hybrid, multiple public clouds, whatever it happens to be – trust nothing between the things. In other words, at the atomic level, each one of your users and assets really needs to be issued an identity. That identity needs to be protected, everything needs to be mutually authenticated across whatever network boundary they are in and then policy enforcement needs to be in place and then on top of that you need to be monitoring all of that.

  • Tim Callan

    So, what success looks like for this NIST document would be (1) that it helps some people who are trying to understand is this for me, helps them evaluate and come to the conclusion that, yes, this is for me. But then (2), this also can be a little bit of a recipe book. So, if I’m a CSO or a security professional or a CIO who is trying to implement this sort of zero trust approach and we don’t really have it today or we have it kind of partway, I can really dig into this NIST document, and it will help me structure and architect my own approach to zero trust for my situation?

  • Jason Soroko

    Yes. In fact, Tim, this document goes as far as to get into concepts such as application sandboxing. So, in other words, if you happen to be building an application you need to be cognizant of this because it’s just another form of segmentation, isolation. Zero Trust. You may or may not even need to get into that with your enterprise architecture, but I think NIST has done a really good job here of going from high level principles all the way down to, hey, here’s also some good ideas you need to be thinking about. They’ve mixed a lot of stuff and I think that document is valuable, and I really encourage people who are in the security business to take a look at it.

  • Tim Callan

    Yeah. I agree. It’s meaty but it’s short enough that it’s readable. It’s about what, 55 pages or so? So, it’s readable but it’s certainly not shying away from the details and it’s free. So, it sounds like it would be a real good use of a lot of people’s times if you are thinking about zero trust to download the NIST document and dig into it.

  • Jason Soroko

    One of my favorite sections, Tim, comes towards more the middle to the end which are the threats associated with it, which are, ok, now that you’ve employed these security mechanisms what are the doors you have to watch? So, in other words, Section 5.1 Subversion of Zero Trust Architecture Decision Process. Well, in other words, if your decision process mechanism isn’t itself protected, you could be in trouble. Another one is a denial of service of the same thing, of your policy enforcement engine. If a DDoS can hit it, well, you are in trouble. Again, because this whole thing is identity-based, Section 5.3 Stolen Credentials. So, this is good because there is no architecture that’s perfect but an architecture that tries to minimize where your weak points are there’s only so much you can do. Your security team can only be so big. So, let’s try to minimize where the leaks in the boat are and the things we have to fuss over are at a minimum so that we can get on with our job of running an enterprise.

  • Tim Callan

    Yeah. And again, rather than having to hunt around and look for the stuff and read lots of articles and wade through vendor information trying to figure out what is true and what is propaganda, instead of that, they’ve done a nice job again, impartially, of pulling it together and summarizing it here in this document.

  • Jason Soroko

    You know, Tim, one of the things that we are a big believer in is automation and visibility especially across identities. Hey, Section 5.4 Visibility on the Network. I was really glad to see this document because it was so aligned with the philosophies that we hold as professionals and also, you know, commercially as a company that we have, and it was just really good to see that all of these best ideas all coming together in one consumable document. It’s still in draft, anybody who wants to still submit information to it I think still can but I think it’s coming together very well.

  • Tim Callan

    Yeah. I mean it’s in draft but already this is a great document. No need to wait for it to be in its final form. There’s no reason why you can’t get it and get something out of it today.

  • Jason Soroko

    You got it, Tim.

  • Tim Callan

    So, thank you, Jay. I’m glad we talked about this. This is a good document. It’s recent and it’s valuable. So, give it a look and once again, so you don’t have to go back and listen to the earlier part of the podcast it’s the NIST Special Publication 800-207 and the title of it is Zero Trust Architecture. That’s plenty that you need to do a search and find the document. Anybody can get it and it’s worth looking at.

  • Jason Soroko

    That’s great, Tim. Thank you very much.

  • Tim Callan

    Alright. As always, a pleasure to talk to you, Jay.

  • Jason Soroko

    Got it.

  • Tim Callan

    And this has been Root Causes.