Catching up with the authors of O’Reilly’s new book, Zero Trust Networks
Editor's note: attendees at Black Hat can get a free signed copy of Zero Trust Networks by Doug Barth and Evan Gilman at Edgewise Networks’ booth (#1665). Reserve your copy now to ensure you don’t miss out on this world exclusive opportunity.
How difficult do you imagine it will be for businesses looking to secure their cloud and data centers to adopt a zero-trust mindset for their network security? What sort of fundamental shift in the way they think about cybersecurity will it require?
Cloud-based infrastructure is perhaps the easiest case for zero trust implementation for several reasons. First, they are entirely software-driven. This opens the opportunity to discover resources in an automated fashion, i.e. you can make an API call to understand exactly what servers you have and where they are. Contrast this to the physical world, where there is no such convenience, and hardware inventory must be tracked through labor-intensive means. A device inventory is one of the cornerstones of a zero trust network, and is essential in being able to achieve the automation which it requires.
Second, cloud adoption demonstrates the ability to readily change mindset, and this is critical for zero trust adoption. Cloud operations often come with some degree of automation, and are a significant departure from the way that infrastructure has been run in past decades. Both of these considerations are ever-present in a zero trust network, and willingness to adopt cloud echoes flexibility in this area.
Finally, running sensitive systems in a public cloud lends itself naturally to the idea that you cannot trust your network neighbors. In a physical datacenter, it is often hard to reason about why you shouldn’t trust your network. After all, you control the whole thing, right? In reality, it is less about what you control and more about how malicious actors perform reconnaissance and move through your network… alas, this point is often lost in translation. As such, cloud-based datacenters lower the mental barrier to entry associated with the zero trust model.
What's the logical first step for an organization that's interested in the zero-trust model of security and doesn't know how to start on the path of adopting it?
Start gathering data. Put a system in place which serves as the source of truth for all the devices, applications, and users in your network. Most organizations already have a user inventory in the way of a directory, however few have device or application inventories documenting exactly what is running and where.
Zero trust networks dictate that policy must exist in order to allow any particular network flow or request. Another way to say this is that a zero trust network operates in whitelist mode. If there is not a policy which permits a particular flow, the packet is not transmitted. In order to accomplish this, it is necessary to have a database of expected flows and requests. These expectations are modeled logically—that is to say, application X may talk to application Y in fashion Z, and not IP address A may reach IP address B. Taking this approach allows one to divorce policy from underlying network implementation, however device and application inventories are required in order to reach this goal.
It is important to note that while these inventories might be manually populated or backfilled at first, they should ultimately stand as a source of truth. Once whitelist mode is enforced, it can be said that a device does not effectively exist on the network unless it is represented in the device inventory.
What are the business challenges that moving to a zero-trust model can help resolve? How can IT architects use these opportunities to convince CIOs and CSOs of the benefits of zero-trust networking?
There are many business drivers for moving to zero trust, and the drivers which matter most to a particular organization will dictate the manner in which zero trust is adopted.
Many organizations face challenges in applying security policy across heterogeneous environments. For example, it is common to operate a “hybrid” cloud, in which on-premises datacenter resources are maintained in tandem with cloud-based resources. Despite the split, security policy is unified, giving rise to synchronization tasks and maintenance overhead. How do you configure your on-premise security policy at the same time as your cloud-based policy? And how do they translate?
Zero trust solves these problems through automation and abstraction. When policy is defined as X may talk to Y, we can use code to determine whether Y is in the cloud or in your datacenter, and calculate the necessary enforcement and connectivity policies. As such, network position or location doesn’t matter as much anymore, allowing remote workers and datacenter workloads to roam free, so long as they are able to attest to their validity and present the appropriate credentials. On top of that, the policies are fully automated and the enforcement responsibility is distributed, removing the need to maintain network gateways and VPN concentrators.
Where does zero-trust go from here? What's the next stage in the evolution of network security?
Marc Andreessen is famously quoted as saying “Software is eating the world.” This statement has never been truer, and applies strongly to zero trust networks.
Automation is the key enabler for zero trust networks. Otherwise, the maintenance overhead is prohibitive, particularly in dynamic environments. While there are a handful of software options for various problems which the zero trust model encompasses, there is no end-to-end solution… yet. Such a solution necessitates complexities such as secure introduction, audited change management workflows and transparent network encryption. Edgewise has just launched, and more will follow. We are only now seeing the beginning.
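The answers above describe a policy model in which a device inventory is the source of truth, policy is written as "application X may talk to application Y in fashion Z" rather than in terms of IP addresses, enforcement runs in whitelist mode, and code resolves whether an endpoint lives in the cloud or the datacenter and works out the concrete enforcement rules. The following is an added example, not code from the book, the interview or any product: a toy policy engine in Python that shows those pieces fitting together. Every device, address, application, policy and enforcement-mechanism name in it is constructed for illustration.

```python
"""Toy zero trust policy engine (added example; not code from the book or
from the interview).  All device, application and policy data below is
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    ip: str
    location: str  # constructed values: "cloud" or "datacenter"
    app: str       # the application this device runs


@dataclass(frozen=True)
class Policy:
    """Logical policy: application src_app may talk to dst_app on port/proto."""
    src_app: str
    dst_app: str
    port: int
    proto: str = "tcp"


# Device inventory: the source of truth.  A host not listed here does not
# exist as far as the network is concerned.
DEVICES = [
    Device("web-1", "10.0.1.10", "cloud", "web"),
    Device("web-2", "192.168.5.10", "datacenter", "web"),
    Device("api-1", "10.0.2.20", "cloud", "api"),
    Device("db-1", "192.168.6.30", "datacenter", "db"),
]

# Policy is written against applications, never against IP addresses.
POLICIES = [
    Policy("web", "api", 443),
    Policy("api", "db", 5432),
]


def device_by_ip(devices, ip):
    """Resolve an address to its inventory entry, or None if it is unknown."""
    return next((d for d in devices if d.ip == ip), None)


def is_flow_allowed(devices, policies, src_ip, dst_ip, port, proto="tcp"):
    """Whitelist-mode decision: a flow is permitted only when both endpoints
    are in the inventory and some logical policy covers their applications."""
    src = device_by_ip(devices, src_ip)
    dst = device_by_ip(devices, dst_ip)
    if src is None or dst is None:
        return False  # unknown device: no policy can apply, so deny
    return any(
        p.src_app == src.app and p.dst_app == dst.app
        and p.port == port and p.proto == proto
        for p in policies
    )


def enforcement_for(location):
    """Pick the enforcement point for a device's location (constructed names)."""
    return "cloud-security-group" if location == "cloud" else "host-firewall"


def compile_rules(devices, policies):
    """Expand logical policies into concrete per-device rules.

    This is the automation step: code, not an operator, works out which
    addresses each policy resolves to, whether a flow crosses the
    cloud/datacenter boundary, and which enforcement mechanism applies.
    Devices absent from the inventory simply receive no rules.
    """
    by_app = defaultdict(list)
    for d in devices:
        by_app[d.app].append(d)
    rules = {d.device_id: [] for d in devices}
    for p in policies:
        for src in by_app[p.src_app]:
            for dst in by_app[p.dst_app]:
                rule = {
                    "src_ip": src.ip, "dst_ip": dst.ip,
                    "port": p.port, "proto": p.proto,
                    "crosses_boundary": src.location != dst.location,
                }
                rules[dst.device_id].append({
                    "direction": "ingress",
                    "enforce_with": enforcement_for(dst.location), **rule})
                rules[src.device_id].append({
                    "direction": "egress",
                    "enforce_with": enforcement_for(src.location), **rule})
    return rules


if __name__ == "__main__":
    print(is_flow_allowed(DEVICES, POLICIES, "10.0.1.10", "10.0.2.20", 443))  # True
    print(is_flow_allowed(DEVICES, POLICIES, "10.0.1.10", "192.168.6.30", 5432))  # False
    for dev, dev_rules in compile_rules(DEVICES, POLICIES).items():
        print(dev, dev_rules)
```

Two things worth noticing when running it: a packet from an address that is not in the inventory is denied even if the destination application is reachable by policy, which is the "a device does not effectively exist unless it is in the inventory" property; and the same two-line logical policy yields rules that land on a cloud security group for one web server and a host firewall for the other, which is the hybrid-cloud translation the answer describes being done by code rather than by hand.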
What prompted you to write this book now, and what do you hope it will achieve within the security community?
Hailing from PagerDuty, a multi-cloud multi-region fault tolerant platform, we were forced to face security challenges which were ahead of the curve. Being technologists, we understood the value of the frameworks we were building, and wondered why more people weren’t talking about such approaches. After giving a series of conference talks, we realized that the zero trust model is something the world badly needs, and was eager to learn more about.
So, we wrote the book because we believed we held knowledge that needed wider dissemination. We believe strongly that zero trust is the only way forward for network security, and without any resources available for people to learn more, the industry was locked in an echo chamber. Thus, the book is intended to show a new way. To show that the status quo might not be the only or best way, and that ubiquitous fine-grained whitelisted enforcement is indeed possible.
The first chapter of Doug and Evan's book is available as a free download here.