CyberTalk with Dr. Zero Trust - Chase Cunningham - Ep. 50
Dr. Zero Trust Chase Cunningham joins the podcast this week to discuss how after 30 years organizations are finally approaching cybersecurity strategy the right way.
Episode Table of Contents
- More Than Three Decades of Cybersecurity Fail and the Dr. Zero Trust Strategy
- The Disconnected Nature Between Security, Operations, and Business
- Younger Generation versus Older Generation
- The Prevailing Competitive Differentiator
- The Concept of Zero Trust
- Where to Get More Info About Zero Trust?
Episode Introduction: More Than Three Decades of Cybersecurity Fail and the Dr. Zero Trust Strategy
Arika: Welcome to Forcepoint's To the Point Cybersecurity podcast. Each week, join Eric Traxler and Arika Pierce to explore the latest in government cybersecurity news and trending topics. Always covered in 15 minutes or less. Now let's get To the Point.
Arika: Hi and welcome back to To the Point cybersecurity podcast. I am one of your hosts, Arika Pierce, and joined as always by Eric Traxler. How are you doing, Eric?
Eric: I'm doing well, Arika. Looking to find out the secret to security today.
Arika: That's a perfect segue because we have a guest that's going to do just that. We have Dr. Zero Trust Chase Cunningham who is a principal analyst at Forrester Research. Hi Chase, thank you so much for joining us this week.
Chase: Thank you for having me. I'm glad to be here.
Arika: So just for our listeners to know before we usually start these podcasts, we do a little bit of a prep with our guest. And Chase, you just said something that I think is a good place for us to start. You said we've been doing it wrong when it comes to cybersecurity for 30 plus years and you feel like we're just now starting to do it right. So what have we been doing wrong? Let's just start there.
Chase: Well, it's not that anyone sort of maliciously went out there and architected environments with the idea of "Let's figure out how we can make this as ownable as possible." But the perimeter based model of security like is categorically failed. And the fact that we still have organizations that are running roughshod into this thing about building up really high walls and keeping the bad guys out. That's the wrong way of thinking about it.
Breaking Free from the Comfort Zone
Chase: And we can't continue to propagate that misery and think we're actually going to fix the problem. So it's one of these deals where no one did anything, quote "wrong". But what we kind of did was set ourselves up for failure. And if we don't change the approach, all we get is more failure.
Eric: So Chase, one of the inherent problems with perimeter based security is that it grants access based on implicit assumptions.
Chase: Yeah. On trust.
Eric: On trust. Why do we do it? If we know that this doesn't work, if we know that the adversary can breach the perimeter. I remember Dmitri Alperovitch used to put a slide up, now the CTO of CrowdStrike, the higher the wall we build the taller the ladder the adversary builds. And they can always build a taller ladder than the wall. Why do we do it?
Chase: Well, and it's for a couple things. Number one is ease, right? We've been doing this for the last 30 years and it's always hard to actually implement change. Like anytime you do something that requires strategic change and whatnot over the longterm, there's a discomfort that comes and no one wants to be uncomfortable. You have to realize that this is failed approach. And we have to basically have leaders that will stand up and say,
We're going to do things differently. Even though it's going to suck.
So like get ready to embrace the suck a little bit.
Chase: And then the last side is people are familiar with that old approach. And so, it's a warm fuzzy sort of, "We can do this. It's been there, this is how we've done it." And that just can't continue.
The Disconnected Nature Between Security, Operations, and Business
Chase: It requires a bit of discomfort and a change in thinking. And if we don't do that, then all we have to look forward to is more of the same.
Eric: Your Navy's coming out in you. I love the embrace of the suck. Yet we continue to embrace the suck. We have very smart people who continue to do more of the same. When I talk to customers all the time, they talk about getting away from the perimeter and then they focus their spend on firewalls or they focus their attention on the latest endpoint solution, if something's going to get through the perimeter, but they create almost like a micro perimeter at the end point that isn't going to work.
Chase: Well, I mean, we've actually been, even if you look at how we design infrastructure, we've still been designing infrastructure the way that you build buildings where it's the sort of waterfall methodology for infrastructure of do a bunch of stuff and then shove it out there and then come back later on and try and fix the problems. Where if you look at what virtualization is actually built to enable, you can have what I kind of call agile infrastructure and that's how you design and iterate and test and build. And that's how you move from perimeter based old approach to new approach.
Eric: Well let me ask you a question then. One of the components I see all the time and when I talk to peers, both commercial, government, international, local, US government really doesn't matter is the disconnected nature between security and operations and the business. And when I say operations, really IT operations.
Breaking Down the Perimeters
Eric: So when the business is looking to do something, whether that's a military organization, civilian government, commercial, doesn't matter, the disjointedness between the IT operations side and the business is pretty high. With cloud it's getting even worse in many cases. Not all, but many. And then the disconnected nature between security and IT ops is also high. Don't we have to break those walls down? I mean those are perimeters in themselves, aren't they?
Chase: Oh yeah. And it's something that I do a lot of these sessions with folks and part of that whole thing is actually educating them on security as a business enabler. And security, if you're doing it correctly, is something that you can put out into the market and it makes people leverage your services and buy more et cetera from you because you as a consumer, you want to know that all this digital stuff that your organizations are leveraging is safe and secure.
Chase: And when it boils down to it, it is becoming a buying decision whether or not an organization can stand up and say, "We have a security strategy. Like we know what we're doing. This is our proof." People are starting to drift away from just buying everything from someone and crossing their fingers and hoping that they don't wind up with a mega breach.
Eric: I'm glad you're seeing that.
Chase: It's slow, but it's starting to come. I mean, the fact that now I'm getting invited to do lots of briefings and stuff with boards at big companies, that they understand that it is a business enabler and that it is a competitive differentiator, which is a really, really good thing.
Government Versus Commercial Sector
Arika: What about with government though, right? I mean government is different from the commercial sector. Do you feel as though you're making business decisions. Do you feel as though they're also taking that shift as well?
Chase: Well, I mean luckily the government has been getting punched in the face in cybersecurity for so long that they've been, they've had to get good at it whether they wanted to or not. And the government is one of the few organizations that is sort of leading this whole thing. And folks forget that, right? This is the only industry where we actually follow what the Fed does because the Fed is the leader. Normally you would never say that the Fed is the leader in anything.
Arika: Yeah, I was going to say, you don't hear that too often.
Eric: And we see great examples in Fed. At least I do. And then I see horrible examples where the fact that they're on mainframes and still working with COBOL is some of the best protections some organizations have. So it does vary also, but there are definitely groups within the government that excel.
Chase: For sure. I mean, I'm a veteran and I'll say that just like with the VA system, if you go look at how they've done it for the users of that system, it makes it where it's hard to even leverage that entire apparatus. A lot of people that I know that are vets have been literally trying to figure out ways not to have to jump into that network. That, to me, is a great instance of not making security usable for the user and they go somewhere else. Like it's more convenient to go to the VA office than to use the VA website.
Younger Generation Versus Older Generation
Eric: Arika, what do you think about that from your experience with millennials? Will that resonate?
Arika: It does. I mean, we know, especially with younger generations and that's something that there's been a lot of discussion about in the VA now. You always think of veterans of being baby boomers and older, but you have a much younger generation of veterans. And so if there are work arounds or things that make it easier just because of access issues, certainly they will do that.
Eric: So, they'll have to Google where the local VA office is, hospital system or clinic. Then they'll get in a Zipcar or an Uber to drive over there all because they can't get the service online via their phone or their watch.
Chase: You actually made a good point about the next generation that I've actually been reminding people of is like the older generation, we have an issue with kind of big brother and monitoring and people looking at what we're doing online. Where when you talk to the kids that are coming into the workforce now, they've grown up in an area where they were always online, they were always doing stuff digital.
Chase: Funny enough, they're actually more okay with being monitored if they know that there's a reason that it's happening for the purposes of which they're employed. If you talk to them, they're like, "Okay. I understand what you're doing. You've got to do what you got to do. I'm used to being digital, just do it." Whereas the older generation are the ones that will say like, "No, I don't want you to monitor me. Like don't big brother me."
Moving To The Cloud
Arika: Very true. We've done a couple of podcasts where we've talked about that. And, again, it's just because if you've grown up with the phone in your hand and access to the internet, everywhere you go, it doesn't seem like a big deal to know that you're being monitored or things are being checked.
Eric: Talk to me about the move to the cloud, Chase. Does that make this easier or more difficult? The perimeter is dissolving. It's absolutely changing. Move to the cloud, easier or harder?
Chase: Well, so if you do it correctly, it can make it easier. If you do it with the same old approach, it can make it much, much harder. If you actually leverage the cloud for virtualization and design and iteration and that type of thing, you can get real benefit from it. If you just say, "Well, this is what we did in my on-prem network. Let me just go shove this in the cloud and it'll be different." That's a fool's errand. It just doesn't work that way.
Eric: And I see a lot of that in the, I see both in the government. Obviously, my background is mostly government here. I see a lot of that where they literally will lift and shift an entire operation to the cloud because some director said cloud first. And they don't know how to spin up and spin down resources. They don't understand the virtualization concept. They don't understand that security is required. That it isn't provided by Amazon and Microsoft on your users, your data, your applications necessarily. And the expense just goes.
Chase: It just becomes cloud. Cloud enabled misery is what it becomes.
Eric: But you checked that box.
Chase: Oh yeah. You are in the cloud.
The Prevailing Competitive Differentiator
Arika: You are in the cloud.
Chase: Taking what you had and now you've shoved it up there. So hopefully you got it right.
Arika: So, Chase, what do you see when you look into the future in terms of this new direction, change of mindset, changes in incorporating security into how we do business? All of those things.
Chase: Yeah, I mean I think it's going to continue to be where security and the secure nature of infrastructure is going to be a competitive differentiator. I think that a lot of the technologies that are coming into place like self sovereign identity, biometrics of virtualization is going to kill off a lot of these painful security apparatus like endpoint security, like VPNs, like passwords. And it's going to become where security is built in. But it's going to take a while to get there. I mean I'm already seeing it, doing the industry analyst side of things, where the trend is starting to show that that is achievable, but it still is going to require people to decide that that's how they want to architect these environments to live that way.
Eric: Because it really comes down to ensuring that I, the user, am who I am portraying myself to be, right? At the end of the day.
Chase: And that you should, and that's it.
Eric: And I'm doing what I should. Whether intentionally or maliciously, I'm also doing what I have access to and what I should be doing. Correct?
Chase: Yeah. And the other thing that comes up all the time is the way sort of end points have been put together is I have like an Intel Xenon 7 processor and I have all this horsepower on my machine.
The Weakest Link In Security
Chase: When for the majority of the work that I do, I use PowerPoint and Word. I don't need all that horsepower, I don't need all that capability. All that's good for is enabling malicious things to occur. So, give me an image that only has those things I need to do my job. Everything else, just ship it off somewhere else. You could run an entire enterprise with entirely virtualized desktops and be okay.
Eric: Arika is going against my gen generation. A lot of challenges here. I love having my Macbook Pro with an incredible amount of power that I have administrator rights on and I can do what I want to do.
Chase: The bad guys love that too. Like that's exactly what.
Arika: That's a good point.
Eric: This is where I think my Gen X background is just killing me.
Arika: Chase, true or false. Are humans the weakest link in any organization when it comes to security?
Chase: No, I don't think humans are the weakest link. I think actually architecture is the weakest link. I think humans are the ones that enable that architecture to start to topple over. I mean people are people. We shouldn't build systems based on the fact that people kind of do dumb things and people do whatever. But it should be built where the architecture is built where they don't cause that massive failure. You might be a problem, but your problem is at least localized. It shouldn't be "Oops. Sally's screwed up, let's just knock the entire system over."
Eric: So are you saying the architecture should support the users, but also prevent them from doing intentional or unintentional bad things?
Eric: And we should build architectures that way.
The Concept of Zero Trust
Chase: Yep. I'm a proponent of... I don't think you can train your way out of this. Like people, to your point, still do dumb stuff. You can train them all day long and get them the next day on a phishing email. But if your architecture is designed correctly, I really don't care if people are going to cause problems because they can't cause a massive problem. I'm okay with a cut from a piece of paper. I don't want an arterial bleed.
Arika: Chase, you must listen to our last podcast where I confess that I had recently clicked on a phishing email even though I co-host this podcast.
Eric: And she didn't report it to IT, Chase. She knew about it.
Eric: Okay, so I'm going to transition then. We would be remiss without bringing up the concept of zero trust. Although I'm not sure I love the name. I was doing some research and I saw one of your tweets, Chase. "The first person that walks up to me at RSA and asks, 'Have you heard of zero trust?' gets a high five. The first person that has no idea what zero trust is, but sales pitches it anyway gets punted." Zero trust, machine learning and artificial intelligence are these three concepts that nobody understands in my experience, but they all talk about.
Chase: I think I understand Zero Trust.
Eric: I'm sorry, there are a couple of people. Customer wise I hear over and over again, machine learning, artificial intelligence, zero trust. That's how we're going to fight our way out of this problem. But people don't understand. They don't understand the technology concept areas very well. I love the "but sales pitches it anyway gets punted."
Enabling Zero Trust
Chase: Yeah. That's what I try all day long to basically get in the middle of the marketing stuff and the truth behind it because there's a benefit to that grand strategic approach of enabling zero trust. And what we mean there is essentially eliminating lateral movement and overly subscribed admin creds and all the things that you kind of know you shouldn't have in architecture and focusing on getting it to zero. Not some, not a little bit. We want zero. And then being able to architect around that. There is a difference between the marketing side of it and the reality of what you're going to bring into that space.
Eric: Arika, I think we have a big chasm here between the two in my experience.
Arika: No, no, I would agree. I would agree. It's funny because we hear so many different viewpoints on the podcast so it's always interesting to hear someone else's perspective that's a little bit different than what we've heard before.
Eric: So what do we do, Chase? What do we do with zero trust? How do we really get down to the intent as opposed to the marketing speak around it?
Chase: Well, I mean it's one of those things where an organization has to basically say like, "Look, if we're going to have a secure enterprise and architecture, what are the minimum things that we have to have to get there?" And that's where we put together the framework that we did ZTX to say these are the seven core components that you need to get to zero trust. And then, we basically do the analysis on the market and which vendor solutions meet that need.
How To Gain Zero Trust
Chase: because let's face it, you may have a vendor capability that offers you four or five or six pieces of that puzzle, but there's always going to be something else that you need to add in. So the goal of that whole thing is to see without ever looking at the straight up vendor side of "What do I have to have technically to enable me to get to zero trust? Okay, I understand that. Now based on those components, which solutions enable me to get there with that technology?"
Arika: Just out of curiosity, and of course not naming any names or anything like that, but do you feel as though are most of the solutions hitting those seven core components for ZTX or is it much more marketing speak and more getting punted?
Chase: No, I mean there's some really good solution sets that are well aimed at that. And interesting. They're kind of as a two sides of the coin. There's the platforms sort of play where the solutions will be three or four of those core components that are offered and they're offered in kind of a package. Or there is, "We are really good at X and this X piece fits into zero trust very well." And so there still is a decision point that has to be made by the end user of "Do I want to go with as much platform as I can get and drink a lot of the Koolaid or do I want to try and put this together with seven different core components from seven different solutions providers?"
Eric: And what are you seeing in the market?
A Slow, Glacial Move to the Right Direction
Chase: I see it's based on the maturity of the organization. If it's very mature organization that's been steeped in security for a long time, they typically want to go the platform route because they understand how to get the most bang for that buck from that singular provider. If it's an organization that's less mature, they typically are trying to bring in the best of breed from five or six or seven different capabilities and tie them together, which either way will work, but it still doesn't matter unless you have a strategy and a plan to get there.
Arika: I guess we‘ll see what the future holds, but it looks like, to your point earlier, at least we are seeing the mindset to thinking about how we approach cybersecurity to start to shift in the right direction or towards the right direction.
Chase: Yeah, I mean it's a slow glacial move. I mean this is a battleship, right? It takes a while to turn it.
Eric: With a popsicle stick.
Chase: Yeah. It is a good turn.
Eric: So how do you see data in the middle of the zero trust architecture or model?
Chase: Data is the core component of security. And I think people kind of forget that because there's all this other sexy, cool tangental thing that we do. But that's why we're in security is to secure data. No one breaks into a bank to say they're in a building. They break into a bank to take money. That's what data is, is the currency.
Eric: Data is the goal.
Chase: That's what they're coming for. It's really important to make sure that you understand across the entire life cycle of zero trust that data is why you're doing what you're doing
Understanding the New Side of Zero Trust
Chase: and if the solution doesn't enable you to do better data security via segmentation or isolation or authentication like any one of those, then it's not a solution that actually meets the need for zero trust.
Eric: I find a lot of our customers focus on the identity and access management side of zero trust. They talk a little bit about micro segmentation but many don't quite understand what that is or how to effectively implement that. And most are challenged. Going back to the beginning of this conversation. They don't understand the data. They don't understand risk in the organization, which means they never understand the value of the data, who should have access to it, how they should protect it. And obviously we spent a lot of time on data here. Not a commercial, but because of that I really understand. We drill into customers and it's very apparent they don't understand the value of different types of data in most cases. You just see the same thing?
Chase: I see that all the time. And that's where I think I've taken a different approach to the new sort of side of zero trust instead of the old were I've never told anyone ever like "Let's go off and do this data discovery, classification schematizing, blah blah blah" side of it.
Eric: You lost me already.
Chase: Yeah, because I mean honestly that solution set doesn't exist in the market. It's not there and one user can create data so fast, so you know quickly, that it negates that whole approach. So that's why I think that the differences being made on finding out what the users are doing, how they're accessing that data and then securing it based on that approach.
Where to Get More Info About Zero Trust?
Chase: Not spending all of your time trying to do this data discovery and schematizing thing. I mean, there is not a solution on the market that enables that.
Eric: I think we saw that as old school DLP, right? "We're going to come in and protect everything." I don't think a lot of organizations were very successful with that approach.
Chase: No. Everyone I've run into that wanted to do legacy DLP.
Eric: They're still doing it.
Chase: you basically want to.
Eric: Yeah, they're still doing it. You've got to understand behavior, human behavior and intent. The data's important. It's not just "put a policy out there to scan it" though. I agree with you.
Chase: Well, and I mean ultimately who uses that data, that's what matters. Data without users. Just sits there.
Eric: Who uses it, what their intent is, how they're planning on using it. And you can baseline off of that. Okay. So where are you with your YouTube channel on Dr. Zero Trust?
Chase: So, yeah, I've got a few videos out there. I'm getting ready to put another one out. And my goal there, actually kind of to your point earlier, is I deal with so many small and mid organizations that don't have the wherewithal to understand a lot of these big security plays in concepts. Is I'm just trying to boil it down and put it into very succinct, very clear and concise, usable terms for those small and midsize organizations, so that they can get the value out of it. Just like the big boys can.
Arika: That's good stuff. Where can users check it out? What should they search on YouTube?
Zero Trust Buttons
Chase: Just look Dr. Zero Trust. I'm the only one there and it's pretty easy to find me. It's an interesting channel and I mean the thing that really try to get across is like, "Look, this is practical stuff. I'm not in there putting out the unsolvable problems. Like this is real world." I literally did a video called zero trust buttons and it was "This is how simple this is."
Eric: Awesome. So as we wrap up here, I want to swerve a little bit on you, Chase. Why did you join the Navy?
Chase: To be perfectly honest, it was so I could get the hell off my parents' farm when I was 17.
Eric: I joined the army for the same reason and my grandparents had the farm across the street but to get out of the house.
Chase: I had to figure out a way to get off the farm cause I was tired of being free labor. So, I joined the Navy and became a different time of free labor.
Eric: Well we appreciate what you've done for the country in your service. And my request would be,I think the big mission ahead of you is simplifying security, getting that message out for the world regardless of where you are. Just simplifying security and getting something where we can get tangible results and stop doing the same old same old that doesn't work
Chase: I really appreciate that. My mission in life is to just to make it where people can understand how important that stuff is. That's why I did the comics I did for kids in cybersecurity. Like the the goal of this is just to help everybody in my opinion be a little bit safer cause safety matters.
Not Closing Doors on Zero Trust
Arika: Yeah. I think when it's less intimidating, I think it has more of an impact and we can go further.
Chase: And I mean this is solvable. Like this is not rocket science. Like there are things you do, things you put in place and ways you approach it that can make a difference.
Arika: Absolutely. Thank you so much, Chase.
Eric: We certainly hope so.
Arika: This was such a great discussion. Really appreciate your time today. I think we've covered, wow a number of great topics. So really, really thank for being on the podcast.
Chase: Thank you all for having me. It's great talking to you.
Eric: Chase, until we speak again. Thank you.
Chase: Y'all have a good one.
Arika: Thank you. And thank you to all of our listeners out there for tuning in this week. Please continue to subscribe, share the podcast. As well as drop us a note. Let us know what you think or what you would like to hear about us talk about next. So thank you and have a great week.
Arika: Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/govpodcast. and don't forget to subscribe and leave a review on iTunes or the Google Play Store.