Dr. Chase Cunningham and the Impact and Future of Zero Trust - Ep. 118

Episode Table of Contents

•    [01:23] Dr. Zero Trust Chase Cunningham
•    [08:04] The Only People Making Money in Cyber
•    [16:29] Subverting the Zero Trust Concepts
•    [21:55] People Value Security More Than We Think
•    [28:49] Organizations Looking At Zero Trust
•    About Our Guest

Dr. Zero Trust Chase Cunningham

Eric: Carolyn Ford has decided to move on to bigger and better opportunities. She will no longer be joining me on the podcast every week. One of the great pieces of news, though, is that Rachael Lyon, who you may know from episode 68, is taking Carolyn's place. We were at RSA talking about what it takes to run a cybersecurity show from an industry perspective.

Rachael: Thank you, Eric. I could never fill Carolyn's shoes; those are some pretty big shoes, but I'm super excited to be here. For my first episode, we'll be talking with Dr. Chase Cunningham.

Eric: Welcome to the podcast Dr. Zero Trust, Chase Cunningham. From episode 50, we talked about Zero Trust for probably 30-35 minutes. Great episode there. Welcome back. You are now the Chief Strategy Officer of Ericom. That being a cybersecurity vendor focused on RBI. Do you want to tell our guests what RBI is?

Chase: That's remote browser isolation. That's the current offering that's out there. What we're talking about there is basically running your desktop, your browser, through the cloud. That's the simplest way I can put it.

Eric: Really getting it off the desktop, getting it out somewhere. Pushing the security envelope out into the cloud to better protect the internal organization systems.

Chase: There’s strategic value there because that's what I always look at, especially around the contest of ZT. The more that I can use the cloud and extend my defensive edge, the better off I am. One reason why I, and I wrote about RBI two years ago at Forrester.

All the Zero Trust Work at Forrester

Chase: As far as an announcement was really, "Look, I'm okay with things going sideways. But I want them to go sideways in a Petri dish that's not my endpoint." That's what we're doing with this particular solution.

Eric: You mentioned Forrester. You were one of the principal analysts at Forrester, focusing pretty heavily on Zero Trust. In episode 50, we can hear all about your perspectives on it.

Chase: I have a traumatic disorder from all the Zero Trust work I was doing at Forrester.

Eric: Help us understand the move from the analyst side. You're now in industry, a Navy veteran, you used to do red team work. Help us understand what that shift is like.

Chase: Number one, it's very different. I went from industry consulting to analyst, and there you go from conversing, doing, working, whatever. Then you go to an analyst, which is research, plot, plan, strategize, that type of thing. Now I'm going back to doing a lot of what I've been preaching. I was at a stage where everything was going really well with the initiative around ZT that we’d collectively put in place.

Chase: I wanted to see if my own practical application could do what I was telling people they needed to do. It's always okay to tell people to do things until you have to do it yourself. You really get the ground truth whether or not what you're saying is actually achievable.

Eric: And Rachael coming in as the director of communications, you're telling people what our thoughts are on the industry. You're telling people, you agree with that?

The Explosive Growth of Zero Trust

Rachael: Absolutely. Chase, we talked about this a little bit last year when we caught up. Just the explosive growth of Zero Trust with all of the work from home, the distributed environments. The acceleration of enterprises looking to embrace this strategy. How do you move forward, though? That's the big question a lot of people ask themselves because it's so critical. How do you move forward?

Chase: That's the deal. We're moving into a place where this has gone global. I have conversations with folks in Australia, in Japan, in India, in the UK, in the Middle East. The good thing is, we've crossed the chasm as far as adoption. But now it really is about which things are useful in the context of delivering that capability.

Eric: A couple of things have happened. From the government perspective, Zero Trust has really picked up steam in the last 18-24 months, from what we've seen. Chase, does that align with what you've seen?

Chase: It's kind of funny. I never waste a good crisis, and unfortunately, this COVID thing has been a huge crisis. However, it did finally put the nail in the coffin as far as a defensible perimeter.

Chase: Now, if that approach dies, then everyone says, "Well, what is the next strategic approach that makes sense?" It's Zero Trust. I don't have to converse or argue with people anymore about whether they can defend their perimeter. They know they can't.

Eric: They were forced to do something very rapidly, as we've talked about before on the show. We even see NIST coming out with the Zero Trust architecture.

Chase: 800-207.

The Most Secure Zero Trust Infrastructure on the Planet

Eric: The guidelines, the Bible, around Zero Trust came out last August, and we're seeing a lot of evolution in the space. In your experience, are we seeing a lot of implementations? Are we learning a lot from them, what's working, what's not, how people are interpreting this?

Chase: We've seen an adoption, first of micro-segmentation and identity and access management, which makes sense. However, that was kind of trucking along somewhat before COVID. Now, COVID has expedited what else is needed there. What we're starting to see is that it's not just big enterprise or big government. Or whatever else that's dialing in on this approach and needing these solutions, it's everybody, everywhere.

Chase: That's a deciding factor too because we forget. Even if you have the most secure Zero Trust infrastructure on the planet, when you're connected to someone else, if they have disregarded their security infrastructure needs, they're going to introduce a threat to you. The connected nature of business is what’ll continue to allow compromises to take place if we don't approach it correctly.

Eric: Really, the weakest link in the chain is where you're going to see the break.

Chase: I'm hesitant to even say the weakest link. I think a lot of folks are doing things that are strengthening their position. However, what I do run into are the folks that aren't deeply entrenched and don't have dedicated resources to security. They don't necessarily get what makes sense along the lines of a strategy.

Chase: They just think they can get stuff, technology, and turn it on and they're better. That's not how it works.

The Only People Making Money in Cyber

Eric: That's been my career-long challenge. I often say the only people making money in cyber are the employees. You go out, and you buy some tech, and you do well with it. Then you go get another job and do well with the same tech. If you don't do well, you just go and get another job. I don't know that it's always about technology, but we spend so much time and focus on tech.

Chase: It's tech. What's really valuable, and people should look at tech more broadly here, is that technology is always a dual-edged sword. I wrote in the book I published, "A shovel is a piece of technology. I can use it to dig an irrigation ditch to help people farm and feed families. Or I can take the same shovel and bash you in the skull with it, and it's a weapon." That's the reality of technology. Whatever you use it for, it can be used for a nefarious purpose.

Eric: Or you can buy the shovel and leave it in the shed and never use it.

Chase: You could invest in shovel technology and never even turn on the shovels.

Eric: We see a lot of that. Rachael and I don't necessarily see the integration as much as we'd like in the business. We have a strategy, we have an architecture, we have a plan, or customers do. They're buying technology components to fit in, to solve a component of that stack, that problem set. It's integrated.

Eric: A lot of times, it's, "Hey, I have money," or, "Hey, I was told Zero Trust is important.

A Recommendation Coming From an Analyst

Eric: This is what I'm doing around IdAM, or ICAM, or whatever it may be." What's your recommendation, though? Coming from an analyst side, having been a practitioner, how would you recommend customers approach it?

Chase: First, I always like to solve the physics of the problem. Everybody talks about risk. Where are you most likely to encounter stuff that would cause a compromise? For the record, across the history of cyber, there's never been a single exploit that works just because of some crazy AI that just activated it. It was a human, somehow somewhere, that caused that thing to do whatever it did.

Chase: Whether they downloaded it, or clicked on it, or had a bad password, or whatever, it was human-related. Being able to have the controls and capabilities to secure our users, is first and foremost on this whole thing. There's a whole bunch of different ways to do that. If you don't deal with that, you can firewall yourself until you have one electron at a time bouncing around.

Chase: It doesn't matter. Sooner or later something will go awry. It's really about extending the edge of control, making it where the users are the focus of applied security. Then moving into those other things, which are more difficult to solve, farther along the curve towards maturity.

Eric: If I'm listening as a cybersecurity practitioner, what are some recommendations that either one of you have seen out there where the users are the focus of applied security? What do I do? How do I make that tangible?

Chase: I would say one of the things you've got to do is turn on multi-factor authentication on stuff. All the time, everywhere.

Putting Things in Control Around the Devices

Chase: There are people that say, "Oh, well it's been compromised, whatever." Okay, sure. There are ways to get around MFA. However, it's not a low-hanging fruit. That gives you infinitely more ability to know who has access.

Chase: The next thing that follows along with that is putting things in control around the devices themselves. Patches and whatever else, and then, the monitoring of the individual activity. It's not that Draconian thing of, "I want to know what you're doing at home, and I want to have insight and be creepy."

Chase: But if I want to defend you, I have to know if there's something anomalous going on. You can go forward from there in a whole bunch of different ways. But if you said the first three things out of the bag, in my opinion, it's along those lines.

Eric: Multi-factor authentication, really looking at the endpoint clients' patching, making sure all the patches are up to date. Then monitoring user behavior and activity.

Chase: Just making sure that the device itself is somehow protected, that it's got something running on it. At the end of the day, I just want you to at least run some sort of security software on your endpoint. There are things I'd like you to do, but if I have nothing else, at least do that.

Eric: At least give me AV or the modern-day equivalent.

Chase: Don't just let that thing be running naked across the internet.

Rachael: It's a really good point that he's making, though, about securing the user.

The Human Point

Rachael: Is this a new concept for people to be looking at it from that perspective of securing the user? I know RSA last year, the human point, that was the theme. It seems like in the last 18 months or so, people are starting to come around to it more.

Rachael: But again, do you think the events of the last year really helped make the people perimeter? You really have to secure the people. It's almost a new way of thinking, in a sense. What are you seeing there?

Chase: We're starting to see that that becomes a pretty common point of conversation, which is good. I still think within the technology space, there are some things that folks push because that's their offering, and that's fine.

Chase: Where we're getting to is technology has made it where you can do these things for the user. It's going to have a relatively low impact on them. I'm working on a paper about it. But when I got to my new job and I did all my benefits stuff, I didn't have to contact HR.

Chase: I was able to walk through the wizard, through the UI. I set up all my benefits, all my dental, all my medical, all my other insurance, whatever. It took me about 15 minutes and now I'm good. I feel a little bit better because I know that I've set up those things to take care of me and my family.

Chase: Security should be the same way, where it's driven by the user. It's sort of choose your own adventure. But you are making sure that they operate within the bounds of control that will take care of them. That's where we're going to get to.

Subverting the Zero Trust Concepts

Eric: But we don't manage it like that. We don't update the security controls, the applications and rights that we have. In a manner like we do when we're paying for health insurance and we change a plan somehow.

Chase: We don't currently do that. We're starting to see the inklings that that's becoming a thing. If you look at Duo and some of these other companies that have got pretty good approaches to it. Where if I try and authenticate, Duo is going to check and go, "You didn't patch your machine. Here's the patch you need. Click it, do your thing," and then they'll allow you to authenticate.

Chase: Some of these companies are putting those things in place. Where it is driven by the user and their interaction with the apparatus, which is really good. Covering the market like I did while I was at Forrester, I started to see that was becoming more commonplace.

Chase: The other thing we're starting to see is a lot of what we tagged as security technology. We realize if you're effectively approaching the problem, a lot of it's an IT issue. It's not security.

Eric: That's one of the problems I'm seeing. Let's transition for a second to my favorite topic, the SolarWinds breach. We're working with customers. I'm seeing industry talk. Who's responsible here? Is it IT, is it cybersecurity? There's clearly a delineation. A line that's causing some problems when it comes to who is responsible for the patching.

Eric: Who is responsible for understanding what's going on, who is responsible when they do subvert some of the Zero Trust concepts. The adversary is now an admin, a domain admin, or an admin on the system, and can create.

Dealing With Burndown Lists

Eric: They can get around multi-factor authentication, they can create accounts that are trusted. Now, what do we do?

Chase: This is going to be a forest fire that takes years to dig ourselves out of. They're dealing with burndown lists the likes of which we haven't seen. When we went back to this, a lot of folks were, "This is a first, one and done, in the software supply chain."

Chase: Actually, it wasn't. If you look at Maersk and Norsk Hydro, the same thing happened to them. It was accounting software that got those folks because the Russians were able to implant something into that system.

Eric: You're talking back in, what was that, 18? 17, 18, maybe, with Ukraine?

Chase: Yes. What we saw there was an early iteration of what they were planning for this particular approach. They tried it out on a commercial entity, knowing that it wasn't government. And they had a way to practice that skill set. It just happened to work really well, because they took down all of Maersk and Norsk Hydro.

Chase: The other thing that is starting to show up here, and I think we're going to see more of it in the near future. It’s the procurement customers, vendors, third party issue that, on the business side, will become part of the vetting lifecycle. For the approach to ZT, or for infrastructure anywhere.

Chase: So if you look at the government with CMMC, they're actually putting control of a framework in place. To say, "A prime, if you're doing business with a third party or vendor, guess what. They have to do these things or you might lose the contract."

Basic Cyber Hygiene

Eric: Which, as we know, is over 300,000 current day vendors, it may skinny down a little bit when people say, "I can't afford to do that." Or, "I choose not to do that," or whatever, but that's huge. Do we think it will work?

Chase: It's a good step in the right direction. It's a bit heavy-handed by the federal government to have some of those expectations they're levying on small vendors. When I was a consultant, I worked with a group that was doing software for the F-35.

Chase: It was three guys, and it was like they were a sub to a sub on a contract. It's like, you mean that you're going to tell me that they have to be CMMC Level 1 compliant? They'll never do it, they'll just find other ways to work.

Eric: They're pretty basic. Level one, basic cyber hygiene. We talked a little bit before the show started about moving to the underserved markets. How do we make cybersecurity easier so that they can better protect themselves? What you are doing for cybersecurity is pretty simple.

Chase: In a lot of instances. The reason I brought up the underserved market stuff is I had a workshop with a coalition in the Horn of Africa. When I started talking to them about what they were doing for cybersecurity, none of them. Nobody had anything going on about what they were doing for cyber.

Chase: These were folks that were running banks, and healthcare organizations, and whatever else in Africa. Their response was, "Well, we don't really know." I’d guarantee you those folks are doing business with other folks outside of Africa that could cause a compromise. You've got to find a way to get to it.

Make Them a Harder Target

Chase: They didn't need a whole lot. What they needed, like we said, are the anti-virus and some of these other solutions to help them out. To make them a harder target.

Eric: Basic cybersecurity, achievable for small companies, subset of universally accepted common practices. We're talking basic stuff on level one.

Rachael: It's kind of remarkable too. If you're just doing the basic cyber hygiene, that gets you pretty far. They kind of make it pretty simple to do that today. So it's kind of surprising to hear that folks aren't even doing that.

Chase: People don't wear seat belts, people smoke cigarettes, people do things. They're willing to accept the risk, even if it's not the best idea.

Rachael: Because it's not going to happen to them.

Eric: Chase, you said the government is pushing pretty hard, pretty overhanded maybe. I'm trying to remember the exact word you used.

Chase: Heavy-handed was what I said.

Eric: Yes. I don't want to misquote you. But when you look at things like HIPAA protections, things like that, the government's doing the same thing to protect your personal data.

Chase: Look at how well that's worked.

Eric: I hear you. But are they overstepping, or is this something that, as a consumer, as a constituent, you should expect? That people and organizations that have your information, that you share information with, are doing something to protect it?

Chase: Interesting point there. There was a study done by Harvard Business School. If you talk to a bunch of consumers and ask them, "Would you be willing to do more business with a company that can tell you how they secure your data? Or one that doesn't have a clearly referenceable approach?"

People Value Security More Than We Think

Chase: 55% of those folks said we would rather do business with someone that can tell us how they secure that information. It is kind of logical, but it means people value security more than we think. So, having that ability is a competitive differentiator.

Chase: But the problem that I have with the government space is we write lots of policies. Lots of legislation by people who are well-intended, but no offense, don't have a technical background. Then we have no way to technically enforce said policy. Which is where we wind up in the quandary we're in right now.

Eric: Rachael, what do you think was happening with the other 45%? The ones who said, "No, I'd rather do business with people who don't have a handle on their cybersecurity." That blows my mind.

Rachael: I can't believe that it's that high. 45% is insane.

Eric: Chase, did it at least say the price would be higher or it would take longer?

Rachael: Are there benefits?

Chase: There were other things in there. They’re like, "Would you pay more to have access to services that were secure," that type of thing. 45% were like, "No, I'll just deal with what it is."

Eric: What do you think people do in real life though?

Chase: It's all about speed and ease of use. That's why I think security has got to get to that space. We, too, have a generation of folks that are coming into the workforce now. There has never been a day in their life without wifi. They don't even know how technology works, but they use it like it is core to their persona. So we have to make it where it's part of their everyday living scenario.

We’ve Got Zero Trust

Eric: They'll take wifi whether it's secure or not. They just want to get connected, as opposed to really checking, "Hey, is this secure? Is this the best way for me to get on board?"

Chase: You got kids, you want to talk about chaos, turn off the internet for 30 minutes.

Eric: No, I do that when the grades go down. It works very, very effectively. So what does the future look like? Let's talk about that for a few seconds. We've got Zero Trust. Zero Trust has been out for what? 11, 12, 13 years?

Chase: The earliest reference to it was 2009.

Eric: Where do we go in the future?

Chase: We're going to that place where it is going to be more about the user. More about the cloud, more about BYOD and remote work. The last numbers I saw said that 33% of the global workforce will never return to an office full time.

Eric: Rachael, are you going back to the office?

Rachael: I get so much done from home. It's wonderful, I'm able to focus. Aside from the dogs barking every now and then, I get so much done at work. But I do miss the hallway conversations.

Eric: We've clearly poked some holes in that perimeter that we all want, that Maginot Line.

Chase: But we don't have to. That's the thing. We don't, if we do it correctly. Again, you're never going to be bulletproof, but you can be bullet resistant. That's where we're trying to go. And that's why I say more BYOD, more cloud, more of this sort of digital experience is where the power lies. But it does require folks from small businesses all the way up to enterprise.

This Is the Time

Chase: To basically say, "We're going to approach it differently." I'll tell people in speeches, I did a whole bunch of SKOs this year. This is the time. All of the calamity that occurred has made it where this is an accepted approach. Do this now.

Rachael: I love the focus on user experience. That's such an important point that folks are starting to come around to. Because if you have to think too much about it, then you're not going to do it. You just want to get connected, you want to have it be faster. I love that part of the conversation now, it’s more user experience. How do we make security more ubiquitous, so it just works and you don't have to think about it?

Chase: If you want a good relation, look at the modern automobile. If you go back, even let's say five years, you used to have to buy a GPS and put it in your car. You go back a little further than that, you used to actually have to have an option to get an airbag.

Chase: All these things now, you get into a modern vehicle. You push the button to turn it on because they don't have keys anymore. Then you drive wherever you're going to go, and you can talk to Siri, and it's all there for you. It's evolved to that point where you get really modern transit without all the crazy technical requirements. You just drive your car.

Eric: Will we see an evolution of Zero Trust, or will we just see Zero Trust in practice? What's your thought?

The Broader Adoption of Zero Trust

Chase: We're going to have a technology evolution. For the core components of Zero Trust that are more part of that user experience and more inherent in security. I think we will see the broader adoption of Zero Trust strategically for enterprises.

Eric: But it should be transparent.

Chase: Enterprise from small biz, all the way to big biz.

Eric: This is one where we were talking about the underserved, smaller end of the business cycle. But the cloud is, in some ways, the great equalizer. I can sign up for a hundred thousand users. Or I can sign up for 20 if that's the size of my business. Now, I may have consulting teams.

Eric: There may be things I can do differently from a large corporate enterprise perspective than I would as a small business. But when the tools are oriented towards me and they work, I've got better protection. Better than I did five years ago when I had to set it up in a data center or a server closet of some sort.

Chase: The cloud is where the power lies. That's where things should be going. However, remember, the cloud doesn't care if you're secure. That's up to you. The cloud is infrastructure. Just like a bridge doesn't care if you drop off of the bridge, it's there to get you from A to B.

Eric: In your work, did you work with any of the CSPs, the cloud service providers, on their thoughts around Zero Trust? Recognizing that they are infrastructure, or a platform, or software as a service, they've got that shared responsibility model where the end-user, the organization really, is responsible for that.

Organizations Looking At Zero Trust

Chase: I worked with all of them, but I would say, flat out. Microsoft is doing a hell of a job with what they're doing around Zero Trust for their Azure cloud. GCP is also doing a hell of a job with implementation of BeyondCorp and the availability of those technologies.

Eric: And that's Google?

Chase: GCP, Google. Microsoft actually has stood up a work group within Azure, specifically for Zero Trust for their infrastructure, which is super.

Eric: Not only are organizations looking at Zero Trust but the big CSPs. Which is where the computer is continuing to evolve to, is where we're seeing activity?

Chase: It's taking on a mind of its own, which is good. That's when you've done things. It's become bigger than just a few people in a room talking about it.

Eric: Rachael, five years from now, are we better off or worse off as it relates to security? We know we'll be doing more. We'll be more connected. We know there will be more people using more things. But are we better or worse off in your opinion?

Rachael: We're going to be better off. Everything is trending in the right direction.

Eric: More secure.

Rachael: Just because we're thinking about the right things now. It took a while for folks to get there. That kind of, almost like herd immunity, if you will, but for security recognition of we need these things. User experience is critical if we're going to be successful here. We know about the people's perimeter now. We know about securing the user. In five years, think of all the advancements we can make.

Protecting What Matters

Rachael: I'm really excited for what's to come. Will we ever crack the nut where it's a silver bullet and we fix all the problems? No. But we're going to a place where we feel really good day to day and not so worried like we are today.

Eric: I look back five years, and I believe we've gone so slowly. The industry just doesn't move fast enough. Dr. Zero Trust, to you, what do you think? Better or worse?

Chase: We're going to keep getting better. The herd immunity is becoming more of a realistic thing. The technologies that are in the space are becoming more usable than they were. We're getting to a place where you can do these things and not have to be a security engineer to do them. Which is where we need to go. My daughter set up her MFA on Fortnite in about three minutes.

Eric: Multi-factor authentication on Fortnite. Wow. I bet you are a proud dad.

Chase: You know what? I didn't do anything. The funny thing to me when I asked her why she did it, she said, "Well, I'm protecting my V-Bucks." So the value she got was she was protecting what mattered to her.

Eric: That's a great way to end the show. When it matters to you, whether it's your health care benefits that you're checking in on. Or it's your kid on Fortnite, when it protects them, that's what's going to do it. You can't have a few people in cybersecurity protecting the whole organization.

Eric: You need the organization protecting the organization. Chase, awesome having you for Rachael's first show. Rachael, I'm so glad you decided to pick this one up and join us. Chase, where can our listeners find you? Drzerotrust.com?

The Beauty of This Planet

Chase: You can find me at drzerotrust.com, which that site is coming live here pretty soon. You can also find me at ericom.com. And then, C-Y-N-J-A-C-H-A-S-E-C on Twitter. I'm pretty easy to find on LinkedIn as well.

Eric: We'll link to that in the show notes. Rachael, any last thoughts from your first show?

Rachael: I'm excited to be here. Dr. Chase Cunningham for the first guest, I feel like the luckiest girl in the world. So thanks for having me, and I look forward to many more.

Chase: You are way too kind.

Eric: I'm not sure I would have gone quite that far from my perspective, but that's the beauty of this planet. We all have our own perspectives. I love your wisdom, I love your insight into cybersecurity, Zero Trust, and really appreciate your time. So don't take that as a slight at all. I'm just not quite at the same level as your fan Rachael there.

Eric: Anyway, to all of our subscribers smash the subscribe button, as Carolyn would say. Let us know what you like. Give us that feedback. We really do appreciate it. And until next week, this has been To The Point Cybersecurity with Dr. Chase Cunningham and Rachael Lyon. Thank you for listening. We'll talk to you soon. Take care.

About Our Guest

Dr. Chase Cunningham is the Chief Strategy Officer for Ericom. He shapes the company's strategic vision, roadmap and key partnerships. Dr. Cunningham previously served as vice president and principal analyst at Forrester Research, providing strategic guidance on Zero Trust, artificial intelligence, machine learning and security architecture design for security leaders around the globe.

While at Forrester, Dr. Cunningham spearheaded and evolved the Forrester Zero Trust certification program. He was the principal architect for the Zero Trust eXtended (ZTX) framework, which helped drive Zero Trust adoption globally. Prior to joining Forrester Research, Dr. Cunningham was the Director of Cyber Threat Intelligence at Armor. He designed and managed the cloud security and intelligence engine for their enterprise customers.

He's also a retired US Navy Chief Cryptologic Technician with more than 20 years' experience in cyberforensic and cyberanalytic operations, including time spent working in security centers within the NSA, CIA, FBI, and other government agencies.