Zero trust ridefinisce la sicurezza in un mondo senza perimetro

Rhonda Shantz: Welcome to our webinar today on zero trust security. I'm Rhonda Shantz, the CMO of MobileIron, and I'm here with a guest speaker today, Dr. Chase Cunningham, who's one of the principal analysts at Forrester. He's been focused on zero trust for the last couple of years, which has really been about taking it from it's… the idea of a philosophy into execution. He's actually launched a paper out last year on zero trust acts and a number of blogs and-

Dr. Chase Cunningham: A lot, yeah.

Rhonda Shantz: Writings and inquiries. Just a huge emphasis on this type of a program. So we're excited to have you here today. We will be covering a number of topics. I'm sorry, I'm just trying to figure out the clear. How we're going to cover this webinar today is that Chase is going to go over a couple of topics with you. He's going to talk about the realities of security, some of the things that you should be thinking about in 2019. Also the security dynamics and what CISOs and security professionals are actually worried about and some of their top concerns. He'll share the zero trust framework, and then we'll open it up kind of to a fireside chat approach, and we'll talk about zero trust security and actually a little bit of point of view that we have around a mobile centric view of zero trust. And with that, I will hand it over to you Chase.

Dr. Chase Cunningham: Thanks. So getting into the reality of security for 2019, we've basically continued to see breaches across history. It hasn't stopped, it hasn't slowed down. Last year was I think 3 billion plus records that were actually noted to be stolen, and you started to see organizations that have been hitting have been hit with those major sort of credential stuffing attacks. So it's continuing to get worse. You've got nation states playing... I'm not trying to, toss the threat thing in there because we're all inundated with it, but just speaking up the reality of it. Like the folks that are trying to dial in on this and think that it's getting better, it's not necessarily that the threats are becoming even more amazing or super hackery or whatever. It's just that there's been so much activity that's taken place over the last two decades that now it's pretty much easy to continue these exploitation type of operations.

Rhonda Shantz: Mm-hmm (affirmative)

Dr. Chase Cunningham: Anyone that thinks that they don't have a compromise that's actually active in their network they’re wrong? I mean, the reality of this whole situation is... Do the math, right? There's roughly 300 million people in United States. Last year was two plus billion records stolen, so your odds of having a stolen account or a compromised credentials somewhere within the network is essentially a one in 10. It's almost a given that there's that type of activity there. Tie into that, that people forget that cyberspace is actually a war fighting domain. In 2010, the US DOD declared Cyberspace a war fighting domain. So point there being, every organization on the planet, every user, every mom, every kid, every Roku device, whatever it is. If it sends electrons across the network, it's transiting a live viral battlefield.

Dr. Chase Cunningham: You can't do it at that speed in that area with that type of activity taking place and not expect to catch a round sooner or later. Compromises there like you're hacked. Just realize that. Live with it. Start figuring out how to fix it and not be the continued, hack that takes place. Exploitation is child's play. You don't have to be a computer scientist, you don't have to have a PHD, you don't have to be some amazing Russian hacker to do exploitation. You can go buy the stuff from websites. You can go download it off at github in some instances.

Dr. Chase Cunningham: Exploitation literally is child's play. You can bring down an entire network if you know what you're doing for a few hundred bucks. And Organizations have to realize that, that this is not hard to do and it is not a question of if, but when, and how bad. So you had better start preparing yourself and you'd better start thinking about ways to get past that. Luckily, because exploitation is kind of child's play, there are ways strategically to be ahead of that threat.

Dr. Chase Cunningham: Compliance is something that comes up in my world all the time. In the advisory sessions, in the workshops, people will say, "Well, I just did my ISO 27001 or on this state hundred or on PCI. I was a red teamer for a long time. I can tell you that I love compliant environments because that means they're usually just getting through things. They think that they've got it locked down and we're going to come in and eat your lunch. I just had some friends that were out in the sort of central part of the United States doing a test on an organization that just been through a compliance audit took them 19 minutes doing it. So compliant, fully compliant.

Dr. Chase Cunningham: If you're a compliant you look like that motorcycle. You're sitting there with your helmet on and you've got your bike. I don't know where he's keeping his wallet, if he gets pulled over. But I mean, the reality of it is like he's compliant. Like he's not as good as that guy in the prior slide where he's sitting on a motorcycle, he's got his leathers on, he's got a helmet on. He thought about the reality of, "You know what, if I ride this motorcycle, there's pretty good odds sooner or later I'm going to go down, and I want to walk away. I might have some road rash, maybe I break a bone or something, but at least I'll have the protection I need in place to make sure that I survive." This guy, he's compliant. Like technically a cop probably can't actually pull him over other than lewd him with lascivious behavior. But he's not going to walk away. His road rash will be epic compared to the other guy. That's what compliance gets you, and if you think compliance is going to quote on quote save your ass, this is what you wind up with.

Dr. Chase Cunningham: And when you start talking to organizations about their secure perimeter, this is what you usually wind up with. The permanent base model has categorically failed. Forrester did a study about a year ago where we asked organizations all over the planet, "Do they believe that for perimeter based security has succeeded?" And almost three out of four of them came back and said, "No. We, we understand that the perimeter based model has categorically let us down." This is what you wind up with where there's chains around the fence but somebody who's taken a zip tie and tied it in there because it's sitting there just waiting to be opened up.

Dr. Chase Cunningham: The moment you have a thousand foot wall, someone will put a thousand foot ladder with one extra inch on and climb over the top. It's not enough to think that you've kept things out and the realization that the perimeter based model doesn't exist in a world with a BYOD workforce where people are mobile, where people have devices. It just that the reality of the situation. Perimeter security is a failed model. Understand that. Embrace it. Realize that you cannot defend your enterprise by focusing on a secure perimeter. It's more about security at the edge. It's more about pushing it out to the device, to the user, and knowing that you're actually making sure that they don't have a choice, but the operate in a secure fashion. Firewalls and network and stuff is important, but it is not where you win the security battle.

Dr. Chase Cunningham: The market itself is changing because of this sort of realization of the realities around it. If you go to RSA this year, which we're out here for that, you're going to walk around and see zero trust everywhere. And I think that's a great thing with the caveat that it's a great thing as long as we don't skew the marketing for the reality of the strategy. The growth in the industry around zero trust is the fact that organizations understand that strategy is finally taking hold and technology should align to that strategy to achieve the objectives. And ultimately the market should be enabling people to be more secure so that your business does better. It's not just because you like doing security. Ford Motor Company does not have a SOC because Ford Motor Company wants to do security. Ford wants their customers to think they're more secure so they'll buy more Ford stuff. That's where this thing is going and I think it's a good thing that we're getting there.

Dr. Chase Cunningham: So just to validate that particular point that I was making a little bit earlier, this is the data that actually says from our study that the permanent race model categorically as leadership understands it, it's failed. It is no longer something that we can enforce. It doesn't make sense. You simply cannot exist in the environment that we find ourselves in today and continue to focus on the network being the sole source of enforcement and by keeping people out because your perimeter is locked down. Your perimeter is gone. It's just been obliterated. Get away from it. Start thinking about the edge, and start thinking about how you push controls out there and take care of those entities that are touching that edge.

Dr. Chase Cunningham: When you started out asking the organizations really, where does that edge exist? Like what do they try and fix? Where does that enterprise security start? Like what are they concerned about? It actually starts here with them talking about mobile device and devices and the things that live outside the bounds of the normality of the network itself. The top three things that they're looking for, the IAM, device security and being able to make sure that they know that they have controls pushed out to the boundaries of that edge. And organizations are responding to that. And those aren't low numbers. I mean those are numbers up in the almost three quarters, three fourths of a percentile. It's widely known that this is where they're focusing on. So the organizations that subscribe to this actually adapt to it are the ones that are going to have a leg up in a security posture. And it's good that we're starting to see a trend develop theirs around that particular approach.

Dr. Chase Cunningham: So going a little bit further down into that, you can also see that the tactical side of this, like stepping away from strategy, stepping away from, "I'm an organization that wants to dive in on zero trust, like how do I do that? What are some things tactically that I can get engaged on?" It's application security, cloud based security services, and improving mobile security. And the reason for that is, that is where your workforce continues to grow and evolve.

Dr. Chase Cunningham: You notice that this is not really around the threat side of this equation, this is around the practicality of the workforce. Your workforce uses more apps, they do more stuff in the cloud, and they live and breathe on their devices. So if you understand that and you want to tactically try and fix the problem, you focus where the threat is likely to exist, but you also focus where you can actually implement controls that change the game.

Dr. Chase Cunningham: The good thing is none of the problems that we have in security are really like rocket science. This is basic blocking and tackling that just has to be done in line with the overall strategic side of, "I'm doing this because of X so that I get to Y." No more buying gear and shiny stuff because it does something sexy and cool. You use security technology aligned to a strategy to achieve an objective.

Dr. Chase Cunningham: Organizations win by focusing on enabling and deploying zero trust strategically across the enterprise. Our data at Forester says that this is a massive change in the space is because organizations are getting deeply involved and how they get towards the zero trust architecture infrastructure. And they're starting to figure out that the way that they do that is by focusing on things they can fix granularly based on a framework, which is the ZTX side of the equation and moving towards a gaining ground along the way.

Dr. Chase Cunningham: In other words, they're not solving for security anymore. That's too big. You'll never solve security. However, if I say that my organization subscribes to the tenants of zero trust and I know what the pieces of that puzzle are, I'm going to go back and solve one piece so that I can go back to my leadership and say, "Look, I've taken care of identity and access management, I need money for device security." "Okay, here's money for device security." "Oh, I solved device security. Now I'm going to go solve my cloud workload problem." And you continue to work your way around that rather than saying, "I'm making my network more secure." Like you go talk to a board about that, nobody in the board level wants to talk ACLs. Most of them didn't even know what a firewall is, but they understand strategy, they understand how you align something to get towards an objective and that's where the zero trust pieces is actually playing into that space.

Dr. Chase Cunningham: This is my sort of still iterating on sort of elevator pitch on what I consider a zero trust to be. If you were to say, "You have 10 seconds to tell me what zero trust is." In my opinion, zero trust is never trust, always verify, strategically focused on addressing lateral threatened movement within the network by leveraging micro segmentation and granular enforcement based on user context, data, access controls, location application and the device posture.

Dr. Chase Cunningham: If you can do those things, even if you're not doing all of them all the time and you're not doing everything perfect, you're working towards zero trust. And when I say micro segmentation in this context, I mean micro segmentation everywhere. I mean it on the user, on the device, on the application, on the ACLs, on the network, on the data. So micro segmentation as I speak about it, is much broader in scope than most of the network providers talk about. They mean really small virtual LANs and really small network segments, which is needed, but I mean micro segmentation as far out as you can push it down to every piece of granularity you can get it to function on.

Rhonda Shantz: Okay.

Dr. Chase Cunningham: And ultimately what we need in this space is the death of the password. If we can get to that stage where I live and breathe on my device, I access everything on my device. I get to the network, I do my work or whatever, and you know the context and do the pieces and you can make where I don't need a password anymore, but you're able to enforce it on my device, which is my avenue to get into the network, you categorically changed the game for security, because no more credential stuffing, no more value to two billion plus records that had been stolen. If you can eliminate the password in any way, shape or form. And it functions. You've essentially secured 20 years worth of fail and security space that all of that log in, all that password, all that access is now invalid. The bad guys just lost a nuclear weapon of compromise.

Dr. Chase Cunningham: Last couple pieces here really on the Forester side and the zero trust ZTX fees. You know this is a slide I showed her in workshops when I ask people, "What is zero trust?" And I said, "What is this?" We call it sort of the ZTX Mandela. It's the pieces of the framework that you're doing to get towards security. If you look at any organization that's engaged in security, they're always working on these things. They're securing the data, they're going to have firewalls, they're trying to take care of workloads, they're focused on users and authentication, they have to take care of devices, and they want to automate and orchestrate which gives them better visibility and analytics. So the point being, it's much easier for me to talk strategically about we're doing zero trust using ZTX. With that particular approach so that people understand the pieces of the puzzle than say, "Guys, let's talk about x number of things that we're working on in security."

Dr. Chase Cunningham: You could have that conversation all day and no one ever gets anywhere. I can walk into a room with my security team and say, "Firewall guys, what are you doing on the network?" I can talk to my people on IAM. Say, "IAM folks, What are you doing on that side?" And you can keep coupling that together. So this is as much a piece about translating security from the board level all the way down to the guy that writes the ACLs, to the firewall and vice versa.

Rhonda Shantz: Great. So you've just shared what the problem is, what's happening, why people are actually thinking about zero trust and you've just shared a framework. I'd really like to understand your perspective on when you think about how pervasive this mobile device is, how should you really think about that? The framework that you just shared. How does mobile really fit into that?

Dr. Chase Cunningham: Well, when you look at that framework and you look at the pieces of that puzzle, and you realize the truth of where we're going in the future with the workforce that's coming in, with the millennial generation, everyone that lives on their devices, mobile touches quite a few pieces of that puzzle. It's always going to be something where the user's going to have access, it's going to be something that touches the cloud, it's their device. It's also going to be something that integrates and touches the network at some level. And it's going to have some access to data. So mobile is a key piece of that framework. Mobile is something that must be tied into it and it's gotta be something that you secure. If an organization can't control and secure the mobile device, they won't achieve better security and they won't work all their way towards zero trust infrastructure, period.

Rhonda Shantz: Good. As you know, I, in the last couple of years, I spent a lot of time on the identity side of your trust. And I think one of the things for me was coming here to MobileIron and leading our marketing and looking at at our products and the role that UEM really plays. I know I was really delighted to see how many more signals that a UEM approach, when you look at zero trust, really has. It's not only just being able to look at the apps, at the network, the threat status, the OS status, the vulnerabilities, the time, the location, and more. So really having way more visibility into the signals as you start to think about zero trust. So what I want to share really quickly is we too at MobileIron have really looked at this from a bigger picture standpoint, and we're really trying to have... We've created a point of view where we're thinking about redefining enterprise security but through the lens of a mobile device. And want to share that with you very quickly.

Rhonda Shantz: This is the framework that we're thinking about. We think that by doing that, that the mobile device will be your primary ID and your access into the enterprise. And that when you do that, this diagram that we've created is really, it's kind of four phases, but it's the outcomes, right? It's the outcomes of what you want out of zero trust.

Rhonda Shantz: If I'm a CISO and I'm really thinking about a strategy, these are the things that I'm trying to do, right? So I'm trying to provision, I'm trying to understand what are all the... How do I bring a new user into the environment? How do I make sure that they have secure access to all their tools as policies in place? Then as I move around, I'm going to grant access, but now I'm going to grant access based on many more attributes than if I was just an identity vendor or if I was a gateway vendor. Because I have so much more, I have so much more understanding based on what I know. And I also know who you are, right? So it's user authentication. I know a lot about the device, but I know a lot about the enterprise as well. So that's grant access.

Rhonda Shantz: Then protect, again, it's coming from the identity world and coming from, gateway. They're not even thinking about protecting their data. That's not even part of their zero trust model. It's not in there, but how we look at it from a MobileIron standpoint, we are looking at it through a mobile threat detection, as well as some of the things that the UEM does. And then last, as you kind of come around in force, this is being able to kind of keep that going. How do you enforce those policies in real time across all of those different signals? So this is really our point of view.

Rhonda Shantz: This is our look at at zero trust and really trying to take into account a broader array of signals that we think are really important to the enterprise. So that's my perspective, so I would love your perspective in the sense of how you think this approach weighs against some of the other approaches that are out there.

Dr. Chase Cunningham: Yeah, I think it's a pretty holistic approach to the problem. And I also think that the application of that is being able to do that. It's not an easy problem to solve. I mean, technically, right? You guys have a lot of moving pieces and there's always the possibility that things sort of shifted change. But that ability to make it where... I mean we live where the organization is going to breathe and users live on their device. And if you're able to do those things like provision, control, enforce access, all that, you're touching pieces of the security bubble that makes so much of a difference. If you really boil away from it when you're doing those types of things across the board, you're enabling better data security because data becomes something that you actually have a handle on rather than trying to secure data with stuff that people don't use to access the data. Find me an organization in the next three years that's not going to be highly dedicated to the mobility of the workforce. You won't. So we have to live there.

Rhonda Shantz: But you think whether I'm a CISO or whether I'm heading security and like you said, I'm thinking about that strategy. Do you really think they are imagining that this mobile device can be part of their answer to enterprise security? Do you think there are there?

Dr. Chase Cunningham: I don't think they're there yet. I think that they're starting to realize that that's the reality of what's coming. Just like the realization that virtualization and cloud has become so built into this whole thing. I think that for the longest time people thought their mobile devices is a neat knickknack to do business with. Whereas now people are starting to understand like, "You know what, this mobile device is got more power, more access and more control than I'm comfortable with, and if I'm going to run an enterprise..." I know if I was a CISO, the one thing I would be really focused in on first would be making sure that those devices and their ability to access my network were bulletproof.

Rhonda Shantz: Great. Well, I think this leads to... I pulled this… This was also kind of out of your deck, so again, just kind of double clicking on a few of these things, which is looking at these top initiatives that they have, which is mobile and cloud. Should they be looking at those as separate or again, is this a way to think about?

Dr. Chase Cunningham: I think it really boils down to the capability of the solutions that they're using. If the solutions enabled them to solve those problems with a single punch, then great. Go about it, use it. The truth of the matter is, on the security space, there's not a whole lot of solutions that actually make it easy to do that without adding administrative load and hindering to the organization. So my response would be, yes, you want to do that when they're integrated and optimized, but you have to have a solution that enables you to do that.

Rhonda Shantz: All right. I'm going to move on to this next question. I think I've heard you say that this is probably one of the first questions that the companies have, which is as you're thinking about you're already so invested, you've already... What is the new number? They've spent over $90 billion-

Dr. Chase Cunningham: $90 billion or something-

Rhonda Shantz: $90 billion on security each year. And so you're so invested. How do you really start thinking about zero trust? Is it rip and replace? And if it's not, where do you start?

Dr. Chase Cunningham: So I would say the first place that I think about starting is really focusing on the user side of this equation. On the stuff that you're trying to solve, there's pretty binary. You shouldn't have access to things you shouldn't have access to. You should have mandatory to 2FA and MFA and that type of a approach. And then really from there you should be focusing on the next simple win, which most of the time is going to be on the device side of this equation.

Dr. Chase Cunningham: Devices are relatively simple to control if you have the right capabilities. And that's where you start gaining ground. A good solution should not necessarily require rip and replace. There's probably some things along the way depending on the organization and how they sort of live and breathe in the new generation, whether or not they need to rip and replace. But in the right approach, you should be able to say, "I can live with what I've got. I'm coupling stuff on top of it because it's giving me more capability and I don't need to rip and replace." And the goal of this is to shift people from a CapEx heavy expense to an operation that is the OpEx expense. They can get your money for OpEx but I don't want by any more beer if I don't have to.

Rhonda Shantz: You know, it's interesting actually. Obviously I've been following this space for the last couple of years as well, and if I think about pretty much every company that's in the report, really there isn't anything necessarily new. Right? Companies have looked at the different pieces that they have and they are actually solving a part of that zero trust story. So it really is, it's not rip it out. It's just think about it differently strategically-

Dr. Chase Cunningham: And applying it correctly.

Rhonda Shantz: And apply it correctly. Got it-

Dr. Chase Cunningham: I mean, there's 600 something vendors at RSA this year. There's not 600 problems in the security space. We've technically solved this issue. It's really a matter of using the solutions the right way to solve this problem.

Rhonda Shantz: Good. Well there might be some opportunities for some new ideas. We'll talk about that in the future. Let's see. The other thing is I'm trying to... Is there a characteristic or is there a particular type of organization that would benefit from this approach?

Dr. Chase Cunningham: Well, in truth, all organizations are going to live on devices in the near future. So I would say everyone should think about it from the initial spot of like who should think about it first, would probably be those organizations that have already done a good job of having an established security program, and that have invested in sort of addressing the fundamental issue around users and IAM. Because that's less than be ready to move to that next piece of the puzzle and those solutions actually integrate and work well with the mobile sort of approach. I mean the mobility side of this whole equation is because people use the mobile device. So if you have good IAM, you've got an understanding of the security sort of practices and protocols, it'd be easier to tie into that next piece.

Rhonda Shantz: Got it. Yeah, I think one of the things that I think we're seeing is that organizations that have embraced mobile and cloud in a really big way, I think are more... And they're thinking about their new workforce, right? Millennials and how they're expecting to be able to kind of use their own devices. The task workers that we're seeing today and how they're using mobile. So I think we see some organizations that I think are more likely to kind of think about a a mobile centric approach to enterprise security versus a network centric approach to enterprise security. Kind of the older way of thinking. That’s one of the things that we're seeing, obviously we're a mobile company, and so that's the viewpoint, the lens that we have-

Dr. Chase Cunningham: I think the network is a contested space. The network doesn't matter how amazing your firewalls are and how great your *ACQUALs* are, the moment you shovel electrons, the network is contested space. That's where the bad guys try and leverage to get to things. So yes, you should be using those connections and those protocols and those toolings to do that, but you don't necessarily gain a whole lot of ground by really re-engineering the network.

Rhonda Shantz: Okay, great perspective. All right. I think this is our last question. What's the role of UEM in the zero trust approach?

Dr. Chase Cunningham: Well in zero trust. I mean, ultimately your goal is to have as close to a sort of single throat to choke as possible for everything across the entire of the enterprise. And if you're able to get the UEM solution that enables you to control multiple things with multiple capabilities in multiple areas, you're doing zero trust, you're enabling that capability. So that ability to have as much unification and control and push the edge as far as you can means it's pretty critical to the approach to solving for zero trust.

Rhonda Shantz: All right. Well, I really want to thank you for your time. I think that the zero trust discussion continues to be huge. You shared as the number two topic at RSA this week-

Dr. Chase Cunningham: Thank you.

Rhonda Shantz: Absolutely. It really is. So really appreciate your time and the perspective that you have on the approach that we're taking, taking a mobile centric view, and we look forward to questions. So thank you. Thank you everyone for your time today.