Security for a Zero Trust World

Webinar transcript

Ojas Rege: Hello, this is Ojas Rege. I'm the Chief Strategy Officer at MobileIron. It's my pleasure to present to you today "Security for a Zero Trust World." This presentation is based on a couple of presentations that I gave at the Gartner Symposiums in 2018.

The focus here is that the world, from an architectural perspective, in enterprise computing has changed. That requires a new model of security. That's what we're going to go through today in this webinar.

Let me first introduce MobileIron. We're a mobile security and enablement platform. What we do is allow organizations to innovate using new mobile and cloud technologies, while still protecting their data, their information assets.

The value proposition of MobileIron has always been around proven security, superior support, and a cross‑stack architecture that works across endpoints and across cloud services.

We also got the Gartner Peer Insights Customers' Choice distinction this year in 2018 for having the highest customer satisfaction amongst the leading companies in our industry. Let's take a step backwards now to talk about the origins of why we have to solve this problem of zero trust, to begin with.

We have two fundamental changes in the enterprise computing architecture over the course of the last decade. The first is that mobile gave us limitless computing at the edge and ubiquitous computing because it could travel with me as an individual wherever I went.

The cloud gave us limitless infrastructure, specifically for the developer. These two elements are intertwined. They don't live without each other. Mobile is the primary mechanism of consumption for cloud services and cloud services are all surfaced through mobile.

This cycle of the new ubiquitous computing on the left and the new services on the right have really driven the transformation of the enterprise or at least the promise of the transformation of the enterprise.

Most people look at cloud on the right‑hand side and they think to themselves that the real value of cloud is efficiency ‑‑ I no longer need a data center ‑‑ or power, scale because now I can do number crunching at a level for artificial intelligence, machine learning‑based applications that I couldn't do before.

Both efficiency and scale are in fact very important benefits of the cloud, but the real value of the cloud, the innovation value of the cloud is that it's reduced the barrier for developers to build services.

It's much faster for a developer with a good idea to get a new application service to the market. That's the real beauty of the cloud, which is that it opens the door for innovation from application developers.

Think about this. If the frontend mobile is the experience, cloud is the engine. What's interesting about this though is that these engines and experiences are popping up everywhere in the enterprise and they're not necessarily managed by the central IT organization.

Different business units and different individuals make decisions around which services they want to use. In fact, Gartner over the course of the last couple of years has said that the average enterprise already has more than 300 cloud services. That's a phenomenal number.

It may almost seem a little bit hard to believe until you start thinking about all the different cloud services that your organization has deployed. In our organization, for example, just our HR department has deployed over 10 cloud services because there's different ones for recruiting, different ones for performance management and so forth.

Then, you start looking at all the different functional units and you realize that regardless of whether the number is 300 or 100 or even 50, the problem is very large and every day, there's new cloud service usage and new mobile experience usage popping up around the company.

It's almost like popcorn. When you turn your head, you turn back and there's five more applications that are out there. The challenge, of course, is that if you're an IT professional trying to enable your users with all these new services while actually securing your data, it feels like an almost untenable task.

You feel like the hamster here where you're running, running, running. Just when you think you've caught up, you realize you're still behind.

There's a couple of options to solve this problem. One option is just to say, "You can't use those services. We're going to restrict the ability of the business and the functional leads and the individuals, the employees of the company to be able to utilize these new innovative mobile and cloud services." That's not a viable solution though.

The reason is you run into what we call the Livingstone Island problem. Livingstone Island is that island that you see there that's at the top of Victoria Falls in Zimbabwe.

It's actually a pretty decent‑sized island and it could be two, three, four, five times bigger. No matter how big that island got, the water is going to go right around it and it's still going to fall over the falls.

This is the problem that many times organizations have when they try to put restrictions in place on the individual users. The users just go around those IT organizations and they utilize the services anyway, which creates an even worse security issue than the organization had before.

This is traditional shadow IT multiplied potentially exponentially because of the innovation and the pace of release that happens with cloud services and mobile experiences. Restriction is not the answer and the reason is because at our level, we're dealing with a new model of computing.

Nick McQuire who's a wonderful analyst at CCS Insight coined the term choice computing and it really resonates with me. I hope it's useful for all of you as well. This is putting the user in the middle of the computing model and that end user, that individual, that human being, is saying, "Let me choose the best tools. Don't ever compromise my experience. Always protect my privacy."

That's what the user wants and that's what we as IT professionals need to be able to give that user. Problem though is how are you going to manage your data? It's Friday night, do you know where your data is?

For many organizations in this new mobile cloud world, this modern world, they don't know where the data is. The reason? Data, of course, used to be right there, used to be in the data center and we had all the traditional mechanisms to protect that data in place.

My firewall, my NAC, all my endpoint protection systems and so forth. Now as we know, data's everywhere because it's been spread across a broad set of modern endpoints and a broad set of cloud services.

That data exists everywhere in the organization. You'll, of course, hear people use the word "zero trust" and that was part of the title of this talk. What does that actually mean?

What it really means is that when the data is spread everywhere across that information fabric, the IT organization with its traditional tools has zero visibility into what's happening with that data.

If you have zero visibility, you also have to assume zero trust. If you can't see what's happening to the data, you must assume the worst is happening to the data and that you cannot trust that environment.

Now, that creates a really fundamental user enablement issue because if you can't trust the environment, then how can you provide your users with the capabilities that they need to do their job?

One option is to look at user identity as the centerpiece of that decision process. The question to ask yourself is, "Can user identity alone establish enough trust in that zero trust world?"

I'm going to argue that the answer is no. That user identity is an important and necessary component of establishing trust but it can't do it alone. Let's understand why that is. To do that, let's go back and think about what it means to protect information assets.

There's only two things we need to know. The first thing is, "Where is that information stored?" It's only stored in two places. It's either stored at the edge, which is all those mobile devices, or the cloud. Those are the two places the data exists, the edge or the cloud.

The second question is, "How is it accessed?" It's almost always going to be accessed by an application on the edge. That application could be a native application, it could be a browser, but it's going to be an application that accesses that data.

If you look at them, what you have to be able to do to secure that scenario on the edge and in the cloud, you need to be able to delete the data when it's necessary, for example, if a device is lost, and you need to be able to prevent unauthorized sharing of that data with other applications regardless of whether they're on the edge, where the sharing happens on the edge, or on the backend cloud to cloud data transfer.

These are the two things that I need to do. Then, when I look at access, there's a third thing I need to do. I need to make sure that access to that data storage is only granted from a trusted environment. Not a zero trust environment, a trusted environment.

Let's take a...where data gets lost at the edge because these are the more specific problems that any security architecture you put in place will need to solve. First thing is to understand how application architectures work in this modern world.

Let's say I'm a Salesforce user and I download the Salesforce app to my device. The way mobile applications work to optimize user experience is they will synchronize data from the cloud to the application. That gives the user a better experience.

Different applications will synchronize different amounts of data. That means that that data, those Salesforce records, those customer contacts, those are now on my device. Not all of them, but a subset of them. That's where the data is stored and that's where the data on the backend is accessed from.

The first vector of data loss I have is I lose the device. This is the obvious one. I leave it in the taxi, I drop it off [laughs] the stairs by mistake, whatever it might be. I lose the device or it gets broken or it gets stolen and so forth.

The second vector of data loss is one that sometimes people aren't as aware of. I'm going to call it app exfiltration. Anyone from the security world, of course, knows what data exfiltration is. It's data going to a place that it shouldn't go.

On the modern edge, that exfiltration happens application to application. It's not usually malicious. This is a user who wants to, for example, open up an attachment in their email.

They want to open it up in their favorite reader, whatever that reader might be. They're not trying to necessarily do something bad, but once that happens, that data is transferred to that other application. It's outside of IT's control and for all intents and purposes, it is lost. It is gone and lost, which is a fundamental security and compliance issue.

The third vector of data loss is an edge attack. No matter how good a job I do of configuring and managing and making sure my edge is secured...by edge, I mean device, OS, network, the entire edge that the organization, that the employee is using to do their work.

No matter how good a job I do there, there's always going to be malware, there's always going to be a zero‑day attack. Something new happens and so I need to make sure that if there's a compromise on the device ‑‑ the application or operating system layer ‑‑ that I can catch it.

The fourth vector of data loss happens when the information leaves the device and now it's going back to whatever cloud service it was. This is where you hit a network attack.

If you want to attack a specific company, it's not efficient to try to put an application in a public app store for the user to download and by chance attack their data because you have no idea if the people in your target are going to do that.

What you do is you go to the nearest coffee shop and you set up a rogue WiFi access point there. You make sure that the people who you're targeting for the attack, when some subset of them connect to your rogue network that you can steal their credentials, you can steal their data, you can get access to the backend resources.

Finally, the last vector of data loss is untrusted access. If I haven't done and I haven't put in place any of the mechanisms to be able to protect against the four things we've already talked about, then my data is going to end up at the edge in an application and on a device that I can't secure.

That's going to open you up to the next probably 100 or 200 vectors of data loss because the tail of attacks is very, very long. These are the five, at minimum, vectors of data loss you need to be able to protect against in this modern edge.

It's important to remember this problem is not specific to a particular cloud service. Many organizations will be deploying Office 365, for example, and so much of their attention is on Office as a service on the backend, as an application on the frontend.

As Gartner said, every organization is in multi‑cloud enterprise. They have 10, 20, 3,300 different cloud services out there. The security model you put in place to solve the zero‑trust problem has to work across the different architecture stacks that are out there. It cannot be focused on one particular cloud stack.

The statement is how do I innovate with mobile and cloud while protecting my information assets at the same time? It could do that in that multi‑cloud environment that I just described.

Let's take a look at the picture. What is the underlying problem, the difficulty of using this? We have a trust problem we got from legacy perimeter world where I had complete visibility. I had locked‑down endpoints. I had a next‑gen firewall.

I could see everything that was coming in and out of my network. I could see every action if I wanted that a user was taking on the endpoint or within the network. I think about this as the information coconut.

The whole point of defense in depth is that I got multiple layers of defense. If I knock down one layer, I've got another layer, and another layer, and another layer. When I get to the center, I can access pretty much anything I want.

The notion of defense in depth is I'm going to make it really hard for you to get to the center. None of that works in a zero‑trust world because once you split out of the coconut, your traditional mechanisms to drive visibility no longer help you.

You now don't have a coconut. You have an information fabric. Information is spread across services. Everything that you have in place offers minimal defense. Let's take also what did you have in place.

The legacy model, the perimeter‑based model had many, many security measures to protect data. You had your firewall on the outside. You had VPN for access. You had desktops that were locked down. Microsoft systems send in other tools to manage them. You had traditional endpoint security, data protection tools, secondary encryption, data analysis tools and so forth.

Then you had network access control, VDI for virtualizing applications and accessing them remotely, network DLP for inspection. It was an entire massive security industry that's based around solving this problem.

What happens in the modern world when you move the mobile on the frontend and cloud on the backend? None of those systems work anymore. The question is what is the new system of record for trust at the edge? What do you need to have in place to be able to solve this problem?

As I mentioned earlier that I steal from "Return of the King," "The Lord of the Rings" movie for those who might be big fans, this is, in my mind, the perfect physical illustration of defense in depth.

Multiple walls to the castle, you have to go up the hill every time. You go through one wall. Finally, if you get to the top, you can get to the treasure tree. It's really hard to get there. That model doesn't work to establish trust, as I mentioned before, in a zero‑trust world.

Here's why. If you want to establish true trust in a zero‑trust world, you need defense in breadth, not just in depth, in breadth. What I mean by that is take the application there. I may do a fantastic job of securing that application, but if I compromise you at the operating system layer, I may not be able to steal all of the data in that application, but I can steal your credentials.

I can steal a portion of the data. I can monitor your behavior. I, as someone who's malicious on your device, on your endpoint at the edge, can do things that you couldn't protect against.

It's not an option to say that you're only going to do one or another of these. All of these have to happen. Now, what's interesting is all of these do happen in a traditional enterprise, but in a very different way.

I still have my user identity and authentication services but my OS, my device, my app context meaning time and location, those are all managed by my locked‑down endpoint. The network has all the different network security controls that I just described. Doesn't work in that? Let's think about what does work and what are some of the elements to establish trust.

My goal in putting together this slide is to provide a starting framework that might be helpful for you as an organization, a holistic framework, to think about the security model that you will need in this zero trust world. Not all of this might be relevant to you. You might have others but it's at least a good starting point.

Let's start with OS. For each of these, I need to think of prevention and detection. Prevention is reducing the attack surface so that there's less space to hit. It's harder for someone to get in. The detection is no matter how much I reduce the attack surface, there's always an attack surface, and how do I detect when someone's coming in.

If you look at an operating system, there are several things that matter. There's versioning and patching that I manage as prevention to reduce the attack surface and then on an ongoing basis, I monitor for privilege escalation, vulnerabilities, and so forth.

If I move to the device level, there's absolutely preventative measures I take. I can ensure a device is encrypted. I can ensure that it's a certain model. I can ensure that it's got a certain ownership, maybe it's a personal device, maybe it's a corporate device.

Then on an ongoing basis, I need to make sure I'm testing attestation, I'm testing for jailbreak, root detection and so forth, in case someone does crack the device and then open up the security model inside.

On the network side, there's a host again of prevention mechanisms. If I'm connecting from my application to a service, I'll use per app VPN embedded into the application. I'll make sure that I've got cert‑based security to reduce the attack surface for man‑in‑the‑middle attacks.

I'll have the right connectivity policy and then on an ongoing basis, I'm actually testing for suspicious behavior in the network ‑‑ rogue APs, fake certs, and so forth.

Now, let's go to the app which is the part of the cycle that the user is directly using. Every single application on the device should be a managed application distributed through an enterprise app store. What that means is that IT remotely can delete that application and prevent sharing. That reduces the attack surface dramatically.

You also want to make sure the application is appropriately configured. Poorly configured applications are the best source for someone to come in and steal your data. Then, of course, across the board, you've got to make sure that all the security is in place. All the DLP control is in place for that app.

On an ongoing basis now, I also need to ensure that the app doesn't have back doors, time bombs, other kind of abuse mechanisms built in.

The next piece of context is location and time. There might be certain countries that you don't want devices to be accessing your services from. There might be certain times of the week that you don't want to provide access for work rules and so forth. Then we get to the user.

Before I talk of the user, let me just mention everything I've talked about here so far, this does exist in the traditional enterprise. The challenge is that the tools that are used in the traditional enterprise to solve these problems don't work in a zero‑trust world when you're outside the perimeter, when you're not on locked‑down Windows 7 endpoints anymore.

Now, there are several elements of the user model, though, for true trust that you'll be very familiar with. If I'm looking at what I need to do for prevention, I want a password, I want a pin. There's new models of passwordless authentication that drive credentials that are really interesting.

I might have multi‑factors so think like it's a fundamental biometrics, many of you are familiar with. All these different elements to be able to provide a more seamless authentication experience either single sign‑on or passwordless, off completely.

Then on the backend from a detection perspective, absolutely, I'm looking at behavior. As an IT organization, I'm thinking about what are the entitlements that user have. This cycle here, this entire cycle is critical for organization to have built a solid security model around so that when you do move to the zero trust world which every organization is going to be forced to do.

Otherwise, you will not be able to access all the new enterprise software innovation that's happening out there. Every organization is going to need to have a framework to build their security model around.

You'll notice that I've talked about prevention and detection, but there's a really important piece done in security model which is remediation. When I detect something, what do I do? I have to take an action to mitigate that risk. How does that work in this world?

This world of modern work where I've got mobile and cloud and this zero trust environment, where I'm trying to establish trust, I need to actually build a security automation framework that across that zone of trust that you see highlighted there with the trusted devices, the trusted cloud services, that I can share data and provide data to my users.

At the same time, I can also take it away, if the trust of that endpoint, that cloud service, that user, that context device network app of it, if any of those changes. Automated compliance is critical because these are very dynamic environments.

If something happens that reduces my level of trust, I need to be able to take an automated action to either ask for another factor, notify the user, block access to other services, or quarantine meaning take away the data that's on that endpoint on the edge to be able to protect it until the actions are taken to remediate the service.

What we've discussed so far in this webinar is hopefully a good starting point for all organizations to put a model of security of trust together for their organization.

Let me share with you the way we look at it from a MobileIron perspective. We ourselves, as MobileIron, we secure the edge. We're the secure foundation for modern work. We establish true trust in that zero trust world by providing those mechanisms I just described.

The only reason for doing this, the only reason ever to put security in place, is to enable while protecting your data resources. This allows you to enable your users to use the innovation of mobile and cloud while still protecting those information assets.

There's three components to MobileIron, security at the endpoint, threat defense for the detection, and then security at the cloud level to make sure that unauthorized endpoints can't get to the backend services.

Very specific, you're the user, here's the secure user experience from the cloud to the edge through MobileIron.

Number one, MobileIron provisions a trusted workspace to the device, which is all the applications, connectivity and configurations that that end user needs to be productive.

Number two is MobileIron protects business data and user privacy, and the way we do this is we separate the business and personal data and make sure that one doesn't flow into the other at the edge.

Number three is we provide a seamless authentication experience. This is absolutely critical. This is more than SSO. This is passwordless authentication, so a trusted user at the trusted edge can access applications without having to do that extra work to try to remember pass codes. This is essential for the user experience.

Number four, got to make sure that the devices and the endpoints applications and so forth that are not protected cannot get to the services in the cloud or on premise. The unprotected edge should never be able to get to your backend data.

Finally, there's always the edge attack; to be able to detect that edge attack and remediate it is essential.

These are the five elements of MobileIron, enable the user, make sure that data is protected, provide a seamless experience, make sure that bad edge devices and applications cannot get to your services, and constantly monitor and make sure that if there is a threat, it can be immediately remediated.

The reason that customers pick MobileIron is for the proven security model, superior support. We're a focused company that specifically spends its time thinking about customer success in this modern world and a cross‑stack architecture that is not limited to any one particular cloud service.

We've worked across all the cloud infrastructures whether it's Azure, whether it's AWS, Google Cloud, and so forth and all the different cloud services out there with a consistent security model.

As I mentioned earlier, MobileIron received the 2018 Customer's Choice Distinction from Gartner for customer satisfaction.

Thank you very much for joining us today on this webinar. You can always email us at info@mobileiron.com for more information. You can also follow us on Twitter either MobileIron or myself, O‑R‑E‑G‑E, and we'll always be posting the latest and greatest on how to establish security in a zero trust world.

Thank you, and I hope that your adventure into zero trust is equally innovative [laughs] and secured as what we're seeing in the digital transformation of our customers today.