Welcome to Cyber Security Today. This is the Week in Review edition for Friday, September 9th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Instead of the usual look back at the week’s news I’m going straight into a conversation with my guest, Eric Anderson, director of enterprise security at Adobe. The topic is creating and implementing a zero-trust strategy.
Zero trust is one of the biggest catchphrases in cybersecurity. Broadly speaking, it stands for not trusting anyone just because they have logged into the network. But it can be difficult for some IT and security leaders to understand and design a secure environment that respects the principles of zero trust. A few weeks ago Eric wrote a column for another site with some useful advice, which is why I asked him to be on the show. In his post he’s responsible for overseeing Adobe’s zero trust platform.
Welcome to the show. Eric. First, tell me a bit about yourself.
(The following transcript has been edited for clarity)
Eric Anderson: I’ve been with Adobe for almost 28 years, based in the Seattle area the entire time. I’ve kind of grown up at Adobe. I’ve been part of the development organization for years in product development, spent some time in the IT space as a service manager, did a lot of code management. And in the last seven years I’ve been part of the security organization.
I define zero trust as a philosophy more than anything else. There’s no one solution for it. And as you mentioned in your introduction, finding how to shift from the traditional way of trusting the network for access and getting to data to a new kind of not trusting anybody and verifying as you go along.
Howard: It’s more than, ‘We’ve implemented multifactor authentication and we’ve got a VPN and therefore we have zero trust.’
Eric: Very much. It’s really moving towards the user and the identity and the device as the perimeter and what we need to trust. Then we can let them access the information they may need.
Howard: And there’s more than one zero trust architecture. You have a zero trust model, but it’s got to fit your organization.
Eric: Yeah. And that’s kind of why I say it’s more of a philosophy. You can look at the NIST (National Institute of Standards and Technology) documents [see links at the end] and those from lots of vendors around zero-trust architecture. But as you dig into them, it’s really more about ‘here’s some ideas and how to approach it or ways to think about it.’
Howard: Zero trust has become more important than ever because the pandemic has increased the number of staff working from home.
Eric: Very much. We at Adobe were very lucky that we had started our zero trust journey about a year and a half before the pandemic. We’d already been experimenting with it and finding ways to have a great [user] experience. One of the things I really like about our zero trust implementation — and I encourage people to approach it this way — is you can have a better user experience while increasing security, which is kind of a rare unicorn in the security world. We’d already been experimenting with deploying it to small user bases. When the pandemic came we were in a position where we could just say, ‘Well, we’ve gone from this small user base. We’re just going to turn it on for everybody in the entire company over a weekend.’ And to our amazement, and gratitude, it went off without a hitch. We had 16,000 employees working at home over a weekend and they didn’t miss a beat.
Howard: And it and it doesn’t merely support teleworkers. The idea of zero trust, or the advantages of zero trust, is that it protects resources anywhere they are, whether it’s on-prem or in the cloud, so it also limits the insider threat. And, hopefully. it improves IT’s visibility into who’s on the network.
Eric: Absolutely. And that’s one of the key things: It helps build that visibility, because the way we approached zero-trust was it’s really about the device and the user. So as long as we can see the user, we’re following their behavior in locations or in something we expect them to be doing with their device. We’re able to pair that together in our architecture to build a trust score or behavior model. ‘Hey, it’s Eric, he always is coming from this location or from this device at this time, so we have high assurance that it’s really Eric and we’re going to let him go in and do his thing.’
Howard: Before we get into the details, is there a size of company that zero trust doesn’t apply to?
Eric: I don’t think so. An executive order [from President Bident] came down talking about deploying zero trust across the federal government and the agencies … I really don’t see a scale where this doesn’t work. It could go from the one or two- person company up to hundreds of thousands of workers.
Howard: Where should a leader start when crafting a zero-trust strategy?
Eric: They should start with what their goals are. What’s the current state of things [in your IT environment] and what’s the outcome you’re looking for? We believed we had a majority of the tools in place to deliver zero-trust. So we were looking at identity and user devices, and then where our data sits. We had mechanisms in place that most companies have. Then you assess the risk that you perceive you have — where’s your workforce located? How are they configured? Do you have [identity and authentication] standards for devices? And start looking at ways you can standardize and centralize. Again, start assessing what your current risk is, then start working towards a goal of what would step 1 or step 2 be. Getting visibility into that risk and where is it coming from and so, that’s kind of the starting place — and you have to be open to that conversation to even get going.
Howard: Where do you think IT leaders go wrong?
Eric: I think they go wrong because they get set in their ways. It’s really hard to change, and zero trust is a fairly significant change in how you approach anything from your network — from centralizing identities and how you authenticate to how you authorize . It feels very different because you’re talking about things like moving away from VPNs and allowing people to access data from a remote location without a VPN. I don’t want to call it a leap of faith, but it is a significant change in how you approach your philosophy.
Howard: You created a platform called ZEN, which is ‘zero trust enterprise network.’
Eric: We love our acronyms and so we called it ZEN. Our philosophy had a couple approaches: The first one is how could we improve security while improving the [employees’] user experience. We’re all about our users and their experience, and we apply that internally as well. So we asked, could we do something to make on-premise applications, as an example, be more cloud-like? Fifty per cent of our users use the cloud, and they weren’t even coming into the network. When they did have to come into the network they had to use VPV. So our big initial push was let’s make on-premise feel like the cloud. Eliminate the need for VPN, and improve the user experience.
Howard: As I understand, the platform evaluates the security posture of each device that attempts to access the network. Managed devices receive a unique ZEN certificate for authentication. And that reduces the need for employees to provide their username and password multiple times to access the resources they need.
Eric: Yeah … We issued a device-specific certificate that represented, ‘We trust this device and the user has already been verified on this device,’ and we were then able to present that as a way to do passwordless authentication into the system. We told users, ‘We’re going to increase the security of a device. What we ask you to do is make sure it’s managed, make sure you’ve got the proper clients on there and the security settings that we desire, and by doing that we’re going to give you a better login experience or authentication experience where you don’t ever have to enter your password again. We will prompt you for additional factors if you go into more restricted or confidential areas. But over time we’ll be able to leverage your behavior and make your authentication experience almost something that’s in the background.’
Howard: So identity and access management is vital on your solution — and in fact, in any zero trust solution.
Eric: Absolutely. Our identity and access management is a fundamental core component. You know, one of the things we were very lucky on at the start of our journey is we had already been fairly seasoned with our identity and access management mechanisms. We had a central system, and we had access to all that information as part of being an engineering company. We kind of started playing around with building user behavior analytics and things like to access systems. So we could start having an idea of what users were doing and we could verify them through our centrally managed identity system.
Howard: There’s an access proxy component of your solution. Can you talk about that.
Eric: It goes back to the idea of how can we make on-premise access feel more cloud-like and avoid the need for a VPN. One of our big selling points, the way we were able to build excitement around it, is we were able to leverage existing investments in our identity system, in our device management and in other components. The one component that we didn’t have at the time was the access proxy. So we were able to partner with a couple of smaller companies and we kind of discovered a way to build this access proxy, which effectively exposed our trusted and secured on-premise services externally. They could only be accessed from a device that had the certificate and met the requirements that we set for our zero-trust platform. It was four years ago when we made that investment. The technology has definitely grown over the years and a lot service providers are now offering something similar. But the real key to making ZEN successful was being able to deliver that experience of an internal application, exposing it externally and eliminating the need for VPN. That access proxy is what makes that possible.
Howard: One of the things that confuses me about zero trust is the idea is you shouldn’t automatically trust a device, a user who’s logged in. But the goal is not having users repeatedly log in to access different assets. So you still have sort of a single sign-on once you log in. How does that seeming difference get reconciled?
Eric: The key to making that work is having a central identity manager. We have well over 3,000 applications that are configured using the very same identity provider. So when you log into one application the session token that you receive can be used for other applications. What we have done, and what we’re continuing to do, is classify different applications into things like ‘Every employee should have access to this, and ‘This application is really only for system administrators.’ So we rank and classify applications as to risk and the type of data they store. And then based on your user behaviour and your device posture, we can assess a score to say, ‘You’re behaving in a way where we’ll allow you access to the highest level of data.’ That’s the first piece: This device and this user, should they have access to it if they’re authorized for it in the first place? We also work with the service owners to build a least-privilege model.
The other kind of shift that is continuously in progress is making sure that employees and roles and teams are built in such a way that they only have access to the applications they need to do their work. I start my day and get a session token. If I decide I need to access something else, our secrets vault will authenticate me because I have my token — but it will do an additional check to see if I’m authorized to actually access it. So there’s kind of a double check there. The other piece that I’m excited about is moving more towards a continuous authentication, which is kind of the magic sauce where I think a mature or an advanced zero-trust environment gets to, where authentication is happening behind the scenes constantly because it’s looking to see if the device or the user behavior changed from the last time it checked. The idea being, I’m at home this morning and I’m on my device. Maybe this afternoon I go over to Starbucks. The system may decide it can recognize that my location has changed and maybe make a decision: ‘I should recheck and have Eric enter his MFA [multifactor authentication] one more time just make sure it’s still him and somebody didn’t take his device and move it to a new location.’
Howard: To help listeners so that they don’t think Adobe wrote all the code, you have partners including VMware and Okta.
Eric: At Adobe our approach is to take best of breed of products and stitch them together. Either having the vendors partner together, or we can work with them and integrate along the way. So in our ZEN architecture the starting point is at the device that has device management software on it. Today our partner for that is VMware WorkspaceOne, making sure we have the security tooling EDR [endpoint detection and response], patch management and all that. Today our centralized identity provider is Okta. Okta does the authentication for the users. It can check back into the managed device and into our EDR software and verify, ‘This user still should have access.’ And we can then integrate our certificate authentication from WorkspaceOne.
Since it is part of the WMware family, it’s got some good integrations to also call back to the device management piece. Once all that stuff is then verified then we are able to hand that off to the access proxy if needed to get to on-premise. If it’s a cloud app it will continue on and allow the user access to the cloud-based apps.
Of course, there are plenty of other options, other vendors out there.
I would argue that most companies have most of these components in place. It’s just how do you put them together into a flow that can enable a zero-trust environment that works for you.
Howard: You’ve written that there are five things that IT security directors should consider when creating their zero trust strategy.
Eric: First, have a centralized identity provider. We’ve been very, very rigid about any application that employees access. They must go through our identity provider solution, and that allows us to make sure that you know it’s meeting minimum security requirements to be onboarded. Having that centralized gives you a single place where you can do some checks. It’s a bottleneck, for lack of a better term, but it makes it really easy to see what you’ve got in the environment, you can see where users go — whether it’s on-premise or in the cloud. Making sure that everything is living in one place is a really key piece. If you don’t have everybody going through a single authentication solution it’s really hard.
Next is prioritizing endpoint security which is EDR for malware detection and response.
As I mentioned a key to zero trust is really having insight into the device, and so if we can’t make a determination of the posture or the stance of the device it makes it really difficult to have a zero trust model.
The third one is device management … You need something on the device where you can get visibility to help push the proper software and security controls, making sure that the device meets the minimum requirements say from an OS and patch level perspective.
We touched on the fourth one which is the access proxy. A lot of people may be surprised but their firewall perimeters may have that capability today. Over the last few years a lot of the big vendors are now kind of putting some sort of an access proxy as part of their firewalls. That’s the piece that allows you to provide the on-premise access in a cloud-like experience, which will help relieve the burden on the VPN. The network traffic and the VPN team are able to focus on some other things.
The final one is certificate authentication. The certificate provides a couple of things: We can issue the certificate to a device that we have trusted and can continuously update it. So we can do background checks and make sure we’re seeing the right behaviors in the right locations. And we can push and pull and revoke certificates on the endpoints, and make the assumption that if the certificate is present there’s a certain level of implied trust on that device already. The bonus to that it allowed us to then deliver a completely passwordless user experience for authentication. That was the big carrot: ‘If you’re willing to get on board with us you’re going to get this great passwordless experience.’ And what they didn’t know at the time was we were also dramatically increasing the security of not only their device but being able to know what’s on our network and reduce that risk.
Howard: Here are a number of free resources on zero trust:
–the U.S. National Institute of Standards and Technology’s 800-207, and the NIST Draft Practice guide.
–the U.S. Cybersecurity and Infrastructure Security Agency has this zero trust maturity model.
–the U.K. National Cyber Security Centre has this blog on starting a zero-trust journey.