Avoiding Speed Bumps on the Road to Zero Trust

On March 7th, ExtraHop hosted a virtual wine tasting event for an exclusive group of cybersecurity executives. The event featured Herb Kelsey, Industry Chief Technology Officer – Government and Director, Project Fort Zero, of Dell Technologies and retired Air Force Colonel Sarah Cleveland, Senior Strategic Advisor at ExtraHop.

At Dell Technologies, Kelsey has overseen the development of the company’s zero trust security offering. It brings together more than 45 leading technology and security companies, including ExtraHop, to make it easier for organizations to implement zero trust by creating a unified solution across infrastructure, platforms, applications, and services based on U.S. Department of Defense’s zero trust security architecture.

Prior to joining ExtraHop, Cleveland served for over 26 years in the United States Air Force as a cyber officer, having led operations in highly contested areas. She has also instructed partner nations and special operations forces on communication tactics, techniques, and procedures (TTPs). In her final military role, she oversaw the operation, maintenance, and sustainment of the global nuclear command and control sensor network, spanning all 7 continents.

The pair led a rousing discussion about zero trust that attendees agreed was enlightening and entertaining.

“Excellent discussion - timely and on point!” wrote one attendee in chat.

Attendees had provocative questions about implementing and enforcing zero trust policies in non-standard IT environments and about the challenges of implementing zero trust in public clouds. Read on for Kelsey’s perspectives on those questions and a recap of the discussion.

The Foundations of an Effective Zero Trust Strategy

Kelsey began the discussion by defining the core capability of zero trust: the ability to automate security responses to threats so that organizations can repair their infrastructure faster than adversaries can attack it. He says organizations can gain this capability by establishing effective policies and by introducing artificial intelligence (AI) and machine learning (ML) into cybersecurity.

Kelsey’s point of view on the core capability of zero trust sparked questions from attendees asking how they can implement elements of a zero trust strategy into their current environments, many of which don’t fit in the mold of a corporate office where all endpoints are owned by the organization and sit inside a firewall. Kelsey says that for zero trust, the security perimeter extends beyond just the devices on the network. What matters is the person behind the device. Or in some cases, the API.

The post-COVID era has been defined by remote work. As both Cleveland and Kelsey astutely observed, that means an explosion of endpoints on the network you might not be aware of. Some of these endpoints are what Kelsey calls “mixed-use.” Under a bring-your-own-device (BYOD) policy, the laptop an employee uses to do their job might be the same one their children use for homework. This is why the person behind the device—and their behavior—matters.

But humans and laptops aren’t the only endpoints that need defending. One attendee asked how they could enforce a zero trust policy when, “we have no users, no PCs, nothing on which to place an agent.” Kelsey recommended rethinking what an endpoint is. “A human being doesn’t need to be the endpoint,” he says. “Instead, identify APIs and define your policies around what APIs are allowed.” In this type of environment, the data itself can be considered the customer whose experience should be protected—data shouldn’t be kidnapped or prevented from doing its job.

Public Cloud Environments at Odds With Zero Trust

Another throughline of conversation was how to handle the challenges seen when implementing zero trust in a public cloud. The shared responsibility model of security, where the cloud provider is responsible for certain, agreed-upon, elements of security, while the customer is responsible for all else, is foundational to public cloud environments. While there are certain benefits to this model, it is incompatible with achieving a full zero trust solution per the Department of Defense (DoD) specifications. A true zero trust solution doesn’t have the vulnerabilities or unknowns in its architecture that are inherent to the shared responsibility model. It adopts a unified security approach, providing protection not only across the infrastructure layer but also across the users, devices, and applications within an enterprise’s environment.

One attendee asked if there was a pragmatic middle ground to be found between the shared accountability model and zero trust. “I’d like to say yes,” Kelsey replied. “But as a security professional, I have to say no.”

The core of the issue, as he sees it, lies in a lack of full visibility and access to the underlying infrastructure. “To get to real zero trust, you have to be able to segment the network around the access request, but you just don’t have this access [or visibility] in a public cloud environment,” Kelsey said. Not to mention, you’re unlikely to receive threat data on the public cloud infrastructure, leaving you ill-prepared to defend against them. According to Kelsey, these issues have led many organizations to repatriate their data out of the cloud.

Visibility and Monitoring Are Crucial to Zero Trust

Throughout the session, Kelsesy emphasized the importance of policy enforcement and solutions powered by AI and ML. But neither of these things are possible without visibility into networks, devices, and users, which is precisely what RevealX provides. “Visibility is crucial to zero trust because you need signals to respond to,” Kelsey said. “Even the most well-considered policy will be ineffective if you don’t have the visibility to enforce it.”

Learn how RevealX supports zero trust.