Using a Zero-Trust Framework to Make Sure Everyone is Part of Security
One of the briefings during my onboarding at Duo was from our Corporate Security team. At the beginning of the brief, a question was asked: “Who here is from security?” We all kind of looked around waiting for someone to raise their hand. I was thinking “awesome! I need to figure out who the security gurus are so I can make sure to engage them during future sales cycles.” I tightened the grip on my pen, got my notebook in position, and put a big star on the line, just waiting to record who these super important people were. Well, nobody raised their hand. This is where our Corporate Security presenter cracked a smile and stated emphatically that every one of us is part of security. At the time, I was like “hmm, ok, noted – makes sense. I can sort of see that.”
But this has kind of exploded my brain for the past year.
I’ve spent the better part of a 25-plus-year career helping to build the moat around the castle. Firewalls, VPNs, Intrusion Detection, Intrusion Prevention, Intrusion Deception, SIEM, Next Generation Firewalls, Threat Intelligence, Network Access Control, Web Application Proxies, WPA2, Wireless Intrusion Detection, Mobile Device Management, Mobile Threat Detection, etc. The list is a mile long. There is no shortage of super sophisticated security tools available. As an example, see the following chart.
I’m not discounting any of the tools in this chart one bit, but I do feel like we are continuously chasing the “shiny object,” hopeful that we can push a button to be magically “secure.” I also feel like the chase is making us miss some of the basics, and the framework. According to the Verizon 2018 Data Breach Investigations Report, the biggest security vulnerabilities are users’ compromised credentials (yes, phishing is still a thing) and vulnerable devices (yes, we’re still running old, beat up, busted, vulnerable versions of software). The zero-day vulnerabilities Google just announced are just the latest example.
I wish we had some framework available to us that validated a user’s identity, validated the machine they were using, and applied some policy and context for everything they tried to access. That would be pretty cool! Such a model would move the moat (or perimeter) to anywhere an access decision is made. Right, Wendy Nather? There would be no inherited trust just because you were already connected to a particular network. Whether you were at work, at home, or at Starbucks, we could treat every access attempt as equally suspicious and validate user + device + context for every access attempt. To everything!
Such a framework does exist. It’s often referred to as zero trust. Yep, the latest buzzword that makes people’s eyes glaze over and sends them looking for the exit. I completely understand. I think a fair comment and question for those trying to sell you zero trust is “Cool, can you show me how your company is using zero trust?” That should help cut down on the noise.
Anyway, back to the topic...
Federal agencies, including the DoD, are working to deliver a really useful, usable, capable, and secure bring your own device (BYOD) program beyond basic OWA. We know that users are using personal accounts and devices to get their jobs done, sending emails with sensitive attachments from their .gov or .mil accounts. The challenge so far has been more of a policy challenge than a technology challenge. It’s a balancing act between protecting the data and addressing user privacy concerns. It’s impractical to deliver GFE (government-furnished equipment) or Virtual Desktop across the entire population. It’s impractical for the government to manage personal devices even if users would allow it, which they won’t. Users don’t want a “spy” agent on their personal devices. I do think there is some middle ground. Would it be comforting for the government to know their community of users kept their software up to date on their personal devices? And that users weren’t running vulnerable versions of software? I think so. I would argue that could be the most impactful security tool the government has.
So how could the government do it? I see two base paths:
Develop a user security manual that explains why keeping software up to date is important, do periodic user training, ask them to keep their software up to date, and hope that they do.
Deliver some capability for users to access an application or data from personal devices, and enforce that they can only access it from a machine that has up to date software. Do basic health checks like OS versions, browser types and versions, Java and Flash versions, screen lock enabled, not rooted or jailbroken, disk encryption enabled, etc., as part of the authentication workflow to the application. Without an agent! And for critical agency applications, require that the device is part of the GFE fleet of equipment.
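To make the second path concrete, here is the agentless health-check step written as a device-posture policy evaluator. This is an added example, not Duo’s code or any agency’s actual policy; the minimum versions and the sample device postures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn a dotted version string such as "10.14.6" into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def version_at_least(actual: Version, minimum: Version) -> bool:
    """Compare after zero-padding so that "9" is not judged older than "9.0"."""
    width = max(len(actual), len(minimum))
    return actual + (0,) * (width - len(actual)) >= minimum + (0,) * (width - len(minimum))

@dataclass
class DevicePosture:
    """What the login flow learns about the device without an agent (e.g. from the browser)."""
    os_name: str
    os_version: Version
    browser: str
    browser_version: Version
    screen_lock: bool
    disk_encrypted: bool
    rooted_or_jailbroken: bool
    managed: bool  # True when the device is part of the GFE fleet

# Constructed policy baseline for illustration only; not Duo's or any agency's real minimums.
MIN_OS: Dict[str, Version] = {"ios": (12,), "android": (9,), "macos": (10, 14), "windows": (10,)}
MIN_BROWSER: Dict[str, Version] = {"safari": (12,), "chrome": (70,), "firefox": (63,)}

def evaluate(posture: DevicePosture, critical_app: bool) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); every failing check is listed so the user can be told what to fix."""
    reasons: List[str] = []
    if posture.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    if not posture.screen_lock:
        reasons.append("screen lock is disabled")
    if not posture.disk_encrypted:
        reasons.append("disk encryption is disabled")
    if posture.os_name not in MIN_OS or not version_at_least(posture.os_version, MIN_OS[posture.os_name]):
        reasons.append(f"{posture.os_name} version is unknown or below the minimum")
    if posture.browser not in MIN_BROWSER or not version_at_least(posture.browser_version, MIN_BROWSER[posture.browser]):
        reasons.append(f"{posture.browser} version is unknown or below the minimum")
    if critical_app and not posture.managed:  # critical apps stay on the GFE fleet
        reasons.append("critical application requires a GFE-managed device")
    return (not reasons, reasons)

# Constructed sample postures: an up-to-date personal phone and a neglected, jailbroken one.
PERSONAL_OK = DevicePosture("ios", parse_version("12.1"), "safari", parse_version("12"), True, True, False, False)
PERSONAL_STALE = DevicePosture("ios", parse_version("11.4.1"), "safari", parse_version("11"), True, True, True, False)
```

Because the reasons list names each failed check, the same decision that blocks access can drive the “please update your software” nudge to the user.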
Duo’s trusted access platform can enforce such a policy and can be used to gently nudge users to keep their software up to date.
If you think really big about it – increasing-the-lethality-of-the-force big – it’s a way to up-level OPSEC and PERSEC across the entire federal government by making sure that everyone is part of security.