Best Practices for Implementing Zero Trust Security
Presented by: Matthew Prince, David Holmes
Originally aired on June 21, 2022 @ 12:00 PM - 12:30 PM EDT
Cloudflare One Week Fireside Chat
Cloudflare co-founder and CEO Matthew Prince sits down with special guest David Holmes, Senior Analyst at Forrester, to discuss Zero Trust security, common roadblocks, and what the most successful deployments have in common.
Visit the Cloudflare One Week Hub for every announcement and CFTV episode — check back all week for more!
English
Transcript (Beta)
Hey there. Welcome to Cloudflare TV. I am so honored to be joined by David Holmes from Forrester.
David is an analyst that that I've really admired for a long time, is one of the leading experts in the Zero Trust space.
And we're going to have a conversation about that.
But David, you just got back from what sounds like a world tour. What... Where were you?
Where were you traveling around and what did you learn?
Sure.
So, hey, Matthew, this is a mutual admiration society. I've been a huge fan of yours since probably the early days in Defcon when I saw you speak in some of the conferences there.
I did just get back from kind of a world tour. I circumnavigated the globe, which the first time I've ever done that, I went to Denver, to Manila, where I had a lot of family stuff going on.
And then from there I went to Dubai, London, Helsinki, no, Dubai, London, Stockholm, Helsinki, and then San Francisco for RSA and then finally back to the States.
And I think one of the things we have in common is we both got Covid at RSA.
- So...
- Yes. Anyway, that's...
I kind of thought we were done with this, but I guess I guess we're not.
You got to see some of our team in Singapore. I did so when I was when I was over in the Philippines, I asked my management chain, I said, hey, I'm practically right next to Singapore.
Why don't I go up to the the Forester office up there and we have a new analyst and I could train him up.
And while I was there, I thought, you know, who who's around?
I'm like, oh, Cloudflare has got an office here.
So I came over. Beautiful office. I'm sure you've seen it. Yeah, just absolutely gorgeous.
And I met with, I think, Jonathan Dickson is his name?
A great guy. Great guy.
So had a really good conversation around SASE. Yeah.
Well, he's he's been he's been terrific. He came to us from AWS and he's been he's been really great.
I would not say that the Philippines are all that close to Singapore, though.
That's sort of like saying New York is - close to San Francisco.
- Well, you know, relatively speaking, globally, it's close. Same time zone, seems like it's far from just about everything.
But but I'm excited.
I'm going to be headed out there to visit our team likely in September. So excited about that.
Well, we're going to spend a little bit of time today. You're one of the leading experts in Zero Trust.
I think that there's been a lot of of excitement around Zero Trust.
I think there's been a lot of confusion around Zero Trust.
It seems like every company today is calling themselves a Zero Trust company.
You know, talking about this term SASE. What I wanted to start out with is, is what, what what does this term mean and what are...
why are people excited about it? And what is it that it's, that that we're trying to accomplish as we all move to a Zero Trust world?
Sure.
Sure. So to kind of address one of those points.
Yeah, there are there is a lot of sort of, I don't know, people upset about all the hype and the marketing around it.
And we recently released a paper that gives a short, concise, definable, sharable definition of Zero Trust.
And in the paper we talk a lot about one of the problems with Zero Trust is when Forrester wrote the initial papers back in 2008, 2009, John Kindervag wrote those.
I had dinner with him at RSA. They were just behind the Forrester paywall, so all the Forrester clients could see them.
But that's not everybody in the world, but every vendor in the world could see them.
And so they would they would read the papers and then they would kind of talk about Zero Trust, obviously, where it aligns through them.
And so most people saw Zero Trust through this sort of stained glass window of vendor marketing, and it really kind of turned a lot of people off.
Right. And to this day, I don't want to call them haters or anything, but you'll see a lot of Zero Trust skeptics out there.
And and that is what it is.
But ultimately, it's an information model of security that tries to protect data and use identity to provide access and effectively deny by default and rely on explicit policy.
That's what we're trying to do with this model, and it's got a huge uplift from the work that the federal government has been doing over the last two or three years.
So there's... it's it's busy times if you're a Zero Trust analyst.
So if you just...
is explaining it to, to my dad, like what, what did the sort of pre Zero Trust security model look like?
And then if you sort of had the ideal Zero Trust implementation in the future and let's skip the messy middle, but from what is yesterday to what is tomorrow, what is that?
How would you describe that?
Yeah.
So my dad's a big history buff, so if I was explaining it to my dad, I would say, Dad, all those castles that we visited in Scotland, they were very much defense in depth, high walls, slits in the wall and sometimes a moat, really trying to keep the stuff on the inside, keep all the good on the inside, the people protected, and then assume everybody on the outside is bad.
That's that's the the computer security model that we all used to have, the perimeter defense and that no longer works.
One of the reasons is both in the physical example of that and in the cyber example or today being inside a castle during a pandemic.
It's actually a terrible place to be.
Right? So people had left that model behind.
And so in the... if that's the old model where you had a perimeter and firewalls, perimeter defense, the new model of the future is more the identity is the perimeter.
We're trying to provide access based on not where you're coming from or where you are, but who you are and what are you trying to provide access to, which is clearly a lot more work because you have to understand, well, what are all the things and who are all the people?
And not everybody should have access to everything.
So it's it's transitioning to that model. And the good news is that the world has been moving in this direction anyway, right?
I mean, we all recognize at least privilege access is, that's the right thing to do.
And so it increasingly gets built more and more and more into frameworks and platforms.
You know, I've struggled to figure out an analogy that works.
The only one that seems to somewhat resonate for me, and I'd be curious if this and again, no analogy is perfect, but it's sort of like to me it's the difference between once upon a time we built ships and the ships had, we tried to make the hulls as strong as possible, but if there was a leak anywhere in the ship, like if you didn't have bulkheads, then the entire ship sank.
And so Zero Trust is at some level, it's almost like trying to install a bunch of bulkheads.
But if there's a there's a hole anywhere in the ship, you know, obviously you want to patch that hole and the things.
But but the sort of the blast radius, which, mixing metaphors, that that starts to get a lot, a lot smaller.
And that's been one of the few things that when I've kind of explained this, people are like, Oh, now I get it.
Is that, does that align?
No, that is a good one.
Zero Trust is so big that it's difficult to find a single analogy.
You can take, you can carve off parts and say, oh, if we go back to the castle right, then Zero Trust is not like guards at the gate.
It's more like a guard at every door.
Yep. Inside the castle. And they know who everyone is and who's allowed inside every door, etc..
But you're right, there also is the concept of blast radius and hey, these servers should only talk to each other in this particular direction.
No one else should talk to them. Right? And that's explicit. That's least privilege access on a sort of a network path.
And that's harder to talk about in a convenience analogy.
So one of the things that I think is, is I mean, we're we're we know this space pretty well.
And and and even we are sort of struggling to describe what it is. And it's not, you know, it's not like a firewall.
You can't just buy it. Right. It's a it's almost a just a different, different philosophy.
If you're a company and you're you're still in that sort of castle-and-moat world and you've heard about this Zero Trust thing.
And, you know, you eventually want to have a guard at every door or a bulkhead at every seam.
But that seems like it's daunting in terms of getting getting to that.
What's the...
how how, as you as you think about this, where do you tell people that they should start this journey if they're just starting it?
What's the what's the beginning of the Zero Trust journey?
Oh, so I got some great news for you here.
One is that because of all the activity around Zero Trust with the Biden executive order, the CISA maturity model, there's a lot less people coming in and saying and being and saying, I'm so daunted.
I don't know how am I ever going to get there.
I used to call those people like end-stage nihilists who would say it's a it's an ideal and you can never get to an ideal.
So why even try, right?
We're leaving those people behind and people are starting to recognize it is a journey.
And I think one of the things that's instrumental in that, in getting people to realize that is the CISA maturity model where people can understand, Hey, I'm at this mark and then there's this level of maturity and then there's this level of maturity.
So clearly it's some kind of journey that I can go on.
And people always used to ask, the number one question they used to ask me, or probably any Forrester analyst is Where do I start?
And I'll tell you that in a second.
But but the questions that they've been asking lately are after I give them the first answer, they say, okay, and then what?
And I tell them the next one.
And then they're like, okay, then what? Actually, that's a that's a roadmap discussion.
Most of the conversations I have today, to be honest Matthew, like almost every single conversation I have today, it's give me the Zero Trust roadmap, which is great.
It means that people are beyond the Oh, I don't know what to do.
They're now saying, look, I've got my I've got the backing to do this.
I just need to know what to do and in what order to do it. So the so where almost everybody starts is with identity.
And part of it, there's a couple of reasons for this.
One is there's dependencies on that. Does that make sense? So as you go through the other parts of the journey, dependencies on We need to be able to integrate with your identity providers.
This is a great place to do multifactor authentication.
and SSO, and these are broad wins across your organization that are very high in visibility.
So if you haven't done these already, right, you start with these and then the whole organization can see because obviously they're going to know, right, as they as they use their SSL portals and their MFA, things are happening.
And these are relatively easy to roll out these days.
I don't know if you remember, Matthew, the old days when it was really, really hard to do single sign on.
It's like it's so easy now that we have things like Federation and OAuth.
So typically we start with those and the change I've seen over two and a half years is a lot of the organizations we go in and they're like, Yeah, we did that already.
And that's great. I'm like, Okay, well then you kind of have like one of the big first ones done.
And so then they'll say, What's the second one?
I'm like, Well, very often it's devices. You need to have some kind of protection on your devices so you know which ones are sanctioned.
And then you can decide, well, this one's relatively trusted and we're going to give it this level of access and this one's a BYOD and we're going to give it less access.
We're going to give it RBI or some... We're going to put a security, compensating control in there.
And then probably the third one is something around access to applications.
And this is a really big one where you might provide Zero Trust network access to applications you have either on-prem or in the cloud.
And so you see, I'm already building this roadmap for you, and then there's just a few other ones after that.
You know, it was it was really interesting because you mentioned CISA and I and I and I've worked with them and Jen Easterly there and and we, you know, when we saw, especially as the conflict in Ukraine kicked up, that there was there was real risk to critical infrastructure in the US, and so I called George over at CrowdStrike and Andre at PingIdentity and said, you know, we should do something around this because it really does feel like the three components that you need are, as you outlined, you've got to have identity which which Ping does a great job and a number of others as well.
You've got to have some sort of endpoint security which which CrowdStrike and then again, a number of others as well.
And then you've got to have network security, which is which is something that Cloudflare has been a big piece of it.
And so we launched the Critical Infrastructure Defense Project and it was, was really interesting.
The thing that has been the most valuable that has come out of that for us has been actually the very specific roadmap where we said, here are the things that you should do today, here are the things that you should do this week.
Here are the things that you should do this month. Here are the things that you should do this quarter.
Here are the things that you should do this year.
And as we've worked with hospitals, energy companies, people who are providing what are really the absolute critical infrastructure, it was that roadmap that was that was really they were like, aha, you know, and, and now I've got kind of a path to doing that.
So I think the fact that you're that you're giving that to your clients is, it seems like it's really absolutely critical that's there.
Do you have to get to the end of the journey to be to be better off? Like, is it is it okay to only guard some of the doors or how how much is enough?
I'm I'm a big believer in incremental progress.
And with cybersecurity, of course, you can never be done, right?
Every now and then, an Uber driver will ask me, hey, so you're you're a computer security guy, right?
Like, when is all the cyber stuff going to be fixed?
Yeah. And I'll say it's the same week when we don't need lawyers and police.
That's when this is all going to be done. And the, I think, a realistic way to look at it is like if you're looking at the system maturity model, they have one called Optimum, where every every different part of the seven pillars or seven or eight pillars that they've defined is very, very intense as far as what it's doing around trust and explicit policy and all this stuff.
And I think most organizations are not going to get there. And one could argue that would be an inappropriate use of funds to try to get there for for their entire organization.
I think the right approach is, is you have to identify what is the really high value data that you're trying to protect, the high value resources, and then maybe you try to get to an optimum Zero Trust around those things.
And then maybe you're more advanced, you're more just kind of a "Demands Zero Trust" for the rest of the organization.
I think that's a much more realistic way to do it.
And if you, but part of that is predicated on you have to know what is your high value, what are your high value assets?
And while that sounds like a real simple question, for many organizations, the larger the organization, it's not always obvious what they have as far as data and assets and inventory, etc.
It's a constant problem for them.
Do you see that too? Well, yeah.
And I mean, I think we see examples recently where some things that that you might not expect to be high value or you might not expect to have, that need protection do.
I mean, I think with the Log4j incident, it turns out that there's a lot of places you were logging data and if you've and if and if you if those then have privileged access to other parts of your organization, that was, that was a real threat that that could come in.
So it's not only understanding where is that data, but then it's understanding how is that data accessible or how are those applications accessible across across the board?
I think same thing with Confluence. Recently, there might be a lot of organizations say, Oh, we've got some running somewhere, but now here, here's this.
And so I think it's you know, I think there is there really are challenges in figuring out how much is enough.
But I think the message that we try to communicate whenever we're, when we were doing some of our public service work is any step on this journey puts you in a better place than you were before.
Agreed.
Agreed. I'd much rather see people making progress rather than continuously planning for some end state they're not going to get to.
And there will, there'll all....
then again, there's there's an iceberg that's big enough to sink any ship, no matter how many bulkheads you put, you put in it.
And we can't just always worry about the giant iceberg. We've got to start building building those bulkheads.
What are some of the... you've seen a lot of companies go, start down this road map.
What are some of the mistakes or common roadblocks that that companies run into as they as they sort of progress through their Zero Trust journey?
You know, in the...
three years ago, it used to be not getting enough buy in. If you didn't go high enough up the chain and get somebody from the C-suite to be your champion, then you would run into...
I suppose, very often this is a security-led conversation, obviously.
Right? But if the rest of the IT work was only grudgingly trying to go along with it, you know, people would drag their feet and it became an organizational problem rather than a technical problem to solve.
We don't see so much of that anymore, again, because of the Biden executive order.
And so we used to recommend Hey, you got to go get a C-level champion.
Well, most of the time now people people coming to talk to us are, it's the CISO.
So it's almost always the CISO.
And there is that champion now. So that's great. So what's an implementation? Knowing the roadmap, like we talked about before, not being sure where to go and how...
what are the steps to do this.
I think there's an opportunity... So my number one research priority, when I'm not talking to you, Matthew, is in this roadmap, there are hidden dependencies throughout these things where where you have some task that you're pretty sure this is a Zero Trust task I have to go and do.
But you didn't realize, oh, that's actually dependent on this other task, where I need to at least have started that.
And so I'm trying to draw. Do you have an example of where you've seen that recently or your favorite sort of hidden dependency?
So there might be one around, let's say you are trying to define your paths for how how you think data's going to flow and then how you're going to explicitly say this data is going to flow.
Maybe you didn't realize that you don't actually know what devices are on the networks or you don't know how many networks you have.
Right. I've run... I've talked to companies who are like we discovered a whole new network that we own that we didn't even know.
And so it turns out that that asset discovery, network discovery needs to take place before you do that part.
And that might not be what people want to hear. But I think it's what they need to know is that there needs to be a lot of groundwork that you need to be laying at least concurrently while you're trying to go through this.
That's...
Are there companies or industries that have really done this particularly well?
I think some have some advantages.
So, for example, highly regulated industries, so very often will be called in to do an assessment, to say, they'll say, hey, we want to know where we are and then what it would take to get to a state, like what's a recommended good state for us and how would we get there?
And so I have found that in, say, a regulated environment that they seem to have more foundational building blocks that they can build on.
And not everyone's regulated, but in general, I think that's been a benefit.
Oh, clearly the organizations that are kind of more cloud-first.
So there's an - intersection...
- So there are sort of two different extremes. It's sort of we've got a... Oh, yeah, right.
- Yeah.
whatever the 2-humped camel problem is. Yeah.
Yeah, absolutely. So so the the people, the ones who are more distributed, more in the cloud, they can take advantage of more kind of more modern API-driven things and if their applications are hosted in the cloud, all of that stuff's programable.
If you need to change the topology of something up there, it's terraform.
We try to change the topology of the local network, man, that is not something you want to go and do.
So.
So, yeah, there's and but many organizations are not one of either of those two humps.
Yeah.
It's how do we get that, that middle to... Because that's exactly what we're seeing.
And I think we've seen, in terms of adopting Cloudflare, in our Zero Trust solutions, real strength in those cloud- native, cloud-first, those people know us, they like us, they work with us.
I think we're increasingly working with those sort of regulated industries, but I think it's that that middle part in between that that is still, feels a little bit like deer in the headlights that are as they're...
Yeah. Absolutely.
Yeah. What...
you talked about buy in from sort of the C-suite and how that's, how the executive order and and and I think also just the excitement around the spaces has got people thinking about it.
Are you seeing much pushback from the practitioners these days?
Are there still people who are out there who really want to hug their VPNs and and and and have them...
Yeah.
Yeah.
Yeah.
But I see that with almost any new technology, right.
There's always people who don't want to move forward or who are maybe skeptical too long would be a...
still run into cloud skeptics.
Are you seeing...
how much how much are you seeing people starting to, even as cloud skeptics, when they can't get...
if you try and buy a VPN right now, it's nine months if you're lucky for one to be to be delivered from a lot of the providers that are out there, physical piece of hardware.
Is that is that pushing many people to, that were cloud skeptics before, to start to look at some of these solutions?
Well, there was a ton of that during the pandemic, right.
Because of my network security background, I took all the calls from Forrester clients who were really struggling during the early days of the pandemic, and one of the first calls I took was, of course, a client that had 150,000 employees.
And they said, Yesterday we were 5% remote.
Today we're 95% remote and nothing is working. And it was all about their VPN infrastructure.
And I told them, I said, the VPN is not the way out of this.
Zero Trust is the way out of this. They didn't want to hear that, but it wasn't, it was probably three or four months later they came back and they said, okay, we're ready to do more of this Zero Trust stuff.
So, so yeah, it was a huge accelerator into that whole that whole thing that Forrester calls the Zero Trust Edge, but you and others call SASE.
And so since you guys use the term, I'll use that term for this as well.
And, this is your SASE week, isn't it?
Yeah, this is...
we call it Cloudflare One Week, but it's a lot of how you use all of the different Cloudflare products to get to that Zero Trust outcome that that that people that people want, want to do.
And again, I think we're one piece of it.
You've got to have identity, you've got to have some sort of...
security as well. But but that's yeah, that's what we've been, we're focusing on that this week and really trying to show how how our our our solutions compare with with some of the vendors that are out there.
To that end, how is your, if you're a customer and you're evaluating different Zero Trust vendors, are there things that, because again, it seems like there's a lot of noise in this space.
How... what are the things that you would recommend a customer look at in order to pick one Zero Trust vendor versus another?
Oh, so that's a multiple-part question here.
So if... So I'll cover the sort of the easier one first.
The... Sometimes in the vendor community especially, there are people or vendors would like to be known as we are the best Zero Trust company.
But in my experience, that's not actually how people buy things.
People are trying to solve a problem. So so if we're going back to the VPN example, if my VPNs aren't working.
What's a better way to do this? The problem they're trying to solve is I need to keep remote employee productivity up and I'm going to use Zero Trust and ZTNA to do that.
So that's where I focus my research is how can you...
or for example, in a local network, how can I use Zero Trust to reduce the blast radius?
And that's micro segmentation. So I did a wave on that one as well.
The... but it's different in the in the SASE landscape, right? Because you're talking about, well let's take all of the security stuff...
One of the reasons I'm a huge advocate for the model is, and I see this as a truly disruptive, and I liken the SASE model...
it's like it could do for IT and IT security what public cloud did for apps.And if you think about the old, old days, again, the cloud skeptics..."Cloud is just somebody else's computer." It took like 15 years to get to where we are today, but people don't really deploy apps on-prem anymore.
It's pretty rare. If you're going to deploy an app, it's going to be in the cloud and this SASE model could do for IT what public cloud did for apps.
And it might be as long, might be another 15 year arc. And these are still, we're maybe on year three or something, but the early adopters are going to see the benefits early on.
But one of the things that they have to do is accept that you're you're buying into a platform here.
You're buying into a portfolio of security solutions, of security capabilities.
Yeah. Now, where it where it works out, I think is... At Forrester, we survey 3000 security decision makers every year and we ask them all kinds of questions, but we ask them a set of questions.
How would, for security capability X, how would you prefer to consume that?
It doesn't matter what X is, 75% of the time they say, I want that as a service.
I don't want to rack a box, I don't want to install software or train anybody.
I just want, I just want that.
Just give it to me as a service and I'll pay you a monthly or yearly. SASE is the per...
it's just take all of IT security practically and deliver it like that. And that's why the stakes are so huge, that's why it's going to be so disruptive, and that's great.
But you have to get people away from the concept of, Well, I want to buy best-of-breed in everything because that's opposite, because I don't think that in the in the end state of this that you can have multiple vendors processing your SWG and your CASB and you're going to want that all to go through one edge.
So that's one of the questions I had for you is, is in the States especially, people want to buy best-of-breed, which is great if you're a Forrester and you do all these reports on best-of-breed stuff and you get to pick the best of breed.
But in a system like this, where where people really need to choose a portfolio, how are you overcoming that best-of-breed preference, Matthew?
Yeah, well I think the goal is we should just be best of breed.
I mean that's...
and it's, you know, and I think that what we have done a good job of, throughout Cloudflare's history, if you look at all of our products, is we get them to market early, we enter in the markets, we use the unique programable extremely flexible network that we have then to deliver the solutions to make sure that customers can get whatever they want.
So once upon a time, we weren't the best of breed DDoS mitigation vendor.
By far now, we are. You know, once upon a time, we weren't the best at Web Application Firewall.
Now we, by far are, in terms of in terms of doing that as a service.
And so I think in the SASE space, we're seeing the same thing.
I think what our question is, is where are the natural seams?
Like we think identity is different than endpoint security is different than network security.
But you could, you could actually cut the world up in different ways.
And I'd be curious, where where do you think, like if you...
I think people are going to take best of breed within these big categories like they'll pick best-of-breed of identity provider, they'll pick best of breed-of-breed endpoint security.
They'll pick best-of-breed of network security. But do you think it gets finer, more fine-grained than that or more expansive?
Where do you think the natural seams are in the Zero Trust space?
Oh, that's a really good question.
You know, so in the Forrester model, right, we've got sort of four things that interact with data: people, devices, networks and workloads.
And you can basically expect to see different technologies, different security controls around each of these.
And in really large organizations, those are all different teams or they can be all different teams.
And so those are kind of the natural seams, I guess you could call it.
But I was recently having a conversation with a CISO and she said, You know, I really want to do a lot of this stuff, but I want it to be the same vendor that manages my endpoints.
I want it to be the one who's already throughout my network, like somebody like a McAfee or a vendor like that that she had been using for a long time.
And she was really, really excited.
And then their thing happened where they don't even exist by that name anymore.
And then they took their their sky-high and spun that out and she was like, Well, I don't even know what to do now.
That's not this... So there's going to be buyers like her, and I feel for her.
I still have...not still have to, I still, I get the opportunity to work with her again soon to help her try to navigate this, you know, navigate this landscape, I guess.
Well, one way or another, we're either going to have to start building a lot more things if, if, if there are a lot more buyers like her or, what I hope will happen is, partner with with great, great other organizations in order to create solutions that really solve problems.
I think it's probably going to go what you just said, it's going to be more partnerships, going to be much more API-driven so you can get better signals from the client side.
It won't matter if it's a CrowdStrike or Carbon Black or whatever. And then I'll just have to tell her like, hey, there's a, there's a split here.
These things are handled by different vendors and maybe rightly so.
It's really interesting, it's developing client software is just a different skill set than developing centralized...
You structure your dev teams differently, you structure your QA organization differently.
So it's it's it's actually been part of the reason why working with Carbon Black or CrowdStrike or others has always been a very natural thing for us because it's, and because I think it's, it is, those are very different skills and....
It's hard to imagine somebody doing them all well.
Well, David, I really appreciate you taking time.
Thank you for coming during Cloudflare One Week. I think this has been a great, great example of of how...
While Zero Trust might have a lot of sort of noise around it, it's actually something which is, you can wrap your heads around, there is a realistic roadmap and every step you take down the journey is going to make you more secure.
I'm really happy to be on here.
Anytime, Matthew, you want me to come on Cloudflare TV, just give me a week's notice.
I appreciate it.
Thanks, David. I hope you feel better. All right.
Thanks, you, too. Bye bye.