Best Practices for Implementing Zero Trust Security
Presented by: Matthew Prince, David Holmes
Originally aired on July 5, 2023 @ 6:00 PM - 6:30 PM EDT
Cloudflare One Week Fireside Chat
Cloudflare co-founder and CEO Matthew Prince sits down with special guest David Holmes, Senior Analyst at Forrester, to discuss Zero Trust security, common roadblocks, and what the most successful deployments have in common.
Transcript (Beta)
Hey there, welcome to Cloudflare TV. I am so honored to be joined by David Holmes from Forrester.
David is an analyst I've really admired for a long time, and one of the leading experts in the Zero Trust space.
What I wanted to start out with is, you know, what does this term mean?
And why are people excited about it?
And what is it that we're trying to accomplish as we all move to a Zero Trust world?
Sure, sure. So to address one of those points, yeah, there are a lot of, I don't know, people upset about all the hype and the marketing around it.
And we recently released a paper that gives a short, concise, definable, shareable definition of Zero Trust.
And in the paper, we talk a lot about one of the problems with Zero Trust: when Forrester wrote the initial papers back in 2008, 2009, John Kindervag wrote those, I had dinner with him at RSA.
They were just behind the Forrester paywall, so all the Forrester clients could see them.
But that's not everybody in the world, but every vendor in the world could see them.
And so they would read the papers, and then they would talk about Zero Trust, obviously, a lot, you know, where it aligned with them.
And so most people saw Zero Trust through this sort of stained glass window of vendor marketing, and it really turned a lot of people off.
Right. And to this day, I don't want to call them haters or anything, but you'll see a lot of Zero Trust skeptics out there.
And that is what it is.
But ultimately, it's an information model of security that tries to protect data, and use identity to provide access and effectively deny by default, and rely on explicit policy.
That's what we're trying to do with this model.
And it's got a huge uplift from a lot of the work that the federal government has been doing over the last two, three years.
So it's busy times if you're a Zero Trust analyst.
So if you were, you know, explaining it to my dad, what did the sort of pre-Zero Trust security model look like?
And then if you had the ideal Zero Trust implementation in the future, and let's skip the messy middle.
But from what is yesterday to what is tomorrow, what is that?
How would you describe that? Yeah, so my dad's a big history buff.
So if I was explaining it to my dad, I would say, you know, Dad, all those castles that we visited in Scotland, there was very much defense in depth: high walls, slits in the wall, and sometimes a moat, really trying to keep the stuff on the inside, keep all the goods on the inside, people protected, and then assume everybody on the outside is bad, right?
That's the computer security model that we all used to have, the perimeter defense.
And that no longer works.
One of the reasons is, both in the physical example of that and in the cyber example today, being inside a castle during a pandemic is actually a terrible place to be.
So people have left that model behind. And so if that's the old model, where you had a perimeter and firewalls, perimeter defense, the new model of the future is more that the identity is the perimeter. We're trying to provide access based on not where you're coming from or where you are, but who you are and what you're trying to get access to, which is clearly a lot more work, because you have to understand, well, what are all the things?
And who are all the people?
And not everybody should have access to everything.
So it's transitioning to that model. And the good news is that the world has been moving in this direction anyway.
Right? I mean, we all recognize that least privileged access is the right thing to do.
And so it increasingly gets built more and more into frameworks and platforms.
You know, I've struggled to figure out an analogy that works.
The only one that seems to somewhat resonate for me, and I'd be curious if this works, and again, no analogy is perfect.
But to me, it's sort of the difference between once upon a time, we built ships, and we tried to make the hulls as strong as possible.
But if there was a leak anywhere in the ship, if you didn't have bulkheads, the entire ship sank, and so Zero Trust is at some level almost like trying to install a bunch of bulkheads.
If there's a hole anywhere in the ship, obviously you want to patch that hole, but the sort of blast radius, which, yeah, is mixing metaphors, starts to get a lot smaller.
And that's been one of the few things that, when I've explained this, people are like, oh, now I get it.
Does that work? Yeah, no, that is a good one. Zero Trust is so big that it's difficult to find a single analogy, right?
You can carve off parts and say, oh, if we go back to the castle, then Zero Trust is not like guards at the gate.
It's more like a guard at every door, you know, inside the castle, and they know who everyone is, and who's allowed inside every door, etc.
But you're right, there also is the concept of blast radius. And hey, these servers should only talk to each other in this particular direction.
No one else will talk to them.
Right. And that's explicit. That's least privilege access on a sort of a network path.
And that's harder to talk about in a convenient analogy.
So one of the things that, you know, I think is, I mean, we know this space pretty well.
And even we are sort of struggling to describe what it is.
And it's not, you know, it's not like a firewall, you can't just buy it, right?
It's almost just a different philosophy.
So if you're a company, and you're still in that sort of castle and moat world, and you've heard about this Zero Trust thing.
And you know you eventually want to have a guard at every door or a bulkhead at every seam.
But that seems daunting in terms of getting there. As you think about this, where do you tell people that they should start this journey if they're just starting it?
What's the beginning of the Zero Trust journey?
Oh, so I got some great news for you here.
One is that, because of all the activity around Zero Trust with the Biden executive order and the CISA maturity model, there are a lot fewer people coming in and saying, I'm so daunted, I don't know how I'm ever going to get there.
I used to call those people end stage nihilists, who would say, you know, it's an ideal, and you can never get to an ideal.
So why even try, right?
We're leaving those people behind, and people are starting to recognize it as a journey.
And I think one of the things that's instrumental in getting people to realize that is the CISA maturity model, where people can understand, hey, I'm at this mark, and then there's this level of maturity, and then there's this level of maturity.
So clearly, it's some kind of journey that I can go on.
And people always used to ask, the number one question they used to ask me, or probably any Forrester analyst, is, where do I start?
And I'll tell you that in a second. But the questions that they've been asking lately are, after I give them the first answer, they say, okay, and then what?
And I tell them the next one, and then they're like, okay, then what? Actually, that's a roadmap discussion.
Most of the conversations I have today, to be honest, Matthew, almost every single conversation I have today is, give me the Zero Trust roadmap, which is great.
It means that people are beyond the, oh, I don't know what to do.
They're now saying, look, I've got the backing to do this, I just need to know what to do and in what order to do it.
So where almost everybody starts is with identity, right?
And there's a couple of reasons for this. One is, there are dependencies on that.
Does that make sense? So as you go through the other parts of the journey, there are dependencies on, you know, we need to be able to integrate with your identity providers.
This is a great place to do multi-factor authentication and SSO.
And these are broad wins across your organization that are very high visibility.
So if you haven't done these already, you start with these, and then the whole organization can see, because obviously they're going to know, as they use their SSO portals and their MFA, that things are happening.
And these are relatively easy to roll out these days. I don't know if you remember, Matthew, in the old days it was really, really hard to do single sign-on.
It's so easy now that we have things like federation and a lot more.
So typically we start with those, and the change I've seen over the last two and a half years is a lot of the organizations we go into, they're like, oh, yeah, we did that already.
Yeah. And that's great. I'm like, okay, well, then you have one of the big first ones done.
And so then I'll say, what's the second one?
I'm like, well, very often it's devices, you need to have some kind of protection on your device.
So you know which ones are sanctioned, and then you can decide, well, this one's relatively trusted, and we're going to give it this level of access.
And this one's a BYOD, and we're going to give it less access, we're going to give it RBI, or, you know, we're going to put a compensating security control in there.
And then probably the third one is something around access to applications.
And this is a really big one, where you might provide Zero Trust network access to applications you have either on prem or in the cloud.
And so you see, I'm already building this roadmap for you.
And then there's just a few other ones after that.
You know, it was really interesting, because you mentioned CISA.
And I've, you know, worked with them, and Jen Easterly there.
And we, you know, saw, especially as the conflict in Ukraine kicked up, that there was real risk to critical infrastructure in the US.
And so I called George over at CrowdStrike and Andre at Ping Identity and said, you know, we should do something around this, because it really does feel like the three components that you need are, as you outlined, you've got to have identity, which Ping does a great job of.
And there are, you know, a number of others as well. You've got to have some sort of endpoint security, which CrowdStrike does, and there are a number of others as well.
And then you've got to have network security, which is something that, you know, Cloudflare has been a big piece of.
And so we launched the Critical Infrastructure Defense Project.
And it was really interesting, the thing that has been the most valuable that has come out of that for us has been actually the very specific roadmap where we said, here are the things that you should do today.
Here are the things that you should do this week.
Here are the things that you should do this month, here are the things that you should do this quarter, here are the things that you should do this year.
And as we've worked with hospitals, you know, energy companies, people who are providing what is really the absolute critical infrastructure, it was that roadmap that was really, they were like, aha, you know, and now I've got kind of a path to doing that.
So I think the fact that you're giving that to your clients seems like it's really absolutely critical.
That's there. Do you have to get to the end of the journey?
To be better off? Like, is it okay to only guard some of the doors?
Or how much is enough? I'm a big believer in incremental progress.
And, you know, with cybersecurity, of course, you can never be done.
Right? Every now and then an Uber driver will ask me, hey, so you're a computer security guy, right?
Like, when is all the cyber stuff going to be fixed? Yeah.
And I'll say, it's the same week when we don't need lawyers and police. That's when this is all going to be done.
And I think a realistic way to look at it is, if you're looking at the CISA maturity model, they have one called optimum, where every different part of the seven pillars, or seven or eight pillars that they've defined, is very, very intense as far as what it's doing around trust and explicit policy and all this stuff.
And I think most organizations are not going to get there.
And one could argue that would be an inappropriate use of funds, to try to get there for their entire organization. I think the right approach is, you have to identify what is the really high value data that you're trying to protect, the high value resources.
And then maybe you try to get to an optimum Zero Trust around those things.
And then maybe you're more advanced, you know, just kind of advanced Zero Trust for the rest of the organization.
I think that's a much more realistic way to do it.
But part of that is predicated on, you have to know what is your high value?
What are your high value assets? And while that sounds like a real simple question, for many organizations, the larger the organization, it's not always obvious what they have as far as data and assets and inventory, etc.
It's a constant problem for them. Do you see that too? Well, yeah. And I mean, I think we see examples recently where some things that you might not expect to be, you know, high value, or you might not expect to need protection.
I mean, I think with the Log4j incident, it turns out that there's a lot of places you were logging data.
And if those then have privileged access to other parts of your organization, that was a real threat that could come in.
So it's not only understanding where is that data, but then it's understanding how is that data accessible?
Or how are those applications accessible?
Across the board? I think same thing with, you know, Confluence.
You know, recently, there might be a lot of organizations saying, oh, you know, we're running somewhere.
But now here's this. And so I think there really are challenges in figuring out, you know, how much is enough.
But I think the message that we tried to communicate when we were doing some of our public service work is, you know, any step on this journey puts you in a better place than you were. Agreed, agreed. I'd much rather see people making progress, rather than continuously planning for some end state they're not going to get to.
Yeah. And there will always be, again, there's an iceberg that's big enough to sink any ship, no matter how many bulkheads you put in it.
And we can't just always, you know, worry about the giant iceberg, we've got to start building those bulkheads.
What are some of the, you know, you've seen a lot of companies start down this roadmap, what are some of the mistakes or common roadblocks that companies run into as they sort of, you know, progress through their Zero Trust?
You know, three years ago, it used to be not getting enough buy-in.
Like, if you didn't go high enough up the chain and get somebody from the C-suite to be your champion, then you would run into, you know, suppose, very often, this is a security led conversation, obviously, right.
But if the rest of the IT org was only grudgingly trying to go along with it, you know, people would drag their feet, and it became an organizational problem rather than a technical problem to solve.
We don't see so much of that anymore, again, because of the Biden executive order.
And so we used to recommend, hey, you've got to go get a C-level champion.
Well, most of the time now, the people coming to talk to us, it's the CISO.
It's almost always the CISO.
And there is that champion now. So that's great. So what's an implementation? Knowing the roadmap, like we talked about before, not being sure where to go and what the steps are to do this, I think, you know, there's an opportunity.
So my number one research priority, when I'm not talking to you, Matthew, is in this roadmap, there are hidden dependencies throughout these things, where you have some tasks that you're pretty sure, like, this is a Zero Trust task I have to go and do, but you didn't realize, oh, that's actually dependent on this other task, where I need to at least have started that.
And so I'm trying to draw an example of where you've seen that recently, or one of your favorite sort of dependencies.
So there might be one around, let's say you are trying to define your paths for how you think data is going to flow, and then how you're going to explicitly say this data is going to flow.
Maybe you didn't realize that you don't actually know what devices are on the networks, or you don't know how many networks you have.
Like I've talked to companies who are like, we discovered a whole new network with a wheel that we didn't even know.
And so it turns out that asset discovery, network discovery needs to take place before you do that part.
And that might not be what people want to hear.
But I think it's what they need to know, that there needs to be, you know, a lot of groundwork that you need to be laying, at least concurrently, while you're trying to go through this.
Are there companies or industries that have really done this particularly well?
I think some have some advantages.
So for example, highly regulated industries. So very often we'll be called in to do an assessment, and they'll say, hey, we want to know where we are.
And then what would it take to get to a state, like what's a recommended good state for us?
And how would we get there? Right. And so what I have found is that in, say, a regulated environment, they seem to have more foundational building blocks that they could build on.
And not everyone's regulated, but in general, I think that's been a benefit.
Who else? Oh, clearly, the organizations that are more cloud first.
So there's an intersection.
There are two different extremes. It's sort of, we've got a, whatever the two-humped camel problem is.
Yeah, yeah. Absolutely. So the people, the ones who are more distributed, more in the cloud, they can take advantage of more modern API driven things.
You know, if their applications are hosted in the cloud, all of that stuff's programmable.
We need to change the topology of something up there.
It's Terraform. You try to change the topology of the local network, man.
That is not something you want to go and do. So yeah, and you know, but many organizations are not one of either of those two humps.
Yeah. And how do we get that middle to, because that's exactly what we're seeing, you know, and I think we've seen, in terms of adopting Cloudflare and our Zero Trust solutions, real strength in those cloud native, cloud first, you know, those people know us, they like us, they work with us.
I think we're increasingly working with those sort of regulated industries, but I think it's that middle part in between, you know, that still feels a little bit like deer in the headlights.
Yeah, absolutely.
Yeah. You talked about, you know, buy-in from sort of the C-suite and how the executive order and, I think also just the excitement around the space, has got people thinking about it.
Are you seeing much pushback from the practitioners these days?
Are there still people out there who really want to, you know, hug their VPNs and, you know, have them sleep every night?
Yeah, but I see that with almost any new technology, right?
There's always people who don't want to move forward, or who are maybe skeptical too long. I still run into cloud skeptics.
How much are you seeing people starting to, you know, even those cloud skeptics, when they can't get, you know, if you try and buy a VPN right now, it's nine months, if you're lucky, for one to be delivered from a lot of the providers that are out there, you know, a physical piece of hardware.
Is that pushing many people who were cloud skeptics before to start to look at some of these solutions?
Yeah, well, there was a ton of that during the pandemic, right?
Because of my network security background, I took all the calls from Forrester clients who were really struggling during the early days of the pandemic.
And one of the first calls I took was a Forrester client who had 150,000 employees.
And they said, yesterday, we were 5% remote.
Today, we're 95% remote, and nothing is working. And it was all about their VPN infrastructure.
And I told them, I said, the VPN is not the way out of this.
Zero Trust is the way out of this. They didn't want to hear that.
But it was probably three or four months later, they came back. And they said, okay, we're ready to do more of this Zero Trust stuff.
So yeah, it was a huge accelerator into that whole thing that Forrester calls Zero Trust Edge, but you and others call SASE.
And since you guys use that term, I'll use that term for this as well.
And this is like, this is your SASE week, isn't it?
Yeah, we call it Cloudflare One Week. But it's a lot of how you use all of the different Cloudflare products to get to that Zero Trust outcome that people want to do.
And again, I think we're one piece of it, you've got to have identity, you've got to have, you know, some sort of security as well.
But that's what we've been focusing on this week, and really trying to show how our solutions compare with some of the vendors that are out there to that end. If you're a customer, and you're evaluating different Zero Trust vendors, because again, it seems that there's a lot of noise in this space, what are the things that you would recommend a customer look at in order to pick one Zero Trust vendor versus another?
Oh, so that's a multiple part question here. So let me cover the easier one first. Sometimes, in the vendor community especially, there are vendors who would like to be known as, we are the best Zero Trust company.
But in my experience, that's not actually how people buy things.
People are trying to solve a problem. And so, going back to the VPN example, like, my VPNs aren't working, you know, what's a better way to do this?
The problem they're trying to solve is, I need to keep remote employee productivity up.
And I'm going to use Zero Trust and ZTNA to do that. And so that's where I focus my research, on how you can, or for example, in a local network, how can I use Zero Trust to reduce the blast radius, and that's micro-segmentation.
So I did a Wave on that one as well. But it's different in the SASE landscape, right?
Because you're talking about, well, let's take all of the security stuff.
One of the reasons I'm a huge advocate for the model is, I see this as truly disruptive, and I liken the SASE model to, it could do for IT and IT security what public cloud did for apps, right?
And if you think about the old days, again, the cloud skeptics, you know, cloud's just somebody else's computer.
It took like 15 years to get to where we are today, but people don't really deploy apps on private.
It's pretty rare.
Yeah, you're going to deploy an app, it's going to be in the cloud. And this SASE model could do for IT
what public cloud did, perhaps, and it might be as long, you know, might be another 15 year arc, and these are still maybe on year three or something.
But the early adopters are going to see the benefits, you know, early on.
But one of the things that they have to do is accept that you're buying into a platform here, you're buying into a portfolio of security capabilities.
Yeah. Now, where it works out, I think, is, you know, at Forrester, we survey 3000 security decision makers every year, and we ask them all kinds of questions.
But we ask them a set of questions: for security capability X, how would you prefer to consume that?
It doesn't matter what X is, 75% of the time they say, I want that as a service.
Yeah, I don't want to rack a box. I don't want to install software or train anybody.
I just want that. Just give it to me as a service, and I'll pay you monthly or yearly.
SASE is that, it's just take all of IT security, practically, and deliver it like that.
And that's why the stakes are so huge.
That's why it's going to be so disruptive. And that's great. But you have to get people away from the concept of, well, I want to buy best of breed in everything, because that's the opposite.
Because I don't think that in the end state of this, you can have multiple vendors, you know, processing your SWG and your CASB, you're going to want that all to go through one edge.
So that's one of the questions I had for you, is, you know, in the States especially, people want to buy best of breed, which is great if you're a Forrester and you do all these reports on best of breed stuff, you get to pick the best of breed.
But in a system like this, where people really need to choose a portfolio, how are you overcoming that best of breed preference, Matthew?
Yeah, well, I think the goal is we should just be best of breed. I mean, that's it.
And it's, you know, I think what we have done a good job of throughout Cloudflare's history, if you look at all of our products, is we get them to market early, we enter the markets, we use the unique, you know, programmable, extremely flexible network that we have, then, to deliver the solutions to make sure that customers can get whatever they want.
So once upon a time, you know, we weren't the best of breed DDoS mitigation vendor; by far now we are. You know, once upon a time, we weren't the best, you know, at web application firewall.
Now we by far are, in terms of doing that as a service.
And so I think in the SASE space, we're seeing the same thing.
I think what our question is, is where the natural seams are. Like, we think identity is different than endpoint security, is different than network security, but you could actually cut the world up in different ways.
And I'd be curious where you think, like, I think people are going to take best of breed within these big categories, like they'll pick best of breed of identity provider, they'll pick best of breed of endpoint security, they'll pick best of breed of network security.
But do you think it gets finer, more fine grained than that?
Or more expensive? Where do you think the natural seams are in the Zero Trust space?
Oh, that's a really good question. You know, so in the Forrester model, right, we've got sort of four things that interact with data: people, devices, networks, workloads, and you can basically expect to see different technologies, different security controls around each of these, and in really large organizations, those are all different teams, or they can be all different teams.
And so those are kind of natural seams, I guess you could call it, but I was recently having a conversation with a CISO.
And she said, you know, I really want to do a lot of this stuff.
But I want it to be the same vendor that manages my endpoints, you know, I want it to be the one who's already throughout my network, like somebody like a McAfee, or, you know, a vendor like that she had been using for a long time, and she was really, really excited.
And then, you know, their thing happened where they didn't even exist by that name anymore.
And then they took their Skyhigh and spun that out.
And she's like, well, I don't even know what to do now. Like, that's not this.
So there's going to be buyers like her. And, you know, I feel for her. I still get the opportunity to work with her again soon, to help her try to navigate this landscape.
Well, one way or another, we're either going to have to start building a lot more things, if there are a lot more buyers like her, or, what I hope will happen, is partner with great other organizations in order to create solutions that really solve.
I think it's probably going to go the way you just said, it's going to be more partnerships, going to be much more API driven.
So you can get better signals from the client side, it won't matter if it's a CrowdStrike or Carbon Black or whatever.
And then I'll just have to tell her, like, hey, there's a split here, these things are handled by different vendors, and maybe rightly so.
It's really interesting.
Developing client software is just a different skill set than developing centralized.
You structure your dev teams differently, you structure your QA organization differently.
So it's actually been part of the reason why working with, you know, Carbon Black or CrowdStrike or others has always been a very natural thing for us, because I think those are very different skills.
And, yeah, it's hard to imagine somebody doing them all.
Well, David, I really appreciate you taking the time. I'm really happy to be on here.