Status Go: Ep. 206 – Zero Trust as Strategy

Are you concerned about the security of your organization’s data and systems? Look no further than the Zero Trust security framework. In this episode of Status Go, we sit down with George Finney, author of “The Zero Trust Project,” to discuss the ins and outs of this powerful security approach.

Finney shares his expert insights on how Zero Trust can help prevent cyber-attacks and protect sensitive information, even in the face of evolving threats. He breaks down the core principles of the framework and provides actionable tips for implementing it within your own organization. Don’t miss out on this informative and timely discussion. Tune in to Status Go today!

Episode Reference Links:

About George Finney

George Finney is a Chief Information Security Officer, author, speaker, professor, consultant and founder of Well Aware Security who believes that people are the key to solving our cybersecurity challenges. George is the bestselling author of several cybersecurity books, including Project Zero Trust and the Book of the Year Award-winning Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. George was recognized in 2021 as one of the top 100 CISOs in the world by CISOs Connect and has worked in cybersecurity for over 20 years helping startups, global telecommunications firms, and nonprofits improve their security posture.

Episode Highlights:

[00:00:36]: Welcome and Introduction

[00:02:30]: Career Journey

[00:06:12]: Inspiration for the book, “The Zero Trust Project”

[00:09:29]: Zero Trust as a Strategy

[00:12:34]: Trust is a Vulnerability

[00:16:42]: Daniel Thomas May and The Walking Dead

[00:18:08]: The Principles of Zero Trust

[00:20:44]: The Process: How to implement Zero Trust

[00:31:25]: Listener Call to Action

[00:34:07]: Thank you and Close

Episode Transcript:

Jeff Ton [00:00:36]:

Welcome to Status Go. I’m your host, Jeff Ton. You may recall in one of our first episodes of 2023, we talked with Brian Jackson of Info-Tech Research, and one of the trends that he encouraged CIOs and IT leaders to focus on this year is Zero Trust architecture. Heck, even our president, President Biden, got into the action, issuing an executive order for government agencies to adopt the Zero Trust stance.

In this episode, we are going to focus on Zero Trust. Many developers and many technology executives that I know, and the listeners of our show, are familiar with the book “The Phoenix Project.” In that book, the author teaches us about DevOps through a fictional story. In the same vein, author George Finney has given us “The Zero Trust Project.” In that book, Dylan, the new IT director for March Fitness, wakes up on his first day to learn the company has fallen victim to a ransomware attack. In the days and weeks that follow, Dylan learns about Zero Trust, and therefore, so do we as the readers. I’m thrilled to have author George Finney as our guest today. George is the chief security officer for Southern Methodist University and the CEO of a brand-new company called Well Aware Security, and we’re going to talk about both of those today.

So, welcome to Status Go, George.

George Finney [00:02:13]:

Jeff, thank you so much for having me. I’m excited to talk to you today.

Jeff Ton [00:02:17]:

I always love for our guests to share a little bit about their background, their career journey, how they got to where they are today. So, if you don’t mind, kind of give us that journey that you’ve experienced.

George Finney [00:02:30]:

Yeah, I had a weird path to get to security. My undergrad was in liberal arts, so I studied philosophy and mathematics and languages. And after that liberal arts degree, I thought I wanted to be a stockbroker. So, my senior year, I went and interviewed on Wall Street over spring break. That was my fun trip over spring break.

Jeff Ton [00:03:01]:

Some kids go to Florida, you go to New York to interview.

George Finney [00:03:04]:

There you go, right? This is how industrious I was. But I quickly kind of realized that that probably wasn’t the right path for me. So, it’s a good thing I figured that out quick. And unfortunately, I didn’t have a backup plan. So, when I came back to Dallas to resume my adult life, quickly, I kind of realized technology is where I want to go because I kind of studied languages.

I’ve got a natural affinity for technology. It feels like just learning a new language. I got a job working on DSL lines back, kind of dating myself a little bit, but from there started focusing on networking, worked at a couple of telecommunications companies, got the Cisco certs, and had an opportunity to go work at a startup with some friends of mine from college. They were doing custom software development for folks. So, I also kind of took on the role, after having been on the network side, of a sysadmin and really kind of started to understand Linux and email admin, DNS, all of those other sides of the technology world.

And then I came back to Dallas and got this job at SMU, really, because I kind of wanted to play more of a role in the business. And SMU had just reopened their evening law program, so I thought, okay, cool, now I’m going to make another detour and be a lawyer. And as it turns out, I stayed at SMU to be their security leader. And it made so much sense having a network background combined with a sysadmin background combined with the legal compliance policy, regulatory contract kind of side of things.

And I think really security is the common thread through all of those little detours that I made, just to do the job of protecting folks before something bad happened rather than after. And as I’ve kind of led the security program at our university, that’s really been my focus: how do we be proactive rather than reactive? How do we prevent bad things from happening? The more that I did that, you know, the more I kind of got to know about Zero Trust. And it just turned out that the guy that coined the term Zero Trust, John Kindervag, lives here in Dallas, and we met at a conference or a workshop or something and just became good friends, and yeah, that’s kind of led to a lot of things, like the book.

Jeff Ton [00:06:12]:

To this concept of Zero Trust: what inspired you to turn this into a book? And then kind of part two of that is, why in the storytelling mode, a la “The Phoenix Project”? So, two parts.

George Finney [00:06:29]:

Yeah, after “Well Aware” came out, it took a lot out of me. It took three years to write, and I thought I was done writing books. And I got a call one day from Wiley and Sons, my publisher, to ask, hey, did I want to write a book on Zero Trust? And I’m like, that’s interesting. Have you talked to John Kindervag? I happen to know him, and he’s a really good dude, and he’s been talking about writing this book for as long as I’ve known him, and it turned out, well… he just wasn’t taking their calls because he was too busy with his new startup, which is awesome, by the way. They’re a Zero Trust MSSP.

He and I sat on his couch one day and kind of workshopped a little bit. He said, you know what? Take all my notes. Here’s my design methodology, here’s my maturity model, and you do it the way that you want to do it. And he talks about this in the foreword, but I was like, cool, I want to do something like “The Phoenix Project”. And he was like, you’re crazy. And we kind of stayed with it a little bit.

And really, so many of the people in cybersecurity today have been in the industry for a short period of time, like five years. Right. The industry has exploded with growth, and not everybody has that kind of well-balanced background of networking and security and architecture and help desk support, like an identity. The field has become so broad, it’s hard to kind of understand everything that you need to know.

And so, because we wrote it as a story, you as a human can kind of picture yourself in Zero Trust. Whatever your role is, there’s someone. Dylan builds an interdisciplinary team around him from all of IT to help make the Zero Trust journey happen for their company. And so, I think no matter what your role is in IT, you have a role to play in Zero Trust.

I think that is one of the things that gets lost when you look at the NIST standard for Zero Trust, 800-207, or when you look at some of the other reference manuals on Zero Trust that had already been done. All of that info is out there, and I think really making it resonate, right, connecting with people, that’s how we both bring them into security and welcome them in, but also give them the big picture and help them understand really what problem we’re trying to solve when it comes to security.

Jeff Ton [00:09:29]:

Well, I learned so much. My background is not in cybersecurity. I’ve been in IT for 40 years. But security was always somebody else’s job, right? I was on the app dev side and all it did was slow me down. Right. No, I’m kidding. I’m kidding. But going into reading the book, I thought Zero Trust was a technology. Right? I’m going to go buy a box that sits in my data center and I’m going to have Zero Trust. I love the way you describe it as a strategy. So, when you think about cybersecurity strategy, what are the things that are coming to your mind that our listeners need to think about differently than maybe they were thinking about it before?

George Finney [00:10:30]:

Yeah. So, I totally hear that. So many people think security is for the security guys to do. That’s their job. If Zero Trust is only for us security nerds, we’re not going to be successful. Everybody has a role to play when it comes to Zero Trust. At a high level, I think Zero Trust is a strategy. And I actually happen to think it’s the only real security strategy that actually meets the definition of strategy, because you have to have two things when it comes to a strategy. You have to have a goal that you’re trying to reach, and you have to have a plan for getting there.

As a leader in your organization, you need to get everybody on the same page to do whatever it is you need to do. And Zero Trust is really that rallying cry that I think everybody can understand. We’ve simplified it down as simple as we can make it. It’s about trust and removing trust relationships from digital systems. And everyone can go out into their respective areas, whether it’s identity or network or architecture or cloud DevOps, whatever part of the organization you find yourself in. There are trust boundaries or trust relationships that we need to think critically about: how and why we leverage those and what controls we can wrap around them.

Because, from experience, John Kindervag was a leader of a pen testing team. The common denominator on all of the adversary attacks that go on is they exploit the trust relationships we have. That’s the one central vulnerability. And if we can address that organizationally all across the board in every area, then we’ve got a much better chance of preventing or containing a breach.

Jeff Ton [00:12:34]:

Well, and you just said it, George. That was another one of the light bulb moments for me: I think you dedicated a whole chapter to “trust is a vulnerability.” We’re so used to vulnerability patching, and what is it? Microsoft releases the latest version, and the next day you get all the patches coming out to fix the vulnerabilities. And where did that begin to crystallize for you, trust as a vulnerability? Is that something directly from John, or is that something that, as you were studying this, you kind of put those pieces together?

George Finney [00:13:18]:

Yeah, again, that was one of the things that was in John’s notes from when he was at Palo Alto Networks. I think it was 2018. Somebody made him a shirt with his picture on it, just his head, that said, “Trust is a Vulnerability”.

Gosh, it makes so much sense as you look at all of the different areas of IT. We keep running into the same challenges with, oh my gosh, we had this blind spot. We thought we were good because we connected this API to something else. Wait a minute, you’re giving access to an API to read data? We know, as you look at the common breaches that have happened over the years, just looking at APIs, think of the Parler or Peloton breaches. That’s how the bad guys got in. And any device in the world can access your API through your app in the app store, and potentially reverse engineer that and pull all of your customer data out. That’s a trust relationship that we had in our APIs.

So, everybody has a slightly different environment. Maybe you don’t have APIs in your environment. Maybe you’ve got websites. Is there a vulnerability in your website that you’re getting attacked with? The answer is yes. If you’ve got a website, you’re being scanned right now for SQL injection or cross-site scripting, for sure. If you don’t have a tool for that, if you’re not finding a way to know what your blind spots are, that’s a pretty significant gap.

And it’s easy in IT to just be blissfully ignorant and just keep putting out the fires that we have to face every day. Zero Trust is different. Zero Trust is about problem management, not incident management. So, we’ve got to get out of that firefighting mode every day and eliminate whole categories of problems that are sucking up all of our cycles. Zero Trust is designed to do that. And again, it’s an iterative approach, right? You do it again and again, and you get fewer and fewer issues that you have to go firefight every day.

Jeff Ton [00:15:48]:

Yeah, it gets back to the old adage: it’s not really a destination, it’s a journey. Right? And even in the book, you talk about starting small and continuing that iterative process to build up.

Jeff Ton [00:16:42]:

Without giving away a lot of the book, because I do want our listeners to grab a copy, you talk in there about the principles of Zero Trust, and then that segues into the methodology. So, what are the principles when it comes to implementing Zero Trust as a strategy?

George Finney [00:17:18]:

Well, let me first say, if you’re on the fence about the book and you listen to audiobooks, my favorite part of the whole journey of writing the book is I didn’t get to pick the narrator. So, the day it came out, I’m listening to it like, oh my gosh, this guy did a great job. And it turned out that Daniel Thomas May, he’s the narrator, he was one of the actors on The Walking Dead. I’m like, oh my God. I tried to reach out to him and I’m like, oh, wow, I’ve got to go through his agent. Man, it’s just been such a fun and cool journey again.

Jeff Ton [00:18:04]:

And that was the version that I air quoted, “read”. Yes, right.

George Finney [00:18:08]:

Exactly. The very first principle of all of Zero Trust, and we’ve been talking about this for a long time in the abstract in the security world, is we’ve got to align security and the business. That’s the number one guiding principle of all of Zero Trust. I love that that is captured in John’s design methodology, and that’s one of the things that’s missing from, like, a NIST standard, where it talks about architecture but doesn’t talk about aligning security and the business.

So, I think that’s incredibly important, because every business is different. The way you do things, the processes you have in place, the risk tolerance, what products you produce, all of that you’ve got to understand before you start your Zero Trust journey, in part because step two is you’ve got to understand what’s important, right? What are your crown jewels? If you’ve done a business impact assessment, what are your top ten apps or services that you have to protect to keep your business running? Start with those and you work your way from the inside out.

So, again, the traditional process was to start from the outside in: build the castle walls and work your way inward. We want to protect what’s most important to the business first. Then you go to the least privilege model: only assign permissions or access when they’re needed.

And finally, as you know, the final design principle is log everything. And that, I think, is one of the biggest challenges, just in general with logging, in part because capturing everything is expensive: making sure all the services are being logged and getting audit logs from applications, right? Not just the server logs or not just the network logs.

Cloud visibility is a huge challenge. Getting those same logs out of the… totally one of the most challenging parts of Zero Trust to do. Right? But in order to do Zero Trust right, and to find issues and to be able to proactively identify them and do something about them, you’ve got to have that captured in a log somewhere. That’s, at a high level, the four pillars, if you will, of Zero Trust. Yeah.

Jeff Ton [00:20:44]:

I love those, because, again, it goes back to that iterative approach of, hey, let’s start small. And even with logging, you can start with gathering the logs around the crown jewels. Right. You don’t have to start with every single log file that is ever created, and the important thing is you have to use them. Not just logging; you’ve got to take that next step. Right? So, what is the process? And I know our hero Dylan goes through this process, but what is the methodology that you’ve laid out in the book that people should follow?

George Finney [00:21:27]:

Yeah, man, I feel like I’m on the hot seat. This is a pop quiz.

I think, again, having a repeatable methodology is one of the best things you can do to start your Zero Trust journey. Again, I’m guilty of this as a CISO, right? I know I need a new antivirus tool, right? And I’ve got to go deploy that antivirus tool everywhere. And you almost treat everything as equal. That’s cool. Definitely get some modern EDR tool in your environment. Don’t use the old antivirus from ten years ago. Right?

That’s definitely a quick win if you’re still using the old, out-of-date one. I’m not going to say any company names. But your repeatable process starts with this concept of a protect surface. So, identify your protect surfaces. Right? Again, when you start to do the work of designing from the inside out, that’s the core principle. So, focus on the things that you need to protect. A protect surface is a service or application that you might consider your crown jewels, but don’t try to boil the ocean.

So again, that’s one of the mistakes I learned on the way: we probably have five times as many protect surfaces in my organization as maybe some of the banks that are out there that John works with. So, you’ve got to understand what resources you have available and do your security accordingly.

So, if you don’t have the staff or you don’t have the budget or tools, you still can do Zero Trust. But orient your process to focus on what you can accomplish. So, start with a protect surface. An attack surface, right? There’s a whole category of products in the security world called attack surface management. That’s cool, but I think, honestly, that’s a distraction. I don’t think you can manage your attack surface, right? Especially if you’ve got an app in the App Store and anybody in the world can download it. Any potential device in the world could be a part of your attack surface.

It’s hard to manage, but again, as a concept, that’s an important concept to understand. The protect surface is different, right? It’s the opposite of an attack surface. As a defender, all I can do is manage what I have control over. So, for each protect surface, and this is part of John’s overall kind of philosophy, there is a maturity model when it comes to Zero Trust. So, the maturity model you can apply at each protect surface level, so that there is a different maturity model for every service that you have.

It’s not one organizational service, it’s not your PCI-scoped environment, and that’s all you really care about. You do that for all of your services. And again, each step in the design methodology (there are five steps; we’re on step one, for those of you following along), each step in the design methodology can also be on its own maturity curve. So, protect surface: define your protect surfaces.

The second step is to map your transaction flows. There should be no concept of unknown traffic flowing through your network. If it’s unknown, it should be blocked. But understanding how applications work is a challenge, because generally speaking, vendors don’t always do great documentation. Generally speaking, when you run into a company that I will name, say, Microsoft, and their documentation, if it tells you you can’t have a firewall in front of the service, right? That’s a problem that vendors need to address. Microsoft’s big enough where I think they can take the heat and they can do something about it.

So, finally, the third step in the design methodology: we’ve defined protect surfaces, we’ve mapped our transaction flows, now is finally the time when we start thinking about architecture. So, architecting our controls. What controls do we need to have? What’s appropriate, right? So, if you’re familiar with Adam Shostack’s threat modeling process, right? Adam wrote the book on threat modeling. Highly recommend you check it out.

We want to assign the specific controls for our specific protect surface. So, it’s not a one-size-fits-all where we apply all of our EDR or firewall tools equally everywhere. We want to custom tailor that approach. And really, this is why Zero Trust is one of the most effective and efficient strategies for success in security, right?

An ounce of prevention is worth a pound of cure, but I think that’s what separates Zero Trust from defense in depth. With Zero Trust, we’re defining custom, bespoke controls, only the ones we need. Whereas some people call defense in depth “expense in depth,” because what’s the answer? You just add a bunch more layers. Well, how many layers do I need? I don’t know. That’s why I argue that defense in depth is not actually a strategy. It’s a tactic for deploying specifically under your Zero Trust umbrella, where you know that there’s a failure state that’s common to one of your controls. So, say email: you need defense in depth there, because not all of our controls are super effective there.

So, step four in the design process, after architecture, is finally where we start to assign policies and permissions. Again, you want to be very controlled. And in the book, John came up with this idea of a Kipling method, as a shout-out to Rudyard Kipling, with the poem from 100 years ago where he coins the terms who, what, where, when, how, and why. So, I love this as an approach, right?

So, you’ve got your architecture, you’ve got your controls, but today we know that if you’re in a security role, you probably have heard, like, okay, firewall policy. We have policies. So, source port, destination port, source IP, destination IP. That’s how most people think of policy, but your EDR tools, your modern antivirus, you configure policy. Your identity systems, you configure policy. So, all across the board, everybody needs to be on the same page with what we’re trying to accomplish when it comes to policy.

So, this idea of a Kipling method policy: again, we’ve got an interdisciplinary team at the table. We’re all talking about what we’re trying to accomplish. So, your identity person is there, your EDR person is there, your app owner, your DevOps people, your firewall admin. When we talk about it generically, what we’re trying to accomplish, now everybody can see, okay, this is why we’re trying to do this. This is how we want to accomplish it. Let me go back to my own individual systems and then configure that policy specifically in my tool, so it’s not just an IP kind of rule set.

And then finally, the last step is monitor and maintain. Again, a lot of organizations have outsourced their security operations to a managed security service provider that does a SOC or what have you. So that’s great. You want that feedback loop. Again, I think some of the challenges with SOCs, there’s a whole chapter dedicated to the SOC in the book, which is one of my favorite chapters in the book. But you’ve got to have skin in the game with your outsourced provider, right? They have to be able to send you a heads-up to say,

“Hey, we’re getting a lot of X kind of log. If only you check this checkbox and this other application, that would make this whole category of problem go away. Because we understand how Active Directory is configured, or how web servers are configured, or how this specific ERP system is configured, we see these events coming through. And this means that you have some sort of insecure configuration. Take care of that and we get fewer alerts. We get more effective at the alerts that we’re monitoring. And we can again, iterate and say, okay, now that we’ve eliminated that amount of noise, we can focus more on this other thing and then eliminate more noise and then eventually get your monitoring service focused so that when we do see alerts, we’re very aware of what our environment is like. We’ve built a playbook or runbook, maybe we’ve automated some responses.”

And hopefully again, as we get further on the maturity curve, we can take that next pass and define better what additional controls, what transaction flows we might have missed. And again, it’s an iterative process wherever you’re at on your Zero Trust journey, right? You don’t need to buy a new tool. You can start today. The tools might be helpful in the long run, but again, if all you have are firewalls, you can start doing Zero Trust. If all you have is an EDR tool, you can start doing Zero Trust. So don’t let “I don’t have an identity team,” if that’s where you’re at, prevent you from starting on that journey. We all can iterate and keep improving. It’s like that movie “What About Bob?”, if you’ve seen that: baby steps. I’m just taking baby steps. That’s all I can do.

Jeff Ton [00:31:25]:

Well, that is a great segue, George, because we are running up on time here, and one of the things we love to do here on Status Go is leave our listeners with a very clear call to action. I’m going to insert one here and say my call to action for our listeners is to buy the book. I recommend the audiobook. It’s phenomenal, but I’m sure the print version is just as good. George, I want to ask you, what are one or two things that our listeners should do tomorrow because they listened to us today?

George Finney [00:32:03]:

Yeah, thank you for that. I would say for sure, think about how you can work together as a team. You’re not going to go on the Zero Trust journey alone. Selfishly, go buy 50 copies of the book for everybody in your IT.

Absolutely. Short of that, think about how everyone plays a role in security, right, and how you can bring your team together to make that real. So, one of the things I did: I’m the CISO for a large university, but I consider I’ve got a small team. A lot of universities don’t have huge security teams, but I think every IT employee, every employee at the university, frankly, is a security team member of mine. And the way that I recognize that is by giving out challenge coins. So, it doesn’t matter if you’re on the IT team or if you’re a professor: if you play a role in security, if you report a security incident, if you report a phish, whatever it is, I want to recognize that you’re a part of a team.

We’ve done different events over the years. We like to say our employees are our cyber superheroes. So, one year we made capes with the SMU logo on the back, right? Bring people into the fold. Again, it might be like herding cats, but you’re only going to be able to accomplish Zero Trust together as a team. People are the most important part of Zero Trust. So, think about how you can educate, how you can have conversations with them. Think about how you can get your leadership team just to say, I value security, to their groups, and see what kind of difference that’s going to make for you.

Jeff Ton [00:34:07]:

I love that as an action, figuring out how you can work together as a team. But now I do have this mental image of my psych professor back in my college days walking into a lecture hall wearing a cape. Now, that would be cool.

George, I have to thank you so much. I enjoyed the book. I loved meeting you even more than the book. I’ve enjoyed our conversations. Thank you for carving out time to talk to our listeners today.

George Finney [00:34:43]:

Thank you so much for having me. It’s been an honor to talk to you all today.

Jeff Ton [00:34:45]:

To our listeners: if you have a question or want to learn more, visit intervision.com. If you want to go right to the podcast, that’s at intervision.com/status-go. As you know, it’s also available on all your popular podcast platforms, including Apple, Google, Spotify and others. The show notes that we put out there will have links and contact information. This is Jeff Ton for George Finney. Thank you very much for listening.