CDSA

Zero Trust is revolutionizing network security architecture because it is data-centric and “strategic approach to stopping data breaches,” John Kindervag, field CTO at Palo Alto Networks and creator of Zero Trust, said during the Dec. 8 virtual Content Protection Summit.

Kindervag previously spent 8 ½ years at Forrester Research and, “when I got there, what I felt was missing from cybersecurity was strategic engagement or the idea of strategy,” he pointed out during the Identifiers, Policy & Zero Trust breakout session “Win the Cyberwar with Zero Trust.”

During the session, he discussed the concept of Zero Trust and explained why Zero Trust is the world’s only true cybersecurity strategy and how a Zero Trust strategy will achieve tactical and operational goals for an organization.

There are generally considered to be 4 Levels of Strategic Engagement, he noted:

1. A grand strategy, which is the “ultimate goal any entity is trying to achieve.”
2. A strategy, which is “the big idea used to achieve that grand strategy.”
3. Tactics, which are “the stuff – the things we have, the things we use. And almost everyone in the world confuses strategy and tactics, [which] is a fundamental problem everywhere but it’s especially true in cybersecurity.”
4. Operations, which are “the way we use the things we have in order to execute on the big idea so that we can achieve that ultimate goal.”

“These four levels must work together, and if they don’t we will fail — that’s just the bottom line,” Kindervag said.

“There are no suburbs on the Internet and so we are all fighting the exact same cyber war,” he told viewers, adding: “The grand strategy of cybersecurity must be to stop data breaches.”

The term breach “causes some problems because it doesn’t mean that somebody got into our network and they’re poking their nose around inside there,” he pointed out. Rather, he explained: “It has been redefined by legal and regulatory entities” including the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) “to mean that data… has been exfiltrated from our networks or systems into the hands of a malicious actor. So it’s always about stuff going out” that you didn’t want to get out.

And “the only strategy in  the world is Zero Trust,” he said, adding: “Everything else is a tactic because Zero Trust is designed to meet the grand strategy and stop data breaches.”

While tactics are the tools and techniques used to do that, operations are the platforms and policies used, he noted.

Kindervag pointed to the infamous Target data breach of the 2013 Black Friday weekend in which about 110 million customer records were stolen, calling that  “Day Zero of cybersecurity” – the most important event in its history and the event that “defined cybersecurity.”

Everything else before that event was “BT” (“Before Target”) and we are now in year 7 “AT” (“After Target”), he said. Further explaining the significance of that breach, he said: “For the first time in history, the CEO of a major organization was fired because of something IT did or didn’t do, which was allow a data breach.”

Now, Zero Trust is “eliminating trust,” which is a “human emotion that we have injected into digital systems for absolutely no reason and, therefore, trust becomes a vulnerability,” he explained. Trust is “the thing that is the root cause of every data breach ever,” he said. “Trust is a dangerous vulnerability that is exploited,” according to a slide he showed during the session.

“Malicious actors don’t need to create new malware to exploit trust – they just need to be on the network,” he pointed out, warning: “As a former penetration tester, I can tell you they will always be able to get on your network. Therefore, the only entity who gets value from trust in your organization are the malicious actors who are going to exploit it. So we need to get rid of trust [and have] no more trust in network systems — and we do this by focusing on four design concepts and then five steps. So there’s only nine things you need to know. Zero Trust is very simple.”

Those 4 Zero Trust Design Concepts, he said, are:

1. Focus on business outcomes.
2. Design from the inside out.
3. Determine who or what needs to have access. “We give too much access to too much data to too many people for no reason.”
4. Inspect and log all traffic.

Kindervag compared the Zero Trust system to the Secret Service protecting the president of the U.S., noting Secret Service agents know who the president is, they know where the president is, and they know who should have access to the president. The main protection by the agents is done on the “protect surface” – in the case of the president’s vehicle, they are right on top of it and not the uniformed ones on the perimeter who are “there as theater to intimidate,” he said.

They are also constantly monitoring everything in real-time to make changes based on any new potential threats, he noted, adding: “They use a Zero Trust concept [and] we need to do this in our network systems.”

Kindervag went on to point to the 5 Steps to a Zero Trust Environment:

1. Define your protect surface. What is being protected are Data, Applications, Assets and Services (DAAS).
2. Map the transaction flows.
3. Architect a Zero Trust environment.
4. Create a Zero Trust policy.
5. Monitor and maintain the network.

“In Zero Trust, there is no unknown traffic” on your network, Kindervag pointed out at the end of the session.

Presented by Microsoft Azure, the Content Protection Summit was sponsored by SHIFT, Genpact, Akamai, Convergent Risks, Friend MTS, GeoGuard, PacketFabric, Palo Alto Networks, Richey May Technology Solutions, Splunk, Zixi, EIDR, Cyberhaven and Xcapism Learning.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.