Cybersecurity is a team sport
The RSA Conference is a wrap. My first in-person show in several years, I logged 15+ miles over four days at this sprawling event.
Coming from Twingate, it’s no surprise that Zero Trust was the signal I picked up on in all the noise. I heard some great soundbites as they organically sprang forth from the energy only a live event can generate, so I’ve used them to organize my RSA conference 2022 learnings:
The RSA conference Program Committee highlighted 2022 security trends based on the call for speaker submissions. Zero Trust was at the top of the list and, well, everywhere at the show, and reflected in many sessions and vendor solutions on the show floor. As the committee described it, ‘breadcrumbs of Zero Trust could be found far and wide.’
At one session, the speaker circulated the mic, asking the audience to define a Zero Trust security model. Answers varied, causing a general chuckle to run through the crowd as we all understood the point. The term Zero Trust can be a bit vague even for this highly knowledgeable group. The speaker submitted that part of our confusion is that the goal really isn’t zero trust. The goal is eliminating implicit trust.
While the definition of Zero Trust may be unclear to some, I was also surprised to discover that not everyone was on board the Zero Trust train. Some attendees who visited our booth expressed skepticism about a Zero Trust security model. Will this philosophy really work? Is this movement real or just a temporary fixation? The Executive Order on Improving the Nation’s Cybersecurity should have lent weight to the validity of Zero Trust, but clearly, there is a long road ahead to gain ubiquitous support.
In one of the most popular Zero Trust sessions, Microsoft shared their learnings as they execute a multi-year Zero Trust implementation. The journey has been documented for collective learning. Their structured approach is based on four Zero Trust goals:
- Verify identity: Passwords are eliminated in favor of biometrics and access is limited to the minimum required for the job function.
- Verify device: Users don’t have admin permissions and unmanaged devices have secure alternative access methods.
- Verify access: The internet is the default network and network segmentation (a mantra heard over and over in RSA sessions) is based on role and function.
- Verify service: Application and service access is conditional and can be accessed directly from the internet.
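To make the four goals concrete, here is an added example (not code from the post, from Microsoft, or from Twingate) of a policy decision function that applies them to a single access request. The request fields, the role table, the alternative-access set and the rules are all illustrative assumptions; note that the source network is carried in the request but never consulted, which is what "the internet is the default network" means in practice.

```python
from dataclasses import dataclass
from typing import Tuple

# Added illustration, not a product API: the request fields, role table and
# rules below are assumptions that mirror the four "verify" goals above.

@dataclass
class Request:
    user: str
    auth_method: str          # "biometric", "fido2" or "password"
    device_managed: bool
    device_user_is_admin: bool
    source_network: str       # "corp" or "internet"; deliberately never consulted
    resource: str

# Least-privilege role grants: user -> resources needed for the job function.
ROLE_GRANTS = {
    "alice": {"payroll-db", "hr-portal"},
    "bob": {"ci-runner"},
}
# Resources reachable from an unmanaged device only via an isolated, read-only path.
ALT_ACCESS_RESOURCES = {"hr-portal"}

def decide(req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'allow-isolated' or 'deny'."""
    # Verify identity: passwords are eliminated, so a password login is unverified.
    if req.auth_method == "password":
        return "deny", "identity not verified: password-based login"
    # Verify access: grants come from role and function; being on the corporate
    # network is not a grant (the internet is the default network).
    if req.resource not in ROLE_GRANTS.get(req.user, set()):
        return "deny", "resource outside the user's role grants"
    # Verify device: endpoint users do not hold admin permissions.
    if req.device_user_is_admin:
        return "deny", "user holds admin rights on the device"
    # Unmanaged devices get the secure alternative access method, never direct access.
    if not req.device_managed:
        if req.resource in ALT_ACCESS_RESOURCES:
            return "allow-isolated", "unmanaged device routed to alternative access"
        return "deny", "unmanaged device and no alternative access path"
    # Verify service: access is conditional on all of the above, from any network.
    return "allow", "identity, device and access verified"
```

The same request evaluated from "corp" and from "internet" yields the same decision, which is the check that implicit network trust has actually been removed.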
According to RSA, software supply chain attacks are expected to quadruple over the next year. A growing list of high-profile attacks has heightened awareness of the vulnerability. As one speaker noted, ‘dev environments are where you often let your guard down’ from a security standpoint.
The WAF is not viewed as the weakest link anymore. Attackers are now exploiting the explicit chain of trust development teams have established with their third-party vendors. Vendors can include outsourcing firms, software vendors, and hosted cloud services.
One speaker provided this statistic: the average number of software vendors used by Fortune 1000 enterprises is 110. His point was that those 110 vendors equate to 110 attack vectors. The implicit trust with these vendors is wrong for today’s threat level. The supply chain should always be zero trust, where all servers and software are continually verified.
Best practices provided by many speakers emphasized the need for a multi-layered approach to defend against supply chain attacks. For example, a defense-in-depth strategy applies Zero Trust principles and architecture, as well as:
- Monitoring both east/west and north/south traffic
- Implementing static and dynamic code analysis
- Verifying every vendor coming into your network
- Downloading a copy of open-source libraries rather than fetching them from GitHub for every build
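The last item only helps if the vendored copy is itself verified before each build. As an added example (not from the post or any speaker), this script checks every vendored archive against a pinned SHA-256 recorded in a lockfile and flags copies that are missing, altered, or present without a pin. The lockfile layout, file names and sample contents are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added illustration: lockfile format and artifact names are assumptions.

def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_vendored(vendor_dir: Path, lockfile: Path) -> dict:
    """Compare each pinned artifact to the on-disk copy in vendor_dir.
    Result per name: 'ok', 'missing', 'hash-mismatch' or 'unpinned'."""
    pins = json.loads(lockfile.read_text())["artifacts"]
    report = {}
    for name, expected in pins.items():
        target = vendor_dir / name
        if not target.is_file():
            report[name] = "missing"          # pinned but never vendored
        elif sha256_of(target) != expected:
            report[name] = "hash-mismatch"    # copy altered or wrong version
        else:
            report[name] = "ok"
    for extra in vendor_dir.iterdir():        # present but never pinned
        if extra.name not in pins:
            report[extra.name] = "unpinned"
    return report

def demo() -> dict:
    """Constructed vendor tree: one good copy, one tampered, one stray, one missing."""
    tmp = Path(tempfile.mkdtemp())
    vendor = tmp / "vendor"
    vendor.mkdir()
    good = b"constructed library source v1.0\n"
    (vendor / "libgood-1.0.tar.gz").write_bytes(good)
    (vendor / "libbad-2.1.tar.gz").write_bytes(b"constructed, but altered\n")
    (vendor / "stray.tar.gz").write_bytes(b"nobody pinned me\n")
    lock = tmp / "vendor.lock.json"
    lock.write_text(json.dumps({"artifacts": {
        "libgood-1.0.tar.gz": hashlib.sha256(good).hexdigest(),
        "libbad-2.1.tar.gz": hashlib.sha256(b"constructed source v2.1\n").hexdigest(),
        "libgone-0.9.tar.gz": "0" * 64,       # placeholder hash, file never vendored
    }}))
    return verify_vendored(vendor, lock)
```

A build step would fail on any status other than "ok", so a tampered or unpinned archive never reaches the compiler.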
This question kicked off a lively and informative session on data security. I could relate because that question often crossed my mind during the conference, especially in the sessions discussing supply chain attacks. Understandably, most of these sessions focused on securing code as described above. But DevOps environments are also a prime target for accessing customer information, as seen in the breach of T-Mobile test environments last year.
For testing to be effective, application dev and test environments have to reflect the production stack. If an application touches a backend database, then a database is deployed into a non-production environment and hydrated with data. Often that data is pulled from the production database, then copied over and over again into test environments such as SIT, UAT, and staging. The result is that a lot of sensitive data resides in non-production environments.
Given the number of test environments needed to support the pace of CI/CD pipelines, one can argue more sensitive data sits in non-production environments than in production. But even stringent privacy regulations like HIPAA and GDPR don’t seem to comprehend the need to protect Personally Identifiable Information in non-production.
How do you implement Zero Trust for resources in DevOps environments? Protection has to address data at rest, not just data in transit or when queried. When hosted CI/CD services or outsourced development teams access data resources, are Zero Trust principles applied? Broad permissions for dev and test environments have traditionally been granted because DevOps teams often view security as a barrier to development velocity.
To put a wrap on this RSA wrap-up, I’ll end with an interesting panel discussion that included special agents from the FBI’s Cyber Branch who are responsible for cyber investigations, digital forensics, technical operations, and private sector engagement.
Here again, they highlighted the vulnerability of the software supply chain. ‘The faster we can apply the principles of a Zero Trust architecture to create islands of trust within the network’, they said, ‘the faster we can address supply chain vulnerabilities.’
They also emphasized how ‘cybersecurity is a team sport’ that requires a collective defensive posture to better prepare and respond faster when a breach occurs. And by collective, they mean the government is leaning into cybersecurity and they want to foster collaboration with the private sector.
Public policy is shifting away from a ‘victims are to blame’ mindset, and government agencies are looking for ways to assist. They encouraged businesses to contact their local FBI agent to establish a partnership with federal law enforcement. They quoted the West Point leadership principle that teaches ‘we all cross the finish line together,’ and how the spirit of teamwork is imperative in winning the cybersecurity battle.
Check out how Twingate customers have successfully implemented a Zero Trust architecture that continually asks the question: Should this user on this device under this context be allowed to access this resource?