Home » Security Bloggers Network » Why Zero Trust is a watershed moment for authorization | Dynamically Speaking

Why Zero Trust is a watershed moment for authorization | Dynamically Speaking

by Kelly O'Dwyer-Manuel on April 15, 2022

Axiomatics chief product officer Mark Cassetta joins us to dive into the reasons why Zero Trust has risen to become a critical component to a modern authorization solution.

Learn more about why it matters and what you can do to ensure you meet Zero Trust best practices as your organization scales.

Kelly: Hi, and welcome to another episode of Dynamically Speaking! I’m your host Kelly O’Dwyer-Manuel. With me today is the chief product officer for Axiomatics, Mark Cassetta. Welcome, Mark, thank you so much for joining us!

Mark: Thanks, Kelly. Great to be here!

Kelly: Excellent. So, what we want to talk about today is a subject that I know is near and dear to your heart because we’ve talked about it many times over the years, which is Zero Trust.

So, I’m going to dive right in here because it seems like we’re not the only two people talking about Zero Trust.

Certainly Zero Trust is everywhere right now, which leads me to my first question: We know that Zero Trust isn’t new. It’s been around for, gosh, I think at least ten years. So, why are we at this kind of tipping point in 2022 where you can’t go online to any security site or or information site without hearing something about Zero Trust?

Mark: Yeah, I mean, it’s a great question, Kelly.

I think that if we rewind the tape and think about when did Zero Trust start to really come to fruition, and some arguments go back to 2007, 2008. Often, they lead to a paper that John Kindervag wrote in 2010 called No More Chewy Centers.

What’s really interesting is, when you read that paper, what John talks about when he talks about the broader call it activity happening on market, the cybercrime, the reasons why we need to change, and you parallel that to what’s happening today, it’s almost like the paper was written last week when in fact it was written twelve years ago.

Of course, when we talk about the technology and all that goodness, that’s all certainly evolved over the last twelve years, but the fundamental challenge and the pain and the essence of what Zero Trust is looking to solve is directly at the center of what we are living today.

So the question is, well, why is it taking twelve years?

Like anything, there’s an adoption. We talked about the adoption, or the maturity of dynamic authorization or centralized authorization. Well, we can apply the same logic to Zero Trust. And yes, Zero Trust is a strategy. It’s not one technology, it’s multiple components that come together to deliver on a strategy.

But if we think of it through the lens of a technology adoption curve, there’s the there’s the innovators, and those innovators we’re the ones that we’re picking up on on sort of this message probably back in 2010, 2011, 2012. And at the time, Zero Trust conceptually made a lot of sense.

But practically speaking, how do we get there? How do we how do we actually implement this? Well, that’s where you got to go from the innovators into the early adopters, and the early adopters are the ones that started to kind of bring this into into an organization. Some maybe were successful, some some fail, maybe maybe some more reliant on some change in technology, especially when we think of the evolution of of of the perimeter or the evolution of, of the endpoint, the evolution of cloud.

And then we hit the chasm. And the chasm, of course, is where, you know, there’s a question of is, Are people really going to adopt this and something I that I always sort of tested going back to my days at Titus, because you know, Titus is as much as we were about data and unstructured data and less about the network.

The ultimate goal of zero trust is data protection. And so we were always trying to have a conversation with Titus in the context of Zero Trust.

I’d ask customers, are you are you thinking about a Zero Trust strategy? Have you thought about zero trust? And I would test this in all the calls we have, and frankly, between 2015 and 2020, it wasn’t coming up as much. It was, yeah, this sounds like something we’ve got to think about.

But you know, there wasn’t that mass acceleration towards Zero Trust.

And then we fast forward to 2020 and what happens?

Well, you know, what, what the essence of Zero Trust was, was, look, let’s think of a world where people are everywhere, where access is everywhere.

And seemingly that happened overnight, within a matter of weeks, and all of a sudden, the entire kind of world stood up and said, Wait a second, I’ve got to rethink how I’m securing information.

And Zero Trust was that playbook. And all along, we had great analysts like Dr. Chase Cunningham, who was picking up on John’s research, after he left Forrester and started writing out playbooks and maturity models, but how to get there.

And so I think it was kind of a perfect storm, we had this kind of forced push to say, okay, the reality is your, your current security model isn’t going to work anymore. There was a lot of great research to say, okay, here’s how you’re going to do it.

And then the cybersecurity market, you know, being driven by innovation was already building technology to get there. And so I think that sort of perfect storm over the last couple of years has led organizations to realize that adopting a Zero Trust strategy is actually much more of a reality than it may have been two years ago, three years ago.

And so we’re not just seeing people talk about it through one product lens, we’re seeing organizations talk about it as a strategy.

And so today, in every single customer call that I’m on, I ask the question, all right, confirm, are you aligning, in the conversations, we’re having, dynamic authorization or externalized authorization, or Zero Trust? And the 100% of the time it’s yes, this is about a broader Zero Trust strategy. And then I think in parallel, you know, frankly, when you see sort of the White House directives on this, that just adds to the momentum. And that’s what’s brought us here today.

Yes, Zero Trust is a strategy. It’s not one technology, it’s multiple components that come together to deliver on a strategy.

Kelly: That makes that makes a lot of sense.

So, talking about and that’s interesting to me that you’re saying that you’re getting that almost at, you know, to a person feedback, that authorization is being considered within a broader Zero Trust security initiative.

Do people then really understand because we’ve also talked in conversations about the fact that this is also, you know, really a watershed moment for authorization for a lot of the same reasons that you’ve seen that you just cited?

For Zero Trust, we’re seeing that mirrored in authorization more often than not. So with that in mind, do people understand what role authorization plays as part of a Zero Trust strategy? And maybe more specifically, what’s your opinion as to the role authorization plays as part of a Zero Trust strategy?

Mark: I think that the market is being better educated on the role that authorization plays, and even having discussions like this, hopefully will be helpful to folks as they try to figure it figure that out.

The really interesting thing is when you look at the core principles of Zero Trust around things like continuous verification of access at all points of the resource, leveraging, models such as attribute-based access control, and this isn’t just about authorization, this is across users devices, data, endpoints networks, workloads.

Those core principles have always been the foundation of externalized authorization.

So let’s externalize the enforcement point, let’s apply attribute-driven policies, attribute-based access control, let’s get granular fine-grained policies, let’s pull you know contexts and sources in at all levels of of the of the application and all resources to make sure that the individual or the machine that’s trying to access this resource is, in fact, a lot to do it at this point in time.

It’s not about, hey, you know what they’re allowed to do yesterday, so they can do it today.

It’s not a well, can they do it right now? Because the context around them may have changed. They move locations that are no longer at the office, they’re working from a coffee shop, whatever whatever it might be.

So I guess the the going back to your question, do people understand I think, if you understand conceptually, the idea of Zero Trust, and if you bring that to authorization, specifically, there’s really two ways you’ve got to think about it.

There is this need to manage authorization, and there’s this need to deploy authorization policies or runtime authorization policies, and that’s where the confusion sometimes lies because when it comes to managing authorization, that’s where we start to see things like privilege access management solutions, or I call it sort of the brains of, of identity and access management that are helping to maintain least privilege or just in time, just in time access.

Whereas there’s also actually building the physical policies for applications for at runtime, which is where, for example, Axiomatics fits in, and so try to kind of decipher those two worlds a little bit, and sometimes causing confusion, but I think the market is getting better at understanding that.

Kelly: That’s interesting. So, I’m going to tweak the I had a question for you, I’m going to tweak it a little bit here.

We’re, in terms of the maturity of the conversation that’s around Zero Trust, we’ve moved to your point from the conversation of years and years ago, as to what is Zero Trust, and why should people consider it now to where do I start?

And I do want to ask you where people start, but I think more importantly, Mark, where are people getting it wrong when they start in on these on these implementations of Zero Trust, leveraging authorization? What’s the best way to start and end? Are there times where people are getting off on the wrong foot here?

Mark: Yeah. Well, I’m gonna answer that question by actually completing one of the, the answer to the other question that I didn’t get to fully complete, because I forgot about it, which is because he said, I said, all of a sudden Zero Trust, enter the chasm. And he talks about it actually coming out of the chasm.

Well, the momentum in 2010 is what brought it out of the chasm.

Well, so now, okay, so the question is, where are people getting it wrong? So we’ve gone from the chasm, right? And how do you get out of the chasm?

Well, you have proven a repeatable process, you’ve proven that this can be done, you proven that this is all problems, you’ve established best practices, you know that and the people that are going to adopt this, as the early majority, though, aren’t going to want to take risks, right?

So there is there going to be looking for making sure that they they follow best practices to be successful.

So now coming to your question, what are some of those best practices and where, you know, I’m part of that early majority, that doesn’t have any appetite for it to fail? And, you know, and I want to be successful Zero Trust.

I think the first thing is to not boil the ocean and that seems maybe obvious for any kind of strategy, or any kind of deployment or change you want to bring to an organization.

But the challenge is Zero Trust because it’s so widely dispersed. It’s not just about one part of the security reference architecture, it is your security strategy.

And so where do you start and if you try to take Zero Trust and deploy it, wholeheartedly across the entire organization itself as a bow shell, you know, apply this strategy to everything. I think you’re you can create confusion and and you know, and probably not bring the clarity that you’re hoping to bring with with the strategy or have the impact you want to have.

So that I think is where people can go wrong.

So how do you address that?

Well, that’s where I’m a big fan of compartmentalizing and anything that we do and when it comes to Zero Trust itself compartmentalizing into what is that crawl stage? And what is it? What does it mean to crawl walk, crawl means proving that you can get value out of the strategy and being able to do this in a rinse and repeatable fashion.

It’s not about deploying something, or deploying your Zero Trust strategy to multiple components of your reference architecture.mIt’s about getting it right in one of those components and showing the business that you can be successful in that in that activity and then taking that momentum into props and other components and building up from there and look like you know, when you think I always find this interesting.

There are no quick wins with Zero Trust.

It’s like you were just gonna turn on MFA. I talked to some organizations, that’s a two year journey. Right? And so maybe if you’re a 200 person organization, okay, that might be a little bit a little bit different.

But I would hesitate to say that there’s going to be quick wins, I think that the the objective is to get the right wins, and do it in a way that, that people that that brings clarity to the strategy that that you’re trying to deploy, and shows the impact and the value that it can bring it from there.

We’ll pull on the Canadian analogy, there’s, there’s a bit of a hockey stick opportunity, right? So you can get that momentum and start, you know, prove that you can make it happen, and then wrap up from from there as needed.

Kelly: That’s good. Because one of my questions was going to be what does winning in Zero Trust look like?

So I think you’ve actually answered that, which is great. So I want to move on to speaking you know, of strategies and success here. I don’t think I think it’d be hard pressed to name a security vendor that isn’t talking about how they fit into Zero Trust.

So for Axiomatics, what does a Zero Trust strategy look like? What is the company’s point of view on Zero Trust and how are we uniquely positioned them to deliver on that for customers? What does that look like?

There are no quick wins with Zero Trust.

Mark: If want to take it down specifically to authorization and talk about what’s happening.

What we have to consider around building Zero Trust into or adopting Zero Trust principles and strategy into into authorization.

It starts in a couple different ways. So the first thing first key principle to me is continuous verification. So that’s by design and externalize authorization strategy is going to do that. It’s at runtime, it never sleeps. It’s continuously verifying, verifying access. That’s the first thing.

The second, though, is your building policies, based on as John Kindervag says, The Kipling method, right. So who, what, where, when, why, and how.

And so that becomes the next thing now. Are you going to get all of those attributes every single time? Maybe, and maybe that would be great.

In some instances, you might not have that information but I think that’s kind of a model that you want to think about as you’re starting to build out policies.

The third, though, is when we start thinking about those policies are the types of attributes that we’re pulling in.

When I start to think about Zero Trust, I mean, it’s all about risk, right? You’re never you want to you don’t trust anybody.

So you’re gonna have to make a decision at some point about whether or not someone’s allowed to have that entitlement within it within the application. So what’s an attribute that can give you that confidence or that degree of confidence?

Well, that to me comes down to risk.

And so how do you define risk?

Well, risk can come from a whole bunch of different things, right? Risk could be something as simple as how did the person access the app? Where did they access the app from that might be one way to define risk.

But we’re also seeing risk come in the form of its own attributes, when you think of things like user behavioral analytics solutions that came to market in 2013, 2014, most of them probably got acquired or built into a lot of the platform players, so many of the platforms that I would say most organizations have probably have, as I’d say, enterprise organizations probably have some semblance of a risk attribute that they that they can deliver on.

So being able to pull those kinds of attributes into your policies is important. That to me would be would be the key places to start.

Kelly: Well, thank you, Mark. I think that’s all the time we have today but that was excellent. And I’m sure I’m going to have lots of follow up questions, which will mean another conversation about Zero Trust because certainly with the landscape evolving as quickly as it is, I think there’s lots more to chat about. But thank you very much for your time and look forward to speaking again soon!

Mark: Thank you, Kelly. It’s always a pleasure!