Kevin Kerr, Lead Security Principal Consultant at Trustwave, participated in a discussion on Zero Trust with Steve Riley, Field CTO at Netskope during SASE Week 2021.
The importance of Zero Trust is derived from how it functions. Instead of focusing on protecting a physical network, a Zero Trust network works by focusing on securing the resources that reside on or have access to the network such as data, identities, and services.
The research firm Forrester defines Zero Trust as: “A Zero Trust approach to security, security architecture, and operations becomes workload-first, data-driven, and identity-aware rather than static and perimeter-based.”
In this conversation, Kevin and Steve dive into the differences and unlikely similarities of a Zero Trust approach to security in the public and private sectors.
Riley: Kevin, you recently shifted from being the CISO of Oak Ridge National Laboratory to being a Lead Security Principal Consultant at Trustwave. I'm curious what's been different and perhaps unexpectedly similar between the work you did around Zero Trust in the public sector and what you're doing now in the private sector?
Kerr: There are some differences, but as the former CISO, I was looking for partners in the industry to help. To have skin in the game and also to help us as a force multiplier because there's no way a cyber team within an organization can keep up with the rapidly evolving threat landscape. As a new security consultant at Trustwave, I am working to bring this point of view to our team and clients.
Riley: Are the challenges facing public and private completely different when it comes to Zero Trust?
Kerr: From a threat risk point of view, I would have to say no. The threats and the risk are the same, but the impact is dramatically different depending on the mission. So, for example, someone that has a website that only shares static information, not so much, but if you're doing something that people are relying on for health or safety, then the impact is different.
Riley: Does that mean the approach needs to be different for each sector?
Kerr: When it comes to Zero Trust, I would say yes, and no. And the reason I say that is it's going to depend on your mission, the criticality of your systems, and what appetite your organization has in regards to cyber risks and threats and the impact.
Riley: Historically, the National Labs have been very open and collaborative across the public and private sector and even internationally. What are some of the best practices you think others from both sectors could benefit from?
Kerr: Within the National Labs our mission was open science and to share and collaborate, whether we were doing next-generation green power, COVID-19 solutions, or even something like suicide prevention in real-time with supercomputers. We were always working to protect the data while sharing it. Because if you don't make it easy, people are going to find a way around you. So, you have to give them the right way to do things. We used risk-based practices to drive our cyber solutions. As such, we had multi-factor authentication across the board by 2016 at most sites. We had remote work solutions. When COVID hit, there was very little impact on the facility and the workforce.
We were using machine learning and artificial intelligence for monitoring and automating the process. That's the same whether you're in public or private. And these are all concepts of Zero Trust.
The other thing we were doing with the labs was improving the categorization and labeling of data. Because data is key to everything and, as we know, is a major component of a Zero Trust architecture. At the labs, we realized we had legacy systems no different than industry. And there was data sprawl. In our world of a remote workforce, plus the huge inclusion of the cloud, an organization's data is everywhere. So, the message I want to share here is that we recognize that both the public and private sectors need to build partnerships to make the complex environment easier.
Riley: Speaking of data. Data is at the core of Zero Trust, not just protecting data and limiting access to it but using data to provide a context in the security decision-making process. Tell us about what you view as the best practice for putting context-based controls around data?
Kerr: I realize that data is core, especially since in the world today, almost everybody's fully digitized. I've been thinking about data all the way back to the '80s when you had the Rainbow Series and the Orange Book. It's important to understand its importance and sensitivity, and then, as security practitioners, we control who, what, where, when, and the how of its use. To do this, cybersecurity teams and the business need to work together from the start. It's something we've all heard. You can't throw security in on top of a cake once you've baked it. You have got to start it from the beginning.
My philosophy is, if you have a good partnership between business and security, it's going to work. I would always emphasize the business aspect of it in regard to business impact analysis (BIA). And of course, as security practitioners, we're worried about confidentiality, integrity, and availability (CIA). If you have a good BIA plus CIA, then you're going to have a good method of covering your assets. And I think this is key to ensuring optimal and appropriate security for a Zero Trust architecture.
Riley: What's the role that Zero Trust can play in making sure that critical infrastructure remains protected, especially given the recent Executive Order on Improving the Nation's Cybersecurity released earlier this year?
Kerr: The executive order drove a lot in the public sector, and it's also driving a lot in the private sector because a lot of our critical infrastructure is managed by private companies or pseudo-government agencies. Zero Trust architecture is tough when it comes to critical infrastructure because you're talking about the convergence of operational technology (OT), the Internet of Things (IoT), and traditional information technology (IT). And I think the hard part here is that OT systems are legacy systems and weren't designed to work with a lot of the things in the executive order. They weren't designed to work with multi-factor authentication or software-defined networks or least-privilege access. When I did penetration testing of critical infrastructure systems, those systems were on 24/7, and sometimes they had shared user IDs and passwords because you can't log off and log on between shifts.
And then there is IoT. It's so radically new and being thrown in at a breakneck pace, so traditional IT people can't keep up with it. From a critical infrastructure/OT standpoint, Zero Trust will have to be at the front end because I don't think IoT is there to integrate fully into an OT environment.