{"id":28167,"date":"2022-09-09T16:04:52","date_gmt":"2022-09-09T20:04:52","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=499282"},"modified":"2022-09-12T12:43:15","modified_gmt":"2022-09-12T16:43:15","slug":"cyber-security-today-week-in-review-for-friday-september-9-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-september-9-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, September 9, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for Friday, September 9th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"3\">Instead of the usual look back at the week\u2019s news I\u2019m going straight into a conversation with my guest, <a href=\"https:\/\/www.linkedin.com\/in\/andersonericrobert\" rel=\"noopener\">Eric Anderson, director of enterprise security at Adobe.<\/a> The topic is creating and implementing a zero-trust strategy.<\/p>\n<p data-ar-index=\"4\">Zero trust is one of the biggest catchphrases in cybersecurity. Broadly speaking, it stands for not trusting anyone just because they have logged into the network. But it can be difficult for some IT and security leaders to understand and design a secure environment that respects the principles of zero trust. A few weeks ago Eric wrote a column for another site with some useful advice, which is why I asked him to be on the show. In his post he\u2019s responsible for overseeing Adobe\u2019s zero trust platform.<\/p>\n<p data-ar-index=\"5\">Welcome to the show, Eric.\u00a0First, tell me a bit about yourself.<\/p>\n<p class=\"western\" data-ar-index=\"6\"><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p class=\"western\" data-ar-index=\"7\"><strong>Eric Anderson:<\/strong> I\u2019ve been with Adobe for almost 28 years, based in the Seattle area the entire time. I\u2019ve kind of grown up at Adobe. I\u2019ve been part of the development organization for years in product development, spent some time in the IT space as a service manager, did a lot of code management. 
And in the last seven years I\u2019ve been part of the security organization.<\/p>\n<p class=\"western\" data-ar-index=\"8\">I define zero trust as a philosophy more than anything else. There\u2019s no one solution for it. And as you mentioned in your introduction, finding how to shift from the traditional way of trusting the network for access and getting to data to a new kind of not trusting anybody and verifying as you go along.<\/p>\n<p class=\"western\" data-ar-index=\"9\"><strong>Howard:<\/strong> It\u2019s more than, \u2018We\u2019ve implemented multifactor authentication and we\u2019ve got a VPN and therefore we have zero trust.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"10\"><strong>Eric:<\/strong> Very much. It\u2019s really moving towards the user and the identity and the device as the perimeter and what we need to trust. Then we can let them access the information they may need.<\/p>\n<p class=\"western\" data-ar-index=\"11\"><strong>Howard:<\/strong> And there\u2019s more than one zero trust architecture. You have a zero trust model, but it\u2019s got to fit your organization.<\/p>\n<p class=\"western\" data-ar-index=\"12\"><strong>Eric:<\/strong> Yeah. And that\u2019s kind of why I say it\u2019s more of a philosophy. You can look at the NIST (National Institute of Standards and Technology) documents [see links at the end] and those from lots of vendors around zero-trust architecture. But as you dig into them, it\u2019s really more about \u2018here\u2019s some ideas and how to approach it or ways to think about it.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"13\"><strong>Howard:<\/strong> Zero trust has become more important than ever because the pandemic has increased the number of staff working from home.<\/p>\n<p class=\"western\" data-ar-index=\"14\"><strong>Eric:<\/strong> Very much. We at Adobe were very lucky that we had started our zero trust journey about a year and a half before the pandemic. 
We\u2019d already been experimenting with it and finding ways to have a great [user] experience. One of the things I really like about our zero trust implementation \u2014 and I encourage people to approach it this way \u2014 is you can have a better user experience while increasing security, which is kind of a rare unicorn in the security world. We\u2019d already been experimenting with deploying it to small user bases. When the pandemic came we were in a position where we could just say, \u2018Well, we\u2019ve gone from this small user base. We\u2019re just going to turn it on for everybody in the entire company over a weekend.\u2019 And to our amazement, and gratitude, it went off without a hitch. We had 16,000 employees working at home over a weekend and they didn\u2019t miss a beat.<\/p>\n<p class=\"western\" data-ar-index=\"15\"><strong>Howard:<\/strong> And it doesn\u2019t merely support teleworkers. The idea of zero trust, or the advantages of zero trust, is that it protects resources anywhere they are, whether it\u2019s on-prem or in the cloud, so it also limits the insider threat. And, hopefully, it improves IT\u2019s visibility into who\u2019s on the network.<\/p>\n<p class=\"western\" data-ar-index=\"16\"><strong>Eric:<\/strong> Absolutely. And that\u2019s one of the key things: It helps build that visibility, because the way we approached zero-trust was it\u2019s really about the device and the user. So as long as we can see the user, we\u2019re following their behavior in locations or in something we expect them to be doing with their device. We\u2019re able to pair that together in our architecture to build a trust score or behavior model. 
\u2018Hey, it\u2019s Eric, he always is coming from this location or from this device at this time, so we have high assurance that it\u2019s really Eric and we\u2019re going to let him go in and do his thing.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"17\"><strong>Howard:<\/strong> Before we get into the details, is there a size of company that zero trust doesn\u2019t apply to?<\/p>\n<p class=\"western\" data-ar-index=\"18\"><strong>Eric:<\/strong> I don\u2019t think so. An executive order [from President Biden] came down talking about deploying zero trust across the federal government and the agencies \u2026 I really don\u2019t see a scale where this doesn\u2019t work. It could go from the one- or two-person company up to hundreds of thousands of workers.<\/p>\n<p class=\"western\" data-ar-index=\"19\"><strong>Howard:<\/strong> Where should a leader start when crafting a zero-trust strategy?<\/p>\n<p class=\"western\" data-ar-index=\"20\"><strong>Eric:<\/strong> They should start with what their goals are. What\u2019s the current state of things [in your IT environment] and what\u2019s the outcome you\u2019re looking for? We believed we had a majority of the tools in place to deliver zero-trust. So we were looking at identity and user devices, and then where our data sits. We had mechanisms in place that most companies have. Then you assess the risk that you perceive you have \u2014 where\u2019s your workforce located? How are they configured? Do you have [identity and authentication] standards for devices? And start looking at ways you can standardize and centralize. Again, start assessing what your current risk is, then start working towards a goal of what would step 1 or step 2 be. 
Getting visibility into that risk and where it is coming from, and so that\u2019s kind of the starting place \u2014 and you have to be open to that conversation to even get going.<\/p>\n<p class=\"western\" data-ar-index=\"21\"><strong>Howard:<\/strong> Where do you think IT leaders go wrong?<\/p>\n<p class=\"western\" data-ar-index=\"22\"><strong>Eric:<\/strong> I think they go wrong because they get set in their ways. It\u2019s really hard to change, and zero trust is a fairly significant change in how you approach anything from your network \u2014 from centralizing identities and how you authenticate to how you authorize. It feels very different because you\u2019re talking about things like moving away from VPNs and allowing people to access data from a remote location without a VPN. I don\u2019t want to call it a leap of faith, but it is a significant change in how you approach your philosophy.<\/p>\n<p class=\"western\" data-ar-index=\"23\"><strong>Howard:<\/strong> You created a platform called ZEN, which is \u2018zero trust enterprise network.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"24\"><strong>Eric:<\/strong> We love our acronyms and so we called it ZEN. Our philosophy had a couple of approaches: The first one is how could we improve security while improving the [employees\u2019] user experience. We\u2019re all about our users and their experience, and we apply that internally as well. So we asked, could we do something to make on-premise applications, as an example, be more cloud-like? Fifty per cent of our users use the cloud, and they weren\u2019t even coming into the network. When they did have to come into the network they had to use VPN. So our big initial push was let\u2019s make on-premise feel like the cloud. 
Eliminate the need for VPN, and improve the user experience.<\/p>\n<p class=\"western\" data-ar-index=\"25\"><strong>Howard:<\/strong> As I understand, the platform evaluates the security posture of each device that attempts to access the network. Managed devices receive a unique ZEN certificate for authentication. And that reduces the need for employees to provide their username and password multiple times to access the resources they need.<\/p>\n<p class=\"western\" data-ar-index=\"26\"><strong>Eric:<\/strong> Yeah \u2026 We issued a device-specific certificate that represented, \u2018We trust this device and the user has already been verified on this device,\u2019 and we were then able to present that as a way to do passwordless authentication into the system. We told users, \u2018We\u2019re going to increase the security of a device. What we ask you to do is make sure it\u2019s managed, make sure you\u2019ve got the proper clients on there and the security settings that we desire, and by doing that we\u2019re going to give you a better login experience or authentication experience where you don\u2019t ever have to enter your password again. We will prompt you for additional factors if you go into more restricted or confidential areas. But over time we\u2019ll be able to leverage your behavior and make your authentication experience almost something that\u2019s in the background.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"27\"><strong>Howard:<\/strong> So identity and access management is vital on your solution \u2014 and in fact, in any zero trust solution.<\/p>\n<p class=\"western\" data-ar-index=\"28\"><strong>Eric:<\/strong> Absolutely. Our identity and access management is a fundamental core component. You know, one of the things we were very lucky on at the start of our journey is we had already been fairly seasoned with our identity and access management mechanisms. 
We had a central system, and we had access to all that information as part of being an engineering company. We kind of started playing around with building user behavior analytics and things like that to access systems. So we could start having an idea of what users were doing and we could verify them through our centrally managed identity system.<\/p>\n<p class=\"western\" data-ar-index=\"29\"><strong>Howard:<\/strong> There\u2019s an access proxy component of your solution. Can you talk about that?<\/p>\n<p class=\"western\" data-ar-index=\"30\"><strong>Eric:<\/strong> It goes back to the idea of how can we make on-premise access feel more cloud-like and avoid the need for a VPN. One of our big selling points, the way we were able to build excitement around it, is we were able to leverage existing investments in our identity system, in our device management and in other components. The one component that we didn\u2019t have at the time was the access proxy. So we were able to partner with a couple of smaller companies and we kind of discovered a way to build this access proxy, which effectively exposed our trusted and secured on-premise services externally. They could only be accessed from a device that had the certificate and met the requirements that we set for our zero-trust platform. It was four years ago when we made that investment. The technology has definitely grown over the years and a lot of service providers are now offering something similar. But the real key to making ZEN successful was being able to deliver that experience of an internal application, exposing it externally and eliminating the need for VPN. That access proxy is what makes that possible.<\/p>\n<p class=\"western\" data-ar-index=\"31\"><strong>Howard:<\/strong> One of the things that confuses me about zero trust is the idea is you shouldn\u2019t automatically trust a device, a user who\u2019s logged in. But the goal is not having users repeatedly log in to access different assets. 
So you still have sort of a single sign-on once you log in. How does that seeming difference get reconciled?<\/p>\n<p class=\"western\" data-ar-index=\"32\"><strong>Eric:<\/strong> The key to making that work is having a central identity manager. We have well over 3,000 applications that are configured using the very same identity provider. So when you log into one application the session token that you receive can be used for other applications. What we have done, and what we\u2019re continuing to do, is classify different applications into things like \u2018Every employee should have access to this,\u2019 and \u2018This application is really only for system administrators.\u2019 So we rank and classify applications as to risk and the type of data they store. And then based on your user behaviour and your device posture, we can assess a score to say, \u2018You\u2019re behaving in a way where we\u2019ll allow you access to the highest level of data.\u2019 That\u2019s the first piece: This device and this user, should they have access to it if they\u2019re authorized for it in the first place? We also work with the service owners to build a least-privilege model.<\/p>\n<p class=\"western\" data-ar-index=\"33\">The other kind of shift that is continuously in progress is making sure that employees and roles and teams are built in such a way that they only have access to the applications they need to do their work. I start my day and get a session token. If I decide I need to access something else, our secrets vault will authenticate me because I have my token \u2014 but it will do an additional check to see if I\u2019m authorized to actually access it. So there\u2019s kind of a double check there. 
The other piece that I\u2019m excited about is moving more towards a continuous authentication, which is kind of the magic sauce where I think a mature or an advanced zero-trust environment gets to, where authentication is happening behind the scenes constantly because it\u2019s looking to see if the device or the user behavior changed from the last time it checked. The idea being, I\u2019m at home this morning and I\u2019m on my device. Maybe this afternoon I go over to Starbucks. The system may decide it can recognize that my location has changed and maybe make a decision: \u2018I should recheck and have Eric enter his MFA [multifactor authentication] one more time just to make sure it\u2019s still him and somebody didn\u2019t take his device and move it to a new location.\u2019<\/p>\n<p class=\"western\" data-ar-index=\"34\"><strong>Howard:<\/strong> To help listeners so that they don\u2019t think Adobe wrote all the code, you have partners including VMware and Okta.<\/p>\n<p class=\"western\" data-ar-index=\"35\"><strong>Eric:<\/strong> At Adobe our approach is to take best of breed of products and stitch them together. Either having the vendors partner together, or we can work with them and integrate along the way. So in our ZEN architecture the starting point is at the device that has device management software on it. Today our partner for that is VMware WorkspaceOne, making sure we have the security tooling, EDR [endpoint detection and response], patch management and all that. Today our centralized identity provider is Okta. Okta does the authentication for the users. It can check back into the managed device and into our EDR software and verify, \u2018This user still should have access.\u2019 And we can then integrate our certificate authentication from WorkspaceOne.<\/p>\n<p class=\"western\" data-ar-index=\"36\">Since it is part of the VMware family, it\u2019s got some good integrations to also call back to the device management piece. 
Once all that stuff is then verified then we are able to hand that off to the access proxy if needed to get to on-premise. If it\u2019s a cloud app it will continue on and allow the user access to the cloud-based apps.<\/p>\n<p class=\"western\" data-ar-index=\"37\">Of course, there are plenty of other options, other vendors out there.<\/p>\n<p class=\"western\" data-ar-index=\"38\">I would argue that most companies have most of these components in place. It\u2019s just how do you put them together into a flow that can enable a zero-trust environment that works for you.<\/p>\n<p class=\"western\" data-ar-index=\"39\"><strong>Howard:<\/strong> You\u2019ve written that there are five things that IT security directors should consider when creating their zero trust strategy.<\/p>\n<p class=\"western\" data-ar-index=\"40\"><strong>Eric:<\/strong> First, have a centralized identity provider. We\u2019ve been very, very rigid about any application that employees access. They must go through our identity provider solution, and that allows us to make sure that you know it\u2019s meeting minimum security requirements to be onboarded. Having that centralized gives you a single place where you can do some checks. It\u2019s a bottleneck, for lack of a better term, but it makes it really easy to see what you\u2019ve got in the environment, you can see where users go \u2014 whether it\u2019s on-premise or in the cloud. Making sure that everything is living in one place is a really key piece. 
If you don\u2019t have everybody going through a single authentication solution it\u2019s really hard.<\/p>\n<p class=\"western\" data-ar-index=\"41\">Next is prioritizing endpoint security, which is EDR for malware detection and response.<\/p>\n<p class=\"western\" data-ar-index=\"42\">As I mentioned, a key to zero trust is really having insight into the device, and so if we can\u2019t make a determination of the posture or the stance of the device it makes it really difficult to have a zero trust model.<\/p>\n<p class=\"western\" data-ar-index=\"43\">The third one is device management \u2026 You need something on the device where you can get visibility to help push the proper software and security controls, making sure that the device meets the minimum requirements, say, from an OS and patch level perspective.<\/p>\n<p class=\"western\" data-ar-index=\"44\">We touched on the fourth one, which is the access proxy. A lot of people may be surprised, but their firewall perimeters may have that capability today. Over the last few years a lot of the big vendors are now kind of putting some sort of an access proxy as part of their firewalls. That\u2019s the piece that allows you to provide the on-premise access in a cloud-like experience, which will help relieve the burden on the VPN. The network traffic and the VPN team are able to focus on some other things.<\/p>\n<p class=\"western\" data-ar-index=\"45\">The final one is certificate authentication. The certificate provides a couple of things: We can issue the certificate to a device that we have trusted and can continuously update it. So we can do background checks and make sure we\u2019re seeing the right behaviors in the right locations. And we can push and pull and revoke certificates on the endpoints, and make the assumption that if the certificate is present there\u2019s a certain level of implied trust on that device already. 
The bonus to that is it allowed us to then deliver a completely passwordless user experience for authentication. That was the big carrot: \u2018If you\u2019re willing to get on board with us you\u2019re going to get this great passwordless experience.\u2019 And what they didn\u2019t know at the time was we were also dramatically increasing the security of not only their device but being able to know what\u2019s on our network and reduce that risk.<\/p>\n<p class=\"western\" data-ar-index=\"46\"><strong>Howard:<\/strong> Here are a number of free resources on zero trust:<\/p>\n<p class=\"western\" data-ar-index=\"47\">\u2013 the U.S. National Institute of Standards and Technology\u2019s <a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-207\/final\" rel=\"noopener\">800-207<\/a>, and the <a href=\"https:\/\/www.nccoe.nist.gov\/projects\/implementing-zero-trust-architecture\" rel=\"noopener\">NIST Draft Practice guide<\/a>.<\/p>\n<p data-ar-index=\"48\">\u2013 the U.S. Cybersecurity and Infrastructure Security Agency <a href=\"https:\/\/www.cisa.gov\/zero-trust-maturity-model\" rel=\"noopener\">has this zero trust maturity model<\/a>.<\/p>\n<p data-ar-index=\"49\">\u2013 the U.K. 
National Cyber Security Centre has this blog on <a href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/zero-trust-migration-where-do-i-start\" rel=\"noopener\">starting a zero-trust journey<\/a>.<\/p>\n<p data-ar-index=\"50\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-september-9-2022\/499282\">Cyber Security Today, Week in Review for Friday, September 9, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion with Adobe&#8217;s director of enterprise security on planning and implementing a zero-trust a<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[654,389,604],"class_list":["post-28167","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-adobe","tag-cyber-security-today","tag-zero-trust"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=28167"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28167\/revisions"}],"predecessor-version":[{"id":28258,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28167\/revisions\/28258"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=28167"}],
"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=28167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=28167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}