Oct 23, 2024

Mastering Zero Trust: A Comprehensive Guide with Dr. Natalia Semenova

TLDR;

Zero Trust is a continuous journey. It’s not like a set it and forget it type of program. Organizations need to invest not only to set it up initially but also to keep monitoring and improving the program.
For adoption of zero trust, some of the biggest challenges arise from Assets discovery and Identities discovery. Having a clear picture of all the assets, identities and their role in the overall organization.
Identity is a core component of Zero Trust. IAM Assessment and Segregation (between Humans, Non-Humans and External Identities) help organizations understand the Attack Surface and plan for the best possible Zero Trust Policy.

Transcript

Host: Hi everyone, this is Purusottam and thanks for tuning into Scale To Zero podcast. Today's episode is with Dr. Natalia Semenova. She's a cybersecurity professional with over 15 years of international experience in the industry. Throughout her career, she has worked as a security consultant for Microsoft, Deloitte, and Google. Her current professional interests include IAM and MLSecOps governance. Thank you so much, Natalia, for joining with me today.

Before we start, do you want to briefly share about your journey? How did you get into security? What do you do today and like any highlights from your career?

Natalia: Yes. So I have been, as already mentioned, in cybersecurity for over 15 years, closer to two decades. I started my career in an academic environment. I completed my master's study in mathematics, and I started my PhD in cybersecurity and cryptography.

At some point, I decided to leave academic sector for commercial and my first assignment was in the area of identity and access management. I worked as a developer and as a consultant with multiple vendors. After a successful career of over eight years in this area, I moved on to a broader area. I was very interested in the cloud operations, so DevSecOps and in general architecture. And I also enjoyed my work for leading consultant companies such as Microsoft and Deloitte.

And in the past two years, I am excited to step a little bit aside and learn about machine learning, AI and MLSecOps. It's something in the intersection of my PhD in mathematics and the cloud, which I'm always excited about.

Host: Lovely, lovely. So now that you spend more time on ML, AI and the operations part of it, what does a day in your life look like? So we generally ask this question to all of our guests and we get unique answers. So what about you? What does a day in your life look like?

Natalia: So, as we talked just before this podcast started, I enjoy working and traveling. So here I am in my travel vehicle. I usually spend part of the day moving around, at something new. Then I do my work assignments. It usually takes eight to 10 hours, depending on the load.

And of course, I'm trying to have a good night's rest.

So as when it comes to my work, and working assignments, I am an architect. So I'm getting an assignment from a customer who has some specific questions, some specific issues relevant for their business. If we speak about ML AI is that they want to leverage one or more cloud providers to do some analytics, to do voice assistance, or even to see how machine learning can help them with their security operations tasks.

But they want to ensure that whenever they onboard this, they won't create any new security holes. And that's when they need a security architect to guide them through this journey.

And my working day is combined from speaking with a customer on the phone, analyzing their documentation and writing lots of documents as well. Anything from RFPs to step -by -step guidance, how to set up the environment to presentations, of course.

Host: It looks like you're working with many customers. You're learning from them. You are helping them get better at their security posture. That has a lot of impact to the customers, right?

So today, we are going to talk about Zero Trust and security maturity models. So let's dive in. So before we start, why don't we set the stage with some basics?

How would you define Zero Trust? Like in a very simplistic way if you can help our audience understand what is zero trust.

Natalia: Many people think that Zero Trust is rather an architecture, so something that they can set up once and for all and just review periodically to keep up to date. In my opinion, Zero Trust is rather a journey. So it's a constant improvement and constant assessment.

A lot like DevOps. There are some key components there. That is why many companies have published their approaches how to engage in this zero trust journey. That usually all starts with identity and access management.

Because the key point of zero trust is that you cannot use just firewalls like before to limit access to your environment. You have to use identity which you're constantly verifying. So if you do not have this way to identify the identity, you cannot onboard to the Zero Trust journey.

Host: So you highlighted a good point which is around the network perimeter earlier, right? Like traditionally if you look at data centers that was more focused on firewalls, network layer, and it was more focused on perimeter defense.

How does Zero Trust fundamentally different from this approach? I know that you touched on IAM slightly, but any other things you want to highlight how Zero Trust differs from network based perimeter defense we use to follow earlier?

Natalia: Yes. So the traditional network based security relies on the fact, first of all, that there is an enterprise network, usually limited to the office. And most of the employees are working from the office. And once somebody is in the office, they are fully trusted because they can only connect to the resources within.

Now when during COVID, more and more people started working remotely. The network became less defined. So anybody who connects from home becomes the part of the network. We don't know anything about their provider. We don't know anything about what kind of routers and servers are on the way, but we need to ensure that this person is working in a secure manner and their connection does not introduce new way of data exfiltration or potential attack vectors.

And another point is that a lot of companies are now working in the cloud. So their assets are now not only in the data center, but just anywhere around the world. And you cannot limit on your firewall, the ability to connect to or from the cloud. So there is no golden firewall rule that will help you in the same way as with office -based network.

Host: And also, yes, and also folks who are working from coffee shops or any place they can, right? So that also adds becomes another attack vector where you have no idea you are using a public internet anyway.

Natalia: Yes, exactly. So no matter how many times you tell people avoid using public internet access point, use your mobile hotspots. Of course, it's very lucrative because say it's free internet. You don't have to pay for the traffic.

Host: Mm -hmm. Yeah. Totally!

So you have extensive experience in it and you have likely seen many organizations transition to zero trust. Now that we understood what zero trust is, how does it differ from traditional approaches?

Can you maybe help our audience understand what are the challenges companies face when they adopt the approach?

Natalia: So the biggest thing that would prevent organization from even starting zero trust journey is a simple fact that the organization doesn't know what are their assets and where those assets are located. You can no longer assume at least they are somewhere in the office They may be anywhere. So that's the first point. They need to understand what are their assets, how important every asset is. Are there any so -called crown jewels? So really valuable assets.

And the second point I already mentioned, it's identity and access management. If they don't have visibility into how they manage their identity; if they have very low maturity process for identity management with lots of manual operations. They would have to close the gaps in this area before they can proceed any further.

And that can be really a challenge because there are lots of... So I have experience working at projects with the customers who have lots of identities they don't know who owns those identities, including a lot of highly privileged accounts. Then they have highly privileged accounts that are also being used as day -to -day accounts, which is a very significant security risk.

And then some companies tend to occur other companies with completely different identity management practices. And they try to have some kind of coexistence and usually that doesn't end well.

Host: Yeah, agree, totally. So for some of these challenges, let's say asset discovery or having the right set of IAM practices, these make a lot of sense, Especially you are not in a data center. You don't have your own data center, rather you're using cloud. Folks are working from anywhere and everywhere.

So how can organizations tackle these challenges?

Natalia: So if the organization is big enough, it can hire some consulting company, which is usually what happens. And that is how I could keep my job. So there is one set of consultants doing the asset management and another set of consulting, checking the processes and identifying the gaps.

For the mid or small sized organizations, there is usually a smaller amount of assets. But still they need to dedicate a team to do this. Usually IT is responsible for IT asset management and security team is responsible for identity management.

At least three factors are satisfied. That is, we know where our assets are, who has access to those assets, and how the identities are managed. We can start the journey towards achieving a higher level of zero trust maturity.

Of course, everything requires resources. So resources are time and money. And it would be naive to expect that if the security team is already overloaded with, let's say security operations, responding to incidents, that they would have time to do them like asset management. organizations may still want to consider to hire a separate person who would do this.

Host: So I like how you segregated the work, Like from an asset management perspective, IT should own it. Of course, they need to work with security and other parts of the organization, but they own it. And when it comes to IAM, it's the security team's responsibility to own that. Now, let's say I understand the basics. I understand the challenges.

Now a lot of organizations have started adopting Zero Trust. And when it comes to zero trust, there are many pillars, like identity, devices, you have network, application and workloads. And now, what should be my starting point when I am trying to start my zero trust security set?

Natalia: So the starting point is always identity. Perform identity assessment, perform segregation, understand how you manage human accounts, how you manage non -human identities. That includes computer accounts, so machine accounts, and service accounts. Because very… very often all the concentration is on human accounts because we all know this mantra that human is the weakest link in our cybersecurity.

So we invest a lot in MFA, we invest a lot in training, but at the same time there could be a service account with really high privileges which has some key which is just stored on some public server and it hasn't been rotated in two years.

And in that case, so the security posture is only as weak as the weakest link. And in that case, the security account would be the weakest link.

Host: Yeah, absolutely. mean, a lot of marketing goes into paying attention to the human element, right? Like as you rightly pointed out, human is the weakest link. So we pay a lot of attention to MFA, to phishing attacks, to social engineering attacks. But we don't talk a lot about service accounts or non -human accounts. So yeah, thank you for bringing that up, highlighting that rather.

Now, how should I prioritize across all the areas? identity, network and all those ideas, when I go to leadership, how do I show them what's my priority to work on when I want to implement Zero Trust?

Natalia: So I would say the top priority is on the asset management to understand what kind of data do we have? What kind of systems? Where are those systems? Are those on-premise or cloud? So how much control over them we have and how much responsibility? One example is this cloud shared responsibility model. In certain cases, we are not even responsible for anything except for access management to our data.

So, because unless you know how much you have to defend and how many gaps you have, you cannot come up with a really good roadmap and you cannot estimate how much effort, how much money you would have to invest.

And one thing I would like to warn about is just to buy some kind of magical solution from some vendor who says it's like total zero trust, just buy it, Install it, and you will achieve zero trust. So it's not going to happen.

Host: Yeah, yeah, absolutely. I mean, there is a lot of work that comes with it, right? It's not just about the tool. It's about your process. It's about as you highlighted, like your IAM discovery, asset discovery, understanding where they are and setting the right policies. That is more important than just buying a tool and then that making use zero trust 100%.

Natalia: And as for budget requests, that's a traditional process. So risk management, can say, we have this and this data, let's say PII. If we get breached, the average cost of PII is so and so thousands of dollars per record.

And we can implement certain safeguards towards achieving zero trust. And then our risk of being bridged would be significantly lower. We can demonstrate everything in some numbers. So if we see that the cost of those safeguards is lower, that would be money talks. So clearly benefits the business to have this implemented.

Host: Right, absolutely. So we spoke about IAM. I want to dig a little deeper into it.

So we spoke about IAM and how it's one of the, or identity, one of the primary components of, or core components of Zero Trust. Now, during COVID, we touched on that as well, right? During COVID, a lot of folks had to work from remote, like work remotely from home or coffee places and things like that.

So we got this question from a security leader from a healthcare startup, say, I'm in healthcare, we have a remote first culture.

How should I provide access to data in a secure manner to my employees?

Natalia: So in that case, I would recommend enforcing tighter controls over where data is stored because it's health data. Some solutions that can help is using remote desktops. So that means data is never being copied to the physical machines of employees. It always stays in a secured cloud or at least in the data center.

And in case the employee leaves the company for one reason or another, they would lose access to their remote desktop. that means, yeah, that means they will not be able to access it anymore or to make any unauthorized copies of it.

Host: which makes sense. Any other tools that you can think of which should be put in place as well. Like things like VPN or anything else that comes to your

Natalia: Yes. So VPN makes more sense in the traditional perimeter network. Or if we have everything concentrated in the office or in the data center, that it makes perfect sense to set up VPN client on every machine of the user.

But it's important to understand if the user connects via VPN directly from their physical machine, you have less control on if they can copy the data to their machine or not. And let's say for some reason this user is working from the country where you prefer not to have your data physically. Then it's like a breach. So if the data is never being copied, if they are using this virtual workstation, then you are always compliant.

VPN is good when you have some partner and you want to establish a channel between two offices or two data centers to ensure that the data is never traversing public internet.

So for other tools that are worth mentioning is because in zero trust, by definition, we never trust or always verify. We do monitor certain patterns of how users are accessing the data. What resources are typically accessed by this particular user. If we found any anomaly, we can ask users to re-authenticate or perform some kind of challenge to verify that their account has been not compromised.

Host: Yeah, it makes a lot of sense. So now I want to move to the next topic, which is around security maturity models and how we interpret it. To get started, can you maybe help our audience understand what are maturity models? And if you can give some examples, that will help.

Natalia: So the reason of why maturity matrix has appeared is because everybody was asking but how would I start my journey into zero trust and how do I understand where I am in this journey?

So certain public organizations like NIST, like Cloud Security Alliance and some others came up with their frameworks to define, What is the current stage of zero trust implementation that the certain organizations belong to? I have been mostly working with NIST maturity matrix, but it doesn't mean that it won't work with similar frameworks or matrices.

So, Matrix maps certain controls such as network security controls, identity and access management, automation, and so on to different stages of zero trust maturity.

So, one can always understand by ticking those boxes and checking the Matrix where they are. Are they at the very beginning? Are they already somewhere mid-stage or are they quite far in their journey? Just remember that this little trust is a journey that never ends. There is always something that you can improve. As the attack surface shifts and there are new compliance requirements and new zero days are discovered and so on.

Host: Right, right. Yeah, I think that's how you started as well, right? That it's not a one-time config and forget about it kind of scenario, but rather you have to constantly monitor and keep improving.

Natalia: Yes, exactly. But you can compare yourself where you started and how it's going. Are you even moving to the next maturity level or is there still something missing?

Host: Right, right. And now speaking of the levels, there are many levels, right, when it comes to maturity models, like initial, repeatable, defined, things like that.

Can you briefly explain what are different levels of the maturity for zero trust?

Natalia: Yes, so most of those maturity matrixes and models are based out of the capability maturity model which has typically one to sorry three to five levels. So all of those matrixes have initial level. So that is where you stand when you started.

Then they may have repeatable levels, some matrices don't have it. That usually means that the organization is moving towards infrastructure as a code in whatever practices they picked up from the initial level.

Most of the matrices have defined levels. That means you don't only have everything automated, but you also have everything documented and well defined. And there could be also the next stage, which is managed level, which means that you have some kind of quality assurance methods to verify where you are standing at, not just, so to say, gut feeling.

And the final level which is never final because it never ends, it's optimizing. So you're constantly improving. You have set up all the necessary controls. You have documented them so people know how to use it. And you have total control of those processes and you're just looking if there are any gaps, if something should be improved as a result of some incident response or as a result of the new vulnerability being published and so on.

Host: OK. Thank you for categorizing them based on different levels. Now,

How do I interpret those levels, or how do I map them to my overall cybersecurity program?

Let's say I'm going to the leadership to show the progress. How do I map them to the cybersecurity program so that my leadership understands the progress that we have been making?

Natalia: So, there are certain types of controls that should be in certain state. If we talk about the basis, about identity and access management, initial level would be manual or ticket -based identity management. When employee is coming to a new role in the organization, then there's service ticket is created and then administrators use manual labor or just some scripts to create all the necessary accounts and assign permissions. So that's initial level.

In that regards, the infrastructure as a code or some kind of automation. So the next level would be to have a system that looks into a chart database looks at the position of this person and automatically without creating a ticket assigns some rights. And if this employee is changing their position, the system looks again and revokes the rights that should no longer be assigned and assigns some new set of rights. That would be this second level, repeatable level.

Then the next level would be that you have everything defined and documented. it's just, you don't copy, let's say Jane's access rights from Maria's access rights. Just because they look like they do the same, but you have a well-defined role and you can explain why they have the rights they have.

And what to do if you have to have some exception, let's say Maria is now assigned to some temporary project within the company, which requires that she has some rights for, for two months. And how do you document this exception? Otherwise it may be lost and she may still have those rights long after the project has ended.

Then Managed level would be that you are able to provide the proof to the auditors when they come to assure them that yes, you have the OZOS process defined, here is the proof, I am secure and I am compliant. And finally, everything that comes after this, any kind of improvements would be then optimizing.

Let's say you have your MFA based on text messages and you decide you want to have USB keys for MFA. That would be optimization because it would bring you to the next level of security.

Host: Yeah, thank you for again categorizing them and how do you map your security programs to the different levels of Zero Trust. So you mentioned about NIST, you use NIST matrix for the Zero Trust. Any other cybersecurity frameworks that you have used which have helped in the Zero Trust journey?

Natalia: So what I mentioned I use NIST framework, let's say for the cloud and the Zero Trust Maturity Model that is published by CISA. So that is a cyber defense agency of the US. The most recent matrix of CISA maturity model for Zero Trust is 2.

It has been published in January 2022 and it helps you to understand for each control which level of maturity you are in. I provided an example for just identity and access management. There are more controls. are network controls. There are user behavioral analytics. There are asset management controls. And so on.

So each one of those controls can be at different maturity level independently from others, more or less, to say. So your overall maturity level is the lowest level among those components usually. So if you have identity management at level four, let's say but your asset management is at level 2, then you are most probably at level 2.

Host: Yeah, yeah, makes sense. Like this goes back to what you said earlier, right? Like you, your security is as weak as the weakest link in your, in your organization. So it's very similar.

So for this podcast, had reached out to a few folks for the, to see if they have any questions for you. And we got some questions and I'll go one at a time.

So, We reached out to Kalyani Pawar and she has asked, how does one transition to AI security domain? So any thoughts on how can a, let's say, a security engineer or security leader transition to AI security domain?

Natalia: I would say that each career path is individual, so one may learn from somebody's experience, but one may not necessarily want to or be able to copy it. My strengths was always a strong mathematical background. So when I realized that I can...

I can do a lot of interesting tasks in the area of machine learning security. It was easier to grasp the initial mathematical concepts, like statistics. Because machine learning has a lot of things to do with statistics, like when you have to, yeah.

In particular statistics because mathematics is just like cyber security. It's like a very very broad area But particularly statistics So I I saved myself I would at least the six to eight months on not having to Learn the basics of statistics and then of course, it's like reputation.

So If you come to your manager and you say, I have worked successfully in this role, but now I would like to try working in some other role. Would you trust me enough to support me in my transition?

And if you have good relationship, if they know that you are competent, they would most probably trust you and support you.

And from the training perspective...

Host: So it's like having that honest conversation with your manager.

Natalia: Yes, because for the manager in the end of the day, it's important to see their subordinates motivated and the people are motivated not only by material things, but also by being interested in what they are doing at the moment.

But from training perspective, I do not see any issues here because most of the major cloud vendors have free training available. So AWS, Azure, GCP, everything you need is just to create an account on the platform and you can learn. then there are some, so from the security-specific trainings, There is a good class on free class on API security available at least from several providers. I can provide the link separately because probably it's a bit hard to comprehend from what I'm speaking, but it is there.

So I don't see any… need right now to invest in a very expensive training if you just want to try yourself in this area.

Host: OK. That's a good feedback. Similarly, Kim Woods had a question around how should someone get started on threat modeling? Any pointers to get started on that?

Natalia: So the good starting point would be to learn about the STRIDE technique. It's a very popular technique. was introduced stride. S -T -R -I -D -E. So every letter stands for some kind of attacks that hackers can do against your system.

For example, S stands for spoofing and T stands for tempering and R stands for repudiation and so on. So it has been around for quite a while. It's quite popular and it has been published by Microsoft and certain people who know of work for Microsoft still continued development of this framework and the tools that can help anybody who's doing threat modeling to do their threat model against this framework. That's a good starting point.

And after this, there are lots of threat models that are specific to certain property. Because for example, Stride doesn't categorize data to PII or confidential or whatever data, it just says we need to protect data.

There are some frameworks like Linton that concentrate particularly on the fact that not all data was created equal.

And then there are some frameworks that are specific, let's say to AI. And they understand that machine learning models are not only data, but also the code. So those kinds of hybrid frameworks. But if one starts learning everything at the same time, they will become overwhelmed. So I would say stride.

Host: Okay, so it's a good starting point. Yeah, thank you for that recommendation. So that brings us to the end of the podcast.

Learning Recommendations

But before I let you go, one last question, which is any reading recommendation that you have for our audience? Like it could be a blog or a book or a podcast or anything.

Natalia: So I have been recently reading quite a lot of books and one that came to my mind is called Chaos Security Engineering. So it helps you in effect that yes, chaos is indeed a part of security, because a lot of things come from zero days or absolutely unexpected vectors, no matter how much threat modeling do you do.

And this book contains some scenarios in the same way as chaos engineering in software development, randomly impact certain parts of your infrastructure. So how can you be better prepared to zero days.

Host: So yeah, that brings us to the end of the episode. Thank you so much, Natalia, for joining and sharing your learning with us.

Natalia: Thank you for inviting me!

Host: Absolutely. Thank you! And to our audience, thank you everyone for watching. See you in the next episode. Thank you.