In today's threat landscape, many of the tools and much of the knowledge we use to protect ourselves and our business are outdated or even misinformed.
Greg: Welcome to today's episode of "Defrag This." I'm your host, Greg Mooney, and today we are gonna be talking about today's broken data security models when it comes to perimeter defense. In today's threat landscape, many of the tools and much of the knowledge we use to protect ourselves and our business are outdated or even misinformed. The media does a poor job describing the how and what of data security, thus making IT's job that much harder. The truth is that just installing Malwarebytes or Norton Antivirus or entrusting your firewall to protect you just isn't enough anymore. Once a breach has occurred on your network, everyone on that network is vulnerable regardless of what perimeter defenses you have in place.
I'm joined today by Evan Gilman, an operations engineer with a background in computer networks, and Doug Barth, a software engineer who regularly speaks about monitoring systems and failure injection practices. They both have a book coming out called Zero Trust Networks: Building Secure Systems in Untrusted Networks and were happy enough to join us on "Defrag This" on the phone to talk about their upcoming book and why perimeter defenses are not enough anymore. Thanks for joining us today, Evan and Doug.
Evan: Thank you.
Doug: Thanks a lot.
Greg: So I like to think about perimeter defense with an analogy. The network is your castle, and your firewall is your moat. But the problem with moats is the enemies can still build a raft and scale the castle wall. Now you both discuss in your book about the principles behind zero trust networks. Can you explain what this is and how it relates to the perimeter defenses?
Doug: Yeah, sure. I think your analogy is pretty good. It's definitely...agrees with what we think of networks right now. You really shouldn't trust your private network at all. And so if you don't trust it, how do you actually start building systems that you do trust on those networks? And that's what the book explores.
Greg: So this is an interesting concept. It seems that much of how the majority of IT teams operate today is a bit archaic. But I must ask: how do you change the way IT teams think about data security models when it used to be that your firewall and your antivirus were your first line, and most likely your only line, of defense?
Evan: Yeah, this is Evan. You previously heard from Doug. This is an interesting question, you know? It's definitely like a disruptive change of the thinking, you know? And you're spot on. It's not an easy pill to swallow, you know?
Evan: But it's just like a natural step. It's a natural progression, you know? As Doug was talking, you know, like...it's becoming pretty clear that even with a perimeter firewall, things behind that firewall can still be owned, whether that be from phishing attacks, whether that be from bring-your-own-device (BYOD) or whatever it is, right? So it's kind of just a natural extension to say like, "Hey, look, we need to do more." Like, until now, that reaction is that, and I quote, "Just put in more firewalls."
But this is kind of like a paradigm shift of saying, "Well, look, you can't have the security way over here when the thing you're trying to protect is on the opposite side," right? So this advocates kind of putting the security where the resource is, where the data is, and then building out from there. So that's kind of the... You're right. It's a very hard thing to kind of change the way that people think, which is part of the reason we wrote the book, and it's why we're on this podcast today: to try and just get that word out.
Generally speaking, like once we talk to someone and present the idea, the general reaction is just like, "Oh, wow, this makes a lot of sense. This makes way more sense than what we're doing today." And it's that kind of reaction and attitude that we're hoping will kind of, you know, spread, essentially, and people will kind of wake up and see. And we're starting to see some commercial options come out now which support this kind of model and this way of building systems. So we're hopeful that, you know, kind of the snowball is growing as it rolls down the hill.
Greg: Yeah, it seems a lot of these things are starting to catch on, especially in the media now; it seems every week there's another data breach or something going on. So it's definitely in the forefront of most people's minds, I think, especially in the IT space. So what types of tools...and when I say tools, I mean this could be tools of the trade or specifically maybe even open source tools...any type of tool that an IT pro could use to implement a zero trust network?
Doug: Yeah, so I think there's a lot of open source tools that people know things about. I mean we've talked to companies where maybe they start small and they're putting like an NGINX proxy in front of all their services, doing some really deep authorization checks. But that's only just a beginning. I think one of the projects that came out recently that's probably most exciting is a project from Lyft called Envoy, which is this layer 7 and layer 4 TCP proxy load balancer thing. And the idea is that you run this sidecar, this daemon, on every single bit of your infrastructure, and you route all network communications through it.
And so the nice thing about this is it gives you like a kind of focal point to actually put all of this...these security checks and observability systems in place. And they've been seeming to get a lot of momentum from other tech companies. So there was an announcement from Google just this past week or so about a project that they've been working on called Istio. And this is meant to, like, kind of give you much deeper policy management and authorization systems on top of Envoy. And so I think keeping your eye on those tools as a potential future for deploying an infrastructure is probably a good idea.
Evan: Yeah. And then there's also...there's all the open source stuff we're talking about. There's also some commercial options. Like VMware NSX has got some...a lot of features that kind of echo the zero trust principles, where you can attach policy to a VM container, and that policy will follow it around, and everything is authenticated and encrypted under the covers at the VMware layer. So we're excited about that. And Microsoft has a feature called Windows domain isolation or Windows server isolation that also echoes a lot of that. So there it uses the domain join with that computer certificate in order to identify itself to all the other computers it speaks to, and then they negotiate IPsec in this encrypted channel. So there's some commercial options there.
And also, you know, the story changes a little bit on what you use to solve the problem if you're talking about inside the datacenter or if you're talking about like clients in the field accessing datacenter resources, enterprise resources. And on that one, you see kind of different people playing. There's a company called Joe Security who has a product, a company called ScaleFT who has a product trying to solve this client access. We talked to someone today at a company called Cryptozone, who also provides kind of a controller-based solution to secure access from clients in the field to the datacenter in like a zero trust mode. So there's quite a bit of momentum there, for sure.
Doug: I think one of the kind of true things about building a zero trust network that maybe doesn't get a lot of attention and probably needs more attention is... Like, the whole idea of zero trust networks is that you have some sort of truth that you can leverage to actually authorize your requests. You don't just assume that anything behind the particular perimeter must be allowed. You actually enumerate everything. So if you're looking for like building these networks in your systems, I would also kind of pay attention...well, how do you capture that enumeration of endpoints and applications in a maintainable format? And I don't actually know any projects that do that very well, that give you like a way to just say like, "Here is my database of literally every application and expected flow. And from that I can, you know, back my way into policy and check things."
Evan: Yeah. And then that's super critical for your zero trust network because the idea...when you build systems in a network which is untrusted... And we call them "untrusted" just because we simply know that things behind the perimeter are gonna be owned. And when you're sitting on a network with other hostile devices, like, you simply can't call it trusted. And so when you go to build these systems on top of these untrusted networks, it's really, really critical to know who talks to who, how, and where. And all those...that's the only thing that is allowed, you know? And so you need some sort of database that Doug is describing kind of in order to drive the policies and realize that enforcement into the network.
Greg: Now...so this is all great stuff, and this actually... I had a list of four questions here. Now I literally have like 10 other questions I want to ask you based on this. So I just wanna ask you...so you were talking about, like, figuring out, you know... Obviously, IT stacks nowadays are getting just bigger and bigger. So the holes in which somebody could attack these attack vectors are...they're exponentially rising, based on the amount of apps. I mean, we're not even gonna get into IoT devices or anything like that. But how do you...I mean how do you like basically build these policies? Is there an easy way? I mean every single person's network is obviously...you know, every network is gonna be unique. So what would be the first steps that you would tell somebody in order to find out what are the most important vectors of attack to actually protect against?
Evan: So there's a few ways that you can kind of go about tackling that problem, you know? And the cool thing about zero trust network is you don't set out to say, "Well..." I mean you set out to say, "These kinds of adversaries or these classes of attacks you want to prevent, and you do it like this." But, you know, opposite to the way that some other like security stuff currently does like, for instance, IDP, IDS, antivirus, all these things are signature-based. They say, "This is what the attack looks like, and we will block that thing."
And in a zero trust network we block everything and we allow only things that have this policy as sort of we've been talking about, right? So the way that...building up that policy can potentially be very, very difficult. It depends on where and what you're writing the policy for. So it's funny you ask this question. Doug and I literally had an argument about this over lunch today where, you know, for instance, inside the datacenter, if you're using VMware, if you're using Kubernetes or some other kind of container scheduling or virtual machine that's scheduling infrastructure, you probably have a pretty good spot to look at that already. You know, you're gonna have virtual machine data that might even have port policies attached and how it speaks, or you're gonna have container information available to you that describes kind of the workloads and what ports they listen on and all that kind of information.
So in the datacenter, you know, depending on your infrastructure, it might be easier. Client-based then, you tend to wanna do the enforcement at a very high level, like Layer 7, where you're authorizing like, you know, HTTP requests by request basis. And there it can be a lot more difficult. So Doug and I have discussed systems which might, you know, go in learn-only mode or something like that and kind of log all the requests and then bucket them together in order for you to better understand what is being accessed.
You know, the way that Doug and I did this and our experience when we've built zero trust networks is we started by putting everything in a log mode. So we put in all our firewalls like default deny everything. And then when you get to the end, log it, log what had been denied, but don't actually deny it, right? And then we went through all those logs, and we started kind of looking at the logs and saying, "Okay, this thing is talking to this thing. This thing is talking to this thing." And you slowly kind of write policy which says...which describes those relationships that you find. And then as you apply that policy, still in log-only mode, you can see kind of like the amount of traffic that would have been dropped will dwindle off at a certain point, you know, "Okay, you captured X percentage of the network flows."
Greg: And, for the sake of time, I'm gonna ask the last question. Why would somebody buy your book?
Doug: Yes, I think that the value that our book gives you is that it's really a year-long effort of thinking about, "All right, well, if we don't trust the network, how do we re-architect a system in that type of environment?" So I think the value of it is having just written down like kind of a mental model of how you should think about these problems. It doesn't really try to, like, say, "Oh, just do this and this and this and this, and you'll be secure, and you'll be done," because I honestly don't think that will ever be the case. But what it does do is it gives you a guiding light to like try to work towards this ideal, build up systems in this shape, and you're at least like following along with a lot of the forward-thinking organizations and companies and therefore positioning yourself well to defend against attackers.
Evan: Yeah. And to add to that, I think Doug and I believe that the zero trust model is going to be kind of like the predominant model sometime in the future. And, you know, by understanding the model now... And we believe that just because, you know, look at the rate of cyber attacks going on. All this stuff is, like, completely crazy.
But, you know, if you read this book now and kind of understand, look, this is the architecture we're talking about. This is how we solve some of these massive cyber security problems you've been seeing. A lot of them are associated with perimeter networks, and people don't realize it. So if you read that now and, you know, as Doug says, I don't know, like inch towards that architecture and just kind of have that right mindset, you're gonna find yourself in a lot better place a couple years down the road when everyone is doing this, and you'll just be that much closer, right, and hopefully, maybe you have even already beat them to it, you know? So I think that it's a good read for anyone who plans to be in the industry for another five years or so.
Greg: Great, great. You know, thanks so much for creating this book. I can't wait to read it. When exactly is it going to be released?
Doug: It's supposed to be released just prior to Black Hat, so end of July.
Greg: Oh, are you gonna be at Black Hat, by the way?
Doug: Yeah, we will be at Black Hat. We're gonna be...
Evan: We're doing a signing there actually.
Greg: Oh, I'll have to stop by your guys' booth. Yeah, I'm gonna be there myself.
Evan: Yeah, totally. Yeah, the booth is a company called EdgeWise. It's sponsoring us, and we'll be doing a book signing there. So just pass by the EdgeWise booth if you're coming to Black Hat and ask about the signing, and there'll be some set hours.
Greg: Oh, great. So there you have it, folks. Thank you so much for sharing your insight on the, you know, a very important topic. I know from all the IT people I talk to, I would say only about 50% are actually thinking this deeply about security, which is kind of frightening in, you know, today's landscape, but it's definitely... You know, you guys...you know, you're fighting the good fight trying to spread awareness around this. So thank you guys both. And you can preorder Doug Barth's and Evan Gilman's book, Zero Trust Networks, on Amazon. And I wanna thank you both for coming in today. It's been a pleasure.
Evan: Thank you very much.
Greg: All right. And I'm your host, Greg Mooney, and this is Defrag This. And remember you can follow us @Ipswitch or @defrag_this on Twitter or you can go to blog.ipswitch.com.
Until next time, stay safe out there.