At the Dell Technologies World conference held in Las Vegas last week, Dell announced the rollout of Project Fort Zero, a public/private partnership with the US Department of Defense and Maryland Innovation Security Institute’s Dreamport facility that also involves dozens of supporting companies.

In a chat with businessline, Dell’s Global Chief Technology Officer John Roese explains how Zero Trust marks a paradigm shift when it comes to dealing with cybersecurity issues and what it takes to make it a viable architecture, both conceptually and commercially.


Can you please bring us up to speed on the concept of Zero Trust?

The first principle of Zero Trust is nothing is allowed on the infrastructure unless it’s authenticated. No application, no workload, no user, no device. Everything must be authenticated and continuously authorised. You can’t do that if the identity management framework is fragmented. The second principle that we discovered on the journey is, and this is going to sound provocative...there are no examples of Zero Trust infrastructure in the commercial market today. There are places like the National Security Administration that have Zero Trust infrastructure. Not even the Department of Defense in the US is Zero Trust yet. They are committed to it. We are helping them do that. It’s also very hard to take a brownfield enterprise and make it Zero Trust. If for 20 years you were just letting random things happen and you don’t even know what’s going on in your infrastructure, the idea that it’s going to suddenly authenticate everything, have policy rules that only allow the known good activity to occur, and this is important because in security there’s only three things that exist...the known bad, the known good, and the unknown. That’s what you deal with.

Today’s security architectures focus on preventing the known bad and finding new known bad in the unknown. They don’t really care about the known good. Zero Trust flips that on its head and says, no, no, we’re going to define the known good and prevent everything else. It’s very hard to apply that type of policy to an infrastructure that’s got 1,00,000 users on it, that has no controls and is really just chaos. So what we learned on the journey, especially with the US government on this, is that the likely path for an enterprise is that you’re not going to convert your brownfield clouds that can’t do Zero Trust today to be Zero Trust by adding a box to them. That’s not going to happen. And even if you fix the control plane problem, it’s still not going to be enough. So maybe you shouldn’t even try because you have multiple clouds. Maybe you should put some new clouds in that to meet the Zero Trust requirements.

And just like in a multicloud environment today where you have Google and Amazon and an on-prem environment, you make a conscious decision which applications go in each cloud. And we think what will happen is as Zero Trust architectures become viable, you can actually build Zero Trust clouds. You will simply set up new ones and you will put them in your multi-cloud environment and you will make a conscious decision to migrate the workloads and users that are most important into those Zero Trust environments. And you will leave the other stuff in the other clouds, at least for a long period of time because pragmatically a large enterprise can’t just flip a switch and make it Zero Trust. 

If your multi-cloud system is running well, adding two more clouds that are Zero Trust compliant is not hard because everything else is already horizontal. You can move data between them, you can use the same Edge, you can have them under the same control plane. We think the journey most enterprises will go on will not be non-Zero Trust to turn it into Zero Trust. Instead, you’ll take your multi-cloud environment, which primarily is not Zero Trust compliant anywhere, and you will carefully add a few Zero Trust infrastructures in co-location or private or somewhere, and then you will use application workload migration tools, which you use all day long today, to move your most important devices and users into those environments to protect them. 


That’s a significant departure from what we do today...

Yes. If you look at a nation, let’s say India for example, India’s cyber posture is a mixed bag. There are probably lots of things in India that are not well protected, and if there was a, let’s say a massive cyber attack on the country...hope it doesn’t happen... but if it did, it’s very likely the energy grid, the banking systems...everything would stop.

And the reason it would stop is because, you know, a sophisticated cyber attack against an environment that’s got just reactive security against it will likely fail. And now, it will eventually recover. The path to Zero Trust in a place like India at the governmental level is not to try to instantaneously turn all of that into Zero Trust to protect it. You can’t do that. It’s just too big. But if on the other hand you looked at India and said, well, what are the things that we need to survive that cyber attack? We don’t need everything. 

If Netflix goes down, the world’s not going to end. If Bollywood stops, I’m pretty sure people would be upset, but it’s not going to cause a problem to the country, at least in the near term. But if I understand that there is critical infrastructure like the control system for my energy grid, or my Department of Defense, or the core banking transaction network, not the other stuff, the other stuff can go down, we can recover it in a few days. But the core... you want to make sure it survives, and we move those in the multi-cloud environment into Zero Trust environments first. Even that step, where maybe only 5 per cent of the country’s infrastructure is Zero Trust, if it’s the right 5 per cent, and that massive cyber attack occurred, you would probably survive. Because the lights would stay on, the trains would keep running, the banking system would not collapse...a bunch of other stuff would go down. But because those core systems were running on a better class of infrastructure, were more protected, it would just be a matter of time to do the recoveries and bring everything else back online, but the country wouldn’t stop.

And so the path to Zero Trust is not one step. The path is, first we have to develop it, that’s what we’re doing right now in the US... to basically develop the reference architectures, make it commercially viable, get it into the market. That will happen over the course of the year. And then the second, and that will allow people to deploy Zero Trust clouds, in addition to all their other clouds. And the next step will be to migrate, carefully migrate, the most important applications that must survive into those infrastructures. And then over time, maybe everything will end up in a Zero Trust environment. But in a place like India that could be decades. It’s just very big. 

But on the other hand, you can start the journey very quickly. In the next year we’ll be able to do that. From a national security and a resiliency perspective, we inevitably are losing the cyber war right now, because we’re reacting. A lot of people say the rules are the bad guy only has to win once. We have to win every time. Zero Trust changes that. It basically says, even if you penetrate a Zero Trust network, who cares? You can’t do anything. You can only do what the policies allow you to do. If somebody breaks into my account on a Zero Trust environment, there’s no lateral movement. They can’t go from being John Roese to being Michael Dell. It doesn’t happen. And so it’s a very interesting technology. It’s been very hard to implement over the years because it was just an architecture. Our goal is to try to industrialise it and deliver it as a viable architecture based on what the US government has defined and then make that commercially available.

(This correspondent attended the Dell Technologies World conference in Las Vegas at the invitation of the company.)