Zero Trust Security

Interview: Preventing Ransomware With Zero Trust Segmentation

Expert Insights interviews PJ Kirner, CTO and Co-Founder of Illumio, to discuss how organizations can get started on their Zero Trust journey.

PJ Kirner Interview

Zero Trust is quickly becoming one of the most widely adopted security frameworks for enterprises today, with a recent survey finding that 80% of C-level cybersecurity professionals listed Zero Trust among their top priorities.

Both the desire and the need for a better approach to cybersecurity are clear in an increasingly turbulent threat landscape. But while many organizations are keen to implement Zero Trust, they struggle to understand what Zero Trust should actually look like in their organization and, crucially, what the first step on a Zero Trust journey should be.

PJ Kirner is the Chief Technical Officer and Co-Founder at Illumio, a leading Zero Trust segmentation provider headquartered in Sunnyvale, California. We spoke to him to discuss the background behind the Illumio platform, the importance of Zero Trust Segmentation, and his advice for how organizations can get started on their Zero Trust journey.

What was your vision when founding Illumio, and what challenges did you see in the market that needed to be addressed?

The founding story is interesting, and it ties into some wider trends. Illumio’s mission is to prevent breaches from becoming cyber-disasters. There were three trends that I saw back in 2013.

One was that compute was getting more and more dynamic. AWS was just coming on the scene, so was VMware, and so on. I’m not saying I predicted containers, but the trend was clear: we were trying to get faster with compute.

The second thing happening was that applications were becoming more and more connected. The extreme example is the Netflix architecture; that giant map of hugely interconnected microservices. But even if everybody wasn’t doing what Netflix was doing, they were moving in that direction. You can call it the API economy; you can call it microservices; people were adopting these technologies and things were getting more interconnected.

And then I saw a bunch of customers who saw lateral movement as a problem in their environments. Back in 2013, these were more often nation-state actors, a large organization, or companies with some sort of compliance reason to separate services. So lateral movement was a problem back then.

Illumio was started out of the question: how does security need to change to adapt to a faster moving, more highly connected environment, where lateral movement is a bigger security concern?

If we fast forward to today, what has changed? Ransomware is probably the top issue today. And ransomware takes advantage of lateral movement—or the lack of lateral movement controls—from inside people’s environments. And the thing about ransomware is that it’s changed from just stealing people’s data, to impacting people’s availability.

You can take out an organization’s ability to do its job. Maybe you didn’t steal their data, but you locked it up. In locked up systems, people can’t work! So, for your CEO and your board, yes these are security issues, but they’re also operational and business-impacting issues.

So, none of this I could have predicted back then, but these are the trends, and why Zero Trust Segmentation has become so important.

How does Illumio’s platform work to prevent these lateral movement ransomware attacks; how does your mission around stopping breaches becoming disasters work in practice?

Let me use a metaphor: think about how we build submarines. How does the submarine have physical resiliency in its environment? Well number one, it has redundancy.

But the other thing is that it is built with a set of watertight components inside so, when there is a breach—and they plan for the inevitability of a breach—they can seal off the watertight compartment. And the breach might have an impact, but the submarine doesn’t sink. That’s what Illumio does with Zero Trust Segmentation. It’s like putting those watertight walls up inside the submarine, so that your organization has cyber resiliency.

If you think about what’s changed over the years in the industry, at first, we focused on prevention. And prevention in terms of the submarine is like trying to make the hull thicker. Okay, there’s a torpedo coming, let’s make the hull a bit thicker and hopefully it doesn’t get through. But you can imagine an arms race now, where the people who make torpedoes make better torpedoes, and now you need an even thicker hull. That was the problem with the era of prevention.

And then the next phase was the EDR phase. And that’s like getting a better radar for the submarine. Let’s see if we can just stay away from the torpedoes and avoid them. And again, it’s an arms race; you have a better radar, they have better torpedoes.

So, this third wave of cybersecurity is really about containment. It’s about knowing there’s been a breach, and this idea of assumed breach. And so, we now think about what we need to do to survive the disaster, as opposed to trying to avoid the person clicking on that link in the phishing email—which they will do at some point.

You still need that outer wall. You need all of these things together; you still need to be able to defend yourself. But having that way to contain something so it does not become a disaster is what we’re focused on, and is where Zero Trust Segmentation comes into play.

There’s a huge amount of interest around Zero Trust in the industry today, but we’re finding a lot of organizations are struggling to define Zero Trust and what it should actually mean for them in practice. How do you define this concept of Zero Trust, and where does Zero Trust Segmentation fit into that broader framework?

Zero Trust is a philosophy and a framework first of all. You don’t buy it, there’s not one vendor who gives it to you. It’s a philosophy or strategy, and it has to be absorbed by the whole company. That means there’s some organizational change needed around it. It’d be much easier if there was just a button to press, some money to spend. But that’s not what it is, because you’re changing how people think.

The first Zero Trust change is from implicit trust to explicit trust. Implicit trust is the perimeter. There’s a wall around accessing these things, but inside those walls, trust is implicit; everyone pretty much has access to everything, and you’re just trusted to do the right thing. When you have an insider threat, or something like that, what is exploited is that implicit trust.

Explicit trust is when you have to define exactly what is allowed. You have to build up an allow list, where you have to enumerate what is allowed.

That’s one element of it, moving to an explicit trust model. The second part is least privilege. You can cheat explicit trust a little bit, by saying, “Yes we have explicit trust, we just allow everybody.” So, you have to couple that with a least privilege model. And least privilege is not a new thing; we’ve been doing it for years, but it’s been reinvigorated, as some of those large perimeter controls have failed.

Least privilege does require that there are processes in place. For example, if everybody only has access to what they need to do their job, what happens when someone needs to get access to a new system? If getting access to anything new takes seven weeks to accomplish, you’re not actually being dynamic and agile enough to achieve a Zero Trust philosophy.

And then the other part is that Zero Trust needs to be continuous. You have to continuously verify. Every time you log in, every time your applications are running, there needs to be a continuous process that goes along with that.

And then the final thing is that the “assume breach” mentality has to be there. We did some research, and we found that people said they did assume breach. But when we asked them how likely they thought they were to be attacked, the numbers went way down.

So, I don’t think people have really understood and internalized what “assume breach” is, even though they say they believe in it.

You’ve touched on this, but why is assume breach such a fundamental part of Zero Trust; why is focusing on surviving attacks the superior approach to the traditional security framework of strengthening perimeter defenses?

There’s some recent research we’ve done which is really interesting here. In this research, we partnered with Bishop Fox to put a red team and blue team together, an attacker and a defender. We found that when there was no segmentation in place, an attacker could breach the environment and reach all the hosts in 2.5 hours. They had basically full access without segmentation.

If we put EDR in there, to give the defender a little bit more help, it took 38 minutes to stop the attack, and the attacker did move beyond its initial entry point. When we put Zero Trust Segmentation in there, it took ten minutes to stop the attack, and the attacker could not move beyond the first entry point in the environment. In other words, Zero Trust Segmentation made it four times faster to identify and prevent attacks.

So, your question was, why do I think assume breach should be the first thing to do. It’s because there is evidence that proves that taking those proactive steps will help you when you run into that situation.

In terms of Zero Trust, we’re also seeing a lot of interest in other new product categories such as Zero Trust Network Access. Where does Zero Trust Segmentation fit with these services? Do they complement each other?

They are complements; they are not interchangeable. There are some people who fall into the trap of saying, “We did Zero Trust Network Access, and now we’re done.”

Zero Trust Network Access does follow these kinds of principles: least privilege, always verify, being sort of dynamic. Except they still set up somewhat of a perimeter. Once you get in, without Zero Trust Segmentation to help the interior of the network, you can still pivot from one place to the other.

ZTNA takes an “outside-in” approach. It lets the users in but then it ends at a certain point. Zero Trust Segmentation is an “inside-out” approach, which is focusing on the data and the applications, and putting the controls there.

So, we advocate for people taking that “inside-out” approach. It’s not that you shouldn’t do one or the other—you probably need to do both of these things. But we do think that Zero Trust Segmentation is the thing that can help you prevent that disaster.

Humans are fallible. But there’s a whole other part of the system that you need to consider where there is no human involved. So how are you going to solve that problem?

Those with the assume breach mindset realize the limitations of what ZTNA can provide and understand the need to complement it with Zero Trust Segmentation.

What is your advice to organizations who are starting out on their Zero Trust journey, what are the best first steps to take?

Zero Trust is a philosophy and something that has to be infused into the organization. One of the challenges is that people try to go too big, too early. But you really need to start with the small steps. You need to have early wins and prove to executives that you are reducing risk. 

And one way of doing that is by starting with visibility. We have had customers who have shown their application team how an application is working, and they have said, “We didn’t know that!” You haven’t even done the segmentation yet, but you’ve gotten some business benefit by understanding your attack surface and understanding how your applications fit together; that’s an early quick win.

Another quick win is something we have called Enforcement Boundaries. And this goes back to some of the ransomware attacks, where we say, “Let’s just look at remote desktop protocol (RDP), and how we can limit the attack surface of RDP.”

Because that is the one protocol that’s often used and exploited during ransomware attacks, and only IT administrators need to do RDP. Normal users just don’t need RDP, so let’s just cut that one little thing out. And that’s a tiny little slice. It’s applying Zero Trust to just a simple protocol, but that’s a way to get started.
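The three steps the interview walks through (visibility into observed flows, an explicit allow list, and an enforcement boundary on RDP) as a small added model in Python; this is illustrative code written for this page, not Illumio’s product or API, and the workload labels, the admin group and the sample flows are constructed assumptions.

```python
# Added illustration (not Illumio's code): explicit-trust segmentation with an
# "enforcement boundary" that limits RDP (TCP/3389) to admin jump hosts.
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class Flow:
    src: str   # workload label, e.g. "web", "db", "jump" (assumed labels)
    dst: str
    port: int


# Step 1 (visibility): flows observed between tiers. Constructed sample data.
OBSERVED = [
    Flow("web", "db", 5432),        # app traffic
    Flow("jump", "web", RDP_PORT),  # admins managing web hosts
    Flow("jump", "db", RDP_PORT),   # admins managing db hosts
    Flow("user", "web", 443),       # end users reaching the app
]

# Step 2 (explicit trust): the allow list is exactly the reviewed flows.
ALLOW = {(f.src, f.dst, f.port) for f in OBSERVED}
# A leftover over-broad rule from the implicit-trust era (constructed):
ALLOW.add(("web", "db", RDP_PORT))

# Step 3 (enforcement boundary): RDP is denied from every non-admin source.
# The boundary is checked before the allow list, so a stale allow cannot
# reopen RDP between application tiers.
ADMIN_SOURCES = {"jump"}


def decide(flow: Flow) -> str:
    """Return the verdict for one flow: allow, deny:boundary or deny:default."""
    if flow.port == RDP_PORT and flow.src not in ADMIN_SOURCES:
        return "deny:boundary"
    if (flow.src, flow.dst, flow.port) in ALLOW:
        return "allow"
    return "deny:default"  # implicit trust is gone; unlisted traffic is dropped


def evaluate(flows):
    """Map each (src, dst, port) to its verdict."""
    return {(f.src, f.dst, f.port): decide(f) for f in flows}


if __name__ == "__main__":
    trial = OBSERVED + [Flow("web", "db", RDP_PORT), Flow("user", "db", 5432)]
    for key, verdict in evaluate(trial).items():
        print(key, verdict)
```

The lateral-movement case, a web host opening RDP to the database tier, is denied by the boundary even though a stale allow entry covers it, while admin RDP from the jump host still works.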


You can find out more about Illumio here: https://www.illumio.com