In this vlog, our Chief Strategy Officer and Co-Founder, Mike Engle, joins our Chief Marketing Officer, Michael Cichon to discuss how a zero trust architecture can be defeated. They also discuss how to go beyond 2FA and MFA to prove identity and prevent breaches.

 

Hello, everybody. This is Michael Cichon, chief marketing officer at 1Kosmos. I’m here again today with Mike Engle, our co-founder and chief strategy officer, to discuss zero trust. Mike, welcome to our vlog.

Thanks, Michael. It’s great to be here.

I got to tell you, I read recently, I think it was a tweet from an IT person that said, “The next vendor that mentions zero trust, I’m going to stab them.” At the risk of getting stabbed, what is zero trust? Can you get us started?

It’s actually been around for a long, long time. I think I read that the concept was first coined in 1994 by some professor in some doctoral thesis or something and then Google made it pretty popular. There was some organization called the Jericho Forum that talked about it 10, 15 years ago. It’s been around for a while but it got really popular, I’d say in the last eight to 10 years or so. And the idea is that your perimeter is disappearing.

It used to be, back when I was running infrastructure for a large company doing the security, you’d have firewalls and harden your external systems and you’d have DMZs and all this stuff. Well now with all the compute resources going to the cloud and everybody having 10 computers on them, half of them managed half of them not, you have to assume that the bad guys are going to get visibility into kind of all of your compute resources. And so they say, you always have to verify. You can’t just trust that somebody has gotten in the right way, which is the way it used to be back in the old days before I had gray hair.

A little bit of gray hair. Unverified trust, I guess that’s the vulnerability then.

It is. Imagine again, going back to say in the 2000s, somebody would VPN into your network and then it’d be very simple. You’d have file shares open, you’d go grab your files and things like that. Anybody who could get in through that perimeter could just kind of have their way with what’s on the inside so you made that outside really hard.

Because IT is trying to make the environment secure but at the same time convenient for users. It’s this balance between convenience, I guess, and safety or security. But I guess while everybody seems to be peddling zero trust now, while a lot of security practitioners, network administrators want zero trust, maybe they know more what they don’t want than what they do want and maybe the architecture is not that clear to them. Can you talk a little bit about the architecture that supports a zero trust environment?

There’s six pillars of zero trust and some examples are the identity, which we’re going to talk about here today of who’s coming in, the security of the endpoints themselves. Do you have the proper security on the workstation or on the phone or whatever it is on the servers? There’s an kind of an auditing component. There’s also authorization. What are you allowed to do once you get in? All of them need to be addressed as part of zero trust and it’s a journey. It’s a continuous kind of business process analysis but arguably the most important pillar of those six is identity. Because imagine if I absolutely knew it was Michael coming in and doing something inside the infrastructure, then I’m a little more comfortable with what is happening after that fact.

1Kosmos, we’re an identity verification solution as well as an authentication solution, so I think the critics will say, “Well, every SSO, every identity provider is going to claim that zero trust is the same as identity.” You just said, it’s maybe one of six pillars. Can you step into that a bit and differentiate maybe what part of zero trust is identity and what is not?

Yeah, exactly. We all know that usernames and passwords are not identity because anybody can, if they have your username and password, they can get in and they can get access to whatever it is you had. What a lot of people say is, “Well, I’ll put 2FA or MFA on and that’s zero trust.” But it’s not, it is better security but it’s not zero trust because those other things, whether it’s a token or a one time code or whatever, can also be used by somebody else. And that’s to me, the real definition of zero trust is can somebody else use it? Can I unlock my iPhone and go give it to a colleague or let them enroll, their our phone is me?” And the answer is typically with most traditional or even the newer MFA systems, the answer is yes. The only way to do zero trust is with a biometric.

Well, because you got me thinking now because the network administrator or the network security guy, he’s going to say, “Well, I’m getting identity from my IDP.” But I guess the acid test is, can that identity be reused by somebody that isn’t that person?

And the term IDP is often misused as well. People confuse SSO systems with IDP because let’s say you put an SSO system in and there’s a handful of big vendors out there that we all know and love and they single sign on super easy. You get into this one front door and now you don’t have to log into Slack or Salesforce. The SSO system just kind of passes a, it’s okay signal and they take it. But if you compromise that single sign on system, because there’s no identity there, there’s username, password 2FA. Now you’ve actually kind of made your security worse. Imagine now you have access to those 200 downstream systems because you got one username and password. If that SSO system said, “Who is this? I really need to know,” and you could prove it, now you’ve got a match made in heaven. Now you have identity coming into the SSO and can be used over and over again.

You’ve kind of hinted at this in a couple ways. The question is, what then is identity? You mentioned biometrics, you just mentioned proofing, I think. Can you bring it all together and describe when you talk about identity as a critical pillar supporting zero trust, what is identity then?

Identity is a credential matched to a biometric. And the word biometric is also a little subjective because the biometrics that are on our phones and laptops are not linked back to a real world identity. It is somebody’s finger or face on the scanner. What we do to implement real zero trust is something we call live ID, which is a live selfie that has been matched to a source of truth about me. For example, if here’s my corporate photo, which I enrolled, and this is my face and they match, then let me in. That is the only way to do true zero trust as part of the identity pillar.

If you will, just drill down for that on me, device biometrics, real biometrics, they’re not one and the same?

That’s right. Apple and Google have done yeoman’s work and they’ve made everybody using biometrics on their device ubiquitous, billions of times a day. And it’s much more secure than typing in a pin or password but it doesn’t match your face or fingerprint or voice print, whatever, back to something authoritative. When I set up this iPhone, you don’t know if it’s me or a spouse or my kids or a coworker. That’s the difference. And if it’s a real biometric, of course, it’s almost like looking somebody in the face and saying, “Yeah, I can prove that that person is who they think they are.”

Well, you mentioned Google and Apple. There’s another little company called Microsoft, which is doing biometric login. What about that? Obviously environments are a little bit more complex than Microsoft so how does zero trust work in a highly complicated or complex environment?

Again, if you have a true identity provider, some system that you can go ask and say, “Tell me who this is authoritatively?” It doesn’t matter if it’s Microsoft, Apple, Google, if it’s Okta Ping, 4drop, you’re going into Azure AD. It doesn’t matter, as long as you have an authoritative source and that’s what we provide. And the authoritative source is linked back to a real world identity and verified with real biometrics. If you have this critical who is it, question answered everything else downstream becomes a lot easier.

Well, before we wrap, any closing thoughts that we haven’t covered?

Well, one is a little selfless promo for a webinar we’re doing on June 16th on how to defeat zero trust, at least the zero trust that’s been coined in the industry. We’ll have some real world examples of how, call it Fortune 100 type clients could have their current infrastructures bypassed. And some of these have happened in the real world as well. 1kosmos.com, click on the webinar link and sign up and we’ll talk more about it there.

Well, that’s all the questions I have, Mike. I think you dug into the difficult questions that I could throw your way. I appreciate your time this morning.

No, thanks for having me on. Fun as always.

Have a great rest of your day.

Thank you.