What Does Zero Trust Tell Us About Cybersecurity? A Q&A With Wandera’s Michael Covington

At this year’s RSA conference, Early Adopter Research’s Dan Woods sat down for a podcast conversation with Michael Covington, VP of product strategy for Wandera. They discussed a number of topics, including an overview of what Wandera does. Woods also asked Covington about his three key cybersecurity questions for 2019. This is an edited version of their conversation, and you can listen to the podcast here.

Woods: Could you provide a simple description of what Wandera does for the cybersecurity world?

Covington: We essentially offer mobile security for the mobile-enabled enterprise. We offer an endpoint protection tool called Mobile Threat Defense, and we complement that with some technology at the network layer. Think iOS devices or Android devices, as well as Windows 10 tablets which might have SIM-enabled connectivity. We protect them as they leave the corporate perimeter. We complement the technology that’s on the device, or on that endpoint, with some network-based technologies to prevent things like phishing attacks and crypto-jacking from reaching those mobile endpoints.

The first question I have is about zero trust. Now, when you think about the big idea of zero trust, you usually think we’re going to be able to implement a better security system inside what is currently the zone of trust. That better security system will do a better job of understanding who is inside, and will dynamically create a segmentation around that person so that they can do their work but will do it only inside of a very precise cybersecurity umbrella. It sounds like you’re going to be more secure if you do that. But then when you think, wait, if we’re not trusting those people inside the security perimeter, does that mean we can have less of a perimeter? Does that mean we can have different types of security or maybe less security here or there or the other place? It turns out zero trust is completely additive, every way I’ve ever seen it being implemented. There’s nothing that goes away. And so this doesn’t seem like the way it should be according to the concept. When you talk about applying more security and trusting less, shouldn’t you be able to get a break somewhere else? What does zero trust mean in practice, and why is it just another additive responsibility?

I think zero trust is a really interesting concept. For me it’s forcing a conversation with enterprises who’ve made some decisions in the past, and providing us with an educational moment to really own up to some decisions that the industry has made and that customers have made as they’ve enabled their workforce with a whole bunch of new ways of doing technology. Mobility is not new, but I think mobility is one of the first trends that we saw that led to a change in the perimeter. You had devices that left that corporate space and still needed to access some sensitive content. But then, cloud-hosted applications happened as well. We started seeing not just the devices leaving and the people leaving the perimeter, but the applications as well. And now we have a whole bunch of other things that go along with that. Applications that are no longer being developed in house. You need to now enable these people who are no longer within this trusted space to access applications that are also not in that trusted space, and you need to do so with some kind of security assurances. I think the concept of zero trust is the industry’s way of saying to the customer, “You know, you made some decisions. You still need people to access sensitive data. How are you going to do it?” We need to give you some tools in order to enable you to start building trust back up. Because right now you don’t have any.

What were the decisions that were made that made this requirement more important?

One of the very first decisions that was made from my perspective was a decision around how to purchase these devices that were going to leave the corporate perimeter. We saw a trend about five to ten years ago with BYOD that the industry thought was going to just take off. The end user would buy their own device, they would manage that device themselves, and they would still be able to access these sensitive corporate resources. Allowing a device to have access to sensitive content that was completely unmanaged and unprotected by the enterprise I think was a game changer with the way IT was delivered and is delivered still today.

So you’re saying the wrong way to think about zero trust is only to think about it inside the trust perimeter. Zero trust becomes a lot more important when you think about how it deals with people who are outside the perimeter accessing applications that are outside the perimeter. That’s where it actually delivers this new value. It’s not replacing anything, but it’s actually providing something that’s actually genuinely new.

That is where it is absolutely, genuinely new. I think that some of the models that I’ve seen in the industry have come from people who’ve tried to take this kind of broader approach to building up trust and apply it in a small microcosm within that trusted perimeter, so they could get rid of certain things like firewall appliances that they had at the edge of their corporate network. But the reality is that what they were trying to enable was users with laptops who didn’t want to use VPNs because VPNs provided a bad experience. That, I think, has just exploded as we’ve seen certain device ownership models come out, new platforms from Apple and Android, and new ways of accessing content online.

You’d argue that zero trust is also about a better experience when you’re outside the perimeter.

One hundred percent. I think one of the things we’ve had in the past is that security has not been an enabler. It has been something that has gotten in the way of the end user. When users are forced to change their password, for example, every month, what do they do? They choose weaker passwords by default because they need to remember a new password on a more frequent cadence. And I think that zero trust is kind of trying to leapfrog where we were with users just having all of these things forced on them. Zero trust is really meant to provide the company with more security assurances, while making it easier on the user, to unburden them with taking on a lot of that security responsibility on their own.

The next question I want to ask is about portfolio pruning. It seems that the entire world of cybersecurity has been additive. Every RSA, every time a new trend comes up, there’s a new solution. And there is never a time in which the old solutions seem to get pruned and replaced by the new solutions. People have been saying for a long time that antivirus is dead, but people still have antivirus systems of the kind that they said were dead in their environments. Newer, better antivirus systems that do more have come up, but they haven’t replaced the ones that they said should go away. Do you see any chance that we’re going to get to a point where cybersecurity portfolio pruning actually starts to happen?

I wouldn’t even know where to begin to suggest to start the pruning. One of the core pillars of our business is around visibility. We help companies really understand a lot of things about their mobile users, their mobile devices. Where in the world do they go, how much data are they consuming, what threats are they being presented with, what networks are they utilizing regularly? Every security tool that’s in the toolkit—and I’m thinking more around the defensive types of tools—adds visibility that the company purchased for some reason to begin with. I don’t see many organizations willing to give up insights into a particular aspect of their information technology footprint. So when it comes to tools on the endpoint, tools on the network, those I don’t see getting pruned. They might get consolidated, so where you had endpoint detection and endpoint response, those may come together. I think where we have the biggest opportunity to consolidate, to collapse, to prune, is going to be on the analytic side. We’re already overwhelmed with so many different events and so many different consoles that the more we can drive toward that one view into the security world of the enterprise, I think the better. So opportunities I think are there on the analytic side for pruning, once we get the right tool and console in place.

The next question I have is about cybersecurity in the cloud. If you think about cybersecurity in the cloud, there are a couple of ways to consider it. One is the idea of part of the implementation of services being in the cloud. Companies are dumping data to the cloud, they’re doing processing across all of the implementations in the cloud to make everything smarter, and they’re moving things back to the on-premise system so it can run better. That’s a cloud-enhanced system, but the actual cybersecurity is being provided on premise. What do you think the prospects are for actual on-premise cybersecurity solutions to effectively move more toward the cloud? Do you think that any such migration will take place?

Yes, it’s a great question. I do think that it will take place, but keep in mind the perspective that I have. I have one from a mobile security provider. And so we see a tremendous move just in the last couple of years for enterprises to adopt mobile technology across the workforce. It’s not just the C-suite and the board anymore. It’s everybody in the organization. And, yes, there are a lot of different ownership models that are in place, but we see just a ton of devices that are leaving that trusted perimeter. As these devices leave that perimeter, they are accessing a whole bunch of cloud services, and those cloud services need to be protected. I think one of the interesting things that we need to keep in mind here when we talk about security assets that the company wants to protect, it’s not just the data that’s often at rest in a database. It is the data that is being utilized on a regular basis by the workforce on their laptops that they take out to a coffee shop, on their cell phones that they travel around the world with. And when that data is being pulled out of a data center, whether it is on prem or in the cloud, and it is being consumed by an employee who is remote and outside of that security perimeter, we need a security tool that is going to be able to protect them wherever they are. The only way I see that being able to be delivered in a cost-effective, performant way is with cloud-based services. No corporation that I can think of wants to backhaul every mobile user’s data and bring that through a set of on-prem services, and so I think you do need cloud services to help support that move out of the enterprise.

I have three bonus questions that are all about difficult issues for CISOs. The first one is about operational discipline. How many CISOs do you think would be better off if instead of buying a new solution, they took that money and they increased the automation or their ability to create and configure their environment? How many CISOs would be better off if they shifted money toward operational discipline?

I think all of them. I think that choosing how and when to spend a budget—there’s a process around that. One of the things that I see seriously underrepresented in budgets these days is people. Analysts to actually go through logs and events and understand what the company is already technically seeing through the investments that they’ve made, and/or the compute automation tools to help them proactively assess the events that they are sitting on top of. I think that so many companies do risk assessments once every two to five years. If they simply had the processes in place that allowed them to do that more often—it’s not the new whiz-bang tool that’s going to keep them protected. It’s that visibility into their own deployments that I think will help them turn security into an enabler, if you will, rather than just a reactive kind of tool.

The next question is about cybersecurity culture. We have a lot of people who rightly point out that the people are the perimeter, and that so much of the de facto security of a company comes from having people who are making good decisions when they’re using computers. But it’s not easy to train people and have them maintain the awareness. What have you seen companies do that has been effective to really make cybersecurity education and training part of everyday life, so it becomes something where if somebody sees a bunch of passwords written on a post-it note, it’s not the auditor who gets mad, they say, “You shouldn’t be doing that.” How have you seen this implemented effectively?

I think one of the more effective approaches I’ve seen has been with companies that have hired social engineers to come in and essentially penetrate their way into the company and do a proper two-to-three-hour presentation afterward to the whole company. I think it helps everyone become aware of what the low-hanging fruit often is. Holding the door open for the person behind you so that they don’t have to badge in. Leaving the stickies on the monitor that have passwords on them. Falling victim to a simple phishing attack. I think having the visuals, having that conversation, is the way that’s done most effectively. Not shaming people into feeling that they’ve done something wrong because they have fallen victim to a phishing attack. One of the least effective methods that I’ve seen used with companies around security education has been the phishing trials that they do, where they purposefully phish their employees and essentially force them to go through multiple hours of cybersecurity training if they fall victim. We’ve all fallen victim.

I know a lot of CIOs, CTOs, CISOs who have been essentially strongly encouraged or forced to buy cybersecurity insurance by their CEO or board. Very few of them have confidence that it will actually be a good investment. What arguments can be made by CISOs that cybersecurity insurance, which is a form of insurance that’s new, that’s relatively unstandardized, that tends to have lots of escape hatches to avoid paying a claim—all of these things make it less likely that it’s going to actually provide the protection that’s needed. What would your advice be to a CISO who is trying to argue against it?

I’ve simply heard too many anecdotes from those in the industry who have had the insurance and have had it not pay out. Whether it be for a ransomware attack, and the company wasn’t willing to pony up the money that the company felt needed to get paid, or a data breach that the company actually had to go and spend hard dollars on to clean up after the fact. I think what I’ve seen quite effective with some CISOs have been those that have been able to take their existing security investments, use them to obtain some form of insight into the business—how’s the business performing? What are the new applications that the employees want to use, i.e., where is their shadow IT that we can turn around and enable end users with as a new tool, rather than treating them as if they’re doing something wrong? And use those insights and the reports that get built out of them as something that you can hand in to the board for how you are utilizing the existing cybersecurity investments to improve your overall security posture and the overall health of the business. I think that’s probably a better way to spend the funds that are at hand. Cybersecurity insurance is a good idea on paper, but I haven’t seen it work out well for those that have had to cash in.

When do you think the performance crisis will become real? How can cybersecurity systems be made exponentially faster?

On one hand, I would say that we have probably hit up against a performance crisis now. I see us on the cusp of broad deployment of 5G technology. We already know that mobile data rates are doubling year over year. The number of devices that users have in hand is right now around three, and that’s within the enterprise. As consumerization trends increase, it’s likely going to be more. IoT, especially on manufacturing floors, is just going to make this huge. It’s a massive problem, right? The number of devices that are out there that are generating data at very high speeds and consuming it 24/7. We are at a point now where the traditional approach of security has not been able, or will not be able, to keep up with monitoring all of this traffic. But I think that’s where things start to shift for me. If you look at the problem a little bit differently, we may be in a wait-and-see moment right now. Security used to be about scanning everything. We used to invest in firewalls or secure web gateways that would sit at the perimeter edge, and they would look at every last bit that would go back and forth to the internet. Big data pipe means big firewall, big firewall means you’ve got hardware performance gains from certain big vendors that are needed, but I think that there’s another theme that’s growing here and it’s one of privacy. As we look to mobile devices in particular, where privacy has become a really big theme, where we see separation of the consumer side and the business side of the device, you can’t live in a world where you can scan every last bit anymore. And if we think about this, if we think about this concept of zero trust and distributed policy enforcement and context, using context to help us make informed security decisions, we might be at a place where we can actually make smarter decisions about what we do scan, rather than scanning everything.

Do you think that hardware acceleration is going to be a big part of what makes this work?

There’s no question. As you look further out toward the edge of the network, hardware acceleration and any form of optimization, whether it’s in software or hardware, is going to be very, very important. I think as we work our way closer in to the users, the applications that are being accessed, there’s an opportunity to make smarter decisions at those different enforcement points.