People tend to trust too much, and that’s especially true when it comes to security. TechRepublic’s Dan Patterson spoke with Centrify chief product officer Bill Mann to discuss why companies need to adopt a zero trust model if they want to protect against today’s cyberthreats. Below is a transcript of the interview.

Patterson: As the cybersecurity landscape changes, as new threats evolve and emerge, companies need to do a lot to stay on the bleeding edge. One of the things companies need to do is forget trust. For TechRepublic and ZDNet, I’m Dan Patterson, with Bill Mann. He is the chief product officer at Centrify.

Bill, thanks a lot for your time today. I wonder if we could start with the zero trust model. That sounds a little counterintuitive, but I wonder if you could bring us in. Help us understand what zero trust means, and how this keeps organizations secure in the future.

Mann:Hi Dan, thanks for the time. Yeah, it does sound odd, the zero trust model, because we all think about trust and trust is so important for all of us. And just the name of this thing kind of is an oxymoron in terms of making sure people understand what it is.

But let me explain what zero trust is in very simple terms. We inherently trust too much in our environment and our inclination to trust too many things has really led to us relying upon forms of security which are really not helping us in the new world order. Think of it in the old world order, you had a firewall which was a perimeter. We used to trust that the firewall was going to keep the bad guys out, but the reality is that the bad guys are already in our environment. Also, the reality is that we’ve got a lot of mobile workers and outsourced IT and we’re using stats and infrastructure as a service so a danger is also not residing within the walls that the firewalls were previously protecting.

So that model has got to change. And going back to the word trust, we cannot trust a firewall anymore, and we’ve got to now really think of a world where we can’t trust these elements of security and we’ve go to go to a model where we explicitly trust things. So instead of implicitly trusting, we’ve got to go to explicitly trusting.

Let me give you a kind of a funny example, but it may help the audience. When you’re at home and you’re sleeping in bed, you inherently trust your environment because the front door’s locked, the windows are locked, and so forth. But just imagine now that the windows were open and the doors were open. How would you think about security at home? And I’d like to think that we’d probably put a lock on our bedroom door, right? And that’s kind of the mindset that the IT professional has to think about now as well. Instead of relying on that firewall, which I’m not saying get rid of the firewall, but instead of relying on that firewall, we have to start explicitly trusting things within our environment.

So, having explained what zero trust is, I can walk you through kind of the major elements of zero trust. But let me hand it over to you.

Patterson: Yeah, in fact I’d love to hear the elements of zero trust, and coupled with, we’ll get to in just a moment, but coupled with how this sounds great on paper, but how we can get organizations at large scale and large scale organizations, like enterprise companies, to institute something that is kind of fundamentally different than how we have practiced cyber in the past.

Mann:Sure. So let me first walk you through the key components of zero trust. So the first component of zero trust is knowing the user, really understanding who the user is in your environment. And as you know, we typically understand users today by their username and password, which is a really primitive way of understanding who a user is. What we really need to implement within our environment is better ways of understanding who that user is. Technology is like multi-factor authentication. It can help us understand who this particular person is coming into the environment. So that’s the first element of zero trust, understanding the user. All about identity.

The second element is knowing their device that they’re using to connect into the network. So typically we use one of these things to access our network. So it’s coupling knowing the user and knowing their device. So when I say know their device, understand the security posture of their device. So if you’re using a mobile phone, let’s make sure it belongs to Bill. Let’s make sure it hasn’t got any kind of vulnerabilities on it. If you’re using a Windows machine, let’s make sure it hasn’t got a virus on it.

So fundamentally it’s about making sure that that end point that’s used to connect in to your environment is got a certain amount of security posture, and it’s worthy within the environment. So that’s the second element. First one, knowing the user, second, knowing the device.

The third element is once the person has access to something, let’s say this person Bill has access to, or let’s say this person Jane has access to a Unix machine running on AWS, let’s make sure that there’s least amount of access and privilege on that said resource. So if Bill’s a salesperson and he’s just a salesperson, that he’s not a regional manager, he should not be able to see everything within Salesforce. Similarly, if Jane is an IT developer and she only has scope to do management for Oracle, she should only be able to do management for Oracle. She should not be able to log in to a route account and make other changes and so forth.

But it’s a very simple concept. It’s a concept that most security professionals understand from, kind of, like from university courses, the concept of least privilege. Giving people the least amount of access to do their job.

And then lastly is learning from all these three elements – the user, the device, the least privilege, and adapting your policies. So it’s a constant learning and adapting, changing the policies. For instance, if Jane never executes certain commands on a Unix machine, let’s dial down the policies so she can never run them. If Bill never accesses certain reports on, let’s dial them down as well. So it’s really a concept of least privilege. And going back to trust, that’s what you need to have in an environment because the world we’re living in today, as we all know, is very heterogeneous, it’s very cloud, it’s very mobile, and the only way to have some semblance of security and trust, right, is to start making these kind of shifts in organizations.

Now, the second question was how do organizations shift to this model. So unfortunately, a lot of organizations are spending a lot of their IT security dollars on classic security technologies, you know, firewalls, anti-virus, intrusion detection, et cetera, vulnerability management, and so forth. But if you look at all the data out there, Verizon breach report states that 80% of most breaches are due to compromised credentials. In other words, like stealing our passwords to log in to an environment and then steal information and so forth.

SEE: Cyberwar and the Future of Cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

So the fundamental first part of what I talked about was knowing the user, was implementing controls around the user. And a lot of large organizations understand this problem, but have not really implemented it throughout their whole organization. And a lot of mid-size companies are still grappling with just simple passwords. So that’s the first thing I would recommend everybody needs to do within their organization is implement least privilege. And then secondly, implement the least privilege model where you really limit access and privilege within the environment.

Patterson: Bill Mann is the chief product officer at Centrify. Bill, thanks for your time today. I wonder if you could leave us with some advice. As we look into the 2018 threat landscape, there’s a lot of shifting sand. How should companies, whether they’re SMBs or enterprise companies, prepare for threats that may not exist yet, or they could be underprepared for?

Mann: Security is a complicated landscape, and trying to answer the question of what to prepare for, which we don’t even know about, is even more difficult. I mean, just look at the news over the last couple of weeks about the microprocessor threat.

So I think the only pragmatic approach that organizations really need to apply today is to follow the zero trust model. It’s a very prescriptive model. It’s based upon real data in the marketplace, from companies like Verizon and others which are really assessing a lot of vulnerabilities and a lot of breaches, and are fundamentally coming down and trying to say to the industry that they need to focus on the identity problem. So I think that if I was a security professional out there, I would look at my budget for 2018 and I would start allocating more of my IT investment dollars towards identity and identity-based security, and making that shift as soon as possible this year is probably the best advice I can give to anybody.

Also see