Implementing Zero Trust

Thirty years ago, I needed a Russian alphabet for Unix troff (yea, I know – but please don’t ask). Online search tools didn’t exist back then, so finding a workable package was tougher than you’d expect. After some poking around, I managed to locate a colleague at Bell Labs – Eric Grosse – who had what I needed. He possessed a library of Cyrillic glyphs that could be easily mapped to our troff text input. It worked perfectly for our stealthy project.

Twenty years later, I needed a case study for a concept I was describing called “rings around things” (yea, I know – dumb phrase). We had Google search by then, so you’d think that finding workable examples would be easy, but it wasn’t. After some poking around, I managed to bump into Eric Grosse (yea, the same guy) at a meeting in DC. He was the head of cyber security at Google, and he pointed me to what I needed. It was called BeyondCorp.

By now, you have probably heard of Google’s security project in the context of that misleading moniker called Zero Trust. Coined at Forrester, this weird slogan seems to state the exact opposite of what it means. That is, when an organization adopts a Zero Trust methodology, their hosted workloads demand full verification before communicating. I think a better name would have been Maximal Trust, but no one at Forrester asked for my opinion.

Anyway, I had the great pleasure to spend time earlier this month with my new friend Katie Teitler. Katie works for a creative new start-up called Edgewise, and our original connection involved our mutual interest in security content development. After setting up some time to talk, Katie began taking me through the specifics of the Edgewise offering, and I started to get seriously excited about what I was hearing. Let me share what I learned:

“Edgewise provides a solution for organizations that wish to implement zero trust,” she explained. “We do this with offerings that support the methodical, step-by-step transition of enterprise applications to cloud-hosted workloads. The key security control in this process is that Edgewise uses identity to ensure that only software which can be verified by its attributes can communicate with hosted apps – hence, a Zero Trust framework.”

I asked Katie about how all this worked and she explained that Edgewise is a dynamically loadable kernel module that sits in line with calls from applications into the kernel network stack. This module is designed to collect data directly from the kernel. “This embedded security approach,” she said, “allows us to not have to rely on weaker firewall technology such as iptables or a Windows firewall.”

She explained further that Edgewise validates software using a fingerprint for applications, which is based on approximately thirty different attributes such as the SHA-256 hash, file path, UUID of the underlying BIOS, serial number of the CPU, and on and on. “Because this fingerprint is application focused rather than location focused, security protections travel with the application and are independent of environment or network constructs,” she said. “Policies automatically adapt to cloud, container, or on-premises data center environments.”

Perhaps the most valuable aspect of our conversation involved Katie’s sensible explanation of the steps followed by Edgewise customers to transition securely to cloud – and the company has solutions for each step. The first step involves a data flow mapping for any applications being transitioned to Zero Trust. This provides a communication profile for establishing policy rules upon re-hosting to a virtualized cloud or on-premises environment.

The second step involves support for the cloud migration, where the critical control involves constraining communications to Zero Trust apps by software that has been specifically designated as acceptable from the data flow mapping. The control implementation then ensures that only verified software can gain access, and this results in a highly secure and greatly simplified security policy environment.

Subsequent steps support compliance obligations, micro-segmentation in virtual cloud environments, and even support for emerging DevSecOps lifecycle processes. The Edgewise solution seems perfectly suited, in my opinion, to the needs of the modern organization operating in a hybrid cloud environment. Transition to Zero Trust using Edgewise seems more feasible than I’ve previously seen with any other platform.
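To make the idea behind the fingerprint and the first two steps concrete, here is a small illustrative example I put together; it is not Edgewise code and it knows nothing about how their kernel module actually works. It assumes a handful of the attributes Katie listed (binary hash, path, BIOS UUID, CPU serial) with constructed sample values, derives an application identity from them, turns observed data flows into an allowlist keyed by that identity, and then shows that a binary with the same path and same source IP but a different hash is refused.

```python
"""Illustrative identity-based (not IP-based) allowlisting. All attribute
values, service names and flows below are constructed sample data."""
import hashlib
import json

# Attributes that identify the workload binary rather than its network location.
# The source IP is deliberately not part of the identity.
FINGERPRINT_ATTRS = ("binary_sha256", "path", "bios_uuid", "cpu_serial")

def app_fingerprint(attrs):
    """Derive a stable identity from the chosen attributes.

    Canonical JSON keeps the result independent of dict ordering; any change
    to the binary hash, path or host identifiers yields a new fingerprint.
    """
    subset = {k: attrs[k] for k in FINGERPRINT_ATTRS}
    canon = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def build_policy(observed_flows):
    """Step 1, data flow mapping: turn observed (app attrs, destination,
    port) tuples into an allowlist keyed by application identity."""
    return {(app_fingerprint(a), dst, port) for a, dst, port in observed_flows}

def is_allowed(policy, attrs, dst, port):
    """Step 2, enforcement: permit a connection only if this software identity
    was seen talking to this destination and port during mapping."""
    return (app_fingerprint(attrs), dst, port) in policy

# Constructed sample: what mapping observed from the legitimate web tier.
WEB_APP = {"binary_sha256": "9f2c-constructed-sample-hash", "path": "/opt/shop/web",
           "bios_uuid": "11111111-2222-3333-4444-555555555555",
           "cpu_serial": "CPU-SAMPLE-0001", "src_ip": "10.0.1.10"}
OBSERVED = [(WEB_APP, "orders-db", 5432), (WEB_APP, "cache", 6379)]
POLICY = build_policy(OBSERVED)

# Same path and same source IP, but a different binary hash (unknown build):
# the location matches the mapping, the identity does not.
TAMPERED = dict(WEB_APP, binary_sha256="deadbeef-constructed-sample-hash")

if __name__ == "__main__":
    print(is_allowed(POLICY, WEB_APP, "orders-db", 5432))   # True
    print(is_allowed(POLICY, WEB_APP, "orders-db", 3306))   # False: port never mapped
    print(is_allowed(POLICY, TAMPERED, "orders-db", 5432))  # False: identity changed
```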

Obviously, migrating to Zero Trust is easier said than done – even with the fine support from the Edgewise team. Existing audits can be invalidated, existing workflow can be disrupted, and existing politics within an organization can be strained. Anyone expecting a lay-up will be severely disappointed: Transitioning to Zero Trust will require the type of attention commensurate with projects such as the Y2K Change two decades ago.

But if you are serious about wanting to obtain the benefits of Zero Trust, especially in the context of transition to public cloud hosted processing, then you’d be wise to be in touch with the fine team at Edgewise. Ask Katie Teitler to take you through the company’s methodology. I suspect you will find it much easier to follow than trying to awkwardly push Russian characters through an old Unix system.

As usual, let us all know what you learn.