At Forrester Research Inc.'s Security Forum 2010 in Boston, Andrew Jaquith, senior analyst with Forrester, spoke with SearchSecurity.com about the research firm's Zero Trust Model for endpoint security management.
Jaquith tells why no enterprise endpoint should be trusted, details the five design patterns for securing data on untrusted endpoints, and explains why it doesn't necessarily cost a lot of money to implement the Zero Trust Model.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Jaquith on Forrester's endpoint security management Zero Trust Model
Eric Parizo: Andrew Jaquith, Senior Analyst, Forrester Research. Thank you so
much for your time today.
Andrew Jaquith: Pleasure. Thanks for having me.
Eric Parizo: First question for you. In a recent article on SearchSecurity.com,
you made the case that enterprises shouldn't trust any endpoints. Why is
Andrew Jaquith: Well, endpoint services are inherently suspicious, they're tricky,
but more importantly, they're also owned by people that may or may not be
part of your employ. One of the things that we see as a future trend is
that employees are very interested in using bring-your-own PC programs or
the use of personally owned iPads, for example and this makes it a little
more difficult for enterprises to really have some assurance that the
device it's on, the network is actually theirs. I think it's historically
true that when it comes to the PC form factor, you tend to manage these
almost in the same way that a rental car fleet manages its rental cars.
They're all the same, you image them, you apply the same management
controls to them. When they're infected, you can simply just take your
goal and master out and change them; but when you're looking at the
emergence of some of these new connected devices, iPad would be a great
case in point, potential laptop replacement for many companies may or may
not be owned by the firm and so the key thing that we recommend is that
if you want to future proof your investments, then you need to sever the link
between ownership and control. You can still exercise control over the
endpoint, without necessarily having to own it. So that's essentially the
key point around the article that I wrote, and in the article I described
five ways of making that happen. So, if you want, I can recap them.
Eric Parizo: Sure.
Andrew Jaquith: Alright. With that kind of lead in, why don't I go ahead? So, I
call these design patterns, security design patterns. For securing
information on devices that you don't own. And I use these design patterns
deliberately in the same way that if you're an application developer, there
are application design patterns. The gang of four design patterns, for
example, and these have names and everybody who has read the book knows
what it refers to. So, we've presented five and we've tried to name them.
Whether or not they stick, we'll see, but one of them is very well known to
most people, and that's thin client. It's a key security design pattern
where you essentially provide a view port into a server or device that's
processing perhaps sensitive information and all you're really doing is
rendering that on the endpoint device. So that's certainly a key one and
it's one that we think is really dominant for a lot of enterprises that
want to be able to use an Android device or an iPad. Easy enough to just
put up a Citrix or thin client on it. View the information to work with
it and nothing gets stored in the device, so very popular. So, thin client
is one. Thin device is another. And what this means is, using a device
that only stores a limited amount of information and you can exercise
remote kill or wipe over it, so that if it's stolen or left in a cab, then
you have some recourse.
So, all of the smart phones that you can manage as a part of your corporate
environment, the BlackBerry, your iPhone, even some of the newer Android
devices. They're all thin devices in the sense that you can kill them when
they're stolen and you're really not storing that much on it anyway. It's
a fairly thin, limited storage device for really just things like email.
So that's the second one. The third is what I call Protected Process and
what we're talking about here is a hypervisor type of environment where you
can distribute it down to a hostile endpoint and then distribute your image
out to it, allow you to process information in that environment and then,
again, wipe it, kill it, get rid of it. Manage it as you would, recognizing
that the device that it runs in may or may not be owned by you and could be
hostile. So, providing a secure bubble in which that information is still
processed, that's the third one.
The fourth one is what I call Protected Data, and this means rather than
worrying about the endpoint where the environment that it's processed in,
putting in an envelope around the data. So, encryption does this,
enterprise rights management tools do this, but it's wrapping your word
document or excel spreadsheet, your PDF's with a wrapper, that exercises
some control over what their recipient can do with it, whether they can
copy it, forward it, print it, and so forth. That's four. Then the fifth
one is really an accessory pattern that goes with it, and that is Eye in
the Sky. Now you can think of this as data leak prevention. So, where you
may or may not be able to control where it runs, but you know when it
leaves the span of your control. So you know that when it traverses
outside of your enterprise, you can record that. You know what happens, you
can apply appropriate protections, or you can monitor the distribution of
it inside. So all of these things can be used together. And, again, the
goal was not necessarily to break any new ground. I think all of the
technologies are known and understood. But really to put a label to them,
make it easy for enterprises to understand and then more importantly
provide a use-case that says you can use, mix and match these, for exactly
the scenario we're talking about, devices you don't own where you still
want to control the data. So that's it in a nutshell.
Eric Parizo: And these strategies together are what encompass this zero trust
Andrew Jaquith: That's right. That's right, and so this is really a part of a
broader Forrester Research initiative around zero trust. So, my colleague,
John Kindervag, is giving a presentation, today actually, called No more
chewy centers- - Introducing a zero trust network and this is a complement
to the model that I just described. Whereas, if you don't trust the
client, that's certainly step one. Step two is, not necessarily trusting
the network, either. So these two things when you take them together, what
we're really talking about is you're trusting, you're authenticating the
users, and you're trusting and controlling the data. And ultimately that's
really what matters at the end of the day. The devices that are processed
on, they may not matter to you that much. The networks that it passes
over, that shouldn't matter either. Ultimately, at the end of the day, you
really want to secure the information and that is what this is called
Information Security. So it's both these initiatives, zero trust network
and zero trust client, is really about putting the information back in
Eric Parizo: To play devil's advocate with you for a minute, for some
organizations you can certainly say that there might be a significant
technology investment required to go down a number of these roads. Is that
the case and alternatively, can organizations pick and choose the methods
that work for them in order to save money and be effective?
Andrew Jaquith: Yeah, I think you can. You can definitely save money depending on
what your style of investment is. But when you look at what one of the
dominant themes in the client base, for example, it's moving to bring your
own device strategies, moving to employee owned phones, for example. That
actually saves the company tons of money because you're not paying the
capital to buy those devices; and you're probably not even paying the
support. You might be. But that's a cost win right there, but if you
employ some of the methods like thin client, for example, it probably
doesn't cost you much, if anything. You probably have a license to Windows
Terminal Server, you probably a license to Citrix that you can reuse. So,
I think depending on how you want to do it, you can either save money or
spend money depending on your philosophy. I mean there are certain types
of things that you could do. If you go the protected data route and want
to employ ERM if you don't have that already, then certainly that would
cost you some money. But I think it's flexible and the key is to keep the
goal on mind. It's protecting the information with a design goal of not
owning the assets that it's processed on, and using that as a jumping off
point for making these security, buying and deployment decisions.
Eric: Are there any key bullet points, if you will, for getting from Point
A to Point B to a point where an organization maybe today, where it doesn't
have any of these philosophies in place, to where it has several in place?
How do they get started?
Andrew Jaquith: Well, I think part of this is you need to follow where the energy
is. So, I'm a big believer in looking at where the demand really is and
starting there; finding motivated individuals who can help you. A great
case in point would be around the iPad, for example. It's been an inquiry
magnet for me over the last six months, where I'm getting tons of inquiry
about enterprises who want to use it to develop their own apps, they want
to use it as an information access device, and they want to know how
employees are going to work in an environment where many cases it's the
employees owned device. So that's a great example of starting with
something that's hot and then pursing that to its logical conclusion.
If you accept that these devices may not be owned by the enterprise, what
measures do you need to put in place in order to make that strategy real?
So, go ahead, take that, iterate on it, get the data controls to a point
where you're comfortable, and then you can start expanding to the broader
set of endpoints that you already have. So, maybe your PCs, you might
choose to put in a BYOPC program, you might choose to think about the
network side of things as well. I think that would be a first practical
step. I think the second practical step that you could take as well is,
know where the data is. That should be your guide post and if a lot of it's
centrally based, shouldn't be distributing, shouldn't be circulating, then
you can start to put thin client rules in place or a structure whereby you
don't require as much access. I think that when you take a data centric
approach, where it lives, where it's located, where it's supposed to be,
you can ultimately build a strategy around it using that as your guide.
Eric Parizo: And finally, in terms of understanding the zero trust model for our
listeners. Is it safe to say that it really dovetails or complements the
things that [Colin] spoke about this morning? In terms of the maturity
model which is a little bit more strategic, but this is a little bit more
of a tactical approach to support that.
Andrew Jaquith: Well, in a way, yes, I would agree that what I've described here
is somewhat more tactical in the sense that it's really trying to solve one
particular bounded problem around how do you secure information on networks
that might not be yours or devices you don't own. So, somewhat of a
bounded problem. Not that bounded, but more bounded than the broader of
questions of information governance and maturity that Colin was addressing.
Now tomorrow, not to advertise too much, but a little is OK, I'm actually
giving a talk called Moving Information Control which is applying the
Forrester information maturity model to this whole data security topic that
we've been discussing. So there is a more strategic way to look at this
and I'll be talking about that in more detail tomorrow.
Eric Parizo: Andrew Jaquith, Forrester Research, thank you.
Andrew Jaquith: Thank you very much for having me.