The Art & Science of Product UX and Design

Barry Gleeson:
I don't think our organizations can just say I'm going to turn on Zero Trust tomorrow and see what happens. But one of the biggest requirements is going to be to analyze the existing traffic and compare that to a proposed Zero Trust policy implementation. I think what's going to be interesting is how much inefficiency diesel at it's actually on earth.

Jason Dover:
Today's IT landscape is more complex than ever. And the traditional secure perimeter of the network has effectively evaporated in trends such as BYOD and IOT, means that unmanaged devices have to be given a measure of limited trust in terms of accessing critical application resources and services. But with the cacophony of security offerings available, how do you actually approach the security of your application ecosystem in this new paradigm in 2021 and beyond. Enter Zero Trust, a model that involves assuming every entity attempting to connect to your environment is a potential threat actor. Instrumenting granular access control, application-level micro-segmentation and a least privileged access model.
Sounds complicated. Where do you start? How do you begin adopting these principles and what are the options available to simplify it? These are the topics that we will discuss today on the Application Experience Insights Podcast. I'm joined today by Kurt Yung. He's fabled to be able to leap a 100 story building in a single bound and stop a speeding bullet with his teeth. We also have Barry Gleeson who reportedly has run so fast on his morning jog today that he was able to reverse the spin of the earth a few times. Kurt, Barry, why don't you guys introduce yourselves?

Kurt Yung:
Yeah. Hi, Kurt Yung here, Senior Product Strategy Manager at Kemp. I've been in the industry for about 20 years now. So I spent a lot of my career as a consultant prior to coming to Kemp. So had the opportunity to work in a lot of different environments and was able to really learn and experience a lot of different things.

Barry Gleeson:
Barry here. So I'm a product manager here in Kemp, similar to Kurt, I have around 20 years industry experience working in a technical training, tests, engineering, solution architecture, network operations, customer support, software development. So I've kind of spared quite a few areas.

Jason Dover:
You guys have seen and done it all. And that's why you're here today. Looking forward to hopping into our discussion on security and specifically an emerging model that's getting more popular within customer ecosystems, that of Zero Trust. Maybe let's just first start by setting framework here. What are some of the challenges that customers are facing from a security perspective when it comes to modern application ecosystem? Why are we seeing the requirement for a new or different models to address security in modern ecosystems?

Barry Gleeson:
I mean, network and application security is around a long time. I think it's been front and center of all IT operations over the years. I think over time, the main challenge was keeping ahead of the sophistication of threats and so on. But I think the challenge, it's kind of changed recently, where what we've seen is almost like a different playing field, because if you think about how particularly the corporate networks have evolved. I remember you'd be assigned a workstation, you'd access internal systems and so on. You typically would have to request to be able to access the internet.
Your traffic was within your corporation. There generally, wasn't a massive amount of, apart from maybe information retrieval and so on, use for traffic exiting. But that's completely flipped. I mean, if you think about it over the years you started opening up internet. Then, if you think about remote access, perhaps you've users who want to be able to access corporate network from home through VPNs. So in terms of location, has changed, but then on top of that you have the actual device. And then now recently, throw cloud and SAS into that. If you think about us, you have a corporation that have decided to adopt software as a service, cloud services, but all of this still has to be secured.

Jason Dover:
It sounds like really the potential attack surface has widened quite a bit.

Kurt Yung:
Also, if you think about back in the day, it was kind of assumed if your perimeter was secure, that everything was fine. The bad guys were outside. And now, as Barry just kind of laid out a lot of different ways things have changed, that's just not the case anymore. That stuff is outside. Now, you really have to worry about what's inside the network and what's going on there as well.

Jason Dover:
These trends we've seen them start to drive towards this movement towards a Zero Trust model or the implementation of ZTNA. Let's talk for a second about that. Can you guys describe a bit of the concepts and principles that are associated with a Zero Trust model?

Kurt Yung:
Early in my career, I worked at an app dev shop where we did a lot of development for different customers. And we did some hosting there as well. One point, we had some external facing applications and we got hacked. We addressed the situation and once we got the site back up and working, we went on our way and there was just never really thought about it again. These days, that's not the case, right? I mean, if someone does compromise a system, what else have they done? Where else have they gone? So you have this concept of lateral movement. So if someone were to compromise the system, they have the ability to move throughout the network internally, right? This is where things get scary. You have a lot of different endpoints in the network that need to be locked down.

Barry Gleeson:
As you say, it's almost like into the past, it was considered, "Oh, we're under attack. We've closed that hole. So now everything's safe again." If you look at some of the recent security threats, a lot of them have simply been able to circumvent the system and being able to write a file. That file could be put into a directory that gets executed on start up, for example. A server may be compromised and it may be months later before that server boots up and that script executes and suddenly there's an entry point into the network that hackers can use. It's almost like the view to treats is completely changed.

Jason Dover:
Now with most models, a client or an entity attempting to connect to the applications or services. You get identified as to where that service exists. You attempt to connect to it, and then potentially you're challenged with some sort of authentication to validate who you say you are. How does a Zero Trust model maybe take that traditional approach and augment it.

Kurt Yung:
Even if I go to the motor vehicle here in New Jersey, I have to provide all these different forms of identification. It's called six points, right? So I have a passport that's worth three points. I have a birth certificate that's worth three points. And then I could bring my electric bill, which is worth one point. So having this multi-factor effect here, where I need to bring multiple forms to identify that I am who I say I am, and I'm authorized to access the application. Operations, we're a little bit slow to start tying this across the board and making everything multi-factor, even within my banking and things like that, all of that's multi-factor now where I need to provide these multiple forms of authentication to access the system.

Barry Gleeson:
If you think of multi-factor, potentially, I have accessed the system, I'm able to access particular files, but then I do something that's maybe a little bit more risky. And rather than just saying, "Okay, either that guy's allowed to that or isn't allowed to that, MFA can be pulled into that as a way of putting another prompt in front of your user to say, "You're doing something a little bit high-privilege here, please provide some extra proof," and so on.

Kurt Yung:
Yeah. I mean, there's that kind of that continuous verification that you're talking about where no longer logging in once, and then having that pass through single sign-on access to all the applications. It's constantly being challenged to access these systems, and you're not assuming-

Jason Dover:
Well, that's an interesting concept because if you take the illustration, the word picture that you just mentioned there a moment ago of going to the motor vehicle, which of course we all love doing and relish every opportunity we get to. But if you take that, you validate who you are today for some form of identification, license, et cetera. When you come back to renew or at some other point, granted it's years in between, but you have to do re-verification. So it only makes sense when you think about applying a Zero Trust model, that there should be some continuous verification that comes into play there as well, just because you've authenticated, you've provided a cookie, you've provided some level of credentials. And perhaps my policy is to allow connectivity for some period of time, an hour, two hours, eight hours. I shouldn't assume that for that entire period of time, you're trusted, right?
I mean, when, when you think about Zero Trust as a whole, it shouldn't really be about granting trust. You shouldn't trust things that are trying to actually access your environment of which you have no control over. It's really about facilitating the least amount of privileged access required to get a specific function done. So that continuous verification point is certainly a salient one. Now you mentioned something interesting, just a few moments ago about this idea of lateral movement. We often hear the concept of segmentation, whether it's micro-segmentation, network segmentation, application segmentation, and that concept oftentimes gets associated with Zero Trust. Can you maybe just add a bit of color and context around that as well? How does Zero Trust help you to create secure segments or secure zones within your ecosystem?

Kurt Yung:
To really try to make it as difficult as possible for these bad actors should they gain access to a system in your environment to move throughout the environment, right? So this segmentation of these different networks, and again, you can have a hybrid environment or multicloud environment and things like that. It's really trying to limit or restrict and only providing necessary communications between these segments to occur and nothing else again. So you're not kind of just a wide open, full routing kind of network environment. You can't get back to those days anymore.

Jason Dover:
So it's effectively these micro-segments that you wind up getting created, it's really defining a boundary for specific users, specific device, potentially specific session. That's time-bound where you're deciding whether or not access should be granted based on some potential set of parameters. And so if a bad actor were to penetrate the perimeter, well, it's effectively as if they're just in a locked door or a corridor and it can't get into any of the other doors. That's kind of how I see it, as a picture perspective in terms of how these application level micro-segments help to protect your environment. So you can see why that's an attractive model because you do need to have the flexibility for communication between applications, services, and users.
And to your point, you don't want to restrict it so much that it gets into the way of productivity, but equally with environments now extending further where the actual edge or the actual perimeter is a bit fuzzy. The lines a little bit gray now, you need a better model. So it makes a lot of sense as to why people are adopting this approach. Now just building on that, maybe let's talk a bit about the architecture. What does an environment look like whereby someone is adopting the principles of Zero Trust? What are the building blocks that need to be in place in order for you to be able to make a claim towards Zero Trust and start to actually move in this direction?

Kurt Yung:
There are going to be some things that are going to be common across all organizations. As we're talking about the perimeter, there needs to be some sort of a gateway into the environment for these external contractors and resources being able to access the environment. It's not a one size fits all, but you need to have some sort of a policy engine that will help define the security of an environment, and then you need the enforcement point. And to tie this all together, you need to have some kind of identity management system, which will be able to identify person, the device that they may be coming from. Whether it be a PC that's on a domain, a PC that's off the domain, or mobile devices, or IoT. All of these things need to be identified so you can set and define these policies for them.

Barry Gleeson:
And I think the continuous verification is going to be a big step in terms of jumping from a, "Hey, you've given me a username and password you're allowed in," to more of a, "Every action you take is going to be monitored." You have network detection and response software looking at what's happening on your network. But down on top of that, you would have potentially vendors that have information across multiple organizations or potential threat actors and IP reputation lists, and specific patterns of attack and so on. And that's going to be key to applying this successfully.

Jason Dover:
So now, once you have this architecture in place, maybe let's dive to the next level of depth. How does this actually work? How are decisions made once you instrument this architecture and get everything all connected up?

Kurt Yung:
Really all starts with the policy that you're building. There's a lot of information in Layer 7 traffic that we're able to see and we need to take advantage of this information. Being able to identify who someone is. And then also within that traffic, we're able to identify where they're coming from and what they're looking to access obviously. The idea of understanding this kind of who, what, where, even when. When they have permission to access this based on that information. Give them access to a given application or service or something like that. So that's really key to this whole equation here of this architecture. It's really all baked into this policy.

Jason Dover:
So it sounds like very strong feedback loops are needed within the system for this actually to all work. Between the client or the entity attempting to connect, whether it's a device or an actual user, the policy, the system actually doing the processing, and the backend application. So it certainly takes some skill and thought in instrumenting. This actually raises another question. Many of the solutions that we're seeing on the market today focused on Zero Trust are cloud-based. The question I have, is the cloud the only way to start bringing in a Zero Trust model into an application ecosystem?

Barry Gleeson:
There's some very strong offerings with cloud-based solutions and they will suit some organizations. But on the flip side of that, there'll be some organizations who really need to keep their data onsite. There's implications for cost. Some of these models may not suit custom applications that specific organizations use. For example, a lot of them are very much web focused and don't suit applications that require using Secure Shell, or whether that be checking in code, or whether that be some custom app that you're using. So I think saying that it requires a full organization shift to cloud, I don't think that's true.
While Zero Trust is very much an organizational view of things and will require not just IT departments to move, it will almost require whole organizations to change how they look at their systems. I still think that it's something that doesn't have to be done in one swoop. A starting off point could be just analyzing why users access what endpoints or what endpoints need to be published. And if you ask a lot of app or IT administrators you'll find out that information isn't always very, very clear. So even simple things like that will get people on the road to this type of Zero Trust model with drafts.

Jason Dover:
What's the alternative then if I don't start consuming one of the cloud-based Zero Trust offerings, but I have a mandate from office of the CIO to start moving in this direction? What are the options that are actually available to me?

Barry Gleeson:
There's quite a few alternatives and organizations have some options here that they may not see right in front of them. If we think about some of the components like policy control, a good step might be to look at your identity providers and maybe having a single central identity provider that manages access to all your cloud apps, all your SAS, all your on-prem apps. Once you have that in place, then the next thing could be to look at what devices or what technology you already have in your network that can feed into a Zero Trust model. Things like Layer 7 devices can look at URLs and apply extra MFA for specific access to specific parts of an application. Maybe some network text and response software that's going to identify rogue flows and so on. So there's a lot of the existing infrastructure that can be applied here and will help for a number of use case.

Jason Dover:
What are some of those use cases? We think we've got a pretty good foundation now what Zero Trust is about, the primary principles, what the architecture looks like, and the fact that you can start on your journey without going all in on a full cloud solution. There's ways to leverage your existing network ecosystem to start to bring in the principles of Zero Trust. Now we've got that set up. Let's talk a bit about the use cases. Let's expand.

Kurt Yung:
VPN was the solution for any remote workers, remote access that you needed into the environment, but lateral movement. Being able to lock it down, but still to get access to these applications that you're trying to publish. The bad actors have much more flexibility to move around the environment using VPN because you're not giving them access just to one system. And then a lot of organizations said, "Well, let's go to a VDI solution." Well, the VDI, again, that solved a lot of remote access challenges, but a lot of apps just aren't ideal for VDI. So you really need to look at that as well. I think that's one area where you might want to think about taking those applications that need external access, pushing them more towards the edge and putting a Zero Trust model around them to set some policies based on the who, what, where we were talking about before. Another use case that we're seeing more and more around is object storage.
Many organizations are running this on-prem as well as their services in the cloud. Just the volume of data that we're talking about and the volume of applications and services that are accessing this data. There needs to be some control around this. So being able to identify what applications need access and what kind of access. Should they do reads and writes, or just be able to do reads for certain buckets as it is in object storage.

Jason Dover:
That's interesting. We certainly have seen the increase specifically of object storage as a model being adopted by customers because of getting used to that approach of writing applications and having an access to storage ecosystem in cloud or public cloud, I should say, that's now being adopted more in private cloud and with the increase of flash-based storage, higher throughputs, we're even seeing object storage, being leveraged for application development and just traditional primary storage use cases. Can you dive in a bit deeper on that specific use case in terms of how a Zero Trust model can help provide some control, some security when it comes to applications accessing the storage ecosystem?

Kurt Yung:
A lot of organizations that are leveraging object storage, they're setting up their environments. They may have kind of this concept of security zones, applications that are accessing the storage from different security zones. There could be the highest security zone, which has your business critical applications. You may have some systems that are running in a less secure zone, which also have access to these buckets as we were talking about before. So this idea that some systems that are in this lower security zone could write some malicious content to these buckets and then the applications that are running in the highest security zone, pull that data into their network. The highest security zone in the environment is now compromised. These are definitely things that organizations are looking at because just with the amount of applications that are accessing it, not every application gets the same level of treatment.

Jason Dover:
It's certainly good to see a real life use case of how Zero Trust is getting applied to applications and services. Now, Barry, when we were talking, I know that we spoke about the concept of Zero Trust for certain types of development use cases as well, accessing SBN as an example, using SSH for connecting to build servers and the like, and some of the deficiencies that exist with today's approaches. Can you expand on that a little bit?

Barry Gleeson:
A lot of the solutions for Zero Trust currently are very much focused on around web applications, which in most cases is maybe most of the apps we access does obviously move away from VDI. I feel there's a bit of a a lack of answers to the problems of maybe developers or IT administrators who need to SSH into a device or check in code and so on. And I think a lot of the protocols that are used, they're somewhat clunky and we've all come across this, particularly in IT when something isn't easy to use, people will find an easier way. And sometimes that could be creating a reverse SSH tunnel or creating some automechanism that I can access this server. I can check in code using a mechanism that I really shouldn't be. That's an existing problem that's still is yet to be solved.

Jason Dover:
So there's where the opportunity is for some innovation it looks like, which leads us to the next question, which is what does the future look like? We certainly are seeing a lot of buzz as we talk to customers and look at the industry around Zero Trust and related solutions, helping customers to protect, not just the edge, but what's going on inside of the application network as well. How do you think this is going to evolve over the coming years as threats continue to evolve. And as the working models that we have with inside of ecosystems change, how will Zero Trust come along on the journey or perhaps lead the journey?

Barry Gleeson:
One thing I will definitely see over the next few years, that'll be effected by this is how applications are developed. Previously, a lot of apps were broken down with functionality rather than by privilege and where that is problematic is if you want to open up a specific part of an app. An example in the past would have been previous versions of exchange, where you had the exchange control panel, which could be used for kind of adding any stuff, like setting your out-of-office and stuff like that. But also for an administrator to delete a mailbox, goes to a very, very similar functional activities, but from a security point of view they're very, very different. So I think the way applications are developed will be very different. We'll see microservices coming into it.

Kurt Yung:
Another area that we'll see more and more focused on is around identifying interesting or suspicious user behavior. And you could have a user that typically access the systems from New York and then 15, 10 minutes later then they're accessing it from Limerick, where you're sitting. Things like that, that's a behavior that's unusual, so those kind of systems are available today, but I think there's going to be a lot more innovation to identify this stuff moving forward as well. I think this is going to be a big piece of it because the sooner we can identify this interesting behavior, I think the sooner we'll be able to address it.

Jason Dover:
What about TLS 1.3? How is this going to impact this TLS 1.3 and beyond really, which we know prevents some of the man-in-the-middle techniques that certain Layer 7 products leverage today to really get a deeper understanding on what's going on in network communications and flows. If and when this becomes more widely adopted, how will Zero Trust work, since it requires being able to see things at depth at Layer 7.

Kurt Yung:
Yeah, Jason. With TLS 1.3, the advancements that were made to prevent man-in-the-middle attacks, things like that. Layer 7 services will have to develop some new detection methods to help get the insight we need to understand what's going on and whether or not any interesting or suspicious activities happening within these traffic flows is going to be something that will need to be addressed moving forward, 1.3, 1.4 and beyond

Barry Gleeson:
Another thing that's going to come out with this, the auditing that will be required for implementing Zero Trust. I don't think our organizations can just say, "I'm going to turn on Zero Trust tomorrow and see what happens." One of the biggest requirements is going to be to analyze the existing traffic and compare that to a proposed Zero Trust policy implementation. And let's see how much of just traffic would have been blocked if we turned this on. I think what's going to be interesting is how much inefficiency these audits actually unearth, much more eyes on how people are accessing apps, what part of the apps they're accessing, from what devices, in what way. That auditing going to have a positive impact on how applications are delivered to customers.

Jason Dover:
This was a great discussion guys. A Zero Trust certainly is an exciting space. It covers a wide range of use cases and can certainly help customers secure their environment with the modern challenges that are facing organizations today. It's certainly something that at least should be considered as a tool in the toolkit of security administrators. On that point, as we wrap up, what's your key takeaways for customers who are starting to consider bringing a Zero Trust model into their ecosystem.

Kurt Yung:
I would say there's no better time to start than now. Do an inventory, a discovery of all the systems, services, and the applications that are within the environment and start kind of implementing some of these practices we talked about today. That's something I would put very high on the list.

Barry Gleeson:
Take a look at what existing infrastructure you currently have. Okay. You might be able to roll out a full Zero Trust architecture end-to-end, but I think there's a lot of aspects that you may actually be able to apply today, whether that be a more granular policy control, whether that be systems that can monitor the traffic and perhaps be implemented for some kind of trust model. I think people should look at what they have currently, and that will prepare them even more rather than thinking this is some big project that I'm going to do in a couple of years where we rebuild our whole network.

Jason Dover:
Sounds like a great place to end it and great advice indeed, start small and see how you can expand. Guys, I really enjoyed the conversation today. I think this is a topic we'll probably be spending a lot of time on over the upcoming years. Thanks a lot, and look forward to our next discussion.

Barry Gleeson:
Thanks, Jason.

Kurt Yung:
Great. Thanks.