Dr. Chase Cunningham and Elliot Volkman explain how to implement Zero Trust in your business

To get some perspective and clarity on what a Zero Trust approach actually entails, Michael “Roo” Fey, Head of User Lifecycle & Growth at 1Password, talked with two Zero Trust experts on the Random but Memorable podcast:

• Dr. Chase Cunningham, the Forrester analyst who popularized the concept of Zero Trust and is the host of the Dr. Zero Trust podcast, and who is now building G2’s Cybersecurity Analyst program.
• Elliot Volkman, a journalist, cybersecurity brand builder, and host of the Adopting Zero Trust podcast.

Read our interview highlights below or listen to the full podcast episode for strategies for how to apply Zero Trust (try it on your kids!) and why these experts say if you embrace Zero Trust, emerging threats like AI won’t keep you up at night.

Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Michael Fey: What is Zero Trust and what is it in the context of cybersecurity?

Chase Cunningham: Zero Trust is a strategy that’s been evolving for quite a long time. It’s about removing trust relationships from within digital systems. It’s that simple.

MF: Lots of security companies advertise themselves as offering Zero Trust solutions, but they all have a slightly different interpretation of what it is and what counts as Zero Trust. Why is that?

CC: I would say that most security companies could help enable a Zero Trust strategy, and they’re not wrong by saying that they could help you decide how to enable the strategic side. But there is no Zero Trust product, and that’s the issue that we run into.

MF: So the concept of Zero Trust is somewhat left up to interpretation. There isn’t a standard that companies can rally around and say, “Yes, it’s this thing” like they can with two-factor authentication?

CC: I wouldn’t call them standards but there’s lots of documentation, publications, and really good guidance on this. There’s been entire books written on the subject.

Elliot Volkman: Yeah, I can agree with that. I think the other piece is about differentiation. Companies want to be recognized and aligned with Zero Trust. Ultimately it can be down to semantics like, “Yeah, we align with Zero Trust,” instead of, “We offer this Zero Trust solution.”

We recently did an episode on my podcast with the head of enterprise security over at Canva. He’s been doing MVP (minimum viable product) approaches for Zero Trust for forever. Today, he feels like there are now solutions that you can actually buy to align with Zero Trus, but ultimately there is nothing you can just plug into your system and say, “Yeah, now I’ve got Zero Trust.”

That’s kind of the issue of the semantics of the equation.

MF: To recap, Zero Trust is a model that you can adopt within your infrastructure, but it’s also not this overarching thing?

CC: That’s a good way to think about it. I always tell folks that I don’t even think about cybersecurity any more from a defensive posture. I think about it from whether what I do is valuable in the context of removing the bad guys' capability to be continuously successful. I know that I’m going to get compromised. I know that there’s a reality around breach. I know that there is no perfect solution.

“What I can do is put tools, technologies, and strategy in place that make it so that I’m not a soft target for an adversary."

But what I can do is put tools, technologies, and strategy in place that make it so that I’m not a soft target for an adversary. They’ll realize it’s not worth their time and go somewhere else.

MF: What are the fundamental principles behind the Zero Trust security model? And how does it differ from traditional security approaches?

CC: You need to think about Zero Trust from the perspective of: What would you need as an adversary to be successful inside of a system? You need trust relationships. You need access. You need machines that talk to one another freely. You need shared tokens. You need people to use bad passwords. With Zero Trust, if you figure out how to remove those things or at least make sure they’re not the low-hanging fruit, you’re doing it right.

“As long as you remove the easy stuff for the bad guy, you’re doing it."

This is 100% about an organization selecting what works and what matters for them. That’s why some of us have been so adamant about not coming up with a kind of prescriptive line item, or whatever you call it. Because then everybody will gravitate to “We have to do X or we’re not Zero Trust.” Like no, you can do Zero Trust. It’s just how you do it for you that works. As long as you remove the easy stuff for the bad guy, you’re doing it.

MF: We’ve been speaking in a lot of generalities around Zero Trust. Can you give some examples of a Zero Trust model that may exist in an archetypical workplace somewhere?

CC: If you remember, Google got kind of curb stomped with Operation Aurora back in the day (2010). When it happened, they realized that they had some pretty glaring flaws in their overarching security posture and strategy. I’ve talked with the folks that actually did this work and who led everything. They took a step back and said, “Okay, ZT makes a lot of sense. How can we align to Zero Trust? But we’re not going to call it Zero Trust.” Because, honestly, who cares? I don’t care, from a strategy perspective, you call it cyber tiddly winks. Whatever works for you, go nuts.

They called it Beyond Trust. And what did they do with Beyond Trust? Well, they moved towards a Zero Trust architecture where basically the network is treated as if it’s online all the time. It’s a Starbucks sort of network. They issued everybody Chromebooks that could use a Chromebook because Chromebooks don’t have the same operating system that would allow compromises from malware and whatever else. They moved to mandatory multi-factor authentication. They pushed everybody’s stuff into the cloud with really good policy controls and you have not heard of a breach on the corporate side of Google since.

If you can think of an organization that has 200,000-plus global employees and lots and lots of technology and they’re doing Zero Trust, what additional proof or evidence does an organization need that it’s the way to go? I mean, yeah, they’ve got infinite money and resources to throw at the problem but they also aligned to it. It took them about 2.5 years to roll it out and make it a thing but it’s there.

George Finney, a CISO at Southern Methodist University, wrote a book called Project Zero Trust. It’s a narrative of how an organization went through and engaged in Zero Trust. He crawls through what the organizational challenges were, how they put things in place, which technologies they selected. We could spend the entire podcast talking about that.

MF: Are there specific steps or best practices that you recommend for folks to get started as they’re considering adopting this architecture?

CC: What I always tell people in my engagements is that the first thing I’m going to do is a red team. Because a red team will tell us where we have weaknesses, who’s going to click links if our Wi-Fi is jacked up – all the things that an adversary would do. That’s what a red team should be built for.

“Why would you not do a red team and then plan your strategies around the gaps that you identify?"

If your goal in this space is to fend yourself from an adversarial attack, why would you not take a kind of get-out-of-jail-free card and do a red team, and then plan your strategies around the gaps that you identify?

The other thing that I’ve done with a lot of organizations is walk into the executive suite or boardroom with a ransomware scenario. I just drop it on the table and say: “Ready, go.” And that’s literally all the guidance I give, and then I just watch what happens.

MF: Have you seen organizations that are resistant to a Zero Trust approach?

CC: Oh yeah, many times. Usually, I just say: “Okay, cool, here’s my card because you’re going to be calling me. Let me know when you feel like this is a doable thing.”

I’ll never forget when I was working with an organization and the sort of bill that we put in front of them to get their Zero Trust stuff in place was $17,000 or something like that. They said: “No, that’s too expensive.”

Fast forward maybe 90 days and they got hit with a big-time ransomware deal that was a very defensible problem. It wound up costing them, I think, $3.5 million to get their system back online. I’m no math whiz but $17,000 is a lot cheaper than $3 million.

EV: I can expand upon that a little bit. We recently had a conversation with Dave Holmes, a research analyst at Forrester who advises security professionals about Zero Trust. He said the primary issue for Zero Trust used to be getting buy-in.

But in recent years, especially after the pandemic, buy-in is less of a concern. Now, it’s more about implementation. “I need a roadmap. I need to be able to have a clear path of how to install and build and incorporate this into everything that we’re doing.”

That is definitely one aspect of the tides turning. We’re also seeing other things like the executive order that looped in Zero Trust about a year or two ago. Other organizations like NSA just released new reports about how they’re adopting Zero Trust. CISA said that they are going to create a new office focused on Zero Trust.

I could be getting all of those backwards and mixed up, but the bottom line is that on the federal side, if there are high marks and focal points of making this a priority, it has snowball effects that often trickle down and show validation of how important this philosophy and concept are for the private sector.

MF: What challenges do organizations typically face when adopting a Zero Trust model? And how do they overcome them?

CC: Number one, you should educate and train your people on cybersecurity risks. However, that’s not a technical control. Cybersecurity is a technical space with technical risk. Put technical controls in front of people before they can interact with malicious content, and you will exponentially reduce your potential for being compromised.

“Put technical controls in front of people before they can interact with malicious content."

Like multi-factor authentication. Is it perfect? Absolutely not. Is it better than nothing? Absolutely. I’m a big fan of browser isolation. Why? Because where do people get fished? It’s on the internet by clicking links. If they can’t interact with the content, problem solved.

Move to the cloud. Use the suite of tools that are available to you to take care of the policy side. This stuff is not rocket science but it does require people to take a step back and say: “Okay, what do I need to do? What actually makes a difference? Where can we apply a control?”

Until we stop treating people like technology, we’re never going to get towards an end state that makes things better.

EV: To put a wraparound what Chase just said, this is just cybersecurity 101. It’s “defense in depth”, creating layers upon layers to prevent people from being in those scenarios.

“I cannot imagine a world where social engineering is actually solved for."

But I cannot imagine a world where social engineering is actually solved for. That will be a day that unicorns are roaming among us.

MF: How does Zero Trust adapt to new threats and technologies like AI? What should people keep in mind as they’re moving towards this security model?

CC: Let’s be real. None of this is AI. This is large language modeling and machine learning with process and compute and good algorithms tied behind it. That’s part of the problem. We keep calling this AI, that’s not the case.

“Zero Trust doesn’t actually adapt or change based on what’s going on with the newfangled, cool, shiny thing that’s on the market."

My response is that a really good strategy like Zero Trust doesn’t actually adapt or change based on what’s going on with the newfangled, cool, shiny thing that’s on the market because, at the fundamental level, it deals with the realities of what those things do to cause compromise.

I don’t care if they come up with quantum-powered, robot-enabled unicorn something-or-other. Sooner or later, it’s got to do something to cause an exploit. How do I get in front of that and how do I mitigate its risk?

EV: That’s why a lot of us love Zero Trust. You don’t have to have the adaptation. It’s designed at the core to be unmovable.

Now, there are no goal posts so there’s no finish line, and that’s why things like AI and new threats and AI taking over our voices and cloning them or impacting social engineering – it doesn’t matter. At the core, you still have no implicit trust, or you remove as much as possible, bit by bit. So, I love that take.

MF: It’s not technology-dependent. It’s a best practice at that point. It’s something that you put in place.

EV: Yeah, as the language goes, it’s trust but verify, and keep verifying continuously.

MF: What advice do you have for people who are considering implementing Zero Trust in their organizations? How can they make the transition as smooth as possible?

CC: The biggest one is to just make sure that everyone understands that real strategic change is going to be uncomfortable at first. It doesn’t matter what it is that you do. Whether you want to grow a business, run a marathon – whatever it is in life that you try and do, understand that real commitment to a long-time strategic win requires discomfort.

“You need to let stakeholders and users know that things are going to change and there may be some bumps."

In your business, you need to let stakeholders and users know that things are going to change and there may be some bumps. But in the end, this will be better for everyone. If you make this very clear and you line up what’s coming their way, you’d be surprised at the level of – I would call it technical discomfort – that people are willing to deal with.

EV: If you want organizational alignment with something as impactful as a new cybersecurity strategy, you need to make sure it aligns with the business.

A low-hanging fruit example is: You want to bring chat GPT in your organization and to use it for purpose X. That’s cool. But there are obviously no regulations right now, so it’s up to the organization to build policies. What can go into it, what can’t go into it – those kinds of concepts.

The other piece is that a quick win is really helpful. It’s hard to do that for something like this but adding multi-factor or two-factor or SSO – something of significant impact that has high visibility and low risk to fail – is a really good entry point as well.

Otherwise, red teaming and doing an audit to identify the biggest risk and biggest impact, that’s the right way to go. If you actually want organizational buy-in, you also have to get visibility and win people over.

MF: What would it look like for a family or an individual to implement Zero Trust?

CC: I’ll give you an example because my house is Zero Trust-y. Matter of fact, my kids are so sick of it, they walk by my office door and they just say, “ZT,” like they’re making fun of me about it.

My kids aren’t developers, they don’t need computers with Pentium chips and everything else, so they have Chromebooks. Chromebooks solve a lot of the issues of an operating system that can get hit by malware. If I know anybody’s going to get hit, it’s going to be them on Discord and playing games and those types of things.

On the phone side, everybody runs on the wireless network that is not the same as my business wireless network. I’ve got browser isolation running on everybody’s machines as well. And then, I have to approve any application that my family uses. And when I do approve it, the first thing we do is turn on multi-factor authentication.

I had the conversation with my kids and told them why we’re doing this and why it matters. Everybody had a little bit of griping and moaning to begin with, but now it’s just the way life works, and everybody’s tracking along.

It’s a very doable thing, and it didn’t cost me anything. As a matter of fact, moving away from very expensive laptops to Chromebooks saved me some money because those are $200. Even if the worst happened and those things got just totally bricked, I’d take it out in the yard and use it for target practice and get them another one.

EV: I went a slightly different route. I do have segmentation, so all of our IoT devices are either not connected to the internet and it just looks like they are, or we have a work line and a “not work line”.

Outside of that, I think Chase alluded to a Doberman as a solution. I don’t have a Doberman, but I do have four dogs, and at least one of them is big and scary enough to be my preventive measure.

MF: Where can folks go to find more about you or tune into your podcasts, and go read any specific literature that you put out in the world?

EV: It’s adoptingzerotrust.com, which is also on every standard podcast channel on YouTube. Also, for Zero Trust tools and services, I created a website called TopZeroTrust.com.

And Chase, I want to make sure you also highlight that really awesome thing that you recently launched, which aligns with this technology site, which is not a cybersecurity solution because I think the world needs to definitely see that.

CC: Oh, I think you’re talking about Demo-Force, correct? We launched Demo-Force into the market back in January. It’s basically a way for buyers to try out vendor software and never have the risk of your data or passwords or usernames winding up in somebody’s trial instance. For vendors, it’s a great way to get your software optimized where you can put it in front of a lot of people really easily. That’s kind of the Skunk Works thing I’ve been working on for the last couple of years.

You can find my podcast on all the podcast stuff. It’s called Dr. Zero Trust. I’m on Spotify as well. As far as publications, NIST (U.S. Department of Commerce National Institute of Standards and Technology) has got a bunch of great ones. There’s books by a bunch of really smart people around Zero Trust. Look all those up.

Jenn Marshall

Contributing Writer