Welcome to What That Means with Camille Morhardt.
Camille Morhardt 00:04
Hi, and welcome to this episode of What That Means. Today we’re going to talk about zero trust, particularly during and after a pandemic. My guest today is Cathy Spence; she’s a senior principal engineer at Intel and chief architect in the business client platform division. So Cathy, welcome to the show.
Cathy Spence 00:25
Hi, Camille. Good to be with you.
Camille Morhardt 00:28
Yeah, it’s good to be talking to you again. We’ve worked together a little bit in the past. Cathy, what you do as senior principal engineer and chief architect for the business client platform group is you lead architectural direction and design for features that are in commercial PCs, specifically, or in particular, for Intel vPro, which is a premium platform. You’ve got a lot of deep technical expertise in it. This includes modern device lifecycle management, and also cloud computing. And you and your team are responsible for driving the commercial requirements into Intel platforms. Correct?
Cathy Spence 01:09
When we say commercial PCs, what we mean is laptops and desktops that are used in business settings. And those platforms, in a commercial sense, have additional requirements, especially around security and manageability. My team focuses on specialized features that usually involve security and how those devices are managed.
Camille Morhardt
Can we start by you just defining for us, pretty briefly, what is zero trust? I’ve heard the buzzword used quite a bit recently.
Cathy Spence 01:38
In plain English, zero trust is when you don’t trust anything. You think about that in terms of your computing environment, your enterprise resources, your commercial resources: you don’t want to trust just any client endpoint that wants access to those services. And think about it also from the client standpoint as well; the endpoint doesn’t want to trust anything, either. And it doesn’t matter what network you’re on. I could be on an enterprise network, or I could be in the cloud. And I need to be able to survive in that kind of environment, especially when there’s a pandemic and everyone’s working from home.
Camille Morhardt 02:16
Zero trust is not about not trusting people; it’s about not trusting devices or networks. Is it hardware focused or human focused?
Cathy Spence 02:25
It’s a little bit of both, actually. When you set up your environment for zero trust, it’s about protecting your assets and protecting your data. And that involves understanding the identity of who’s asking for that data, what’s the identity of the devices requesting that data, different aspects of authentication that are involved here, and authorization, those strong identities. And then there’s this continuous validation of that: what access is being requested? What are the identities and other context that go along with that, in order to provide that access?
Camille Morhardt 03:06
And you’re working a little bit also on identities or access changing over time. So if you have a device that starts with one kind of an owner, or one sort of provisioning, and it’s allowed to get access to, let’s say, the payment systems of a retail store, and then it’s repurposed after that, to do something else, maybe now it’s controlling the temperature within the building or something. Now, you don’t want to have access to the payment system anymore. So how are you transitioning these different kinds of access that you’re providing the system?
Cathy Spence 03:42
Oh, wow, that’s like an advanced use case, Camille. Even in the basics, think about when you log in. You log into your device, and you connect to a particular network; that check of your identity happens one time when you do your login. And if you’re logging in through a VPN to a corporate network, or you’re in the office and you’re on a network, you can have unfettered access to a lot of different corporate resources. But in a zero trust model, we’ve changed that to where we’re going to check at multiple places; we’re going to check continuously. What network are you on? Do you really need the access that you’re asking for? It’s about taking those resources and limiting those resources, so that it has a very narrow scope; you only have access to really what you need. That’s called a least privilege model. And it’s really about setting up your environment so that you can do this on a wide basis, because if one piece of the puzzle, the resources or the device, doesn’t follow the rules for zero trust, then your model has broken down. You can go get a guide to how to set up a zero trust model from the government that talks about this in even more detail. Your question about, well, what if I take a machine and I repurpose it, and I want to have it take on maybe a different identity? Once you get the first part set up, then you can address those advanced use cases.
Camille Morhardt 05:11
It’s different than digital rights management, because that’s just about it. Can you explain where it takes off from there? That’s kind of an older concept we’re all more familiar with.
Cathy Spence 05:22
Yeah, that’s true. So they call it IAM, identity and access management. That’s a core part of how you work in a zero trust model: ensuring that your identities are up to date, and that you have strong authentication in place. There’s a lot of trends right now, too, about how do you make that easier with multifactor, and maybe a passwordless approach. That’s where things are developing. So the core concepts are the same, and they’re very important. It’s up to date. And there’s additional roles that could be defined that could help you create this defense in depth approach with zero trust.
Camille Morhardt 06:01
Was digital rights management or IAM more focused on the user and authenticating the user, whereas zero trust incorporates the hardware as well? Or is that a false dichotomy there?
Cathy Spence 06:15
I think that a lot of it is based around the user for that identity. But in the future, we can see that being improved by having more device identity, so that you really understand what devices should be connecting and what shouldn’t be connecting. I think the big reason why you need more of the device identity is that, well, number one, some devices don’t have users, for things like zero touch provisioning, which is another modern technique. Especially when everybody’s working from home in a pandemic, you’re sent a new device because you’ve had a PC refresh or something like that, and I want to be able to use more automation in order to be able to provision and set up that device. Remember, the device is most vulnerable before you’ve provisioned it and put all your security on there, as well as the identity of the device and how that gets managed.
Camille Morhardt
Is that what we mean by provision?
Cathy Spence
When I say provision, I mean setting it up for the first time, so somebody can use it to do work. And normally what provisioning means is a device arrives, and it may have a base operating system on it. And when you log into that device for the first time, I want to be able to phone home, and then enroll in some kind of a management service, which will then set that device up. And as part of that there are secrets there: there may be corporate Wi-Fi credentials, there could be other corporate keys and things that you need. There’s a device identity portion of that, and then there’s a user identity portion of that. And when you enroll, then you get all of your apps and your data and that sort of thing.
Camille Morhardt 07:52
And do any of these things connect the user to the device?
Cathy Spence 07:55
That all depends. Typically when you talk about provisioning, and I’m talking about modern provisioning, regardless of whether you’re using a Microsoft stack or maybe a Google stack, the approach is the same. The OEM may register that device on your behalf in a provisioning system; Google has one, Microsoft has one. Then that may be connected to the user, or the user kind of claims that when they log in.
Camille Morhardt 08:23
I don’t think we’re out of the pandemic. But how did things change in this realm with the pandemic in the sense that everybody was outside of the corporate network, by definition physically? And then what about that do you think is maybe going to continue, even as pockets of people are returning?
Cathy Spence 08:41
Everybody was set up for folks to work from home when there’s a bad snowstorm or a hurricane. It’s another thing when you have everyone working from home for a year. Basically, everyone had to rewrite their business processes to make people more productive when they work from home, and really think through some of these challenges. Depending on the enterprise and how far along they got in terms of adopting more modern management techniques and modern security, they may have been in a better position for something like the pandemic to be happening. When the pandemic struck, it really accelerated a move to modern, and some companies were better positioned than others to survive in this environment.
Camille Morhardt 09:31
One of the things I think of is everybody had mobile phones. And a lot of companies were managing at least mobile phones that were provided or paid for by the company. And that was having to occur differently than I think our PCs were previously. So was it a matter of the PCs converting to this mobile phone style of manageability? Or was there something else created? When you say modern, what do you mean?
Cathy Spence 09:57
When I talked about that provisioning model, that’s a very modern provisioning model. In the past, all of the PCs would get sent to IT, and IT would reimage them; they’d put on what’s called a corporate build, which is an older style. And people are converting from that to being able to trust what’s on the PC, and use that as a starting point for the provisioning. Some of it is driven by what applications are being used: if you have a very heavy corporate build with a lot of local or custom applications, versus adoption of cloud and SaaS-type applications. This is all kind of part of the modernization; everyone’s trying to adopt as many SaaS applications as they can, as opposed to writing your own. Modern includes over-the-cloud, lightweight self service. I’m getting my updates, maybe OS updates, from the cloud as opposed to the IT department. It involves those things; I’m using management tools that are more cloud based versus on-premise based. So when I say modern, a lot of that centers on use of the cloud, and this on-demand, pay-as-you-go kind of model.
Camille Morhardt 11:11
So does that make us more vulnerable in some way, because now everybody’s kind of going through the cloud, as opposed to classic IT, tried and true and tested?
Cathy Spence 11:23
When you go to the cloud, you have to be able to survive there. You can’t do an old style of scanning the network for all the devices to look for devices that are not yours, because you can’t scan the internet for all your devices. So there’s a lot of fundamental things that change. Zero trust security is super important when you’re out on the internet, when everyone’s working from home. Even those same principles are being used within an enterprise as well; it just becomes super important out on the internet. But you even have value within your enterprise applying those principles, because if you have one device that gets infected, you don’t want that infecting your whole network. So these same techniques are going to be used there. But as I was saying, 2021 is the year for zero trust, of people really fully embracing the zero trust kind of model. And it’s because of these challenges that are beyond basic security hygiene.
Camille Morhardt 12:23
You’re saying, partially because a pandemic forces everybody to go work from home, everybody’s now outside the firewall; it may be impossible to have sufficient VPN tunnels for thousands and thousands of people to work concurrently, globally. You might have had some isolated incident where you could support that, if there were a snowstorm, like you mentioned. But now, because everybody’s in this new environment, from home and outside the confines of the walled garden and the security, we have to have a different kind of security. And this security is like: trust nothing, trust no one, check every time, assume the worst is happening. And that’s how we protect ourselves now, because we haven’t got any kind of shield around us.
Cathy Spence 13:10
It’s like paranoia on steroids: limiting access and double checking who is connecting, and having the proper isolation among your resources. And it’s monitoring; it’s a new style of monitoring. It’s bringing all of that together so that you get the best security. And as you know, Camille, security is always an arms race, because as you address certain security problems, the attackers find a way to get around those, and you have to keep upping your game. This kind of approach really provides a great foundation for you to protect yourself.
Camille Morhardt 13:48
What do you think’s going to happen after zero trust? We all understand the need to embrace it; we’re going there with software as a service applications, increasing cloud applications. What’s after that?
Cathy Spence 14:01
There’s a general trend in the industry, and in IT in particular, to think about AI. What’s the use of AI? We see some of this right now with threat modeling and so forth. We’re in a cloud-first kind of a model, and in the future it’s going to be more of an AI-first kind of a model.
Camille Morhardt 14:20
Oh, say more. What does that mean?
Cathy Spence 14:23
Well, it’s really about setting yourself up so that you can take better advantage of AI. What the pandemic has taught us is that the world’s becoming less and less predictable. You’re predicting who’s going to be on campus today, when we get into a hybrid model after the pandemic. The terminology that gets used in an IT department is called AIOps. It’s really taking IT and the operations of IT and automating that, so that it not just opportunistically takes advantage of AI, but it’s really set up for it.
Camille Morhardt 14:58
I hadn’t thought of that. Like, if you take thousands and thousands of people, and you look at their calendars, essentially, you being AI, so you’ve got to somehow maintain their privacy, but also potentially predict, most likely, Cathy and Camille, they usually come in on a Tuesday, either because we’ve allowed it permission to know that or because it’s looking at the calendar and seeing that we have a lot of, say, project meetings or staff meetings on a Tuesday, so likely we’ll be there. And then perhaps even alerting us to working groups that would also be present on site. You’re talking about complete freedom in the sense of when you go, how you show up, but yet this digital tracking and assistant to try to assess the pattern so that we can better connect. That’s crazy.
Cathy Spence 15:49
I don’t know that it goes that far, to Big Brother kind of tracking. But I’m thinking more in terms of the office environment. For example, I think that we’re going to move away from more static office layouts, and they’ll become more flexible, more flexible workspace configurations. And how could I do that? In the short term, you can ask people, or try to do something with your hybrid model of understanding who’s going to be there, who’s not going to be there, and how do I address, maybe, I need more meeting space on a particular day or something. I don’t necessarily need to know who it is; if I have a sense of what the traffic looks like, I could potentially reconfigure that. So that’s just an example. With security, I know you want to get back to more of the security aspect of it, we can see more use of things like robots to help us with security as well, and how they need to utilize some AI and learn as well. I’m talking about physical security on your campus, where they’re checking on the security. That doesn’t have to be a person in the future; that could potentially be some form of a robot keeping an eye on that and reducing human contact post COVID. So you may look for opportunities to reduce human contact in different areas.
Camille Morhardt 17:06
Okay, so we’re not talking about bots flying around measuring people’s temperature in drones over and over. Okay.
Cathy Spence 17:13
I don’t think we want to do that. I don’t think we want to make people feel like they’re under surveillance. We want to keep people safe and healthy. And we want the environment to work for them. You’re really getting at an interesting question, too, about tracking and having strong identities, and yet still preserving people’s privacy. And we’re going to have to take care, as we implement new solutions to make sure that we have that right balance.
Camille Morhardt 17:38
Do you have a mantra or something you remind yourself of, or keep front and center, when you’re architecting for security? It’s along those lines of privacy.
Cathy Spence 17:49
We’re very sensitive about privacy at Intel, we have a process for that. We check ourselves, we go through a privacy review. And we make sure we’re doing the right thing when it comes to people’s privacy.
Camille Morhardt 18:02
Are there any major disagreements in the field of security and manageability when it comes to zero trust or this migration to home offices? Or at least, I guess we should even say mobile offices, because we don’t know where people are going to be necessarily. I’ve been hearing more and more this: yes, there’s this big rush to the cloud now, whereas there might have been reservations previously. None remains. And now we’re all in agreement that zero trust is a big model that we’re moving toward. Is there anything that IT departments or enterprises are disagreeing about right now?
Cathy Spence 18:42
I haven’t heard a lot of disagreement, Camille. It’s all the general consensus. And that’s why I’m saying that this could be a really big year to drive more adoption in this space. It’s because the world has changed over the past year dramatically. It’s here to stay; we’re not going to go back to working the way that we used to work, we’re not going to look backward to old security models. If you don’t really implement the full model and you let certain applications or certain things skirt the guidelines around zero trust, then it really does fall apart. You really want to embrace that.
Camille Morhardt 19:13
Thank you so much, Cathy. It’s been fascinating having a conversation with you about this, and it’s been a long time since we’ve delved into the manageability of things. I’ve really appreciated the conversation. Thank you.
Cathy Spence 19:25
Subscribe to What That Means with Camille Morhardt.