Zero trust security has become a topic at the forefront of IT and security-related conversations. Zero trust puts an end to compromised identities. In today’s hybrid work environment, CIOs and security leaders must understand zero trust strategies and architecture to ensure the safety of networks, devices, applications, and users.

To learn about zero trust, CIOs must understand how traditional networks operate, the challenges involved in becoming a zero trust network, and techniques that work with the zero trust model.

In this conversation, Anand Oswal from Palo Alto Networks explains how zero trust security transforms the way applications and users are protected from internal and external threats.

Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks, where he leads the company’s Firewall as a Platform efforts. Prior to this, he was Senior Vice President of Engineering for Cisco’s Intent-Based Networking Group, and he holds more than 60 U.S. patents.

Transcript

Anand Oswal: A zero trust approach wants us to remove all notions of implied trust for users, for applications, and for infrastructure.

What is zero trust security?

Michael Krigsman: We're talking about zero trust network security with Anand Oswal. He is senior vice president and general manager of Palo Alto Networks.

Anand, what does zero trust security actually mean?

Anand Oswal: When you're in the office (depending on which office you are in – in some cases) you're able to access the applications, and you just go through a firewall – at the most, right? In most. And not most. In many enterprises today.

When you're home, you get authenticated, two-factor authentication. You may go through a proxy. You may have a CASB for SaaS security, and then you go to a cloud-based firewall. You're having different notions of implied trust because you're in the office or you're at home. That's what I mean by implied trust.

Based on the fact that I was able to get into the office where I had a badge, and I'm able to get onto the office network, I had a certain notion of implied trust that gave me access to certain things. We don't want to have any notion of implied trust.

I still remember, many years ago (20 years ago or so) when we had guests come into the office and they would just plug in their ethernet cable. If you remember those, before Wi-Fi was prevalent, they would get access to the corporate network. That's implied trust because you are in the building, and you could connect to the ethernet port (that was there in the conference room) to your laptop and get access.

Michael Krigsman: Implied trust is you're in the building and you make the assumption that the perimeter security is all working properly and, therefore, anything you do within the confines of that building is safe.

Anand Oswal: It's just one example around users getting access to the network, but it could be also around me accessing a certain application because I belong to a certain group, et cetera. Any notion of implied trust – just because of who you are, what device you have, what group you belong to – we don't want to have any of that.

Michael Krigsman: Why has this term received so much attention recently? As you told me, the White House recently put out a press release using the term zero trust.

Anand Oswal: If you think about the evolution of networking and security, everybody was in the office accessing applications sitting in your data center. That was the world.

When we look at it today, your applications are everywhere. They're in the data center. They're in private clouds, public clouds, and SaaS applications.

Think about us as the users. We're no longer confined to our offices. Not just the pandemic, but generally speaking, the workforce has been going hybrid.

Users are everywhere. Your applications, your data is everywhere. How do you ensure that all of this is done securely, not just for me the user trying to access a cloud application or me (an IoT device) trying to access something in the data center, but every single combination of that?

That's really accelerated every single aspect of digital transformation in the industry. That's why it's so relevant right now.

Enterprise security challenges and zero trust

Michael Krigsman: What kind of feedback do your customers tell you regarding the challenges that they face?

Anand Oswal: If you think of the zero trust approach, there are really four key principles that we want to apply from a zero trust.

  • First, I need to understand who the user is. Are you really Michael?
  • How do I ensure that a device you are using is the right device?
  • How do you ensure that your access is secure, that when you are accessing an application (in the data center, a cloud application) that access is secure?
  • Fourth, the content, the transaction.

These four key blocks I talked about apply to users, apply to applications, as applications talk together. They apply to infrastructure. If IoT devices or your routers or your switches are talking to different entities, we need to ensure that we do all these four on a continuous basis, and that's how we get a true end-to-end zero trust enterprise.

Michael Krigsman: Give us some context. Where does zero trust fit into the broader scope of security?

Anand Oswal: Zero trust is an architectural approach. It's not a single point product or a solution. It's across everything that you do to protect your users, to protect your applications, and to protect the infrastructure.

Let me give you one example for that. When you are in the office, you get your badge and you enter the office. You have different access when you are in the branch or headquarters, as you would have when you are at home.

The answer is that, in many cases, it's different. When you are home, you authenticate. You go through a proxy. You go through a CASB for SaaS applications, maybe a cloud-based firewall. But when you are in the office, I have a notion of an implied trust just because you are in the office. A zero trust approach wants us to remove all notions of implied trust for users, for applications, and for infrastructure.

How can CIOs create a zero trust environment?

Michael Krigsman: How do you do it? What are the components of a zero trust environment?

Anand Oswal: Zero trust is an architectural approach. In many cases, it's a journey for our customers. What we need is to ensure that all users, all applications, and all the infrastructure of a given enterprise have a zero trust approach, which means that I need to know who the user is and authenticate them through whatever mechanism I have: password, two-factor authentication, et cetera.

The identity of that device or the identity of the workload, am I actually who I am? Do I have malware on my device? Because I have "bring your own devices" in the enterprise as well, I want to make sure that the access that the user, the application, or the infrastructure does is secure.

The transaction, which means that the content and inspecting the content. Do I have a right to access that data? Do I have malware in that data? That is done.

All of this is done on a continuous basis, which means that every single digital transaction should be secure. That's really where we want to get to for the entire enterprise to make sure the entire enterprise has a zero trust approach to security, has the right security posture as we continue to work from home, work from everywhere, applications moving to the cloud, and make sure that all of this is really secure.

Michael Krigsman: You said that your customers are taking the zero trust journey. Why do you call it a journey?

Anand Oswal: The journey aspect is more because the world is hybrid. The users are everywhere. They're no longer just in the office or in the headquarters. They're everywhere.

We have IoT devices coming up in the enterprise. Our applications are everywhere. This journey requires us to ensure that we can transition this.

It's not going to be everywhere in the office or everybody remote. It's not going to be applications only in the data center or only in one cloud. It's everywhere. We need to ensure that we are able to help our customers in this transition.

For example, if they are moving their applications to the cloud, it will take them time. If they're moving applications in the private data center and some applications in the cloud, they have a hybrid environment. That's just the reality.

Michael Krigsman: Your customers have complex environments and shifting, moving, evolving simply takes time. From a zero trust perspective, you have to be able to handle all of it all the time.

Anand Oswal: And different customers also have different requirements for regulatory and compliance; where the data should reside, et cetera.

Two big transitions happening for the industry right now (for our customers right now) are the hybrid workforce and the movement to multiple clouds. Applications and data are everywhere.

What it means is that users are everywhere. Applications are everywhere. Data is everywhere. They're accessing the applications over a plethora of different networks.

A zero trust is required for the entire enterprise: for your users, for your applications, and for your infrastructure. You need to do this on a continuous basis. Verify every single digital interaction and transaction. That gets you to a zero trust approach, no notion of implied trust.

Michael Krigsman: What are the components of creating a zero trust environment?

Anand Oswal: First of all, a zero trust approach requires (for many of the organizations) also a culture approach to ensure we remove any notion of implied trust. If you look at it historically, when you are in the office you had different privileges to access certain things compared to when you were at home. It required more stringent requirements when you were at home in terms of how you were able to access the applications or, in many cases, you weren't allowed to access those applications.

In today's world of hybrid workforce, we want to make sure (like you said) any user, any location, through any device – IT-managed device or bring-my-own device – is able to access any application and data securely. But I also want to make sure that I verify every single digital interaction that I have as a user, as an application, as an IoT device, et cetera.

Michael Krigsman: Are there common standards that govern zero trust security?

Anand Oswal: There are best practices. You can get that through professional services from various security organizations like Palo Alto Networks to help customers on this journey.

Michael Krigsman: Obviously, you're designing, you're building products relating to this. Can you give us a little glimpse behind the scenes as you think about the product design? What features need to be added, included? What do your customers care about? How do you make those decisions when it comes to zero trust?

Anand Oswal: There are three key tenets of zero trust in terms of zero trust for users, zero trust for applications, and zero trust for infrastructure. I talked about the four key blocks for each of these, which are common. Those are constructs that we have in terms of endpoint security, network security, et cetera.

Access: How do you ensure that you have the right secure access to the application that you want and that you're authorized to access the application? What can you do with the application (the content, the data that you're accessing or sending across)?

All of these aspects apply across users, applications, and infrastructure. Really making sure that the right user with the right identity having secure access, inspecting the content, and doing that on a continuous basis.

Michael Krigsman: The technology components (the hardware, the software) combined with the business process changes create a kind of safety net or a shield. Would that be a correct way to put it?

Anand Oswal: It's a platform approach. Whether you're using applications that are in your data center or cloud or SaaS applications, how do you ensure that, no matter where you are, you have visibility, you can access the applications if you have the right permissions, and what data you can access? What are the rules that can be enforced on you to access applications, data, et cetera?

Advice to Chief Information Officers on zero trust strategy

Michael Krigsman: What advice do you have for CIOs that are listening about implementing a zero trust environment for security?

Anand Oswal: My advice to CIOs, as they look to their enterprise for a zero trust approach, is to think back and see; do I have a complete zero trust enterprise architecture across my users, my applications, and the entire infrastructure?

Then you need to make sure that you think of it from a platform approach. How do you ensure that you have this done holistically?

Then figure out how to get there. Which means, how do you ensure that (all users, no matter where they are) I can identify who the users are through whatever mechanisms I have in my enterprise? Identity of those users, how you secure access of the users to applications in the private data center, in the cloud, or SaaS applications.

How am I continuously verifying the content that I'm trying to access for the applications? Does it have malware? Is it the right URL? Is it the right application (like we talked about)? How do I do that on a continuous basis?

The same thing for applications. Applications are talking to each other. They're in the cloud. Can I talk about it? Is the right DevOps engineer having access to the applications? So on and so forth.

The same thing for infrastructure, my IoT devices or my network nodes, et cetera.

We want to make sure that all of this is done through a very thoughtful process where we have, like I said, the four key principles like can I know who the user is, identity of that, access, secure access, content, and then, on a continuous basis, is really what gets you to a complete zero trust enterprise, which covers all users, all applications, and all the infrastructure that you have in the organization.

Michael Krigsman: The first step then really is doing an assessment or an analysis of your devices, your users, their locations, the applications. Is that correct?

Anand Oswal: In addition to that, also ensuring how you ensure that you remove any notion of implied trust as you deploy a single platform solution across it all.

Michael Krigsman: Anand, you've really emphasized the notion of the platform approach, so what are the pitfalls of not adopting a platform approach and doing it piecemeal, you know, here, here, here, and we'll get to the rest as we get to it?

Anand Oswal: What happens is that when you have point solutions for different aspects of your security – so a point solution for how I want to access applications in the cloud, and what do you do when applications are accessed in the data center – all it means is that basically, you have different rules or sets of policies when you do it. You're not consistent, and then you don't have this notion of implied trust because you're having a different notion if I'm accessing a cloud application, a different security posture if I'm accessing an application in the data center, or a different accommodation of accessing it from a certain device, which is maybe ID issued versus not.

We want to make sure that we do not get into this trap of having these point solutions because then you're going to have inconsistencies and that may be exploited.

Michael Krigsman: Inconsistencies create potential gaps.

Anand Oswal: Inconsistencies create potential gaps and can create certain shortcomings in terms of your entire approach to having the right security posture for the entire organization.

Michael Krigsman: Anand, thank you so much for taking time to speak with us today.

Anand Oswal: Thank you, Michael. Great talking to you.
