Sign-up for the latest Lookout news and threat research
While Zero Trust is a popular framework, it doesn’t come with a user manual. On this week’s Security Soapbox, Ashish Kathapurkar and Nikhil Sinha from Google join Hank Schless to discuss how securing your cloud apps requires an approach that goes beyond the apps’ capabilities.
Try the Lookout Zero Trust Solution
Lookout Continuous Conditional Access (CCA) provides a modern approach to Zero Trust. With insights into endpoints, users, networks, apps and data, Lookout provides unprecedented visibility to organizations, enabling them to effectively detect threats and anomalies, support compliance requirements and stop breaches.
Hank Schless 00:10
Hi, everybody, welcome to Security Soapbox. My name is Hank Schless. And today we're going to be chatting with a couple of our friends from over at Google, who I'll introduce in just a minute here. We're going to be talking about how the reliance on accessing data in cloud based applications from really any device is making security teams rethink the way that they protect their organizations and protect their data. I think, as we all know, employees use all sorts of devices; Android, iOS, Chrome OS, you name it; to access productivity apps like Google Workspace, in order to be productive outside the office, especially as we kind of move deeper into hybrid work and people coming back into the office. It's really rendering the whole idea of the security perimeter obsolete. I think everyone pretty much accepts that at this point. So for that reason, security really needs to be extended out into every endpoint. And that includes, like I mentioned, Android, Chrome OS, and iOS on top of your traditional Mac OS and Windows systems. So before we jump to the thick of it, I do want to introduce Ashish and Nikhil, who are joining us from Google. She has over 20 years of experience driving top line growth at some familiar companies like Google Cloud, AWS, and Cisco. And Nikhil heads up product management for workspace security, and really helps enable secure collaboration for some of the top organizations in the world, really focusing on bridging that security across users, devices, apps, and data. So gentlemen, thank you both for hopping on with us today.
Ashish Kathapurkar 01:37
Thank you, Hank. Glad to be here.
Nikhil Sinha 01:39
Yeah, thank you for having us and excited to be here.
Hank Schless 01:42
Yeah, always excited to chat with you guys. So thinking about the challenges that come along with sort of everything that I've been describing so far, in brief, IT and security teams are really thinking about how they can take a modern approach that delivers zero trust strategy, right? Because zero trust, it's become a bit of a buzzword in the industry, but it is important. It's critical. And being able to kind of understand how to approach it in a way that makes sense for your organization is really, really critical. So, an important part of that is making sure that access to the corporate data, to corporate resources for mobile devices is allowed only when those devices have sort of a permitted risk level. So to make sure that the state of those devices doesn't change, admins really need to kind of be continuously monitoring the risk level in order to sort of modify those access privileges and protect their data and application. So that's a lot to take in. So before we dive in, Ashish, Nikhil, I would love to just understand a little bit more about what you're doing at Google Cloud, and then we'll get more into the zero trust side of things. So Nikhil, why don't you kick us off?
Nikhil Sinha 02:49
Sure. So my work at Google Cloud revolves around workspace security. If you have used Gmail, Google Docs, or any of the other productivity apps, you have likely used a built-in security feature from Workspace. Our largest customers tend to be enterprises who want to turbocharge productivity for their employees. And for my team, what that means is, we ensure that users can collaborate safely from home, office or anywhere in between. As you can imagine, that's easier said than done, which is why we offer a broad set of tools in this space. But I'm gonna pause there and hand it over to Ashish, for the introduction, before we get to zero trust.
Ashish Kathapurkar 03:26
Yeah. Thanks, Nikhil. So I'm in the strategic security partnerships team at Google. And I work with strategic security partners, and then technical and engineering folks on the Google side, to see how we can bring differentiated solutions to the marketplace to help solve the evolving challenges of security for the top customers that Google has.
Hank Schless 03:48
Awesome. Thank you guys. It's always good to know kind of what you're really focused on, especially as you dive into the deeper context of the conversation. So let's start talking about zero trust here. And Google has been a leader in zero trust for a long time, right? People know about BeyondCorp and other initiatives that have taken place within Google. But even outside of your role there now, Ashish I might kick this one over to you. What would you define zero trust as, on kind of a broader spectrum?
Ashish Kathapurkar 04:15
Sure. So zero trust essentially is a term for an evolving set of cybersecurity paradigms that move defenses from static, network based parameters to focus on users’ assets and resources. So what I mean by that, Hank, it goes down to basically three different things. Zero trust assumes that there is no implicit trust granted to resources, including users, devices, applications, services, and assets, based on physical location, network location, or assets ownership. The second critical piece of the zero trust is authentication and authorization. These are discrete functions that must be performed on a session basis, before access to enterprise resources is granted. And the third most important thing is zero trust focuses on protecting resources, not network segments. That is the key here; network location is no longer a core component of enterprise security posture.
Hank Schless 05:21
Right. And you think about that, even as –– especially as –– we embrace hybrid work truly. Because, before, it was a lot of people sort of testing out hybrid, and now it's in practice. You have people implementing return-to-office states. The network is no longer a place that you can rely on. I really like the first part that you mentioned about removing implicit trust. That's sort of the really short version, I usually tell people when they ask me the same question, because I think that just sort of looks at it at a higher level. It all makes sense. And Ashish, again, to look at it more from the Google perspective, what's Google's unique approach to zero trust?
Ashish Kathapurkar 05:53
Yeah. So before we get to Google's unique approach, the NIST organization, which is the National Institute of Standards and Technology, has defined a crisp set of rules or principles or tenants for zero trust architecture. And these principles use the framework that I defined earlier on zero trust to plan industrial enterprise infrastructure and workflows. What they assume is, again, no implicit trust granted to assets or user accounts based solely on their physical network location. And Google's approach to that is the BeyondCorp enterprise solution that Google has developed. Essentially, it’s based on some of these principles: that access is granted based on what we know about you or the user and the device that the user is using, that they're not connecting it from a particular network. They can be anywhere at any time; access must be authenticated, authorized and encrypted, but more so needs to be checked on a session by session basis. And that is what forms the fundamental basis of BeyondCorp enterprise, which gets into the realm of the zero trust architecture. Nikhil can add more to this as he is closely associated on the product development side, on the overall zero trust architecture here, Nikhil?
Nikhil Sinha 07:16
I think you covered it really well. I think this is essentially where the industry is headed. And we have some form definitions coming from various standards, if you think about the principles here, right? It boils down to three key principles in some ways. One is to verify explicitly, right? You want to make sure that you are continuously verifying any given access at any point in time. The second one is you're using least-privileged access, which should be fairly self explanatory for this audience. But the last one, which is “assume breach,” is something which, in many cases, a lot of people are not necessarily actively thinking about. We would like to avoid that scenario. However, zero trust is really trying to advocate for the principle that you have to assume breach and how would you build or architect your system, which accounts for breach within your ecosystem, right? It's, again, easier said than done. It's a hard nut to crack, which is why zero trust has become one of those fundamental pillars that the industry is gravitating towards.
Hank Schless 08:17
Yeah, that's a really good point, that the difficulty of achieving it is really why it's become such an important topic. Like with many things in security, collaboration can be so critical. And I think that understanding different perspectives of where something like zero trust can be worked on, and kind of what angles, what's important; all of that is critical. So it's really good to have your guys input on some of the critical steps people can take, and the fact that each of you are offering these three particular points is super helpful. And looking at Google Workspace specifically, right? I mean, we look at it as a huge part of how a ton of companies operate in your work. Are there any trends that you've witnessed in Workspace usage? And if so, how are those changing up the security requirements maybe for you guys, internally, or what folks that you talk to who use the product are using?
Nikhil Sinha 09:04
Yeah, I think it would not be surprising for the audience here to recognize that the pandemic shifted a lot of how we work, right? And when the pandemic started, and users went remote overnight, it essentially triggered the organizations to react accordingly. Like, for instance, in the past, before the pandemic, you could have had a policy to prevent access to your corporate resources, if a request is coming from, say, a coffee shop and in Honolulu. But with remote work, you don't know where your users are. And thanks to flexible and hybrid work, your users could be anywhere and a policy like this gets in the way of productivity. So to answer your question of how the trends have changed is essentially this is no longer a one time exception, right? This is the norm now. Which means that security organizations have to quickly adopt the zero trust framework, start putting both a short term and long term plan in place because users are not waiting for you. So the trend of user behavior is impacting the trend for security. And then, within Workspace what we tried to do was to provide some tools that can help organizations with it, right? One of the tools is called Context-Aware Access, which essentially extends beyond the corp-enterprise model to Workspace, web and mobile apps, right? It evaluates various first party and third party signals before granting access to any Workspace resource. So, for example, our administrator could author a policy that says, if a user is trying to access Google Drive on a mobile device, it must come from a healthy device. So this is kind of where we recognize that Google may not be sitting on all the endpoints. And therefore we have technology partnerships with the likes of yours, like Lookout, where third party engines would be crucial to that security ecosystem, right? They will be feeding us the signal telling us whether an endpoint is healthy or not. And based on that the administrator can configure policies on whether to provide access or not. So, long winded answer to how the trends have changed. But essentially, we all recognize that work has changed, and so does security.
Hank Schless 11:07
Right, the context, like you said, is so important that… I mean, that's because now with the way things have changed, you need to understand those signals, you need to understand not just the device and the user, but the location, the network, what type of data they're trying to access, where they're accessing all these things. So, Ashish, anything to add to that?
Ashish Kathapurkar 11:25
I think Nikhil covered it pretty well, right? Security should not be an afterthought. For organizations, it should be woven into the fabric of architecture that they're laying out for their own cloud footprint, whether it's hybrid, whether it's all in the cloud, and security should be thought through from ground up as they design some of these architectural principles. And essentially, it is all about safeguarding customer data.
Hank Schless 11:48
When it comes down to it, it's all about the data. That's what matters. And that's what people care about. And guys, to take this one a little bit deeper, one question that I get a lot is around trusting your users. And obviously, we're talking about zero trust here. But it's more a question about what's the balance between putting trust in your users and providing access? So I guess my question to you is, do you think that organizations are putting too much trust in their users when providing access? And if so, or if not, what, what areas should organizations and IT and security teams within them be looking at to make sure that users can really only access what they need without hindering their own productivity? And also without increasing that risk exposure of sensitive data to the outside?
Nikhil Sinha 12:35
That's a great question. I would say that, you know, it's, it's one of the factors, right? There are many more factors to consider, especially these days. What if the, you know, the user credentials are coming in from an untrusted IP? What if the credentials were being used on a jailbroken device? There can be a dozen such considerations that an administrator has to keep in mind and evaluate before granting access? What I would say is that where we see our customers, most of the forward thinking customers have gotten to a place where they're trying to balance the needs of their users, and how much do they trust their users while providing access? There's… one part of it is their own user IDs and passwords and the credentials. But there's a whole host of other things and context that is being evaluated at the same time, which I think is where the right security posture is. And the deeper the organizations can get into it, the deeper you can analyze the contextual data, the better your security posture gets.
Hank Schless 13:30
Well, would you add anything to that?
Ashish Kathapurkar 13:35
Well, I think all I can add to this is –– as you… as customers are looking to build their footprint on cloud providers –– is the notion of shared responsibility. And whether you're building it on-prem or on cloud, or a hybrid architecture, it comes down to who owns what piece of the data. And any cloud provider that provides you the strong visibility, detection, control and response is the right choice here. And Google has a very strong footprint in all of these areas, where customers are building on Google Cloud get access to the best of the breed security solutions that can provide visibility, detection, control, and response.
Hank Schless 14:12
I think the shared responsibility model is something that's finally kind of coming to the front of conversations when I think about, you know, even five or six years ago, I think it was something that people were relatively unfamiliar with. But as people experienced more in the cloud for both good and bad, they're understanding that it's not always on the cloud provider to secure all of that data. So there is sort of… they need to be able to understand where the line is there and where they need to be able to implement some tools. So guys, we're coming up on time here, but one thing I like to ask sometimes is, we all get the question, “What's the one thing I should do?” Right? What's the one… that you're talking to somebody whether it's a family member, or one of your friends or a coworker or someone that’s one of your customers? You know, a lot of times you'll say, alright, this has been a great conversation, but what's the one thing I can walk away from here to really kind of get things going, really start to maybe take another step on that zero trust journey. So what's that one thing that each of you would tell someone? And Ashish, won't we start with you?
Ashish Kathapurkar 15:12
Sure, Hank, I think the one I like to tell anyone who is building on cloud specifically today is think about security from ground up. And it's an evolving process. It's not a “one time, done” when you build your applications or any processes on cloud. It needs to be continuously thought through. And so think about, does it work with the right set of providers and technical folks here to weave security into the overall fabric of your footprint.
Hank Schless 15:40
Awesome. And Nikhil.
Nikhil Sinha 15:42
See, the one thing is very hard to nail down, I would say zero trust is such a wide and expansive topic. But clearly you came prepared with hard questions here. I would say that when you're thinking about zero trust, expect a shift in mindset, right? This is different from traditional models. How do you plan a deployment assuming breach, specially when every security product in the market is lining itself to this framework? There are bound to be surprises, unless you have thoroughly evaluated the solution. So expect surprises or, I would say, have the right expectations as you try to mature this model for your organization. There are many moving pieces here. Whether it is devices, data, user identities, context. And let's not forget there are all kinds of API access as well. All of this would mean that, you know, perhaps you are gonna have higher incident volumes. So these are considerations to think about. The one thing I would go back to is have a plan, evaluate thoroughly as you get on this journey, keep some bandwidth for potential surprises so that you can adapt to it, right? I think of it as if you are in a Formula One race here, right? Your cars are humming; they're all ready to go. A lot of cars have actually gone ahead and started their laps. But in many cases, you don't have the full visibility into how the track maker. So think about those as you plan this deployment. And the more you can plan, the better you can be in your user trust journey and maturing that model for yourself.
Hank Schless 17:18
All right, well, anything I can do that aligns with Stefan I'm a fan of, so it's a good way of thinking about… So guys –– Ashish Nikhil, guys –– thank you both for joining me today. It's been a real pleasure to have you both on.
Nikhil Sinha 17:29
Thank you. Thanks for having us. And thanks to the audience for listening to us for this brief moment.
Ashish Kathapurkar 17:33
Likewise, thanks, Hank. It was a pleasure. Thanks for hosting us.
Hank Schless 17:37
Always. And thank you again, as Nikhil said, thank you to our listeners for stopping by. To learn more, you can always go to lookout.com/blog. You can also learn more about Lookout in Google on our partnership page together. And guys, thank you for joining for listeners. Thanks for stopping by. We'll talk to you guys soon. Thanks