Zero Trust Architecture With Vincent Romney

Host: Hi, everyone. Thanks for tuning into our Scale 20 show. I’m Purusottam cofounder and CTO of Cloudanix. Scale to Zero is a forum where we collect questions from curious security professionals and we invite security experts to learn about their journey and get these security questions answered.

Our goal is to build a community where we learn about security together and leave no security questions unanswered. With that, let’s get started.

So, for today’s episode, we have Vince Romney.

Vince is the head of Global Security Architecture at NU Skin Enterprise, where he leads the design and implementation of information security programs. Prior to that, he was the Director of Information Security at the Younique Products.

Vince, thank you so much for joining me in this show.

Vince: Thank you for having me Puru.

Host: So, we have a two-section format.

The first section focuses on security questions, and the second one is around Rapid Fire. So let’s start with the security questions.

So in that I want to start with zero trust, right? It’s quickly becoming like a new normal in the cyber security. When it comes to zero trust, there are many pillars like identity devices, network applications, and workloads. And there are many principles as well for the implementation, like continuous verification, limiting blast radios, automation of it stack, et cetera, et cetera. So,

What should be the starting point for a zero trust security setup and how should it be prioritized across all of these areas?

Vince: So I think one of the core principles behind Zero Trust is the original terminology that was applied to it, which is Deep parameterization. And when an entity looks at taking the journey towards zero Trust, one of the first things they have to do is really evaluate and draw down the first CIS benchmarks one and two, which is the inventory. Without that inventory and an accurate assessment of what that inventory implies, you’re not going to be able to look at zero trust in a reality base. You’re going to be saying, I want to apply a little bit of zero trust in certain places.

Once you have an architecture understood, you have your inventory, you know what your infrastructure looks like, what your application environment looks like, then you can start that journey towards zero trust by looking at where you currently have applied perimeters. And those trust perimeters that bring into an implicit trust zone are generally very wide. And the Zero trust journey is simply shrinking those down with authentication throughout that process.

So I think CIS benchmark one and two are your best starts because now you have somewhere to lay the groundwork and understand what your baseline is.

Host: Okay, so understanding the inventory and CIS benchmark one and two are the key starting points.

Vince: Sure.

Host: Okay, that’s lovely. So with that information, most of the times, even though you have all the information, implementation is easier said than done, right? So for organizations implementing zero trust, there can be many challenges like additional cost, impact or complexity of the setup or maintenance of the overall security setup as well, right? So,

For a cost sensitive organization, let’s say mid-size organization, how should they approach tackling these challenges?

Vince: Well, I think any organization is cost sensitive, especially in today’s world, regardless of size. But that inventory going back to that allows you to understand what assets you currently have. So let’s say you’re in Office 365 group. Well, are you actually leveraging all of the things within Office 365 that apply to Zero Trust? So you have identity providers. So you’ve got your Azure Active Directory. Your Active Directory on Prem, is that being leveraged appropriately to provide identity for authentication throughout the ecosystem? There’s a lot of tooling within your just Office 365 Toolkit that can allow you to tighten things up and reduce the amount of broad perimeter that’s applied in your organization.

So I hate to fall back on that same comment, but your inventory is very important for that reason. As a cost-sensitive company, the other thing I would say is definitely getting the stakeholders that will be making decisions very familiar with the NIST 802,007 documentation. That documentation is the basis for thoughts and approach on Zero Trust. It’s the foundational document for zero trust. So become very familiar with that document and how it applies. And as you look at vendors, because honestly, every vendor says there’s zero trust now, look at that vendor through the eyes of 802,007 and look at your diagrams in there and understand where that vendor fits because that vendor may be claiming that they are Zero trust, you want that journey towards zero trust, make sure you understand where they fit and what function they hold within that.

Host: That makes a lot of sense, right? Like having an understanding of the inventory, understanding the architecture, and sort of mapping them to the NIST framework to see whether, whatever the vendors are saying, whether they are accurate to the zero trust philosophy or not. Right, and you touched on one of the core components of zero trust, right? The identity. And identity not just for zero trust, even for information security, it sort of holds all the aspects of the organization together. Right. So we received a question from a security leader in the healthcare setup.

How should they protect access to the data securely to their employees, especially in today’s world where remote is becoming normal, right? So in that type of a setup,

How should they protect access to the data? And also, how should they ensure that the data is protected at the same time?

Vince: So I think falling into, say, the NIST 800 and 207 model identity feeds the Zero Trust architecture. So in and of itself is not Zero Trust architecture. It is a feeder or a provider to the policy decision point, policy enforcement point, that model. So you’ve got a policy engine that would drive policy. You have a policy administrator, those become the policy decision point and then you have the policy enforcement point. And that’s in the control plane. So an entity looking to use identity as a key part of that, first off, needs to determine that they’re using the principles applied to identity.

First, is it truly a lease privilege model? Now, lease privilege is a commonly used term and understood across the industry. But if you look at what zero trust is, it’s the implementation of least privilege throughout an ecosystem. So if we take identity and this healthcare provider is looking at it, I have an identity provider. Now, how have you broken down those identity into functional roles so that you can break those roles down and enforce those roles with a policy and backing up to that? I did. Do you even have the capacity at the control plane to enforce that? If you don’t, that’s one of the first steps of tooling you need to go investigate, is look at how you would enforce your policies that apply to those roles that are fed by the identity.

Host: Makes sense. So defining the policies and then enforcing the policies of least privilege across your tech stack right across your architecture.

Vince: Right.

Host: So I want to continue on the identities a little bit. When it comes to identities, MFA is one of the critical components, right? And there are many ways to set up MFA. Like there can be app based hardware, device based, biometrics, like there are many channels coming up, right? And there are pros and cons to all of these. So,

What is your recommendation to organizations who are trying to set it up properly? And how should they ensure that they are following the best practices of lease is privileged?

Vince: So you hit on a very important point to understand. All MFA is not created equally. So multi-factor authentication is widely applied in various models. So you’ve got the original was just an SMS text, right? And then we found out that that was pretty easily circumvented. And so then it moved to say, just your email. Well, again, compromised email; it’s now circumventable. And now we have applications on phones which take it to another level. You have a client based application that’s feeding that that’s better than the others. It’s not infallible, but it’s better than the others. Then you get the hardware tokens which are much more difficult to circumvent, for sure.

And then it breaks down into what factors are we dealing with. And in the modern world, most of what we’re dealing with is something you have and something you know, the biometrics is still not fully implemented in that model. Now there are cases where my phone is something I have, and hence I have a client device on that phone and Microsoft Authenticator is on my phone. I have something I know which was the password I used to make the initial authentication that sends the notice to Authenticator. Authenticator gives me the code and I can type that in or I can use my biometric on Authenticator to thumbprint it and then authenticate it back in.

So I have flexibility in that case. That still boils down somewhat to something I have. Right. It’s still that phone. But now I’m applying a biometric factor to the thing I have. So I think there’s a lot of models out there. First and foremost, if you’re not using any MFA, please use some. That’s the first step. And even if you were to just use SMS, which I don’t recommend, it’s better than not using it, but the confidence you place on that has to be subjected to the caveat that it’s circumventable and relatively done.

So just going all the way to the hardware token, that’s great. You’ll see, major entities have implemented hardware tokens as a product that everyone in your organization uses and they have very little problem with credential identity attacks because they’ve done that well.

Host: Those are very valid points, right? In today’s world, you should not have a non MFA setup. MFA is like a must.

And the second thing is, the closer you get to the hardware based MFA, the better right away, SMS, email, there are ways hackers are able to sort of bypass those, right? So the closer you get to hardware, the better it is.

So I want to sort of move to another key component of zero trust, right? Similar to identities, data is also another important aspect, right? And that is an important aspect for in general, information security as well. So keeping the healthcare vertical in mind,

What steps would you recommend to store, protect and provide access to sensitive data like PII or healthcare or financial information? ​

Vince:  There’s the foundational piece of, again, going back to zero trust, which is what is that data required to do and can you limit the access to that data down to that very specific requirement? I don’t think that there are many entities that really have implemented that level of control around their data. And looking at the structure of 802,007, you can see that there is a reference architecture there for taking the  down to that level where access to a specific, say, patient record is limited to a very specific set of use cases and any use case outside of that is disallowed. And then the roles that are assigned to those use cases then grab an identity, that role is assumed by that identity and then that can happen for access to that data.

The other part, and you bring up healthcare, obviously, is making sure that you are doing this in a way where all of the controls that are applied are effectively logged and demonstratible because you’re under a HIPAA environment and with that regulatory compliance element to it, you also have to be able to demonstrate compliance. I am one that thinks that if you have a compliance framework, you have to meet that first, approach your security first, then look at how you’re going to demonstrate that security to match the compliance. A lot of people get inverted on that and go to the compliance first and then figure out that, well, I met the compliance, but in reality you haven’t met the security requirements.

Host: So security first, compliance later on, right?

Vince: Getting that data use down to a point where you understand what the use case is for that data and then build the policies around that that can be enforced to the roles that are assumed by an identity.

Host: So it all comes back to your identity set up the policy, defining the policies and sort of enforcing the policies for the zero trust. Makes a lot of sense, right?

Vince: Right. And it’s again that idea that the identity and the use case still have to match up if I compromise your identity on the perimeter, but then I start moving through a zero trust ecosystem to get to a specific set of data and my use cases, how I’m approaching that don’t follow a policy, I can be blocked in that process. So even though I’m a nefarious actor that has compromised an identity, I can’t actually get to the data I wanted because I’ve perimeterized that and reauthenticated both from an identity perspective, but also from a role and use case perspective.

Host: That makes a lot of sense. So now let’s move on to the rapid fire section.


Thanks Vince for these insights around Zero Trust. Here are the top 3 things I learned today.

  • For Zero Trust CIS 1 & 2 Benchmarks are the most important. To start, Draw & Understand the Inventory architecture.
  • Identity is one of the core components of Zero Trust and it feeds into Zero Trust. Define the Policies and enforce the policies to incorporate zero trust through out the infra.
  • MFA is a must in today’s world. Hardware Device based MFAs like YubiKey are the best options.

Rapid Fire:

The first question is what’s your persona? Animal.

Vince: I don’t have a single but any animal that spends a lot of time in the mountains is my spirit animal. And whether it’s a predator or prey, they both have value.

So I’ll say elk and cougar.

Host: I love that. I love that. Mountains.

So what’s the biggest lie you have heard in cybersecurity?

Vince: I’m too small to be of interest to an attacker.

Whenever I hear that from a company, I’m like, you’re wrong. But okay, that’s your perspective. But nobody is too small to be of interest to someone who can get some money out of you. If you have a job, if you have an income of any kind and you have a computer, you’re a target. Now, that doesn’t mean you’re going to be hit. It just means you’re a target and you’re playing a roulette game, wondering if you’re going to get hit.

Host: Makes sense. Sometimes startups don’t take a security seriously, thinking that, hey, we are too small for anybody to attack us. But yeah, it makes a lot of sense. What advice would you give to your 25 year old self starting in security and why? Okay,

A one liner quote that keeps you going.

Vince: Well, my 25 year old self wasn’t in security, so that’s always an interesting thing. I was at 25. I was in flight school in the Air Force. So there are different career path. But I ended up in security because I ended up in It and in It, in the Air Force Information Systems information Operations was where I landed, and they stood up cyber warfare back in 2005. Now, I had always been very centric on security. All of the roles I played were very security centric.

So it made sense that when we stood up cybersecurity warfare, that we fell into that.

Host: Lovely.

Get the latest episodes directly in your inbox