Zero Trust: The new way forward in cybersecurity with Jeff Mims

Jeff Mims: No matter how strictly we follow those rules, there's always going to be a way in, and that acceptance is really the mindset that has changed the technology. 

Shaunté Newby: The digital world is ever-evolving. And as we continue to embrace the amazing benefits that technology has to offer, we also have to continuously update our approach to cybersecurity. As Jeff Mims, a Leidos chief technologist puts it, the opportunities for breaches are large. 

Jeff Mims: We have a growing data scale that's harder and harder to protect. The attack surfaces are enormous. 

Shaunté Newby: That's why Jeff and the team at Leidos are so invested in leading the charge on Zero Trust. Zero Trust is an approach to cybersecurity that adds intense levels of security to all zones in the cyber-environment. 

Jeff Mims: Zero Trust focuses on hardening that center, not just the edges. 

Shaunté Newby: That's a super high-level way of explaining what Zero Trust means. But today we're fortunate enough to have Jeff on the show to go further into it. Jeff takes security seriously in both his professional and personal life. 

Jeff Mims: I've been teaching martial arts for a very long time for many decades. So I teach Aikido and judo and jujitsu and a bunch of other things. 

Shaunté Newby: He's got a lot of passion and a lot to share. So let's hear what he has to say. So what do you do at Leidos as a chief technologist? 

Jeff Mims: Right now, I run our corporate internal research and development portfolio. So it's a collection of some of our largest research projects meant to be super impactful across a broad range of Leidos customers.  So for about two years, I started and have been running our Zero Trust investments. So our cybersecurity and strategy around Zero Trust to help Leidos maintain our edge in cybersecurity solutions. 

Shaunté Newby: Why are you passionate about this work? 

Jeff Mims: Well, for one thing, I really like building things, right? I really love building software and systems. And the kind of work that we do today, it's really cool to say, 'hey, I built this and look at its function,' or, 'hey, I built this system and it saved millions of dollars' or something along those lines. Right. That's great. But the most impactful is when the stuff that I build, I actually know helps keep our country safe, our soldiers who serve this country safe. And I've worked for many years on modernizing a legacy ground fire direction and fire control software. 

Jeff Mims: And it's really good to see the most modern technology in our soldier's hands and be able to talk to them about it and work with them hand in hand on moving our country forward. That's really important.  And by the way, it's really important to note that there are two sharp sides to that cutting edge that we're talking about here. And with the most modern solutions come deeper vulnerabilities to cyber-attacks. 

Shaunté Newby: Let's dig into Zero Trust. I want to learn a little bit more from you about what it means and why we should care about it. So from what I understand, Zero Trust is less of a thing or a technology. It's really a mindset or an approach to security technology. Can you elaborate on that? 

Jeff Mims: Absolutely. That's very true. Zero Trust is it's a whole new way of approaching cybersecurity, starting with, very appropriately, the mindset, right? Where we assume that there's a breach or one is imminent, right? So there's a breach, a compromise. This philosophy is it's very different from traditional thinking, which is if we build a wall big enough, we can keep all the bad guys out. Well, eventually the bad guys will master flight and make it over our walls. And then what? Well, that's where Zero Trust philosophy says to protect the inside just like we do outside the walls. 

Shaunté Newby: Does this mean the elimination of trusted zones, if you will completely, because now that you've mentioned people getting in. So now that they're in there, there's you don't trust anything that's going on with their actions? 

Jeff Mims: Yeah, that's actually a major point of confusion with Zero Trust because the name it's a misnomer. It doesn't really convey the thought. If we reduce trust to absolute zero, all of our technology stops working completely. If we flip the old trust but verify mantra around, and indicate that 100% verification is the most important part versus the Zero Trust part, I think that gives a little better idea of what we're headed for with Zero Trust. We're essentially using technology to earn granular levels of trust, applied to a wide variety of identities, requests, equipment, and resources. So we're earning the trust versus saying there's never going to be any right. We're going to limit the trust, especially the trust that doesn't have any basis. That's implicit. There are no criteria for that trust. 

Shaunté Newby: So, this isn't how we've always approached security. So when did the shift really start to happen? 

Jeff Mims: It's been almost a decade since we figured out that we need to secure inside those perimeters, but Zero Trust didn't really move to the mainstream until recently. So in May of 2021, the president signed an executive order aimed at improving cybersecurity, that among other things does a really good job of defining Zero Trust the principles, and it mandates the adoption of technology to implement those Zero Trust principles. So that's really important and that's really pushed it into the mainstream, but it's definitely something we've been thinking about for a while. 

Shaunté Newby: Okay. So let me see if I have a good analogy that our listeners could probably relate to, and that this will also show if I understand it. So sounds something like the idea of needing a key card to enter a building, but instead of just going anywhere in the building overall, you also need key card access to various points in the building and various rooms. Is that a good way to explain this? 

Jeff Mims: Yeah. At a very high level, it is. To gain access to any resource, IT resources on a network essentially, you need to verify your identity every single time, as well as your entitlement to that specific resource or to that room in your example. So we not only swipe the key card at your specific room, but we also check some other factors to make sure you are really the person holding the key card still, but here's where it gets kind of science fiction-y. You swipe the key card once at the entrance to validate it's really you, say with some sort of biometric or something else, right, in the Zero Trust architecture example, we're actually going to bring the room directly to you like some sort of boundless elevator. So you don't actually have to walk the corridors and look around, you swipe the card and the room comes to you. 

Jeff Mims: So if I could maybe switch to the castle metaphor, we like our castle metaphors in Zero Trust, and this castle has key card access. So don't worry. Historically, the best practice was to take all of our valuable data on our applications and build a giant wall around them, fortify that wall and concentrate the defenses at that main gate, right? That's the vulnerable spot. To get inside the castle, you verify your identity, that's your key card, right? And when you walk into your building at the office and it'd be good to know the origin of every visitor, where you come from, from a network perspective, we do try to check that.  And if we recognize you and we recognize your point of origin, we open the gate and we let you in. And once you're inside the castle, you have the freedom to move around. You can try every door, you can peek in every window. 

Jeff Mims: It's not to say that in a traditional network architecture, every door is open, right? And that your key card works for every lock, but you do have the ability to move around laterally from one service or data set to another within the network. So within the castle, you can walk around and see all the different houses and shops and the different doors and windows and things. So from inside that perimeter, there are no enclosed corridors within those walls, right? So a malicious user could leave eavesdropping devices, viruses, and all sorts of other bad things inside the castle walls. Zero Trust architecture came up with this analogy of moving from enclosed castles. What we've been talking about at Leidos are open cities where we have sensors actively monitoring traffic, right? 

Jeff Mims: So in case this isn't like lights and signs that you can ignore actively monitoring traffic, creating unique pathways directly to destinations so that every destination has this micro perimeter defense leveraging the city police force, right, to check your identity, background, et cetera. So what it means is instead of giving you the address to go visit in a city and a map and multiple roots and all those kinds of things, Zero Trust uses this broker that builds a tunnel from wherever you need to go directly to where you are with no stops and no visibility and other traffic. And once you're disconnected, the tunnel's gone and you can't get back to the service without asking that broker, essentially that gate guard, to get you back to the room you need to be in. 

Shaunté Newby: Okay. So this is probably a terrible example, but it sounds like to me, I thought about monopoly and they're like, do not pass, go, go straight to jail. It's like, don't look at anything, go straight there. And it sounds like what you described is like, you're going to go straight to where you are assigned and that's it. You can look, but you can't go anywhere else. 

Jeff Mims: That's right. And the way we do that is by bringing that place to you. So we bring jail to you. 

Shaunté Newby: At this point, we have a pretty good idea about what Zero Trust actually is. But the biggest question here is why? What makes the Zero Trust approach the right one? There are a lot of reasons that Jeff will explain in a moment, but one I want to highlight before we get into it is that attacks most often have some sort of insider or information that allows the attacker to get in. By limiting access at all points, especially on the inside, we're limiting the ability of attackers. That's part of what Jeff explained when I ask why embracing the Zero Trust mindset is so important. Let's hear more. 

Jeff Mims: The mindset is really just that of acceptance that it's necessary. And so why is it necessary? I give you two top categories of why. The first is the increasing complexity of the technology environment itself. It used to be, that you wanted to run an application, you put it on a server, you host it, and you made proxy access into that server. But today we're running systems, hybrid multi-cloud applications that span multiple on-premise locations, and co-tenant environments in the clouds. We have a growing data scale that's harder and harder to protect, the attack surfaces are enormous. In other words, the IT environment is so complex that it's much, much harder to protect. And when you think about it, I have multiple locations that I own, some that I don't own, et cetera, and I try to draw a wall around those to try to draw my perimeter and protect it is very, very difficult, right? 

Jeff Mims: So that's number one is complexity. Number two is the increasing scope of cyber-attacks, and more importantly, the increased sophistication of attackers and the offensive technology that they're using. So we have nation-state actors, and cyber-criminal organizations, and we also have smaller groups that are creating more dangerous attacks using technology that are just as sophisticated as some of these very well-funded adversarial state actors and criminal organizations. They're using artificial intelligence and machine learning, they're able to get insider information, there are even attackers that offer their attacks and ransomware and other things as a service to other organizations to exploit organizations. So we've seen all sorts of high-impact cyber-attacks, things like SolarWinds and ransomware attacks and others.  And so many of these attacks even against the hardened targets, and when I say a hardened target I mean an organization that already has comprehensive security, accreditation processes and things to validate their compliance with current standards, they rely on some sort of insider information. 

Jeff Mims: It could be unintentional, compromising legitimate credentials, say from a successful phishing attack, someone gets a legitimate user ID, password, and so forth. But the end result, it's a bad guy with inside information. And so Zero Trust focuses on hardening that center, not just the edges. So it assumes there's always some sort of compromise. It doesn't matter if it was intentional or accidental. So we finally accepted that while these rules, the cybersecurity policies, accreditation, all those things, they're very, very important, but no matter how strictly we follow those rules, there's always going to be a way in. And that acceptance is really the mindset that has changed the technology environment. 

Shaunté Newby: You keep mentioning, don't trust anything. So I'm wondering how true to the definition of zero are we really going here? And will there be people that have all-access passes in organizations? 

Jeff Mims: Yeah. Privileged access is certainly an interesting aspect of Zero Trust. We always want to give the least privileged necessary for a job function, right? That's always going to be the case with cybersecurity, but there are jobs, administrators and so forth who need fairly expansive access. Ideally, we should try to segment that privileged access that we hand out distributed across multiple people, separate the duties, and we want to take steps to protect our data wherever it is. So even if our data is in a public cloud facility, it's on hardware we don't own, serviced by admins we don't know. We need to employ encryption and key management for encryption keys to protect that data. 

Jeff Mims: So it's another key element of Zero Trust, reducing the need to trust the hardware, the facility and the external admins like third-party admins because the data is encrypted and the keys are safe. So those folks may have access to the computing environment and the hardware, and they can pull the data, but the data are actually encrypted so it won't do them any good. Now there will certainly be organizations that can't afford a big separation of duties, and there are places where it doesn't make sense for efficiency or logistical reasons. There could be tactical reasons in the military and other places where there are only so many people that can do those jobs. 

Jeff Mims: And in those cases, we just need to fully understand the risks that the individuals carry that have these elevated privileges and make sure that we understand not only the possibility of intentional harm, but small mistakes, and unintentional things that could allow those super user credentials out into the wild. And sometimes it's not user credentials, it's also machine credentials, service credentials, certificate servers, and other things that have elevated privileges. So all those things need to be confined and used only for their specific purpose, right? It's the same reason we don't allow administrators to log into their machines daily as an administrator. They log in as a normal user and escalate when they need to. So it's important to try to keep it as separate as we can, but realistically, you're right. There are going to be some people that have all the keys to all the doors. It's just the nature of a lot of our systems.

Shaunté Newby: Earlier in the interview, Jeff mentioned that despite Zero Trust being around for about a decade now, the major shift is only in the past couple of years. The real turning point was a 2021 executive order that mandated federal government organizations to adopt a Zero Trust strategy. We'll learn more about what influenced that order shortly, but first, because of how new this cybersecurity mindset is to these organizations, there have been some challenges. Jeff had a lot to say on that. 

Jeff Mims: The dilemma though, is that most of our government organizations, they now have mandates. And the first mandate was to put together a roadmap for Zero Trust, but they don't have funding. They don't have new funding to meet those mandates. So they have to understand, are they going to make some sacrifices? How do they get that roadmap in the first place? And they're not entirely sure what type of change will be required. So I mentioned a sweeping refresh of hardware is very, very expensive versus just changing software, right? And even software at a certain scale, it can be extraordinarily expensive. So they don't really even know what kind of budget they need yet for that three to five-year plan. But we are in the Palm cycle and we're starting to see organizations getting appropriations for Zero Trust, so that's really important. We're starting to not only see the mandate for it, the acceptance and buy-in by organizations, and the roadmaps, but funding is starting to come. And so organizations have to start taking that roadmap and understanding how they're going to use that funding going forward. 

Shaunté Newby: And so outside of the funding, there's also the challenge of getting people to take new steps and change their behaviors. It sounds like a lot. Is this something else that's been difficult? 

Jeff Mims: I think most of Zero Trust right now is not all that obvious to users or it's forced on them. On the engineering side, there's certainly a lot of curiosity and eagerness to understand and embrace Zero Trust, right? To start incorporating it into new solutions or existing security practices, but users, I think they don't normally see it. And when they do, it's put right in front of them. So generally I don't think this is a problem that's any different than teaching standard cyber hygiene practices. 

Shaunté Newby: So an interesting aspect of all this that came up in the research before we met was the impact this mindset has on the supply chain for software. Can you first start by explaining what exactly that means? 

Jeff Mims: Sure. So think about if you were building a car, you'd want to know where all the different parts of the car came from because you wouldn't want one to suddenly go rogue on you. And it's the same when we talk about software because software, back in the early days when I started building software, I probably built almost every part of that application myself or the team built all the applications. But today a very small part of new applications are built by hand. They're mostly built from modules that are reused and pulled in from other places. It could be purchased commercially. They could be open-source kinds of things, Apache, et cetera. And we need to understand all the components that make up a software application that the software engineers and designers and architects and things didn't actually write, but reused. So reuse is very, very important. 

Jeff Mims: And we want to encourage lots of reuse, modularization, having smaller and smaller parts so that they can be reused more readily, super important. But when we reuse, we want to understand the origin. We want to understand the rigor that the software was tested with. We want to understand the intentions that the person had and how carefully has it been screened for any unintentional vulnerability or intentional malware types of things. 

News Clip: America under virtual invasion. That's what Senator Dick Durbin is calling a massive Russian cyber-attack on US government agencies. 

Shaunté Newby: At the end of 2020, America suffered an incredible cyber-breach that has come to be known as the SolarWinds attack. Jeff has already mentioned it in this interview. 

Jeff Mims: We've seen all sorts of high-impact cyber-attacks, things like SolarWinds and ransomware attacks. 

Shaunté Newby: The attacks sparked major cybersecurity discussions in the country. 

Anne Neuberger: We're absolutely committed to reducing the risk of this happening again. And federal network cybersecurity needs investment and more of an integrated approach to detect and block such threats. We're also working on close to about a dozen things, likely eight will pass, to be part of an upcoming executive action to address the gaps we've identified in our review of this incident. 

Shaunté Newby: That's White House Deputy National Security Advisor Anne Neuberger. In February, shortly after the attack, the White House held a press conference to discuss what happened and what's next. That executive order she spoke about was released in May of 2021. It's the same one we referenced earlier in the episode. In that order, organizations in the federal government were mandated to adopt a Zero Trust architecture. I had Jeff explain a bit more about what exactly happened and how Zero Trust plays into this all. 

Jeff Mims: This is a software supply chain attack essentially. And what we had is we have software that a large number of customers, somewhere between 20,000 to 30,000 customers, we believe, were affected here. So some have called this the largest scale, most sophisticated attack ever. And this includes government customers, commercial, and all kinds of other customers that were using SolarWinds Orion to monitor network performance. This means that the software itself, I talked earlier about service level permissions and accounts and things, it has access to highly privileged data about the network. And so this was an attack on a tremendous scale that compromised a large amount of information from just over probably 20,000 different entities that were using the software. 

Shaunté Newby: And so how do you think the implementation of a Zero Trust strategy would've altered this outcome? 

Jeff Mims: So the biggest thing would be software supply chain security. So we just talked about understanding every artifact. And so one of the things that's come out in the executive order and something that's been around for a while is what they call the software bill of materials. So essentially listing every component part of the software and being able to verify the legitimacy of those parts. And so it's really important. So for us as Leidos, we also have to understand that some of our complex applications may have 10,000 to 15,000 components in them. So that's a lot to understand. So we need some automation to actually understand those components, and be able to validate if they've changed since they were last pulled into the build, because one of the interesting parts about this attack, and by the way, it took many months for them to discover it, which is how they were able to collect so much data, but being able to,  the historical way of protecting code and elements of modules like that artifacts was to use a certificate to sign it. 

Jeff Mims: And that's actually where the problem occurred they obtained access to the token signing for these artifacts. And so they were able to create new tokens that were already trusted. So essentially they had this privileged access to networks because they were able to create their own certificates. And so it's one of those things where we need to be able to look not just at the validity, but how that validity was established. So we need to know for certain that a module didn't change right before the build. So we look in our repository and see the right module, but we could be talking about millions of lines of code.  So it's very easy for something to change and someone to not see it, but our systems can monitor changes at the bite level and understand them very easily with hashes and things. So we need to employ the right technology to understand what's in that build and what changes. So if we'd had better software supply chain tools, and processes in the DevOps environment that monitor those changes, I think we could have stopped this particular attack. 

Shaunté Newby: So let's talk about the future. Is there anything about the future of Zero Trust that excites you? 

Jeff Mims: I'd like to actually talk a little bit about the user experience because we mentioned a lot about users complying and other things and we certainly take a, do no harm to the user experience. We don't want to irritate the people that use our systems in and out every day. Right? So if we think back to our castle example, right, for every network we visit, we need a VPN, right? That means we establish this virtual private network connection. It's a secure tunnel. And what it does is it takes your laptop or your desktop, or even your entire local network with multiple computers. And it brings it inside the castle wall from wherever you are, that's the traditional method. And it's difficult to be inside more than one castle wall at a time. You can picture that, it's pretty hard, right? So normally to go to another castle, you have to leave your castle, right? 

Jeff Mims: Leave the big defenses for a minute and then join another VPN, which brings you into another castle wall. So that's extending a perimeter. In Zero Trust architecture, we get away from expanding those parameters and using this VPN technology. Instead, we use similar technology to create session-based, outgoing tunnels, essentially that don't have the same overhead or the same hassle. So it's generally going to be a lot more convenient. And we all tend to get frustrated with cyber security from time to time. But the other thing to consider is you only need to log in once to a lot of these services, right? And so let's say you have to log into your bank account, right? You put in your username and password. This is information that only you know, it sends that text to your cell phone, we talked about with the code in it that proves you have your phone in your possession. 

Jeff Mims: So for an extra couple of seconds, the bank has dramatically increased the security of your account by moving you to multifactor authentication. So that's a huge plus. The bank system doesn't know the computer you're on. So then it challenges you a third time with security questions, right? So that's a progressive level of security, which is in line with Zero Trust. It's based on continuously monitoring your requests. And it's good for users because those extra few seconds that you spent answering security questions, pulling out your phone, it could save you an hour or more trying to call the bank's tech support to get your account unlocked, right? If they just didn't trust you and they didn't progress, and then imagine the countless hours that you would spend if your data was breached, if someone had gotten that password and that's all that secured your account and they were able to move funds, right, you can imagine the hassle that it would take assuming you even get it back, right. Not just the expense if you didn't get it back. 

Jeff Mims: So I think overall, sometimes it feels like an extra step or two. There are some technologies that actually save time and are more convenient. And there are some that take a couple of extra steps, but I think in the end it's well worth it. It's well worth it to protect the things that we use every day. And as technology becomes more critical with more autonomous systems, with more systems tied together, more sensors and things that hang on our networks, the internet of things type devices and such that we really need to be more cognizant of our cyber security. 

Shaunté Newby: Cybersecurity is vital to organizations in the modern age. Zero Trust is the way forward to keep every part of our cyber-presence secure. And Leidos is leading that way forward. Jeff had a lot of really great insight about why and how it works, but if you want to learn even more, you can visit  leidos.com/zerotrust. That link will also be in the description for this episode. Thank you for joining me on this episode of MindSET, a podcast by Leidos. If you like this and want to learn even more about the incredible tech sector work going on to push humanity forward, go ahead and subscribe to the show.  New episodes will be live every two weeks. Also, rate and review. We're excited to hear your thoughts on the show. My name is Shaunté Newby, talk to you next time.