Transcendent Tango: The Role of Cryptography in Establishing Zero Trust Identity


Posted on in Podcasts

In the same way that the tango begins with foundational steps, the layering of device, application/workload, and user identity forms the foundation of Zero Trust security, each intentional step weaving together to create an intricately coordinated pattern. Join us as we take a look at the cryptographic dance between keys and identity that forms the basis of, and maintains, Trust in a Zero Trust world.

Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the World Talks Security.


Kacy Zurkus:
Hello, listeners. Welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host, Kacy Zurkus, Content Strategist with RSA Conference. And today I am joined by Karen Reinhardt, Principal Engineer of Cryptographic Services at The Home Depot. Before we get started, I want to remind our listeners that here at RSAC, we host podcasts twice a month and I encourage you to subscribe, rate, and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Karen to take a moment to introduce herself before we dive into today's topic. Karen, over to you.


Karen Reinhardt:
Hi Kacy. Thank you. Well, it's a pleasure to be here today. So I'm the, as you said, the Principal Engineer of Cryptographic Services. I'm basically in charge of all keys and certificates in Home Depot, and that's what I've been doing for a number of years. I've worked in identity. I worked for Verifone with keys and certs. I worked for RSA with keys and certs. So as you can tell, I have a good love of keys and certs. Sometimes it's a love-hate relationship, but I keep coming back, so that's why I'm here today.


Kacy Zurkus:
I love that. Welcome, Karen. It's so great to be with you, and a great welcome back to the RSA Conference platform. I know that in June you delivered one of the RSA Conference 2022 top-rated sessions, which was called Searching for the Grail: Zero Trust Cryptographic Keys & Services. So kudos to you for that. Can you tell us maybe a little bit about what you covered in that session? It does live in our library, so anyone who hasn't viewed it is able to go back and take a listen and watch.


Karen Reinhardt:
Oh certainly. And I don't know, it was, I think it might have been beginner's luck. It was my first full session. So I'm quite honored to get in a top rated session. So I'm used to looking at Zero Trust from identity, but I decided to look at it from the cryptographic side. And as I did that, I noticed something, that the cryptographic keys and everything are already Zero Trust. And that's what I started to do my session on. From my time at Verifone, I noticed how they would make cryptographic worlds with their terminals and these terminals sit all over the world, and this is stuff that's been going on for decades.
So I started looking at all of the cryptography against Zero Trust and went from there and that's where I was really excited to see that the encryption in particular is a major part of Zero Trust now because that's how you have boundaries without perimeters. In other words, I don't have firewalls or anything, but I can have these Zero Trust perimeters all over the place, these Zero Trust worlds. And they're all based on keys and certs, and that works for both. As I looked at it, I looked at the encryption, but then I realized that it's also used for identity. And that's where the idea to bring it forward for this session came from of, as I looked at it going back and forth between encryption and identity and cryptography, it starts to look kind of like a dance.


Kacy Zurkus:
And I love that analogy. So can you tell us how that all led us to the tango?


Karen Reinhardt:
Well, tango's... PKI doesn't get to be sexy very often, so I chose this sexy dance.


Kacy Zurkus:
I love it.


Karen Reinhardt:
But really coming back, because go back to the early days of security. We've got distributed computing just started. You've got mainframe. You've got password files all over the place. Nothing's encrypted and everybody's honest. So that was that world. And as we figured out that people weren't honest, what's the first thing that happened? You encrypted the password file. So what's in the password file? User names and passwords, the first identities. So that's where, as I said, even from the very beginning you can see that dance starting of, well wait a second. I can't assure my identity unless I protect my credentials, but I need to encrypt to protect my credentials for them to be worth anything. So as you can see, there's this back and forth that keeps going. You can't have strong identity without encryption.
But then it even gets... A tango can be a very complicated dance at times if done right so it gets even more complicated a little bit because you have signatures. So you have the identities that are used to log on and get access. You want to encrypt them, but then you also have identity in that you want to know where someone's coming from or what came from somebody. And was this really from you? Signing an email or signing a file. So that's where you also get cryptography coming into identity through the signing and as a verification. So if you're looking at authentication and identity authentication, think of it as signing a token. Okay, I encrypted the user's password, the user logged in, did all that. We decided what they have access to and now we're going to give them a token. How do we know that token's good? Well, you end up with signing the tokens to know that it came from a verified source that actually double checked the identity.
So that's where, as I start digging apart authentication and access management, you'll see that from the very beginning, I've got encryption in there. And then as I get into how to do more single sign-on and make this work at a more expanded and scalable level, I start dealing with not tokenization per se for identity, but with, you've got the Kerberos tokens, you've got OAuth tokens. There's a number of different forms, and signatures are a way you deal with them. Not PKI signatures, but it's still cryptography. So that's why I said that, is as I started to look at it, it starts with basic steps but then gets more complicated into this, in my mind, beautiful dance. Now I will say I'm a nerd, so my idea of beauty might be different than some other people's.


Kacy Zurkus:
No, not at all. I actually love it because it does create this very visual image for folks and it conjures up this beautiful dance that we can look at and see the beauty of the performance. But you're right. When you break down that performance, those steps are really complicated and putting those steps together in the right sequence is what matters. And we kind of take for granted the outcome of all of that hard work. So I appreciate you sort of getting down into the weaving process of how all of these things come together. I've definitely heard it said by many that identity forms the foundation of Zero Trust security, which is what we're talking about today. Yet identity does remain this sort of siloed effort that is sometimes, and unfortunately so, still disjointed from the security organization. So can you talk to our listeners about your approach to this cryptographic dance and who are your best dance partners?


Karen Reinhardt:
Well, the identity people. On that, and this is where getting creative with the new cloud, having to span things from our data centers up to cloud. And I know a lot of enterprises are going through this and figuring out how to make all these pieces work together. That's been the challenge. So if you think about the cryptography and how can it help identity. So first of all, how much can I trust that identity? What's the assurance level? Think about your driver's license. Obviously your driver's license has a lot higher assurance than your library card because of the checks and balances they do on it. So it's the same with identity. So it really goes back to, what are the credentials protected, how are they presented, what are they doing? And then that's where...
I have an interesting idea and SPIFFE kind of does this somewhat too. So you've got the new SPIFFE certificates and stuff for identity, for workload identity. And that's where you look at signing. So if you look at, how do I make an identity be good everywhere? And that's where I started looking at actual personal identity. Passports, birther docs, driver's license. I made the joke about the library card. All of these are different assurances based on who signed it and how much you trust them and what they did. So that's where I think going forward as we move to the Zero Trust world where we truly need identity to be good across barriers. That's where it's going to depend on who signs it. Who trusts it depends on who signs it. And by signing the identities and using this fabric, we can actually create that Zero Trust world where it doesn't matter where you're coming from. It matters who you are and how much assurance I have that you're under control, et cetera, et cetera. Does that make sense?


Kacy Zurkus:
It does. It actually makes so much sense to someone who doesn't understand cryptography. So hopefully it makes even more sense to the folks out there like you who do get it. Karen, before we wrap up, I would love if you could share any parting words of wisdom with our listeners today.


Karen Reinhardt:
I guess the biggest thing is think outside the boxes. We're so used to thinking about perimeters and perimeters are always going to have some... We're never getting rid of firewalls, at least not any time before I retire, I'm pretty sure. But we're attaching to everything from everywhere now. Think about the internet of things. So that's the thing about, as we keep scaling out, remembering to apply these controls everywhere. There's no such thing as, it's okay. We're just going to trust it because it's here. We have to apply strong controls no matter where it is.
And that's the true secret of Zero Trust is the internal controls should be the same as the external controls. And that's where it all goes back to the end user, the end device, the end identity, and how it flows together with workload identities and everything. So that'd be just... Think of the bigger picture and that you do need the controls. And what I'm finding is it's very freeing because I no longer have to care about was that a DMZ or where's that sit? I just know this is what we're going to do. We're not going to trust that it's safe.


Kacy Zurkus:
I love that. That is lots of great advice, Karen. Thank you so much. It was great to have you with us today. Listeners, thank you for tuning in. To find products and solutions related to cryptography, identity, and Zero Trust, we invite you to visit rsaconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. Please keep the conversation going on your social channels using the hashtag #RSAC and be sure to visit rsaconference.com for new content posted year round. Thank you so much.



Participants
Karen Reinhardt

Principal Engineer, Cryptographic Services, The Home Depot
