Zero-sum Security: Zero Trust is Compromised as Long as Passwords Remain


Posted on in Podcasts

Furthering the White House Cybersecurity EO, the OMB just released a Zero Trust Architecture Strategy with one of its 5 pillars focused on identity, and requiring implementation of strong, phishing-resistant MFA for agency and citizen access. This session explores the gatekeeper role of identity in ZTA, and the business and technology challenges faced in managing access while passwords persist.

Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the world talks security.

Kacy Zurkus:
Hello, listeners. Welcome to this edition of our RSAC 365 podcast series. Thanks so much for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference. And today I am joined by our guests, Mario Duarte and Tom (TJ) Jermoluk, who will be discussing the challenges of achieving Zero Trust when continuing to utilize passwords. First, I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now I'd like to ask Mario and TJ to take a moment to introduce themselves before we dive into today's topic. Mario, why don't we start with you?

Mario Duarte:
Hi, Kacy. Thanks for the intro. My name is Mario, I'm the VP of Security at Snowflake. I have been a security practitioner now for over 23 years. I started my career as a pen tester. Wasn't very good at it but that's how I started my career in security. And then I became a blue team defender in environments and I've worked at large companies, mid-size companies, startups and everything in between. So again, thank you. Looking forward to having this great discussion today.

Kacy Zurkus:
Excellent. TJ.

Tom (TJ) Jermoluk:
Hi, I'm TJ Jermoluk the CEO of Beyond Identity. We are a startup in the cybersecurity area that's focused on trying to bring a next generation platform to the world of identity and security management in keeping with the principles of Zero Trust. So we've been working hard at this now for the last three years and appreciate the opportunity to share some of this thinking with your listeners today.

Kacy Zurkus:
Well, welcome to both of you. Mario, what I love about your introduction is the suggestion that you don't have to be good at something when you're starting out to grow and really excel in other areas. So I appreciate your honesty there. We know that the OMB recently released a Zero Trust architecture strategy with one of its five pillars focused on identity. And I'd love to start by asking each of you to share your perspective on identity as a gatekeeper in ZTA. So, Mario, let's again go back to you.

Mario Duarte:
Great. Thank you, Kacy. And just a disclaimer. My Snowflake legal team asked me to make sure to state this early on: "What I'm about to share are my opinions, professional opinions, and not necessarily the directions or opinions of Snowflake." So with that said, clearly identity is probably, in my opinion, the most fundamental of the five pillars of a Zero Trust strategy for any organization today. I can't think of anything more important and more fundamental. But identity should not just be the user. So I'm logging in, is this really Mario logging into this particular website or environment? I also want to ensure that Mario is logging in from a corporate or trusted device.

Mario Duarte:
And that really becomes fundamental to this whole model, especially with what has happened to the world with COVID, and most of us working remotely and being unable to work from inside our office. Now I would argue, and many would argue the same point, that working from the confines, the protection of your office, it seems like our systems and our access to environments were protected, but that also is really not as strong as that. But the whole point here is working remotely has really put emphasis on identifying that user, who that user is, and also identifying that the system they're coming from belongs to the company or is a trusted device.

Tom (TJ) Jermoluk:
Mario, I could not agree more. The Zero Trust architecture is one that is intended to prevent lateral movement within organizations, within companies. And there's nothing more fundamental than being able to carry your identity with you at every different point where you need to be challenged on a trust basis. But the important point when people think about Zero Trust is they have to fast forward their notion about what identity is to include that it is the person and the device coupled together, inextricably bound together that is able to provide that level of trust that's necessary.

Tom (TJ) Jermoluk:
So in the past, there have been solutions that focus on the identity of the person, and that's okay. You're trying to prove that you are you with an ID or a face biometric, a fingerprint, whatever it might be. But unless you couple that with being able to prove the ownership of that device and that you're actually on that device, that there's some way of proving that machine's identity and then coupling them so that they stay together, not just on a one-time basis that you showed it, but on an ongoing basis that you showed it, that's when you really start to be able to climb the building blocks of what you need for a Zero Trust strategy.

Kacy Zurkus:
Interesting. So Zero Trust has resurfaced as a buzzword with, I mean, it's not new, right? And this sort of resurfacing has caused a lot of confusion over what it is and what it's not. We know that Zero Trust requires controls at multiple layers, but it is also arguably the patient zero for any compromise, especially with user credentials. So what are some of the business and technology challenges faced in managing access, particularly as, TJ, you said, this coupling of the individual and the device, when we're still relying on passwords?

Tom (TJ) Jermoluk:
Well, the biggest thing is to simply understand that you don't have Zero Trust if you have a password. It's really that simple. There are no number of band-aids you can put on the open wound of passwords that are going to somehow make it secure. There's well-understood work in academia that's showing that there are no provably secure systems that can be built on top of a provably insecure, shared-secret system, which is what a password is. So I don't care how many vaults or password managers or other layers of MFA or VPNs or all the different kinds of friction-bearing things that you try and put on top of it. Until you get rid of the password itself, you're not going to have a Zero Trust architecture.

Mario Duarte:
The biggest challenge with passwords, outside of not being coupled with a device, are us. Let's just face it. We are the biggest problem when it comes to passwords, human beings. And why is that? I know there's a lot of password managers as well out there, but if you just break it down to the basics there. If you look at the history of passwords, we tried to make these passwords complicated and often changing every 60 days, 90 days, 120 days, whatever that policy compliance requirement was. It was meant to reduce folks from guessing your password, from brute force attacks. But the problem is, as we made these passwords more complicated, it was harder for us to remember them.

Mario Duarte:
And I know again, you have password managers, et cetera, but I won't go there yet, but just stay focused on this basic problem. So we started making shortcuts for ourselves, and we often see... Do you ever see those training programs at work for security training? Don't put your password on a post-it and put it on your monitor so people can grab it and they can become you. I mean, that's one of the big challenges. Think of it as kind of like your garage door opener: you leave your garage door opener inside your car and you park your car outside, and you don't take your garage opener with you because of convenience. This is the same idea as putting a post-it on your monitor. Thieves know this, and they'll break the window of your car to look for your garage door opener and then gain access to your house and potentially get access to more precious things, more valuable things.

Mario Duarte:
Another case in point, I don't know if you guys ever heard of the LinkedIn password compromise that happened years ago. Well, a lot of folks would reuse their passwords, and they would reuse their LinkedIn passwords with their work passwords, and they sometimes try to be fancy. They say, "You know what, I won't make it the same password, but I'm just going to change the last two digits of it." Maybe those last two digits are my birthday. Well, attackers got really good at this and they figured this out, and they recognize that people reuse passwords often. And that's one of the big challenges that we have today, especially when you're in the cloud.

Kacy Zurkus:
I want to go back to TJ, you had mentioned that when it comes to passwords, there's evidence there in academia saying that passwords are problematic, right? I would love it if you could each share some anecdotal evidence that you've experienced in all your years of work in seeing legacy MFA circumvented, and how this has left companies vulnerable to attack.

Mario Duarte:
With MFA, it's kind of an arms race when it comes to security, quite honestly. And while multifactor authentication has been a really useful advance in security, not all multifactor authentications are created equal. And a lot of the nefarious folks out there have learned how to circumvent multifactor authentication that's easily circumvented. An example of that, what a lot of attackers are doing now is they will do a man-in-the-middle attack between you, the user logging in, and your particular IDP, think of your IDP being Okta, or [Ping 00:10:51] or Azure, any of those. And what ends up happening is you, the user, think you're going to go authenticate to your IDP, and then you're going to enter your multifactor authentication. When in reality, because there's this push notification.

Mario Duarte:
So I'm specifically referring to multifactor authentication in a push notification. Things you potentially get as a text, or where you press a verification that that's you. Well, that can get intercepted in a man-in-the-middle. And basically the attacker will gain access to your password and your multifactor authentication token. He will then present those pieces of information to your IDP. Your IDP will send you a SAML token, which now that attacker can use to impersonate you. But it also will pass on that SAML token back to you, the user. So you think you're connected to your application while at the same time, the attacker gains access to your SAML token and they can impersonate you. And again, this is the big problem that TJ is referring to. When you don't couple the user with the laptop, the user with that endpoint, the user with the smart device that is trusted and is monitored and managed, that's when things like this can occur and be exploited.

Tom (TJ) Jermoluk:
Exactly, Mario. So we have had the circumstance, as we're selling into the customer accounts, where we would talk to them about the vulnerabilities of MFA and explain to them, and most of them understood, how you can phish an email on a user site for a magic link, for example, or why SIM swapping became an easy way to break an MFA that was using a SIM form of push authorization, and those were pretty obvious. But recently the Biden administration recommendations came out and also tried to explain to people that MFA that relied on push or MFA that relied on one-time codes, TOTP, was also vulnerable, and that agencies would no longer be using those forms of MFA. And we have a customer that had thought of those as a more advanced system and was asking, "Well, why is the government calling out those as being bad?"

Tom (TJ) Jermoluk:
So we actually went so far as to... Right with the customer, we went online, got an open source tool that's freely available, got their domain, had them do an MFA and did a man-in-the-middle hack and phished it and logged into their system in about five minutes right in front of them. So it was a good, obvious way of directly being able to show them in real time just why even those newer forms, as they wanted to think of them, of MFA aren't protecting them. So anytime there's still a password in the system, anytime you're using these out-of-band mechanisms of MFA to try and cope with the password still being there, you're leaving yourself vulnerable. The vulnerability simply migrates. The bad guys are smart too. And they just keep migrating up that chain. And until you're willing to take the step to go to a modern, completely passwordless architecture that doesn't have them there, that doesn't use these vulnerable systems, you're going to have that vulnerability in your system.

Mario Duarte:
Hey, you know, people might even say, "Well, look, if you've been a victim of phishing, your system might already be compromised. You might have downloaded a binary that's already been compromised." So it's already game over to begin with. Well, you don't have to compromise the laptop to still be a victim. If you're going on a public wifi. Okay, maybe you shouldn't. But hey, it happens. You might go to the airport, you might go to a coffee shop, just getting a DNS. If the DNS server is being compromised by that attacker, or having you been forced to download a trust certificate, these things happen all the time. They are so easy to do, they will require zero compromise of your laptop. So it's much easier to do in the real world.

Kacy Zurkus:
So some scary examples for sure, that really are things to think about, especially as people embark on building a ZTA strategy, and the ZTA strategy of the [inaudible 00:15:39] does mention strong authentication as a necessary component of ZTA and deems phishing-resistant MFA as a requirement for government staff, contractors, and partners, as well as an option for public users. And for those who can, it encourages exploration and implementation of passwordless MFA as agencies modernize their authentication systems. So can each of you maybe share some best practices for evolving MFA to prevent phishing and speak to this passwordless MFA? TJ, let's start with you this time.

Tom (TJ) Jermoluk:
Thank you. Yes, I think that the recent government requirements that came out can be taken not just as requirements for people who are selling to the government and agencies of the government, but as a great recommendation for what companies should do in general. And companies should be looking at those and turning around and asking their vendors, "Okay, what are you doing about this?" So take that as a list and say, "Are you doing X, Y, Z? And if so, what's your plan to stop doing it, since this is now the requirement clearly indicating the direction in which things are moving?" The first is, are you actually eliminating the password from the system? Not just trying to use multiple factors on top of it to hide it. So that's a real key underneath: are you actually eliminating the password from the system? Because if somebody uses MFA but the password is still there, then what very commonly happens is that the bad guys come in, they defeat the MFA with the techniques that Mario and I have been discussing.

Tom (TJ) Jermoluk:
And then they use the credential, because they stole the credential from the dark web, you've reused it from some other site, or they got it from social engineering, and they're using that credential to get in. So SolarWinds, Chesapeake, JBS Meat. All of these companies where there were break-ins, where they defeated the MFA and then went and used the credential. And so you have to start with that. Are you taking that out of the system? And then if you are, what factors are you using, and how can it be demonstrably in accordance with the ability to say it's phishing-resistant, or ultimately an unphishable solution?

Kacy Zurkus:
What is the difference between passwordless and passwordless MFA?

Tom (TJ) Jermoluk:
So when people use the term passwordless, it is very confusing because there's not sort of a Webster's dictionary of exactly what people mean by that. What we use it to mean is to say that there's actually not a password in the system. What other people will use it to mean, when they say passwordless MFA, is that the password is there in the directory of the system, but their MFA doesn't use it. So they use two different factors. For example, they will use your biometric, your face or your finger, but then they'll couple that with a push notification to your phone, where you also have to tap on it and accept the push notification.

Tom (TJ) Jermoluk:
So that's their two factors. If you can defeat those two factors and get to the directory of that system, you can find that the password is actually still there in the system. So that's the difference: a number of these companies use passwordless to mean they're not using the password, as opposed to there isn't a password. And it's a big distinction. So the government documentation is trying to move people towards saying there actually isn't a password. In a phishing-resistant sense, there's nothing to be phished; the password or the token isn't there.

Kacy Zurkus:
Mario.

Mario Duarte:
One of the things is that with the advent of newer technologies in both our laptops and our smart devices, we're getting to a point where enclave technology is available, which wasn't available to the masses at the price point that it is today. So most modern laptops, most modern smart devices, by modern, I mean the last four or five years, have this concept of an enclave technology, which basically, for lack of a better term, think of it as the [Roach Motel 00:20:27] commercial. Roaches go in, but they never come out, right? So the idea is you can store secrets that potentially are like digital signatures, for example a digital certificate, that go into these enclave technologies, these CPUs, processors, chips that cannot be tampered with, or they're tamper-resistant or in some cases maybe tamper-proof, unless you're dealing with three-letter agencies, government agencies. But for the regular cyber criminals, and without physical access to those systems, these tokens are stored on your systems and they cannot be exported out.

Mario Duarte:
That's really important. That is what's revolutionizing this whole movement where we're now going into something called FIDO2. So for all the listeners, if you have MFA, if you're using MFA and you think you're good, you're protected, I strongly encourage you to look into saying, is my MFA FIDO2 compliant? Is it capable of using FIDO2, where you're getting rid of these push approvals, push notifications, and you basically have the device having either your biometrics, your face or your fingerprints, either on your laptop or your smart devices, to do that second form of authentication of the multifactor authentication.

Kacy Zurkus:
So we've talked about this idea of phishing and the password credentials, user credentials being what the attackers are after. So in addition to the potential that a password could be stolen, what are other risks related to passwords that companies need to be thinking about?

Mario Duarte:
My goodness, I think of SolarWinds. I'm sorry, I'm not picking on SolarWinds, but it's in everybody's side drives for the last year and a half. But if you just look at that model and how that occurred, that's real, that's not just SolarWinds. I would argue that's happening across the board in multiple organizations where, let's say, you have a development environment, and that development environment you're using is probably... You're trying to make it easier for your developers to develop, right? That's their job, go and develop, reduce friction. So what ends up happening is companies have less strict passwords on their employees. Well, okay. That's a recipe for disaster. Because you could have folks who are using very easily guessable passwords that may be shared in other locations, and the attacker gains access to that password and ultimately gains access to your development code or your code.

Mario Duarte:
And they can then insert suspect code, as in the case of what happened with SolarWinds. And that's important again, what TJ is talking about is that decoupling, or in this case coupling, the identity of that user with that system. Think about it. Let's look back at SolarWinds. If we didn't have a password to compromise, and if there was, let's say, a certificate that's stored on an enclave chip. Well, what is the attacker going to do? Well, we can't really export that. Okay, fair enough. But what about multifactor authentication? Can the attacker phish that person, or get in between that communication between that user and the IDP and then impersonate that user and field the MFA, in this case a SAML token, once the user has done an MFA push? Well, now it doesn't matter. Now they have a SAML token with them. They can access anything that user can. If you can couple both the user with no password and also the endpoint to that user, and that endpoint to that company's own machines or trusted machines, I would argue the SolarWinds situation would be harder to replicate by an attacker.

Tom (TJ) Jermoluk:
Exactly, Mario. So the problem with having one person have their password compromised is that it compromises everybody. Kind of like a virus, as our ability to pass it on to other people has shown us. So that is what Zero Trust is all about. It's trying to limit the attack surface of where people can go. When I have a password and I've logged into one system, it's kind of like a castle and a moat. If I get across that drawbridge around the moat and I'm in, I can go anywhere I want in that castle and I can rob the treasury. I can rob the grain stores. I can rob the king's wine cellar. I can get to everything.

Tom (TJ) Jermoluk:
And the notion of Zero Trust and getting rid of passwords is requiring full identity of device and machine represented at any step of any application, of any check-in to any network, of any part of the organization that it might be. Why make high-risk employees compromised by some low-risk activity having occurred, where somebody got a password through careless social engineering? So passwords really are a fundamental virus for the entire organization. We have to move beyond them. I believe that within a five-year period of time, you will never be typing passwords in again. Everybody now fully realizes their complete lack of any form of security, no matter how much friction you pile on top of it, your inability to protect it, and what that means for the entire company.

Mario Duarte:
Yeah. I would like to see more movement, more adoption. Right now the companies, and I will applaud the government for doing the Zero Trust enforcement, and it's good. It's pointing organizations in the right direction, but in order to be this impactful, in my opinion, we also have to make it easier for the consumers, not just organizations but the home users. If we can get rid of passwords also for home use, for personal use, I think we're going to make a big ding in some of these security events that have occurred in the past 10, 20 years.

Kacy Zurkus:
So before we wrap up, I would love it if each of you could share some lessons learned on how companies have tried to minimize the password attack surface and done that with some level of success or even reasons why those efforts ultimately didn't work.

Tom (TJ) Jermoluk:
I can think of a couple of attempts in the past that people have made to try and deal with passwords. One would be VPNs. By having a VPN, administrators would tunnel in, as it's called, into their on-premise machines and be able to access a system there that might have had its own set of passwords in some theoretically secure way. That got very popular for administrators and on-premise devices. But when COVID occurred, people didn't have other solutions for what to do when they sent 10,000 employees home. And suddenly all those people had to work remotely, coming from their homes. And so they tried to extend the paradigm of VPNs into that world.

Tom (TJ) Jermoluk:
The problem is that VPNs reroute all of the traffic, not just the control traffic, but the data traffic. And so you have to hairpin or [trambom 00:28:04] this traffic through local pop networks, very high latency, very, very expensive to do. And remember, the VPNs themselves still require passwords, which means that they have a vulnerability once you have 10,000 people having the password to the VPN instead of a small admin group. So it was something that didn't scale, showed its vulnerabilities in recent times. And now, as people are moving to putting all of their devices in the cloud, they are realizing VPNs aren't the way that you're going to go to a cloud-hosted server hybrid environment. So that's one example.

Tom (TJ) Jermoluk:
A second would be that people have tried certificates with PKIs, public key infrastructure and certificates. But the problem is that the way they implemented them required the company to run a certificate management system, and certificate authorities are notoriously difficult; trying to figure out how to expire certificates or issue new ones or keep track of them when people copy things from one machine to another has proven intractable. And so not many people use that system, and it really showed the vulnerability of not tying the identity and the device together, because if you could copy certificates to a different device, then you defeat the point of machine identity. So those are a couple of examples of attempts that were trying to minimize this problem but didn't catch on.

Mario Duarte:
Yeah. I think that what I've seen fail oftentimes is that we try to set these, let's say, passwordless strong authentication, multifactor authentication, [inaudible 00:29:45] et cetera. And it's really great for that user community and interactions with your business applications. But I would challenge you, even if you deploy that: wherever you're still using passwords, you have a way to break all of that. So in some ways it's kind of a little bit dangerous to have this Zero Trust, because without doing it comprehensively across your enterprise, you might find yourself blind to your own belief that your Zero Trust framework is going to fix everything.

Mario Duarte:
So the key is to ensure that you know where passwords are still being used, and be almost religious, be relentless about getting rid of those passwords. Now I'll give you an example. I applaud the major cloud providers today for trying to centralize and leverage IDPs as well. And that has not been the case for many years, quite honestly. And some of them have dragged their feet, these cloud providers have. But let me give you an example of that: this thing with access keys and secret keys. And so oftentimes these access keys and secret keys behave as if they're a user login name or a password; they will give you access into the cloud infrastructure. So maybe you won't be able to authenticate to the devices, the servers, the virtual systems, but you'll have the ability to authenticate to the cloud provider's configurations and thus give you more access, potentially, to administrative rights.

Mario Duarte:
And where this is really prevalent is with developers, and please don't take it the wrong way. Engineers, we're all kind of lazy, that's the nature of engineering. We try to make things easier for ourselves. And oftentimes we'll employ strategies where we'll include our access keys and secret keys to these cloud providers, the credentials, inside our code to make it easier, to automate things. Well, we then upload these things to the GitHubs or the GitLabs of the world. And sometimes these things are publicly exposed, or even privately exposed, where whoever has access to that GitHub and GitLab code can then impersonate you and then gain access to your cloud environment. So I guess the meta message here is, if you go on this journey to go Zero Trust and go passwordless, MFA, FIDO2, et cetera, just ensure to make sure that you focus on those things that still rely on passwords, because no matter how much you think you're protecting them from the public internet, there's going to be a way for them to be compromised. As long as we're using passwords, we are opening ourselves to get compromised.

Kacy Zurkus:
You've definitely given our audience a lot to think about and really good, solid examples of why they need to be thinking about it. I am so fascinated to watch the speed at which evolution happens. And I want to know, I wish I had my crystal ball to know if, TJ, you're right about that five-year marker. Hopefully we're not having you back in five years to have the same conversation. But TJ, Mario, thank you both so much for joining us today. Listeners, thank you for tuning in. To find products and solutions related to Zero Trust and identity, we invite you to visit RSAConference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist you with your specific needs. Please keep the conversation going on your social channels using #RSAC, and be sure to visit RSAConference.com for new content posted year round. Thank you all so much.

Participants
Mario Duarte

VP of Security, Snowflake

Tom (TJ) Jermoluk

CEO and Co-Founder, Beyond Identity

Identity

access control authentication passwordless zero trust