Home Interviews “Identity-based protection is the future of cybersecurity strategy”

“Identity-based protection is the future of cybersecurity strategy”

Peter Smith

Peter Smith is the CEO and founder of Edgewise. Prior to founding Edgewise, he was on the founding team at Infinio Systems where he led cross-functional strategy for Infinio’s products and technology as VP of Product Management. Peter brings a security practitioner’s perspective to data center products with more than ten years of expertise as an infrastructure and security architect of full-service data centers and customer-hosting environments for Harvard University, Endeca Technologies, American Express, Fidelity UK, Bank of America, and Nike. In an elaborate interview with Augustin Kurian from CISO MAG, Peter discusses his journey, the scope of microsegmentation, and benefits of a Zero Trust environment.

Your journey with IT Infrastructure began in your college days while you handled infrastructure and security for Harvard Business School. From there on, you have consistently been a person who handled IT architecture. Tell us a bit about your journey that led you to Edgewise.

That’s right. When I was managing Harvard’s network very early in my career, I built an early version of a network access controller (NAC) before it was even an established category. My NAC determined who could access which resources from where. For example, a student would have a different level of access in their dorm than they would in a classroom.

Later, I joined Endeca to run infrastructure and security, and it was there that I first experienced the problem that Edgewise is now addressing. I was trying to control user and application behavior based on address-based firewall controls, but it was a nightmare. That was when I realized that I needed to control the app itself, and not the underlying address.

Coincidentally, during this time, I met Bob Gleichauf, chief scientist of In-Q-Tel and the creator of the Cisco NAC that I used to replace my original NAC at Harvard. He encouraged me to run with my idea and develop it into a product which led me to found Edgewise.

What were your initial challenges in properly implementing network security? What according to you was essentially wrong with network packets?  

To date, most of the focus for cybersecurity has been on early detection and rapid remediation of anomalous behavior or attacks-in-progress, but the sheer volume of new threats and vulnerabilities that are constantly appearing is simply too overwhelming. There are literally hundreds of thousands of new malware samples and at least a dozen new vulnerabilities discovered daily. It’s inevitable that, eventually, an attack will succeed in evading traditional network security tooling.

Access, however, is not unlimited. There are a finite number of communication pathways between applications. If these pathways can be secured, then even if an attack bypasses perimeter controls, it will not be able to continue to communicate and gain unauthorized  access to data or applications.

Microsegmentation can secure applications, hosts, and even individual databases on the network and restrict communication into and out of these “secure zones.” But most means of doing so rely on IP addresses, ports, and VLANs. Today’s networks—especially cloud and containers— are dynamic. Therefore, using only ephemeral, network-based information to make secure access decisions is highly risky and unreliable as instances spin up and down and as new applications are continuously deployed. Plus, traditional methods of microsegmenting a network can take months, even years, cost millions of dollars, and is a policy management nightmare throughout deployment. We thought there had to be a better way.

Edgewise was recently approved with two new patents on key elements for automating microsegmentation to enable zero trust security for enterprises. Tell us briefly about these new patents.

The two new patents, plus the one we were awarded in December, cover the basic pillars for extreme automation of microsegmentation within a network, which are:

Right data: Before microsegmentation can take place, the security team needs a comprehensive, accurate map of application communications pathways. One of our patents describes Edgewise’s ability to map communications through load balancers, layer-7 proxies, and NAT without deploying an agent to those devices or modifying their configurations. This patent is an important piece of collecting high-quality, high-fidelity data about network communications, which is the essential ingredient for automating microsegmentation.

Right analysis: Our third patent covers our ability to use machine learning to build the minimum number of policies necessary to secure access pathways between applications. We don’t rely on IP addresses for microsegmentation, but instead create immutable, cryptographic software identities using attributes of communicating applications, so even if the application is moved, policies don’t need to be changed.

Right control: The patent we were awarded in December describes how Edgewise verifies software identity at both ends of a network communication to ensure that only approved software communicates–denying access to malicious software and misused administrative tools.

We have eight more patents pending, but these three patents form the core of our intellectual property.

How do you propose microsegmentation for zero trust security in a cloud platform?

Microsegmentation tools that rely on IP addresses, ports, and protocols can’t protect cloud architectures. Due to the dynamic nature of the cloud, static security controls are unreliable because network constructs can change multiple times throughout any given day, or even a single session.

To overcome this problem, Edgewise builds cryptographic fingerprints for workloads, as described above. Using software identity rather than network information to build policies gives us the ability to take a uniform approach to policy creation and application identification so the security team can know with certainty that only software verified by its fingerprint is allowed to communicate, independent of network location.

Combine this software identity approach with zero trust principles — specifically, require access verification for every communication request, allow only identified applications to connect, implement least-privilege access, and update policies dynamically using machine learning—and now you have a method of microsegmentation that actually works and isn’t an operational mess.

Tell us relevance of creating a zero trust environment. How does zero trust environment fare against several vectors of cyber threats, including insiders?

The concept of zero trust is pretty simple: all communications inside the network are assumed to be potentially hostile and must be identified before they are allowed access. With zero trust, least-privilege access is applied not only to who is accessing the data, but also what, meaning the services, devices, or connections touching the data. It’s the best way to ensure network security is hardened all the way to the interior.

Concerning insider threats, there are five steps to combating them through zero trust.

First, remove overly permissive access controls that allow employees to interact with data and systems without resistance. Second, implement continuous authentication and authorization. Often, credentials are only checked one time at each juncture. Zero trust abandons the idea of a trusted user or process and requires a check on authorization and authentication every time access is requested. Previous access doesn’t determine future access.

Next, enable multi-factor authentication, which is not at all cumbersome in a modern zero trust network. Multi-factor authentication can happen automatically and seamlessly because identities are collections of multiple factors which cannot be changed by an attacker, whether it’s an unwitting insider or an external threat.

Fourth, segment the network. A modern, zero trust segmentation strategy shifts focus away from the network to what is communicating on the network, using identity as the basis for perimeterization. It continuously authorizes and authenticates communicating assets, enforcing control based on communicating assets.

Finally, take a data-centric approach. The vast majority of insider attacks happen because an employee wants to steal or destroy company-proprietary data. So, put security control as close as possible to the thing attackers want: the data. A zero trust network places the strongest protection around the most sought-after assets instead of the environment in which the assets are communicating.

Edgewise’s product portfolio claims to detect load balancers without relying on IP addresses or ports, without installing an agent on the load balancer. What are the benefits of such a system? How reliable are they?  

Like many network tools, the presence of load balancers is generally detected based on network constructs such as IP addresses, ports, and protocols. But in modern networking environments that include cloud, serverless, or containers, the network architectural information changes constantly, which makes it hard to detect load balancers. And if they’re not detected, both they and the traffic that flows through them will be unprotected.

We use machine learning and statistical methods to find load balancers that otherwise would go undetected, and we can do so without installing an agent on the load balancer itself, which is important because in some environments such as the cloud, installing an agent isn’t possible.

The system takes as little as one second to map the load balancer, NAT, and proxy entry/exit points. Once those points are mapped, the ongoing connection tracking is 100% accurate. This mapping process occurs during the initial ML learning period and provides the highest quality data to the ML policy automation process.

What are future plans of Edgewise? What is the future of cybersecurity?

Edgewise will continue to advance security’s and operations’ ability to rapidly and automatically discover and microsegment their networks to achieve zero trust. We strongly believe that zero trust is going to be the foundation of all security control in the future, and that companies must adapt how they protect their networked assets. A layered security strategy is the best strategy, but it’s time for companies move the most hardened control directly to applications and services instead of the network. Networking is going to continue to change — 15 years ago we couldn’t have conceived of containers — but what isn’t going to change is the data organizations need to protect. Protecting the data first is key to preventing full-scale data breaches, and I think identity-based protection is the future of cybersecurity strategy.