Recently, for the SSE Forum we had the pleasure of speaking to Jim Reavis as part of our ‘Breaking Down Zero Trust’ series. We discussed how he started his journey in IT and security, the background behind the Cloud Security Alliance and his thoughts on Zero Trust.
Jim was always interested in computers and was a tinkerer back in the 70s when he was a kid. In 1986, while he was in college getting his computer science degree, he had his first experience of what became the internet. The university was connected to a medical research center, and you could download an application to the VAX/VMS system that enabled you to back-date object code. He didn't quite understand the implications until he realised that students would wait until the computer science professor had published the perfect code for a project, then use that program to backdate their own object code and get perfect scores. That made him realise the internet could be evil!
Jim graduated in 1987 and pretty quickly got into selling PCs and networking. He soon understood that the problem at this time was connecting to the internet, and how this created a big security problem even if the blast radius was small back then. Since then he has always stuck with cyber security, as you get that wonderful blend of the technology, the science and the art, the motivations, the art of war, and all of these thoughtful adversaries. It was pretty easy for him to see it as a career, and he has now been doing it for 30 years.
Like many others, Jim played Doom as well as used the early bulletin boards to share cheat codes and secrets. He said he was pretty interested in those things but as he was a young dad at the time he had to balance those things with family life. He commented that he has always felt that gaming is going to play a bigger and bigger role in our industry and he feels we are now on the precipice of it playing a much bigger role in cyber security.
We discussed that games today have MFA as part of the login process, and Jim said his son has come to understand this as he has gotten older and has switched to a very secure approach. Jim feels that a lot of our security issues are legacy and the younger generation will help save us from that.
Jim did consulting for a long time, and also started a dotcom startup in 1998. That made him love entrepreneurial stuff which led him to do more advisory work. He then joined the Information Systems Security Association (ISSA) which he ended up running and it was that combination of being an entrepreneur and advisor that led him to start the CSA. It was all about sharing, cooperating, and trying to create a higher baseline of security everywhere. We want to compete and win for the right reasons but no one should be happy when their competitor gets hacked.
Jim realised in 2008/2009 that cloud was going to be the next big thing, so the thinking was: let's go and start building the best practices now. At this point, Jim had seen how quickly people could take an idea and, instead of getting 100 computers, build it in the cloud. There was also a Harvard Business Review article that talks about how IT will become a utility, similar to how electrification led to a power grid. This caused Jim to view cloud computing as the primary catalyst toward IT as a utility. He thought people would move overnight, but he didn't think about the long tail of legacy computing. To him, using something as a service felt so obvious. Using it on demand, like you turn on a light, is how we need to be doing compute.
You get compromised at your weakest point. This could be anywhere in your supply chain. We all need to raise our level of security. We trust all the people we are connected to. This is about educating people.
Jim said the CSA has stayed pretty consistent throughout its life, with a wide-open community, crowd-sourcing of research, making all the research free, and believing that anyone might have the right ideas. Having training and corporate events has also remained consistent. They have always tried to stay as leading edge as possible on new trends. The pandemic and working from home were big catalysts for getting them more focused on zero trust. They saw so many organisations with great security models and architectures struggling to go 100% virtual because they had assumed they would always remain in a physical environment.
Jim believed this led a lot of people to go back and rediscover what John Kindervag and Paul Simmonds had been talking about with zero trust. This accelerated the need for cloud and doing it right as people put more of their corporate jewels in the cloud. This period has been a big reset.
Jim said the CSA started to get a lot of feedback from companies that want to use the cloud that they don't really understand what zero trust is. They don't understand how it manifests itself practically and what they should be doing. How do they communicate it to the board from a business perspective? How far do we go on architectures and strategies?
Jim commented that Zero Trust should be seen as a philosophy or a set of guiding principles, as opposed to a specific technology. What they want to do at the CSA is help clear up some of the confusion by providing education and a resource center that curates all the resources that exist. Let's understand where we might take this and create a professional certification around it: a certificate of zero trust knowledge.
They want to arm people to make a difference, to put zero trust in place within their organisation, and to carry it forward with technologies that are not even invented yet or not widely commercialised. Zero Trust came from a network-centric approach, and the network is still a huge part of this. Information is no longer stored in one spot. The people will also be very important, as will devices.
Let's teach people how to think about zero trust, knowing that the technology is likely to change quite a bit, while showing them the best technology available at this time. Both John Kindervag and Paul Simmonds are on board to assist with this, as well as hundreds more.
The next step for the CSA is to look at things like tools that can benchmark an organisation on how well it adheres to zero trust principles, ways to take some of the maturity models and help people understand how to progress, or getting certification bodies and auditors involved.
Applications and data are now all over the world, in every nook and cranny. Users are no longer in data centers or on campuses; they are now remote. You now need a strategy to secure this new world. Business leaders need to be trained.
The CSA has a group called CXO Trust that brings together executives and boards of directors to discuss cyber security. They believe education is critical for people at the C level, and it's part of what they are building. The first part is to understand where people's pain points are. The top two champions of zero trust in a recent survey they did were the CTO and the CFO, with the CISO being third.
The sins of the past are now part of the issue. We used to just get things working. We now need to look at security at every level in every project to make a business run better. People need to have the mindset that everyone out there is trying to get them. We won't go anywhere if we just focus on how we harden the technology we have today. We just won't get there if we don't embed security into the business.
We need to acknowledge that this isn't just a technology problem but a people problem. There is some education that needs to be done at all levels of business. Maybe we even need to start in schools, so that when people get into business they already understand. Now is the time for us to change our approach. People are more likely to take this change on board and accept it, since the world has changed because of the pandemic.