The world is more than 18 months into the COVID pandemic and one thing is for certain: business and life itself are not going “back to normal” any time soon – if ever.
The changes forced on organizations by COVID are simply too substantial. They range from the shift to remote work and the (permanent?) end of office culture, to a wholehearted embrace of digital transformation and cloud computing. Sure, these things started out as temporary responses to a mortal threat. A year and a half later, however, they’re deeply entrenched – the building blocks of a new, post-pandemic “normal” for the business world.
Remote Work Poses Security Challenge
But securing that new normal won’t be easy – as incidents in the last year have shown us. The shift to remote work has pushed the enterprise perimeter out to thousands or tens of thousands of vulnerable home networks. It has increased reliance on VPNs and other remote access technology, and cybercriminals have taken note. The compromise of Colonial Pipeline, after all, came by way of a vulnerable VPN concentrator that Colonial’s internal security assessments and “red teams” overlooked.
And then there’s the problem of all those investments organizations made before COVID. Just because workers have gone remote, doesn’t mean that organizations don’t still rely on legacy infrastructure and code that is old enough to drive – if not drink.
Fifty Shades of Hybrid
What will it mean to secure this new normal? In this spotlight edition of the podcast, Cathy Spence, a Senior Principal Engineer at Intel, joins us in The Security Ledger Podcast studios to talk about what the post-COVID new normal will look like. For Cathy, the future looks a lot like the present, with recent developments like the shift to remote work more or less permanent. Still, every organization is going to have to find its own way of supporting remote work without compromising its core mission. Intel, she notes, is in the business of making lots of actual stuff (like silicon chips), so going 100% remote simply isn’t an option.
“Most enterprises were designed to support everyone working from home during a snowstorm. It’s another thing to have everyone working from home for a year and a half.” - Cathy Spence, Intel
Cathy’s day job at Intel is as the Chief Architect for Intel Commercial Client Platforms. So she has spent a lot of time thinking about the IT needs of large corporations. Post-COVID, she imagines a future with a thousand shades of “hybrid” work. That state of play will greatly complicate the work of security teams and security vendors, who won’t be able to make assumptions about what any customer’s post-COVID “normal” looks like.
Operationalizing Zero Trust
In this interview, Cathy and I talk about the myriad ways that COVID-19 has shaken up the status quo and shifted the battle lines of enterprise security. We also talk about the work she is doing at Intel to distill key components of Zero Trust networking to work “out of the box” with Intel-powered products.
To start off, I asked her to explain the difference between commercial and consumer laptops and how the different use cases influence the design of the device.
(*) Disclosure: This podcast and blog post were sponsored by Intel. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
[START OF RECORDING]
PAUL: This episode of The Security Ledger podcast is sponsored by Intel. Intel is an industry leader creating world changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, Intel continuously works to advance the design and manufacturing of semiconductors to help address customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, Intel unleashes the potential of data to transform business and society, for the better. To learn more about Intel’s innovations, check them out at Intel.com.
PAUL: Hello, and welcome to this Spotlight edition of The Security Ledger Podcast, sponsored by Intel. I’m your host, Paul Roberts, the Editor In Chief at The Security Ledger. In this episode of the podcast:
CATHY: If you kind of think about before the pandemic, most enterprises were designed to support everybody working from home during a snowstorm. But it’s another thing when you have everybody working from home for a year and a half.
PAUL: The world is more than 18 months into the COVID pandemic, and one thing is for certain: business is not going back to normal anytime soon, if ever. The changes forced on organizations by COVID from the shift to remote work to an embrace of cloud-based applications started out as temporary measures in response to a mortal threat. But they’re the building blocks of a new post-pandemic normal for the business world. But securing that new normal won’t be easy. The shift to remote work has pushed the enterprise perimeter out to thousands or tens of thousands of vulnerable home networks, and it has increased the reliance on VPNs and other remote access technologies, with cyber criminals taking note. And of course, just because workers have gone remote doesn’t mean that organizations don’t still rely on legacy IT infrastructure and application code, much of which is old enough to drive, if not to drink. What will it mean to secure this new normal? In this Spotlight edition of the podcast, we’re joined by Cathy Spence, a Senior Principal Engineer at Intel. Cathy and I talk about the myriad of ways that COVID-19 has shaken up the status quo and shifted the battle lines of enterprise security with the focus of policymakers and the security establishment on zero trust networking. She and I talk about the work that Intel is doing to distill key components of zero trust so that they work out of the box with Intel-powered products. Cathy’s day job at Intel is as the chief architect for the company’s commercial client platforms. So to start off, I asked her to explain the difference between commercial and consumer grade client systems and how the different use cases influence the design of the devices.
PAUL: We all kind of know this intuitively that businesses buy different types of laptops, desktops than consumers or students or whatever. What are some of the special types of features that businesses demand of their laptops and desktops and that end up as part of the systems that you build?
CATHY: I get that question a lot. What’s the difference between a commercial PC and a consumer PC? And the base platform itself is largely the same. But you have to remember that commercial devices are corporate owned, so they tend to be a little more robust. Believe it or not, people don’t take care of them as well as they might take care of their own personal PCs. It’s kind of like a rental car. And think about how people treat those. So your commercial PC needs to be more robust. And then you have to think about that’s a corporate asset. And so the company needs to be able to find their PCs and know how they’re operating, secure them and so forth. So my team actually focuses on adding those unique capabilities that strengthen the security and the performance and the technology needs for modern workforces. And, for example, like business devices, you know, they normally contain all the corporate data. Right. And therefore they require the additional security reinforcements. Our best for business platform Intel vPro, it comes with Hardware Shield, which is a set of strong hardware enhanced security features that gives more heavyweight protection to the corporate assets.
PAUL: Historically, one of the big concerns, obviously, with corporate laptops was theft and loss of the data that’s on the laptop because it’s not in the hands of thieves. Obviously, with COVID and the huge transition shift to work at home and remote office in the last 18 months, a whole crop of new risks has come to the fore as being really relevant for companies. Can you talk just a little bit about how the pandemic has shifted the conversation on the security of these corporate assets?
CATHY: Oh, absolutely. The pandemic was hugely disruptive. So if you kind of think about before the pandemic, most enterprises were designed to support everybody working from home during a snowstorm. But it’s another thing when you have everybody working from home for a year and a half. You know, many companies had to rewrite their business processes to keep everybody productive from working from home. And then they had to address all those challenges that come from working outside of the office, everything from your basic security hygiene, like, as you mentioned, who can see your data or overhear you speaking in the next apartment over maybe. And even things like remote security patching has been very challenging. So depending on that enterprise on how far along they were with adopting modern practices, some organizations were better prepared than others for all that disruption. So I think the biggest thing before the pandemic, everybody was moving towards what was called digital transformation, modernizing over the cloud. And then what happened with the pandemic is it accelerated everything.
PAUL: Yeah. It’s like you strapped a rocket engine to the digital transformation plans basically. And said, instead of doing this in the next three years, let’s try and do it the next three weeks.
CATHY: Right. Well, they did it in weeks or a few short months of what they had to do. And I put a lot of stress on even like the corporate VPN, how do you dial in and kind of get access to your apps and your data? And so they had to do all kinds of different things, like, you know, implement split tunneling, right. So that you didn’t have to bring all the traffic back through the enterprise and redo how they do support VPN. So it’s been a big, huge change in 2021.
PAUL: Necessity is the mother of invention. I mean, looking back on that period, can you think of some kind of cool innovations or discoveries or realizations that we might not have, but for COVID and the pandemic?
CATHY: Well, I don’t know that there’s, like, brand new things. I think the security landscape has been extremely challenging with, you know, some pretty high profile cyber attacks, you know, like, for example, the Colonial Pipeline ransomware attack or the SolarWinds supply chain attack. And through that, I think that 2021 has really become the year of zero trust. I think at least that’s what they say out in the industry or predictably that it’s going to be. I think everyone is trying to figure out what that means. And even now, I don’t know, it looks like we’re all going to be able to go back to the office. And now we’re not sure. And enterprises are really trying to think about what their work models are going to be. Right. So those zero trust kind of models have been really accelerated, and there’s been some innovation in that area.
PAUL: You mentioned the zero trust. This is the term du jour or term of the year. I’m not even sure what that is in French. If everyone from the federal government on down is talking about this as the paradigm that we all need to move to sooner rather than later. Talk, I guess, about your definition of zero trust. And when we think about Intel, obviously, we think about some of the contributions you’ve made in hardware based security things like the trusted platform module. How does that, you know, hardware based security root of trust and so on slot into the zero trust model as it were?
CATHY: Okay. Let’s start with the definition. Right. Personally, I subscribe to the NSA’s definition, right. They have a great paper on embracing a zero trust security model if anybody hasn’t seen that. But I define zero trust as an architectural approach in a mindset. Right. So, you know, don’t trust anything on steroids, really. And you’re always verifying explicitly and continuously. You just have to assume you’re under attack and make sure that you’re limiting the damage of your high value assets. Right. You just want to try to protect them as much as you can. So it’s a combination of monitoring and then also implementing a least privileged access to access. So zero trust doesn’t stop at a network or a system. You can apply it all the way down to the silicon and for us, it’s about making sure that below the OS that it’s protected. And that’s because that’s the foundation of your entire security stack. So we’ve seen more and more attacks that are happening below the OS. So having that hardware based root of trust that’s going to be super important as we move forward.
PAUL: So among your other super powers and accomplishments, you’ve done a lot of work around security frameworks and standards for cloud computing. And obviously we were talking about digital transformation. I mean, a huge aspect of that is moving workloads from traditional IT environments to cloud-based applications and cloud-based storage, and so on. Can you talk a little bit about specifically the migration to cloud? And obviously, once again, COVID put a rocket booster on that transformation as well, and how that is going to impact some of the security planning and how it should impact the security thinking of companies that are doing that where the digital transformation really involves a big shift from on-prem managed IT assets to cloud manage.
CATHY: Yeah. Well, there’s a lot to that for sure. Yeah.
PAUL: I tend to ask really long winded questions, and I don’t know it’s not because I’m getting paid by the word. I’m gonna tell you that.
CATHY: I’m trying to be distinct in my answers. So I think that so as I mentioned earlier, right. Everyone has rewritten their business processes to be more effective when everyone’s working from home and things are not going to go back, they’re not going to go backwards. We have to keep moving forwards. When you think about your applications and your data and you want to protect your data that you have different kinds of you know, you have to understand what your data is, right. Where’s your high value data versus your not high value data and how you should have access to that data and your applications, right. So you have the applications that are maybe the newer ones that you want to get that you’re trying to modernize, and then you might have older legacy applications that you don’t want to trust, or rather, you don’t want to touch it, because in my break, I mean, we’ve had customers tell us that they have apps that are old enough to drink, drive and boat, and they don’t want to touch those applications. So dealing with your legacy applications and how you might encapsulate those and kind of deal with those. And there’s different ways that you deal with those legacy applications and then your new applications that you want to modernize and really take advantage and really build the whole zero trust in right from the start, because I don’t think it’s just about your network. I think you know, your app understanding, too, when you can have access to different kinds of data based on not only the user who’s accessing that data, but also other, more hardware oriented, you know, identification like the hardware’s identity. Is this an authentic platform? What’s the security profile of that? Where is it located right now? There’s all kinds of different factors that you have there that can go into that least privilege model of when you want to provide that access and when you don’t.
PAUL: Maybe some kind of biometric authentication on the device itself, right. I mean, something like that.
CATHY: Well, you could do that, too, for the user. So I think that there’s…
PAUL: User plus device, right.
CATHY: Understanding who the user is, right. And in some cases, you don’t necessarily have the user. But, you know, if there’s a user trying to access it, you might want to know that it’s really them, which is a challenge. But even beyond that, the device itself, there could be use cases where you want to challenge the identity of that device to make sure that’s really my device. Right. And you can do that as well.
PAUL: You’re listening to a Spotlight edition of The Security Ledger podcast sponsored by Intel.
PAUL: One of the issues is that everybody’s network perimeter is now the sum of thousands of home networks or wherever people happen to be working for small offices, branch offices. What are some strategies you’ve seen just in how companies are ensuring that those environments from which they’re connecting into secure corporate assets, cloud-based or otherwise are secure? Any interesting developments on that just in the last 18 months?
CATHY: It was difficult when everybody’s working from home. Especially the last mile into people’s homes. And I’ve seen some companies actually put in their own set up rate of giving the employee a router and giving them to make sure that they have stronger environment. Because again, like in consumers, sometimes consumers want they’re very concerned about costs. Right. So if you set up your network from your home, maybe you have a really old access point and router, and you don’t have, it’s not really being managed in a more sophisticated way. I’ll put it that way. Right. So an IT department, I’ve seen that happen. VPNs are still being used for very critical things. And I think that more use of TLS for encryption is another technique that I’ve seen used. We talked about SASE just now that’s more advanced and emerging. How can IT gain more control over those remote environments? But today there’s a lot of challenges, and I think there’s training. I think training your employees security training and make sure that everyone’s aware of some of the common problems and what their role is that they play a role in the stewardship of the corporate resources.
PAUL: You kind of anticipate my next question, which is the Internet is obviously these days a lot more than laptops, desktops, servers. There are also broadband routers, webcams, smart doorbells, right. Smart appliances, all manner of connected smart devices running software and running Intel silicon and other hardware and software. How are organizations, how are companies and your focus on the enterprise side dealing with that threat? We know, for example, the Conti ransomware playbook got leaked for affiliate playbook. And part of that was actually about using some software to go out and scan for routers and webcams and stuff and use those as launching pads for their attacks as well. How do we kind of extend that zero trust model beyond just desktop, laptop servers, cloud applications to encompass all of these other connected devices that might be either within an enterprise IT environment or certainly within workers’ home offices and home environments that they’re working from now. And what’s Intel doing on that front?
CATHY: So when you’ve got those kinds of devices, well, number one, you probably have a lot of them. So you’ve got a scalability challenge. You don’t have a user for a lot of those devices. There’s no user who’s operating it. So if you focused all your efforts on just user authentication, that’s not going to help you in that kind of a model. And then I think with those kinds of devices, you have another challenge, which I kind of talked about the consumer version of that. But even if you’re in an enterprise, like a campus building, a lot of those kinds of devices they’re installed by what’s called OT operational technology versus IT. And you can think of those folks as like the facilities folks who are probably less sophisticated than an IT shop when it comes to security. Right. So you have all those challenges that you have to deal with. So having that zero trust model is super important here with those IoT endpoint kind of devices, right. Understanding what access do these endpoints have? Can they be on their own isolated networks? What are the notion of hardware identity, which I’ve mentioned a couple of times during this discussion today that could come into play and be even more important. But some of it depends on what kind of an IoT device you’re talking about. Are you talking about a digital sign versus a sensor versus, you know, a kiosk? I mean, you have all kinds of levels of those kinds of devices, and you want to apply the right set of rules, business rules or conditional access rules to those kinds of devices and make an effort to really protect yourself in those situations. So for us, it’s all about kind of the hardware, the hardware identity. A lot of times. You know, even our best for business vPro platform is in some of those higher order devices.
So having things like Hardware Shield people build, you know, I’ve seen digital signage and key and point of sale systems and kiosks and things like that and all of those can be protected with that same kind of hardware root of trust and below the OS protection that we have in Hardware Shield.
PAUL: All the things you’re talking about are amazing. And if adopted broadly, would certainly change the dynamics in terms of defenders versus attackers. And so on. The problem often is getting both device makers to invest in higher security components, especially if it increases unit costs, for example. And then on the enterprise side, getting those organizations to really select for those security features, what do you think is the best way to really push a concept like zero trust really down both into the manufacturing process, as well as on the buyer side, to really encourage people to select for these types of features and then use them so that we can actually raise the level of capabilities of organizations.
CATHY: Well, so my team, we work on some of those features. We’ve seen that enterprises, they are willing to pay for the additional security. They do want the best security, for sure, especially when you’ve seen a lot of those high profile attacks or especially the first half of this year. For us, we are always looking at, and there’s been a couple of developments, executive orders recently around cyber security. We’re constantly looking at these and trying to bring them into something more actionable, right. That we can apply at the hardware level, because sometimes they’re just a really high level. So you have to kind of interpret that and decompose that into what can we actually do from the platform in order to help address those pain points? And we’re constantly looking at that. And we’re thinking about how can we do things so that they just work right out of the box so that IT doesn’t even have to do things. So whatever we can do to simplify that adoption, we really try to do that. So I think it’s a combination of what can we make work right out of the box? Where do we have, we have to expose some monitoring, so that IT and the information security folks can actually see that it’s working, right. And then we have to be really careful about how we implement configuration so that it itself is highly secure and people can’t do things like turn off the security. So those are some of the things that we think about to try to just how do we make it easier? That’s why, like, with Hardware Shield, a lot of that, it just works right out of the box as much as possible. But we’re only one piece of the puzzle, too. I mean, you have to have the whole zero trust mindset, but that’s what we’re doing.
PAUL: Final question when we talked earlier about COVID and the pandemic, and you had sort of said, you know, things aren’t going to go back to normal, things aren’t going to go back to the way they were. As somebody who works day in, day out on tailoring Intel’s products and technology for enterprise buyers and for corporations. What is your vision of what the new normal will look like when we get there, when we run through the Greek alphabet as it were, and COVID is finally behind us. What do you think that new normal is going to look like? And what is Intel’s role in that new normal?
CATHY: That’s hotly debated right now. Everybody’s talking about that. And we have a couple of advisory boards that we talk to on a pretty regular basis. And we’re always talking about this. What are things going to look like in the future? So obviously everybody just rewrote their business processes so everybody can work from home. They’re not going to go rewriting them again. But I think that there’s some folks that and some companies are just letting people work remotely on an ongoing basis, if that works for their particular, whatever their business is. You know, obviously, like Intel is a manufacturer. So we have to have people there doing the manufacturing. Everybody can’t all work from home. It’s really I think a lot of it is the degree of hybrid that maybe I don’t have to work from home all the time. But I’m going to be in the office only at certain times, and especially when you need to collaborate with your team. Right. So there are some companies that we’ve seen that are implementing, like they get rid of a lot of the desks and they put lots of collaboration spaces in because the reason that you’re going to be in the office is because you have to work with other people and you need to do that. But you need to be able to do that in a way that some folks can still be remote. So I think during the pandemic, we had a lot of level playing field because everybody is working from home. Once people start to get back into the office, then I think you have some different challenges, too, because depending on where the leadership of the organization is located, it’s going to create some challenges. I think really what this does from a security standpoint, right. Is that you’re going to have very unpredictable traffic patterns, who’s in who’s out. And so we haven’t been very mobile because everyone’s just at home, but now you’re going to have the mobility as well. Right. 
And so everything that we’ve been talking about today around zero trust and putting those good security principles into practice, that’s going to be even more important, right. When everybody kind of gets back to whatever that new normal is going to look like. And then we are going to have to learn from each other. Right. The best practices of what’s working and what’s not working.
PAUL: The AI is going to have to get a lot smarter and figuring out what your patterns are. I guess if you’re both remote and mobile all the time.
CATHY: Well, that can help. When I think about what’s going on in commercial, in enterprise, everyone talks about, like cloud first, that the next wave has got to be more around kind of the AI first. Right. AI, how do I do AI Ops? And if I can anticipate when people are going to be there, I might reconfigure things a little bit so they can work better. And depending on how things turn out. You might have to do your best to limit some of the human contact, right? And so how can I use technology to do that? There’s lots of different ideas and options for that as well. And whatever we can do to help with that, we want to be there, right? Because one company’s security breach is another one’s risk if we can all kind of come together and encourage that whole zero trust adoption, the industry at large can make a lot of progress towards more secure future.
PAUL: Cathy Spence of Intel thank you so much for coming on and speaking to us on the Security Ledger podcast.
CATHY: It was great to meet you, Paul. Thanks very much.
PAUL: Cathy Spence is a Senior Principal Engineer at Intel. She was here to talk to us about securing the post-pandemic enterprise. You’ve been listening to a Spotlight edition of the Security Ledger Podcast, sponsored by Intel. Intel is an industry leader creating world changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, Intel continuously works to advance the design and manufacturing of semiconductors to help address customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, Intel unleashes the potential of data to transform business and society for the better. To learn more about Intel’s innovations, check them out at Intel.com.
[END OF RECORDING]