Dell Global CTO: The Public Cloud Has A Zero Trust Problem

Dell Technologies, which announced a private cloud offering focused on enabling zero trust security, believes that ‘to do zero trust, you have to be able to see every component,’ Global CTO John Roese tells CRN. ‘You quite frankly have a very difficult problem to solve when doing this [in the] public cloud.’

Enabling Zero Trust

Dell Technologies took a major next step in its effort to provide technologies for enabling zero trust security Wednesday, with the announcement of a new private cloud offering that the company touted as addressing some of the major difficulties around implementing zero trust. Dell disclosed in a blog post Wednesday that it’s working with “more than 30 leading technology and security companies to create a unified solution across infrastructure platforms, applications, clouds and services.”


Zero trust is increasingly seen as the ideal architecture for stopping hackers in today’s threat environment. Following the principles of zero trust means implementing more ways to verify users really are who they claim to be, and adding measures to ensure malicious actors won’t get far even if they thwart initial defenses. Whereas cybersecurity has previously been approached with a “piecemeal” implementation process, “I don’t know if we’ve really looked at it in its holistic nature, like we do now when it comes to zero trust,” said Max Shier, CISO at Optiv, in a previous interview with CRN.

That theme of taking a holistic look at security via zero trust principles is reflected in Dell’s private cloud announcement, which seeks to enable a range of security capabilities that are necessary for achieving zero trust, including continuous authentication, continuous monitoring and microsegmentation, the company said. Dell’s private cloud offering is aimed at “replicating the Department of Defense-approved architecture with technology from leading providers,” the company said.

In an interview with CRN, Dell Global Chief Technology Officer John Roese said that to truly achieve all of the DoD requirements of zero trust, a private cloud approach is essential. However, while Dell is confident that “you can build a zero trust private cloud, it doesn’t mean you can make a public cloud zero trust,” Roese said.

“To do zero trust, you have to be able to see every component and be able to attest that it is in fact trustworthy,” he said. “You quite frankly have a very difficult problem to solve when doing this [in the] public cloud.”

What follows is an edited portion of CRN’s interview with Roese.

What conclusions has Dell reached about how to get more involved in helping customers with cybersecurity?

We need an architectural shift. The architectural shift is sitting in front of us — it’s called zero trust. Unfortunately, zero trust is wildly over-marketed and confusing. The essence of zero trust is actually three shifts that need to happen. The first is a shift towards mandatory and pervasive authentication. You can’t have unknown entities in a zero trust environment, whether it’s a device, a person, an application or data. No. 2 is, you need to change your policy paradigm from preventing things to assuring that known good behavior occurs. That is quite hard to do, but necessary. And No. 3 is that because of those two things, your ability to detect anomalies by deeply embedding threat detection inside of your system becomes real-time and effective for the first time, instead of a needle in a haystack model. It sounds pretty straightforward except nobody’s ever built one of these. We found almost zero evidence of anyone ever successfully, at scale, delivering a zero trust environment. It didn’t exist as far as we could tell, until we stumbled onto the work that DoD and the U.S. government had been doing for a few years, where they had built a reference architecture. And that just gave us a comfort level that there was “proof of life.” Now it’s a specific reference architecture for purposes that the military and the government wants their definition of it. However, we felt very comfortable that that work was the basis that at least proved that you could build a zero trust data center, you could build a zero trust private cloud. It doesn’t mean you can make a public cloud zero trust. It doesn’t mean you solved the edge. It doesn’t mean it will work for everybody. But what happened as soon as we understood that is we believed that it was time for Dell to be very vocal.

What is your approach to helping customers to achieve zero trust?

Our approach to help solve the problem, candidly, is just to absorb that integration burden — to try to make these things consumable. I do believe now that we should stop believing that zero trust is unachievable. I think it is. Then the question becomes, OK, what does that mean in the context of the real world? And that led us to the discussions we’re having now about greenfield/brownfield. There are no enterprises in the world that are greenfield. They’re all brownfield IT. They’ve already built their system. Their security architecture is a collection of 1,000 tools that were randomly put in place to react to problems. That’s the standard operating procedure for IT for the last two decades. And because of that, even if you say, “I want to do this new thing called zero trust,” you are doing it to an active infrastructure, an active IT environment, that has a huge amount of technology deployed in it — that may in fact be counterproductive to achieving a zero trust outcome. But that’s just the reality — you can’t just instantaneously take your application and move it to a public cloud. It just doesn’t work that way. You have to understand how to migrate applications, or if to migrate them. And that term, “brownfield,” describes that reality of the enterprise. The enterprise, by and large, is a brownfield environment. It is the accumulation of technical decisions and functions that were put in place in a previous time to run the business. This new [zero trust] approach would be really easy to do if you were building something from scratch. But the reality of the world is that nothing is built from scratch, for the most part.

Why do you believe this needs to be done through a private cloud/data center approach?

Today, it’s very hard to do this in a public cloud. But the bottom line is, if you have pools of capacity, of which some of them — maybe 10 percent of your capacity is instantiated as a greenfield environment designed to do zero trust — and you have the proper skill sets to do application migration and the control plane across all of them is the same, you now have the necessary tools to de-risk your enterprise. And again, the missing link is, how do you build that zero trust private environment? That’s the thing we’re building for. That’s the thing that we’re confident can emerge as something customers can achieve.

Public clouds have a problem in zero trust because in a shared public cloud environment — a big public cloud that’s got hundreds of thousands of customers on it — their whole business is to abstract that infrastructure. They don’t want you to know what’s underneath it because that’s their turf and they can be very flexible. More importantly, if they gave one customer access and said, “You can come in and audit, you can see all the way down to the component level” — that component is not just being used by you. That’s being used by other people, and those other people would have to give you permission, because I would be quite irritated if somebody allowed another person, who I didn’t even know, to see the hardware that I was using in a cloud environment. Because of that paradox — that to do zero trust, you have to be able to see every component and be able to attest that it is in fact trustworthy — you quite frankly have a very difficult problem to solve when doing this [in the] public cloud. In fact, a lot of the public clouds are now starting to build private instances, trying to build zero trust. They actually look more like a private, dedicated environment, where the entire stack is dedicated to one customer, so they can attest and guarantee that all those components are the right ones [for zero trust].

What have you done that’s different with this than a normal data center?

With this particular reference architecture that was developed in the government, that we thought was a good starting point, there are 151 security controls. These are basically things that mitigate risk and remove [issues] like lateral movement. This particular reference architecture is Dell servers, Dell storage, networking from people like Arista and others. It’s stuff that’s all off-the-shelf technology. And then about 20 software tools. And each of those tools closes some of these gaps. For instance, there are well-defined user authentication, device authentication, application authentication and data authentication.

So with what I just described, if you understand authentication, most customers don’t go that far. They don’t authenticate the data and the applications. They just authenticate the devices and the users. So it’s got a much more robust, integrated, full-stack authentication capability. Next to it, from a policy perspective, there are many tools. In fact, there are tools in the system that deal with things like least-privileged access. That’s all it does — it says, I want to make sure anything that shows up on this infrastructure, it defaults to no access other than the ability to be configured. There are networking tools inside of both the hardware and software network that come up, and create what are called SDN service chains and microsegmentation. That’s where when you’re a user or an application, instead of you showing up on the network and going wherever you want, you show up on a virtual network that is bound to you and your applications. And the only place you can go is where those applications live. That eliminates lateral movement, where the idea is you authenticate, you get into a device, and if there are none of these network controls, they can bounce from your PC over to like an SAP server that happens to be accessible and compromised. You can’t do that in this environment.

And then beyond that, there are telemetry tools. The actual ecosystem around it’s quite complex, which is why customers struggle with this. But because now there’s a reference architecture, because it’s being pre-integrated, the customer ends up consuming something where at the uppermost level, all they have to do is decide, OK, who needs to be on this infrastructure — devices, people, applications and data — they do have to decide that and put it into the authentication framework. They have to describe the policies — what should each of those users or groups or applications be able to do? And they can describe it in human language and it will translate into network and infrastructure behavior. And then from a monitoring perspective, they are seeing the actual real-time behavior and telemetry of this system as a peer to authentication and policy. So think of it as a magic black box of zero trust where they just add users to it, tell it what to do, and see that it did it. That’s a big shift.
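As an added illustration of the three shifts Roese describes (pervasive authentication of users, devices, applications and data; a default of no access with only known-good, segment-bound behaviour allowed; and treating every deviation as a high-signal anomaly), here is a small policy evaluator written for this page. It is example code, not Dell’s product or the DoD reference architecture, and every identity, segment and data set in it is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

ENTITY_KINDS = ("user", "device", "application", "data")  # the four things that must be known

@dataclass
class Request:
    user: str
    device: str
    application: str  # application the caller is trying to reach
    data: str         # data set the call would touch

@dataclass
class Policy:
    # kind -> identities that currently hold a valid, attested authentication
    authenticated: Dict[str, FrozenSet[str]]
    # user -> applications reachable from that user's bound virtual segment
    segments: Dict[str, FrozenSet[str]]
    # application -> data sets it is permitted to read
    data_access: Dict[str, FrozenSet[str]]
    anomalies: List[str] = field(default_factory=list)

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        # Shift 1: pervasive authentication, so an unknown entity never proceeds
        for kind in ENTITY_KINDS:
            ident = getattr(req, kind)
            if ident not in self.authenticated.get(kind, frozenset()):
                return self._deny(req, f"unauthenticated {kind} {ident!r}")
        # Shift 2: assure known-good behaviour; default is no access, and only the
        # segment bound to this user can reach its applications (no lateral movement)
        if req.application not in self.segments.get(req.user, frozenset()):
            return self._deny(req, f"{req.application!r} is not bound to {req.user!r}")
        if req.data not in self.data_access.get(req.application, frozenset()):
            return self._deny(req, f"{req.application!r} may not touch {req.data!r}")
        return True, "allow"

    def _deny(self, req: Request, reason: str) -> Tuple[bool, str]:
        # Shift 3: every deviation from known-good is recorded as an anomaly worth alerting on
        self.anomalies.append(f"{req.user}@{req.device} -> {req.application}: {reason}")
        return False, reason

def sample_policy() -> Policy:
    # Constructed sample: one user, one attested laptop, a CRM app and an ERP app
    return Policy(
        authenticated={"user": frozenset({"alice"}), "device": frozenset({"laptop-1"}),
                       "application": frozenset({"crm", "erp"}), "data": frozenset({"customer-records", "ledger"})},
        segments={"alice": frozenset({"crm"})},
        data_access={"crm": frozenset({"customer-records"}), "erp": frozenset({"ledger"})},
    )
```

A request from the bound segment to its own application is allowed; a hop from the same user to the ERP application, or any request from an unattested device, is refused and lands in the anomaly list rather than in general log noise.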