Guest: Zack Butcher (LinkedIn)
Company: Tetrate (Twitter)
Show: Let’s Talk

Tetrate has been working with the National Institute of Standards and Technology (NIST) to define and promote the federal guidelines for Zero Trust. In this episode of TFiR: Let’s Talk, Swapnil Bhartiya catches up with Zack Butcher, Founding Engineer at Tetrate, to talk about the latest publication he co-authored, NIST Special Publication 800-207A (SP 207A), which provides organizations with systemic guidelines for updating network and microservices security using a service mesh.

Highlights of this video interview:

• Companies are building more complex applications in more complex environments. The security challenge gets harder as well.
• Traditionally, security is done at the perimeter, and it is about stopping the attacker from getting in. Zero Trust acknowledges that a motivated attacker can get inside the perimeter. To mitigate what that attacker can do once inside, steps need to be taken at every hop, at every service, and at every instance to limit the data that they can egress in the systems.
• The purpose of the NIST Special Publications is to help educate security decision-makers, auditors, and regulators that are evaluating systems. The papers are not meant to break new ground, but to facilitate discussions on how we can do the right thing in the modern context.
• Butcher also co-authored the NIST SP 800-204 series of publications that talked about microservice security and multi-cloud. In that series, they argue that the service mesh forms the security kernel for the modern distributed system.
• Recently released for public review, the NIST SP 800-207A introduces identity-based segmentation, i.e., there are 5 policy checks at runtime that you want to happen on every single hop in the infrastructure: encryption in transit, service identity and authentication, service-to-service authorization, end-user authentication, and end user-to-resource authorization.
• Encryption in transit is needed for two properties: eavesdropping protection and message authenticity.
• Companies are starting to lay identity-based policy on top of their traditional network-based policy. This helps customers gain agility while they do it, because we can relax network-oriented controls in favor of identity.
• The Tetrate Service Bridge is an enterprise offering that brings the management capabilities essential for implementing a Zero Trust architecture, including who can do what, where, and what are the safe configurations that the service mesh can take. It lets you build controls and guidelines, using service meshes to implement those controls. Tetrate does this across the entire infrastructure, not just one mesh deployment.
• What’s ahead: Tetrate, NIST, and the Department of Commerce are co-hosting the Fourth Annual Multi-Cloud Conference and Workshop on May 25 in Washington DC. One of the focal points is the NIST SP 800-207A. The goal is for decision-makers and practitioners to come and learn about what some of the other large organizations in both the public and private sectors are doing, how they’re approaching Zero Trust, the cultural changes, and the tools and technologies to achieve that.

Advice for companies looking to improve their security posture:

• First, figure out what’s in your inventory and then build a plan of attack from that. Otherwise, you’re just taking stabs in the dark.
• Know who owns what in the organization.
• Monitor it ideally in real-time.
• Know what it’s doing at runtime.
• Build more sophisticated capabilities on top, such as continuous monitoring to reduce our time to identification.
• Build tools for remediation: need to be able to identify what’s normal and what’s not normal, and then be able to take action to return the system to normal.

This summary was written by Camille Gregory.