When the coronavirus arrived, the world changed. Offices and schools closed with little warning and an entire workforce was relocated overnight. At Secureworks, our business continuity plans were activated, staff began to work from home and work continued without interruption. Our regional hubs around the world were already sized for the increased VPN load. The biggest contributor to our seamless transition? We built practical continuity plans that were periodically exercised and refreshed to remain functional, we scaled our environment to accommodate everyone, even our SOCs to securely work from home, and latency-sensitive Office 365 traffic was excluded from our traditional VPN scope. These factors made for a smooth transition and enabled communication and collaboration to take place unhindered.
As a cybersecurity company that helps thousands of organizations prevent, detect and respond to threats, we have been working ahead of the market to assemble a new, unique Zero Trust implementation. When we realized this “home office” situation was not going to end soon, we realized we had a unique opportunity. Our empty offices and remote workforce provided a green-field environment to aggressively deploy the next chapter of our Zero Trust implementation.
With Zero Trust we would:
- no longer apply the term “remote” to any employee, regardless of location.
- refactor our office spaces to an open, collaborative environment where employees and guests inherit no special access – they work from the same security posture as in their home office or on a public Wi-Fi network.
- for each action taken, we would verify the user’s identity, the health of their device, the service they need to access and the intent of the action they were requesting to perform. We would also factor in threat intelligence data and maintain context across a user’s multiple accounts, their work and BYOD devices and their activity across multiple services.
Nine months into the coronavirus pandemic, Secureworks is completing the first chapter in our Secureworks journey: an enterprise-wide roll-out of our own Zero Trust implementation.
--Ken Deitz, Secureworks’ Chief Information Security Officer
Our Zero Trust Vision
In 2017, we began a fundamental rethink of our internal security model at Secureworks. We needed to maintain the highest level of security while supporting rapid company growth, an increased global presence and a new, complex culture of employee collaboration and innovation.
Our CISO and IT organizations assembled a multi-year strategy based upon Zero Trust. The strategy team combined the two dominant Zero Trust implementations at the time: the trust evaluation engine of Google's BeyondCorp and the secure connectivity of the Software Defined Perimeter (SDP) by the Cloud Security Alliance.
We called this hybrid Zero Trust implementation, "SDP+".
To assemble SDP+, we evaluated more than thirty Zero Trust offerings. Many were branding exercises that had little to do with Zero Trust, others existed only to gauge market interest. There were a few tech demos masquerading as functional offerings. Mature capabilities such as backups and fail-over could be "added to the roadmap if we wanted them." In our evaluations, one offering stood out from the others: AppGate SDP.
AppGate: the "SDP" in SDP+
AppGate SDP was fully operationalized and had years of proven experience outside of the private market. We worked with AppGate to ensure their offering met our 62-point security and operations eval criteria, survived our external pen-tests and even endured hands-on disassembly by our security researchers. AppGate was clearly the SDP portion of our Zero Trust solution.
Building a Trust Engine
The market did not yet offer a functional trust evaluation engine, so we began prototyping code to explore possibilities. For any action taken, we needed to establish the identity of a user, verify their device was safe, evaluate signals and threat intelligence data, look at historical context and understand intent. Only then could we authorize access, open a narrow network path and pass along permissions/roles for downstream processing by a service to be accessed. This trust evaluation needed to be performed continuously and rigorously, expressed in a useful policy framework, recorded by an audit trail and exposed in an operational dashboard. If any factor changed that would alter the level of trust, we needed to respond in as close to real time as possible, narrowing or expanding access to the service and its data.
Towards the end of 2018, we discovered a first, basic trust evaluation capability in Microsoft's Azure AD Conditional Access. When MCAS (Microsoft Cloud App Security) arrived, we recognized an alignment with our end-state vision of Zero Trust. MCAS was able to establish a single user identity, track context across multiple services and devices, accept input from external signal sources and consolidate everything into a calculated trust score. This led us to move to Conditional Access and MCAS as the next generation of our SDP+ Trust Engine.
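As an added illustration of the trust-engine flow described above (identity, device health, threat intelligence, historical context and intent feeding one policy evaluation, with an audit trail and immediate re-evaluation when a signal changes), here is a small Python model. It is example code written for this page, not Secureworks' SDP+ code and not the Azure AD Conditional Access or MCAS policy model; the signal names, penalties, thresholds, role names and sample sessions are constructed assumptions.

```python
"""Toy continuous trust-evaluation engine (added illustration).

Not Secureworks' SDP+ code and not the Azure AD Conditional Access / MCAS
policy model; every signal name, penalty, threshold and sample session
below is a constructed assumption for this example.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Context:
    """Everything the engine knows about one requested action."""
    user: str
    mfa: bool                  # identity: strong authentication completed
    device_managed: bool       # device enrolled in management
    device_compliant: bool     # current compliance state reported by EDR/MDM
    ip_on_threat_list: bool    # threat-intelligence signal
    usual_country: bool        # historical context: matches past activity
    service: str
    action: str                # intent: "read", "export", "admin", ...
    roles: Tuple[str, ...]     # roles to hand downstream if access is granted


@dataclass
class Decision:
    allow: bool
    scope: str                 # "full", "read-only" or "none"
    roles: Tuple[str, ...]     # roles actually passed to the service
    score: int
    reasons: List[str]


# Policy framework: a rule fires when its predicate is true and deducts a
# penalty from a starting score of 100. (Constructed names and values.)
RULES: List[Tuple[str, Callable[[Context], bool], int]] = [
    ("no-mfa",              lambda c: not c.mfa,              40),
    ("device-noncompliant", lambda c: not c.device_compliant, 30),
    ("device-unmanaged",    lambda c: not c.device_managed,   20),
    ("threat-intel-ip",     lambda c: c.ip_on_threat_list,    50),
    ("unusual-location",    lambda c: not c.usual_country,    15),
]
SENSITIVE_ACTIONS = {"export", "delete", "admin"}


def evaluate(ctx: Context) -> Decision:
    """Score the request, map the score to a scope, narrow the roles to match."""
    score, reasons = 100, []
    for name, fires, penalty in RULES:
        if fires(ctx):
            score -= penalty
            reasons.append(name)
    score = max(score, 0)
    scope = "full" if score >= 80 else "read-only" if score >= 50 else "none"
    # Intent check: a sensitive action needs full trust, not merely read-only.
    if ctx.action in SENSITIVE_ACTIONS and scope != "full":
        scope = "none"
        reasons.append("sensitive-action-needs-full-trust")
    roles: Tuple[str, ...] = ()
    if scope == "full":
        roles = ctx.roles
    elif scope == "read-only":
        roles = tuple(r for r in ctx.roles if r.endswith(".reader"))
    return Decision(scope != "none", scope, roles, score, reasons)


class TrustEngine:
    """Tracks live sessions, re-evaluates on new signals, keeps an audit trail."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Context] = {}
        self.audit: List[dict] = []

    def _record(self, session: str, event: str, d: Decision) -> Decision:
        self.audit.append({"session": session, "event": event, "scope": d.scope,
                           "score": d.score, "reasons": list(d.reasons)})
        return d

    def authorize(self, session: str, ctx: Context) -> Decision:
        """Initial authorization of an action."""
        self.sessions[session] = ctx
        return self._record(session, "authorize", evaluate(ctx))

    def signal(self, session: str, source: str, **changed) -> Decision:
        """A signal source (EDR, MDM, threat intel, a SaaS API) reports a change;
        the session is re-evaluated now rather than at the next sign-in."""
        ctx = replace(self.sessions[session], **changed)
        self.sessions[session] = ctx
        return self._record(session, f"signal:{source}", evaluate(ctx))


def demo() -> Tuple[TrustEngine, List[Decision]]:
    """Constructed walk-through: a healthy session degrades as signals arrive."""
    engine = TrustEngine()
    alice = Context("alice", mfa=True, device_managed=True, device_compliant=True,
                    ip_on_threat_list=False, usual_country=True,
                    service="crm", action="read",
                    roles=("crm.reader", "crm.exporter"))
    steps = [engine.authorize("s1", alice)]                                   # full
    steps.append(engine.signal("s1", "edr", device_compliant=False))          # narrowed
    steps.append(engine.signal("s1", "threat-intel", ip_on_threat_list=True))  # revoked
    return engine, steps


if __name__ == "__main__":
    for d in demo()[1]:
        print(d.scope, d.roles, d.reasons)
```

The point of the model is the shape of the loop rather than the numbers: every signal source writes into the same context, every change triggers a fresh evaluation, the granted scope is expressed as the set of roles actually handed to the service, and each decision lands in the audit trail with the reasons that produced it.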
Endpoint Devices and Activity
When we began this journey, enterprise device management solutions were focused on mobile devices or Windows OS. As the market matured, we saw Intune move beyond the Windows OS, and VMware’s Workspace ONE expand to support non-Windows platforms.
Endpoint security offerings such as Microsoft Defender ATP and our own SaaS Red Cloak Threat Detection and Response agent now share telemetry data. Across endpoint, network and cloud, these solutions reveal the compliance state of a device and provide rapid, automated response to state changes.
However, understanding a single device is not enough. We need to evaluate context across multiple devices such as a user’s work laptop, their personal mobile and wearable devices and even to personal virtual assistants. We’re also thinking beyond the present to account for a future where wall panel displays and vehicles will directly interact with our environment as user endpoints.
Zero Trust also needs to look beyond a user and their device, to understand how a service is being used over time. To perform service inspection, we no longer need to bottleneck traffic through a distant data center. Instead, users are protected by a globally scaled Cloud Access Security Broker (CASB). For general browsing and less mature SaaS services, the CASB layer provides insight and response functions. For the most mature SaaS services, we pull events from the SaaS API itself and feed them into our SDP+ Trust Engine, responding to changes, as needed, at an API level.
Where Are We Now?
Nine months in, as we refactor our offices to collaborative workspaces, we are retiring privileged user VLANs and "trusted" wireless networks. In a Secureworks office, all end-user devices are equally untrusted, whether that is a managed endpoint with our full security stack, an employee's personal phone, or a guest's laptop.
With our laptop build teams unable to access the office, we set a “moonshot” goal to implement a touchless laptop deployment model. With the support of VMware Workspace ONE and other services, we now ship Windows, macOS or Chrome OS devices anywhere in the world, direct from the manufacturer. Upon receipt, the user powers up the factory-fresh laptop, signs in with their credentials, and the laptop pulls down our security stack to become a fully managed device.
What's Next?
Our Zero Trust journey is not yet complete. Several years in, we can see there is much more to do.
Today, our users are more productive with fewer manual sign-ins and longer SSO sessions. As they work, we perform full-stack reauthorizations in the background. Our goal is near real-time response to changing trust levels, rather than waiting for reauthorization minutes later. One step closer to this goal is the work Microsoft is doing with Continuous Access Evaluation.
We are also rebuilding our access model, moving to a roles-centric approach in which each user holds a handful of roles that accurately describe their work, rather than complex membership in many granular groups.
The VPNless Employee
All of this combines to deliver what we call the "VPNless Employee." As VPNless Employees, our team members can securely work and collaborate from anywhere in the world. They have no VPN client and need no connectivity to on-premises services. Approximately one-third of our team members are moving to consume SaaS services such as Salesforce and Office 365, secured by a globally scaled, user-transparent CASB layer. The other two-thirds add the step-up capabilities of AppGate SDP for highly secured connectivity to Secureworks’ workloads.
Sharing What We’ve Learned
As we continue on our Zero Trust journey, the Secureworks IT and CISO organizations are informing our product development and incident response teams to better protect our customers. We regularly engage with customer IT and CISO teams, at a peer level, and provide guidance in Zero Trust.
We are proving out the very latest Office 365 and SaaS security capabilities to provide our incident response teams with hands-on, practical advice on how a customer can avoid or recover from a breach. And because we believe more businesses will be exploring Zero Trust solutions of their own, we are committed to continuing to work with technology partners such as AppGate and Microsoft, contributing thought leadership to help guide the industry.