On this week’s SecurityIntelligence Podcast, hosts Pam Cobb and David Moulton explore the Zero Trust model of IT security. Joined by Chase Cunningham, principal analyst with the security and risk team at Forrester, the trio runs the numbers on getting started with a no-trust model, how to effectively measure its impact and what’s next in a world where devices don’t give each other the benefit of the doubt.
Getting Started With Zero Trust
What exactly is Zero Trust? Cunningham says it’s “strategically focused on addressing lateral threat movement within the network or infrastructure by leveraging microsegmentation and granular enforcement based on user context, data access controls, location application and the device posture.” In other words, it targets the lateral movement of malicious actors and code across corporate IT networks that’s often enabled by overly generous infosec processes. Cunningham also offers a simpler definition for this approach: “Never trust, always verify.”
Cunningham points out that while humans have an inherent need to trust one another, devices have no such drive. Trust by default occurs in IT thanks to human bias, but with the recognition that trust shouldn’t exist in enterprise networks comes the commensurate idea that it should be removable.
So how do companies get started with Zero Trust frameworks? Cunningham recommends that companies “pick really small problems that have relatively binary solutions and fix that first.” This could include addressing bad passwords, regularly patching critical systems and deploying two-factor authentication (2FA) wherever possible — all fairly straightforward approaches that “eliminate a large swath of the problem.”
Making the Numbers Work
Despite the relative ease of ground-floor implementation, many organizations opt out of no-trust models because “the leadership that’s in those places has been burned by the promise of security technology in the past.” It’s no surprise, then, that these C-suite leaders want metrics to justify spend on Zero Trust solutions. But as Cunningham points out, in many cases companies aren’t measuring the right things. Instead, “they’re justifying their current position based on flawed data. And then they’re asking you, ‘Well, tell me how I can move to a new position with data that doesn’t exist yet.'”
To make the numbers work, Cunningham suggests leveraging Zero Trust to address specific issues at the workload, network, user, device or automation level. Instead of focusing on big pictures and big data that doesn’t yet exist, a scaled-down approach can provide actionable insight and allows companies to “solve the problems with the technology that the technology was meant to solve.”
The Future of Skeptical Systems
Cunningham has been hard at work communicating the benefits of Zero Trust to both the C-suite and the next generation. He recently wrote a field guide — The Cynja Field Instruction Manual — aimed at keeping kids safe in digital-by-default environments, and he’s also looking ahead to the next iteration of skeptical systems that verify first and trust second. For Cunningham, two trends are on the horizon:
- Digital planning — Using virtualized and cloud-based resources, companies will be able to better design IT infrastructure and test Zero Trust models before deployment to help fine-tune resource use and spending.
- Defining new models — Traditional data isn’t the only source of Zero Trust insight. According to Cunningham, “it may be a process. It may be a way of doing business. It may be a particular formula.” As a result, companies must redefine both how they measure the impact of no-trust models and what they hope to achieve with this approach.
Limiting lateral movement is critical to shore up corporate defenses. By leveraging a Zero Trust approach, companies can help remove human bias, address specific security risks and improve the next iteration of their IT environment.
David: Hey, Pam, are you there?
Pam: Yeah, just proving I’m not a robot.
Pam: Well, the auto-logout for Box punted me out of our notes and, you know, that’s pretty timely since we’re doing a Zero Trust podcast today.
David: Oh. Sometimes these things line up. I’ve been seeing that myself with all the end-of-year, new-decade tasks, kind of the consequences of a Zero Trust framework. You know, I was in our benefits the other day, got bumped out, took me forever to log back in because I kept putting in the wrong password so that one’s on me. But, you know, I actually had a really good experience with two-factor on some insurance renewals the other day. So that was nice.
You kind of get both ends of the spectrum. Zero Trust is pervasive across industries, but I think it’s still evolving and being perfected, which is kind of wild since it was introduced to the world about a decade ago by Forrester.
Pam: Yeah. You know, it reminds me of something that one of our previous guests said, Bert Vanspauwen, who’s our resident IAM expert.
David: And while we’re on this topic of going out into the future, how far away are we from Zero Trust as a reality? Is it the next wave?
Bert: I’m not sure whether it’s the next wave, but I think it is an important concept. And I think as we try to get a grip of the identity for the internet of things, the Zero trust model or the CARTA model, however you want to call it, is an important model. I must say that probably as an IOT discussion this is very relevant, but for the typical IAM clients at the moment, their focus is more on getting to grips with digital transformation.
Pam: So we’ve covered authentication in-depth with Bert, and we’ve talked about lateral movement with Wendi Whitmore and even all of these ransomware attacks that we’ve kind of talked about on the podcast. But today, we’re actually going to get right into this new world that criticizes the current world of privilege and access and entitlement. And we’re even talking about how to make it easier for us, you know, all of us feet on the street to get what we need out of our systems.
This is the SecurityIntelligence podcast, where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.
David: And I’m David Moulton. We’ve got an interesting show today with Chase Cunningham from Forrester where we’ll look at a few points of view around Zero Trust, what it means, how to do it and whether you already are there.
Chase: I’m Chase Cunningham. I’m a principal analyst on the security and risk team at Forrester. Primarily, my coverage area is around Zero Trust and Zero Trust-related technologies and solutions. I guess the only other thing I’d add to that is I’m retired Navy and I’ve been at Forrester for about three years now.
David: Very cool. So, Chase, something that I’m sure by now you’re really familiar with doing and you’ve maybe perfected is give our listeners that quick refresher on what is Zero Trust. You know, your elevator pitch.
Chase: Sure. So let me give you kind of what I consider to be the, I guess, you would say my definition for zero trust. And the reason I do that is to kind of frame… Everybody always says, what is the definition? So this is mine. Zero trust is strategically focused on addressing lateral threat movement within the network or infrastructure by leveraging microsegmentation and granular enforcement based on user context, data access controls, location application and the device posture. That’s a really long-winded way of saying Zero Trust equals never trust, always verify.
David: One of the other things that I wanted to get into with you or ask you about is that Zero Trust has been around for a while. As it’s matured, what’s causing the popularity that I’m seeing with Zero Trust right now? What are your thoughts there?
Chase: Yeah, I mean Zero Trust, as far as just the sort of idea and concept, has been around for almost a decade now. Started out in Jericho Forum, moved into John Kindervag who was at Forrester before, and now where we’re at with the ZTX really has been the sort of evolution there. The growth that you’re seeing is being driven by kind of the categorical realization that the perimeter-based model of security has just failed us. And that is resonating with the industry. Folks understand that the way that we’ve built and architected security just isn’t working. So we have to do something different. And luckily, it happens that there was this sort of visionary strategy put together way before technology caught up and now we can actually do Zero Trust. So that’s where you’re seeing the gravity kind of come behind it. It’s a sort of happenstance of technology meeting strategy, meeting where the industry is going all at once.
David: Yeah, it seems like a perfect confluence of those things, those technologies, the idea and then the perimeter falling apart or no longer working. And we see that in the headlines all the time. You mentioned that the concept, the model has been around for quite a while. If you were to go back to that early days and give us some of the evolution, just take us through that timeline a little bit. What are the things that you think have really held true as a principle?
Chase: Well, one of the original things really that sort of Jericho Forum time was around people realizing that network systems and computer-based infrastructure had a human flaw built in. And that human flaw was, you know, the emotion of trust. That’s a human thing that doesn’t belong inside of an infrastructure. It’s something that we, people, do, but computers don’t really care about trusting anyone. They do what they’re told. So that was there, still is there, still broadly applicable.
And then moving forward it was John Kindervag’s modification of that to really say, “Okay, well, if we accept the trust is not supposed to be present within networks, we should be able to remove it.” And in removing that, we need to dial in and focus on the data within infrastructures because that’s what is the really bad stuff to allow a trust to access that causes all these mega breaches and compromises. Solid principle, makes sense.
And then further evolving from there is where we’re at now, which is kind of the newest iteration of, let’s leverage those concepts but combine it with the technologies that are available to actually do those things and remove trust at the grand scale. And that’s kind of the evolution, those basic tenets still apply, but now we’re actually leveraging vendor solutions to do exactly what, you know, that concept was kind of preaching.
David: You know, Chase, as you talk through that, it struck me that our technologies reflect ourselves, right? So we’ve encoded trust into our systems, into our networks. We’ve encoded bias into our AIs, those sorts of things. But when you talk about always verify, that’s the computer’s way of actually building trust. So while Zero Trust is the name, it’s a sense of almost computational or network trust isn’t based on human concepts of trust, but computer trust. Does that make sense?
David: So Zero Trust is a concept. It’s hitting this perfect confluence of opportunity and need and technology. And if you were a listener out there and you’re thinking, you know, “Maybe I should give this a try,” is there an easy place, a low-hanging fruit, that you would recommend some of the organizations that are interested should start? Where’s the easy place to start?
Chase: I think this sounds counterintuitive and this is usually where people in the workshops kind of…you’ll see them start, you know, sweating. It’s really…it’s not around the data security problem. The easy place to start is actually around devices and users. And if you kind of accept that the reason for that is because devices and users are where breaches actually start, that’s where you want to focus your efforts on first. If I can eliminate the really easy, simple stuff, the bad passwords, the no 2FA, the unpatched systems that touch my network, like all those basic security hygiene things that users and devices cause, I can eliminate a large swath of the problem. And in doing that, I get to be able to vector in on those really harder problems to solve as you go down the path of the journey towards Zero Trust.
So I tell people all the time, pick really small problems that have relatively binary solutions and fix that first. And in my experience, you can apply technology towards users and devices pretty easily and make a massive difference. I mean, just something as simple as MFA being employed can be a, you know, multiple factor of reduction in compromise activity.
David: It’s interesting you talk about that. In prep for today’s conversation, I was looking at some of the research our services team has on this. And one of the things that really surprised me and stood out was that only about 40% of the enterprises that we surveyed had multifactor authentication.
Chase: Which makes me want to scream, like pull my hair out and scream.
David: Absolutely. It drives me nuts that some of my more sensitive financial information, and I won’t name banks here, but I can’t get them to set up multifactor. It’s just…it’s really concerning. So I would wonder, you know, you end up talking to a lot of different organizations. You’re deeply immersed in this concept. What’s holding those organizations back?
Chase: Usually it’s because the leadership that’s in those places has been burned by the promise of security technology in the past. And they’re hesitant to try and put it in place again because they were the ones that went and fought for some of these solutions to be put in place three, five years ago that the market and industry told them this will solve all of your security problems. And now they’re standing there, holding the bag because none of those things lived out to fruition. And the really confusing thing about that is the solutions that used to be offered were really complex and solved or tried to solve really complex problems. Now, we have really well-built, very dynamic solutions that solve relatively simple problems, but people are hesitant to use them because they got burned in the past. It is a frustrating place to be for those organizations and for those individuals.
David: Yeah. So is it that? I keep thinking to myself, “All right, you didn’t like the vegetable. You didn’t like asparagus. I’m going to make you try it again.” So maybe the same thing is true for organizations. You tried it, it was bitter, but don’t give up on it because we’ve evolved. We’ve come along. The technology is better. The concept is actually really solid. Maybe that’s our rallying cry out there. So what are some of the more advanced things that you’re seeing companies do? I mean, let’s go to the other end of the spectrum. Anything stand out that really impressed?
Chase: Yeah, there’s two pieces. Number one is the organizations that are using virtualization to literally design what their infrastructure is going to look like. And so they’re not drawing stuff on whiteboards and PowerPoints; they are actually using virtualization to literally build representative environments of where they are going to be for Zero Trust. And then they test stuff. They blow it up, they delete it, they infect it, they try it and they move on. And that way, they’re perfecting not only their approach, but also their planning and their justification for the process itself.
And then the other thing that really is big is the organizations that are moving to an almost entirely cloud-based infrastructure with very limited endpoints that they’re allowing their users to use.
David: Yeah. It takes advantage of the resources that the cloud providers have. It’s striking to me, the difference, just a few years ago how the infrastructure has changed quickly. We’ve talked about the moment with cloud as an opportunity to reset a once-in-a-career opportunity to reset how you think about security. When you’re talking to some of those folks that are using these advanced techniques to draw things, are they able to prove an efficacy around the concept that gives you constant, you know, confidence to continue to recommend it and to drive, maybe to counter those arguments a few years ago where CISOs got burned?
Chase: It’s possible. I think where you run into the issue usually around that is for the organizations that say, ”We want metrics to justify this.” And when you say, ”Well, what metrics are you using to track, you know, your current state of infrastructure?” they usually say, ”Well, we have, you know, one or two or three things.” And it’s based on the network traffic and things that they’re looking at that aren’t necessarily useful, anyway. So they’re justifying their current position based on flawed data. And then they’re asking you, “Well, tell me how I can move to a new position with data that doesn’t exist yet.” So it’s kind of this, you know, self-fulfilling prophecy of, “Well, I can’t do that because the numbers don’t justify it,” but the numbers don’t justify it because the numbers aren’t there.
David: Okay. So it’s measuring the wrong thing and not able to get past the fact that you’ve instrumented something that no longer makes sense.
Chase: Yeah. It’s like somebody telling me, “Well, tell me what this stock is going to cost me in five years based on, you know, great British pounds,” and you’re investing in American dollars. Well, I don’t know. I can give you a rough shot over the board, but it’s just a guesstimate.
David: Yeah. That really helps to frame it. It’s a completely different way of looking at the problem. So one of the things that I wanted to ask you about is this idea of Zero Trust came out, you know, almost a decade ago and focused a lot on network segmentation. And now as I read some of your papers that you’ve put out, you’ve talked about Zero Trust extended. And it seems to have shifted the focus a little bit, maybe more on integrations and an ecosystem. Can you talk about what was the intent behind the change?
Chase: Yeah, I think that the intent behind the change was really that we felt that the industry had pretty much gravitated that this was the correct strategic approach. It made sense to them, but they were still saying, “Well, how do we do this?” And for a long time we’d been saying, “Well, start with data. Do day-to-day to data, then micro-segment around that and then move from there.” And conceptually, that makes sense. But in reality, when you talk to organizations that are trying to do this, that’s not achievable at the beginning. That’s something that you might get to at the very end of this process.
So where we flip the script with the extended was can we take all of these other possible solutions that are available that solve all these other problems — workload, network, people, device, automate, visibility — and cobble those together into a framework and say, you know, “Use these things to solve this problem and work your way through that process and you solve the problems with the technology that the technology is meant to solve.” Not try and continue to ice skate uphill and solve for something that is really, really hard to solve with what you have available.
David: How has that been embraced or interpreted maybe by some of the teams that are on the ground using it or even some of the vendors that are looking to solve in this space now that they have more tools in the framework?
Chase: Yeah, it’s interesting when I talk to the end user side of this because the moment I run them through that, all of a sudden the light comes on. They go, “Okay, like I get that. It makes sense. That’s what we’re doing anyway. I understand how we can map this.” And they usually will say, ”Well, can we get a copy of the framework so that we can start figuring out how we map into that?” On the flip side of that is when I go to the vendors, I honestly cause a lot of hate and discontent when we launched this thing with the vendor community because they were saying, ”Well, we have a platform that does all of these things, most of them,” or, “We have this solution that does X.” And from the folks that were engaged in zero trust, we were literally telling them, “You don’t need to solve for X right now. Let’s go back and solve for, you know, W, and the solutions that do W are these.” And the platform side of this, of a vendor that has 15 capabilities, you may only need five. And for vendors, that means we’re cutting the bottom line on them, which no one likes losing revenue. But the reality is, this is about fixing security, not about buying security solutions.
David: No, I think that’s fair. So if you look at it as it helps a client out and they understand it, you said the lights go on. That’s exciting because that means that we’re moving in a direction where, you know, the mission of the business is to secure and to allow you to do the things that you want as a business and to thrive. One of the other questions I wanted to ask you about is, so Zero Trust is a security concept, but it strikes me, and you’ve kind of hinted at this, but it strikes me as it’s beyond security. It’s part of your network team, your IT team, out to your line of business and how they’re thinking about and approaching delivering the services or the applications that they’re building. Do you see this being something that translates outside of just the security domain?
Chase: Yeah, and I mean, it’s interesting that now I’m actually doing briefings with boards on and for, you know, Fortune 50 companies on how Zero Trust enables the business. And we don’t talk at all about security and hackers and, you know, numbers of exploits and breaches, whatever. We talk about in business, you leverage a strategy and you put solutions in place that enable you to achieve the objectives, and your business grows. In security, that’s what we should be doing as well. We’re just taking a slightly different twist on the narrative there and leveraging security solutions and strategies to benefit the business because customers and consumers buy more things from secure enterprises, and that makes everybody happy. A rising tide lifts all ships.
David: Right. If you don’t trust the company’s going to be able to survive or protect your data, protect your transactions, then why on earth would you absorb the risk as a consumer? Or even as an employee, you don’t want to go get dinged there.
Chase: And even for the companies, too, that are…you know, if they get breached or they get, you know, hit up, they’re going to spend time and effort responding, remediating, litigating blah, blah, blah to get back to square one. It makes more sense from the context of fixing the problem before it’s a problem to not have to do with that and not spend all that money, time, effort, revenue to fix an issue you could have fixed in the first place.
David: Yeah. As you talk about that, it strikes me that that’s a CMO issue, right? I don’t want to lose my customers or damage my brand. It’s a risk officer issue. Let’s not absorb or expose ourselves to risk that we shouldn’t. So I can see how boards and the C-suite would be really interested in this type of conversation.
Chase: Yeah, they seem to get it and it’s nice because you can…I can talk to a firewall engineer about what a firewall rule set looks like for Zero Trust segmentation. I can also go talk to the board of a Fortune 50 company about how strategy enables business based on security strategic sort of objectives.
David: So as I’ve talked to some CSOs, they say that they struggle with that conversation as it goes up to the C-suite or up to the board. I would wonder if an interesting way for a CSO to explain things is use the Zero Trust model, as you’ve articulated, at different levels of concern and oversight within the business, not just at that practical firewall engineer, but all the way up and down. And it gives a nice set of bounds to have the conversation.
Chase: Yeah. I mean, nobody that’s in the business, you know, hardcore business space is going to understand what PKI does or how AES-256 increases, you know, DNS tunneling security or some, you know, weird thing that you throw in front of them. But they’re going to understand that if you do things better and you have a strategy and a plan and you can map technology and goals and objectives to that, you can get to the end state. And they get that. It is a bit of a translation to make it all work. But that’s the benefit you get from being able to have a singular strategy.
David: That’s right. Yeah. Actually, one of the videos that you put out there in October were your thoughts on NIST and Zero Trust. And as I watched that, I wondered if you expect that the government’s embrace — and that’s what my big takeaway was on Zero Trust and where it fits in within this — is that embrace of Zero Trust going to help drive adoption in the private sector?
Chase: Yeah. There’s about 40-plus federal agencies now, double from what it was last year, that are engaged in their own Zero Trust initiatives that are in this space. So the role is happening there, the impetus is there, the momentum is there. And the funny thing for folks to realize is, in security the federal government is the innovator, is who leads us in the space. If you think about when we all started responding to security and all the requirements we have and etc., we follow what they told us we should do.
So that’s what’s going to happen in this space is now these federal government agencies are going to be in on this. They’re going to grow in it. They’re doing…some of them I’m working with are looking at 10-year projects. They’re going to evolve. We will all follow that model. It may be slightly different versions of that flavor of ice cream, but we’re all going to eat a bite.
David: Yeah, sure. It seems to me that Zero Trust is a, you know, like that conceptual model and how you get to your outcome is particular to your threat model and your environment and the rules of engagement and budgets that you have. One of the other things that you talked about in there was this idea of a hybrid network that may have some areas that are protected or under a strategy of Zero Trust and then others that are still, for one reason or another, using the perimeter controls. And I’m wondering if you can talk about, is anyone that is in that situation, maybe a government, maybe a private sector, using that as a way to tease out the efficacy between those two sections of their network?
Chase: Yeah, I did a thing with a cruise line, and for them they embrace that pretty heavily. And for there…I call it the content, the sort of concept of contested space for Zero Trust, where if you think about in sort of a combat environment, you typically have an area that you control. Then you have an area that is sort of in your control and then you have an area that is where the combat is actually occurring. It’s contested space. And when we help them figure out segmentation and isolation and the crown jewels and all those things, that’s the high ground. That’s what we want them to have, the Zero Trust stuff fully fleshed out.
As they move into those other areas where they probably won’t be able to get the high ground, they have to realize that it will be contested space. And what you do there is you give it your best shot and you try and make sure that you have control if you can, but you’re never going to own it. So there’s a pretty massive difference that people see really quickly between the contested space and the high ground. And that the metrics that you can gain there are very real.
David: You mentioned the cruise line, I’m guessing that you can’t name names, but I’m wondering if you can share a success story or two that you think would help security leaders build the support in their organization to embrace Zero Trust.
Chase: Yeah. So when we started the project with them, they had had seven CISOs in five years and their sort of security portfolio products had 59 solutions in it. So they literally had things that were alerting on top of other solutions for the purposes of alerting on another solution. And they were logging things to log things because of logs. And as they got through the process, they went from 59 solutions down to less than 20. So in that time, how much network throughput did they free up? How much budget, how much operational capability did they put in place, all because they put a strategy in and then they had someone in there that said, “Look, we’re going to do this,” and they started mapping solutions into the framework so that they could follow along. “Well, gosh, I don’t need three different endpoint antivirus solutions. I need one. Let’s pick one that does it best. I don’t need three different network analysis vulnerability solutions. I need one.”
David: Yeah, in that tool rationalization and bringing those costs down, that’s like a hard number that you can get into. But then just the mental, cognitive overload that you give to your team, with 59 tools, you know, that’s incredible. And to be able to more than have that, it strikes me that your teams are going to be happier and more efficient. And you probably can then go away from some of the more esoteric tools or particular skill sets that are harder to obtain towards something that’s a bit more mainstream.
David: So I want to switch things up a little bit. I’ve seen that you’ve written a couple of articles over the years that were aimed more at kids or keeping kids safe really. And then a field guide. Is it Cynja Field Instruction Manual?
Chase: Yeah, Cynja.
David: Okay. So a shout out to my son. He’s the one that figured out the portmanteau pretty quick. That’s Cyber Ninja, right?
Chase: That’s it. Yup.
David: That’s cool. So what I wanted to ask is, how do you explain something like this in a practical way to the next set of geeks that are coming up or our kids in a way that helped them really understand maybe how Zero Trust impacts their life and where they could use it?
Chase: Yeah. It’s tricky to try and do that because we have a generation of people that are coming up that have never had a day in their life without wireless, right? They’re used to being connected. They live on their devices. They’ve been digital from the time that they emerged. And so really the twist that we put on there is kind of back to the old things that I think we were all taught as kids is don’t trust what you don’t know and make sure that what you’re doing is something that you’re okay with grandma knowing about or putting on a billboard. Like, don’t be out there posting stuff online if you wouldn’t be willing to have it on a billboard that your grandma’s going to drive by on her way to church. It could be embarrassing. It could come back and get you later.
And as far as don’t do things that you probably think you shouldn’t do, if you wouldn’t, you know, go into the park and walk up to some stranger that you don’t know and just shake their hand, you wouldn’t do that online either. So, you know, just thinking about those sort of basic concepts that we have as children from kind of my generation of being a little bit wary of strangers, not, you know, going up and meeting people that you don’t know, not dropping your kids off at the playground and just driving away, basic concepts is what they have to apply to the digital space. You know, Cynja side, we just made it cooler with the comic book character, but it’s still those same basic principles.
David: So I was at a Cyber Day for Girls [event] recently, helping out there with some of my coworkers, and they showed this video where all of the things that we do in social media were replicated but in real life. So just walking up and telling people that they, you know, should look at pictures, and the guy who opened up the big binder and was flipping through it, look at this one. Look at this one. You know, poking people. It was very awkward, but it really showed a light on how weird some of the things we do online are. And I think that advice of, you know, the less you say, the better off you are, and don’t embarrass grandma, come back to how we might frame things, not just to those kids that we’re trying to make sure are safe or the next set, but to our coworkers and, you know, the people that we want to make sure are safe and helping our businesses thrive. So a quick thing that I found, Chase, and I wondered if you’ve seen this. Did you know that your book is available on Amazon for $900?
Chase: For $900? Wow. That’s a rare edition, I guess.
David: Yeah, plus $3 in shipping. So I happened across that and, you know, I was like, “Whoa, I wonder if I can get a copy of this.” And I don’t think that this Amazon seller is really serious about selling their copy. But if anyone’s out there thinking about getting a copy of Chase’s comic book, just a mere $900.
Chase; Yeah, I would say go buy the Kindle version. That’s like four bucks.
David: There it is. So a final question, you know, on Zero Trust, you’ve talked a little bit about the evolution in the last nine, ten years or so. Any thoughts on how this model is going to change or could change to adapt to the future and some of the things we see coming?
Chase: I think the two biggest changes that we’re going to see is the stuff that we’re seeing around how important virtualization is to this and how to correctly use virtualization to plot and plan for your future state as Zero Trust. And the other one is, I think, we’re going to basically be redefining what that core ZTX pillar for data actually means. Because what we found data is sort of the antiquated thing of stuff in a database. And in reality, a lot of organizations now, they don’t have a central repository of ”data.” It may be a process. It may be a way of doing business. It may be a particular formula. Like, there’s so many different types of data now in the sort of digital ethereal world that we live in, that we’ve gotta redefine what data means for Zero Trust.
David: Yeah, I think that’s a really good way of thinking about where it’s going to go. You know, I’m constantly looking at the shifts in culture and adoption of privacy through, you know, legislation and/or just the norms, and it strikes me that Zero Trust is actually a space that could really drive organizations’ strategy to adopt a more privacy-centric way of looking at things or being able to protect a customer’s information or some of the unstructured data that you’re talking about, whether it’s video or images or, you know, processes and workflows. So it’ll be interesting. I hope to have you back on the podcast to talk about how things evolve, where ZTX goes and, you know, maybe next time I’ll have that $4 version of the Kindle.
Chase: You’re not going to go buy the $900 one.
David: No. And I’m sure it’s great, but it just…it gave me a chuckle that that’s out there. So once again, thank you so much. I really appreciate having this conversation with you, and I’m sure our listeners have picked up all kinds of things to think about.
Chase: Thank you so much for having me. I really enjoyed it.
Pam: David, I can’t believe you didn’t get me that comic book for the holidays. I really thought I dropped enough hints. But since you didn’t, perhaps you can give me the gift of your insight. Did your perception of Zero Trust shift at all after your conversation with Chase?
David: Oh, for sure. Chase is masterful at talking about Zero Trust in some of the concepts that were a little hazy. Those cleared up for me. And I think my biggest takeaway was that Zero Trust seems daunting. It’s like this overwhelming amount of work that you have to do. And, you know, in researching for this, I had a perception they had to rip out your entire network and start over. And I thought, “Well, who on earth would do that?” And Chase was pretty clear that that’s actually not the requirement, that you can start small and implement some changes, some hygiene best practices, and really build towards the network, the Zero Trust environment that you want. And that’s a relief. You know, you can get better. You have control over this. It’s not just an academic exercise to look at Zero Trust.
Pam: Well, that is great news. And in other great news, let’s talk about our New Year’s resolutions because we’re still here at the start of 2020, and I’m curious if you’ve set any resolutions for yourself that may or may not relate to cybersecurity.
David: Well, yeah, the cybersecurity one that I have is recognizing, from this conversation, that my IoT stuff, strangely more than I expected, is running on the same network as my tablets and phones and my wife and kids’ stuff. And I want that stuff separated. I’m buying in, Chase. And so that’s my resolution. I’ve started looking at different ways of doing that, and there are a lot of really great options out there if you’re doing home networking. I’m reading quite a bit and, you know, I’ve set a goal for myself maybe not to let this one slide for all of 2020. How about you, Pam? What are your resolutions, cybersecurity or otherwise?
Pam: I think my cybersecurity resolution is more spreading the good news about not clicking on stuff. I’ve done pretty well at not clicking on stuff myself, much to my father’s chagrin. I don’t usually open the emails he sends me with links to funny articles because the subject line is just funny article and I’m sure it is funny, but I also know I’ll probably see it when he posts it on Facebook.
David: That’s true.
Pam: I don’t really click through those kinds of emails a lot, and just trying to get the word out to more people even, you know, personally I’d like to thank everyone we work with here in the cybersecurity land knows not to click on random stuff. So I think spreading the word about that is kind of my personal cybersecurity resolution.
David: Do you think we can get a business started up before RSAC 2020 called “Don’t Click Stuff” and get a booth and that’s really all we’re selling is maybe T-shirts, needle point?
Pam: I think stickers. Definitely a strong sticker game. Yeah.
David: Yep. Yeah, don’t click stuff. I see that as a good…I would wear that T-shirt while working on my network problems.
Pam: Amazing. Well, that’s it for this episode. Thanks to Chase Cunningham for joining us as a guest.