Transcript:
[00:00:00] Michelle Smith: Hi everyone. And welcome to this very special episode of cyBARR Chats. Today, I’m joined by BARR founder and president Brad Thies and CEO and co-founder of HIVE Systems Alex Nette. And we’re going to be discussing a topic. That’s getting a lot of attention lately. So according to a 2020 study by Okta, 60% of North American organizations are currently working on implementing this model compared to only 16% in 2019.
So, what is this model that’s gaining traction among organizations of all sizes? Zero Trust is what we’re going to be talking about today. So Brad and Alex, thank you so much for joining us today. Let’s get started with the basics. Alex, can you kick us off with what is zero trust?
[00:00:44] Alex Nette: Yeah, thanks for having me, Michelle and Brad. Zero trust is a great new concept. Uh, well, not really new. It’s been around forever. Uh, but there was this idea back in the day that when we thought about cybersecurity, that everything was a castle and you protect the castle with a moat and defenses and, and keep the bad guys out. But over time, we realized that once the bad guys got in, they kind of had free reign or even worse.
What if the bad guys were actually growing employees or your own team, uh, and the idea for zero trust was born. Uh, the idea is that everything is separated and segmented. Uh, so that means that nothing trusts nothing. So whether it’s coming from the outside to the inside, inside the outside or inside to inside, uh, it’s all separated.
That doesn’t mean that it doesn’t, uh, or cuts into business processes or stops the business from working as it should, but it takes a more granular look at that approach. Uh, especially as we start to decentralize the way that we do IT. And we think about having. On-prem resources or things in the cloud or other SAS based solutions.
Uh, the need for zero trust, uh, has kind of happened inherently because things start to get broken apart, uh, that need for continuous evaluation, uh, and a monitoring of that to make sure that nothing trusts anything implicitly. Uh, has especially gotten more relevant in the era of ransomware, as things can easily spread from part to part, the idea of zero trust can definitely cut down on that as well.
Uh, so it is a great way of looking at it. Uh, sometimes you will hear it called a zero trust model or no trust, or, uh, sometimes even just standard. Uh, Hey, we’re not doing it the old way. Uh, this is the new way. Uh, and so it’s, it’s kind of grown and changed over time, but it is how we’re looking at cybersecurity here as we move into 2021 and beyond.
Brad, anything to add?
[00:02:28] Brad Thies: No very, very well said. And, and, and from an implementation standpoint, it’s good to know what, how you define it. Um, there’s, there’s so many different ways to implement it that we’ll get to in a minute, certainly. Um, you know, but I always liked the farm analogy of, of it’s no longer that, uh, that fence that’s going to protect.
You can assume that everything inside your farm you got to verify that they’re okay too. You know, milk the cow 10, 10, the farm do, do whatever they have to do within those what are called resources within your enterprise. So really encapsulating and containerizing things around your data and resources versus just assuming everything is trusted once you’re in.
[00:03:10] Michelle Smith: So we know that 85% of data breaches involve some sort of human error. And half of all data breaches involve credentials, according to the 2021 Verizon data breach investigations report. So I’ll start with you, Brad. Why is it that the traditional trust model is not working to protect companies, data, assets, and applications.
If you could just touch a little more upon that. Um, and, and the farm analogy I think was great. Um, that’d be great.
[00:03:38] Brad Thies: Well, let’s start with cybersecurity in general. Traditional gets, uh, to traditional could be last month in cybersecurity and, and it’s the whole, whole thing of always improving continuously continuous improvement.
It’s not a binary thing. You can’t go from, uh, Trusting a network to complete zero trust. There’s somewhere in between. And so first and foremost, how do we always continue to improve? And the stats that you just mentioned speak for itself that is what’s not working because of all this credential theft that is happening.
Um, more lines of code, uh, means more bugs means more vulnerabilities and that soft gooey center. Um, that, that hackers love to exploit. You have to assume that they’re already in there and, and so that’s, what’s not working. Um, but it’s more about shifting your mindset to always improve.
[00:04:38] Alex Nette: That’s a great point.
Um, I think a big part of it is looking at it from a, an, like I talked about before there was this idea of hackers and scammers always would be a big part of this, but it can just sometimes be employee negligence. Uh, when we think about due diligence on overall cybersecurity, uh, some of the core tenants are that confidentiality, integrity, and availability.
I am protecting that. Sometimes it can just be an accident that happens a database or a database gets deleted or sent to the wrong person. Or somebody pulls a power cord or trips over a power cord and unplugged something that gives you a trust can help. Uh, also continue your business from a business continuity or disaster recovery standpoint and keep things flowing.
Uh, it just reduces that overall risk. Uh, yeah, one of the big things there is really having that overall structure for what the company looks like and understanding what zero trust means to you. Uh, and I think there’s a gradient scale as companies move from on-prem and maybe to the cloud and how they look at that zero trust model as a whole, but sitting down and kind of thinking through those processes, uh, is not just the cybersecurity exercise, but really a business continuity exercise.
[00:05:47] Brad Thies: Yeah, that’s right. And what’s also not working is probably people feeling like they always have to enter in a password every time they go into something. Um, you know, that that’s one form of zero trust that you always have to reenter a password and human nature is to figure out a way around it. And the human nature figure out a way or a way around that also produces opportunities for threat actors, whether it’s external or internal as well.
And so that’s another reason why it’s, it’s probably not work and we can’t just throw more passwords at the problem. Um, You have to think about this more pragmatically of all right. What, what’s our policy? What do we want to do? And then further, how do we extend that into enforcing that within our environment so that it’s easier on the, on the user.
[00:06:37] Alex Nette: That’s a great point. Yeah. There’s no greater moment to find a way around something then annoyance. We sometimes think about that from an innovation standpoint to do something better, but especially in the world of cybersecurity, we see it often that when there’s something that’s standing in someone’s way, they will spend more time to try to figure out how to get around that, then just abiding by the process.
So, yeah, as we dive into this a little bit more, that is a key part of this is that overall change management and change enablement for the organization.
[00:07:06] Michelle Smith: Yeah, interesting points. Um, so Alex, I’m going to throw this one over to you. What are some of the main principles behind zeros?
[00:07:15] Alex Nette: Um, I think the, the real big thing, uh, at the end of the day is just always assuming that something could go wrong.
Uh, and I think it’s about really identifying how do you reduce that risk across your entire organization? So how can you segment, how can you separate where did the logical lines fall from a business perspective? Uh, for those of you who are like Lord of the rings fans, uh there’s you know, the big Ghandour castle that exists.
And I like this analogy because there’s a castle at the tippy top of it, but there’s some rings that kind of step up to get there. And so if you think about logically putting different departments in different rings and say, Hey, this is the, uh, accounting ring. This is the HR ring. This is being very sensitive, proprietary, you know, material ran.
This is the personal information ring. You can start to segment those different groups inherently, though. They can’t easily move between those groups, right? You don’t just get to move up and down the rings, any old way, there’s walls and separations and gates. Uh, and you get required to break that down.
Obviously, if you want to move that further down, even more, you start to segment those rings into individual huts or houses and groups in between, but the key piece, and this is really that segmentation of that separation that can stop things from going wrong. Right. Again, if someone only has a limited access to a limited amount of data, Yeah.
If they delete that data or send it to the wrong person that reduces the overall business risk, uh, the same could be said if somebody gets in, they can only do, but so much, she can only move maybe within that ring or maybe move within the house or somewhere else that they break into. Uh, I think that’s a key piece, especially as again, we think about the world of ransomware, the ability to limit the spread.
Uh, as a huge part of this, if they don’t have access and that zero trust models implemented correctly, that can reduce the impact of either a hacker or anything automated like ransomware. Uh, definitely a big piece though, uh, sitting down and thinking about what’s right for your business. Uh, not all of these zero trust models are gonna work appropriately.
Total isolation and segmentation of every single person or department might not work for your company, or if it’s not big enough, it might not make sense, but finding where those lines can be drawn and do align with business and overall risk tolerances is the way to approach this. And so it’s a little bit more of an art than a science.
[00:09:27] Brad Thies: Yeah. And it’s also bringing a lot of components that have already existed in a lot of cybersecurity programs. Um, with something just as is a written policy, you know, least privilege access is a zero trust concept that’s been around for a while. It just wasn’t called zero trust. Now it’s just getting more important because of the connectedness, like, like Alex mentioned, and thinking back to when, you know, the mainframe wasn’t really connected to the internet and, you know, then it does get connected, then there’s issues with that.
And so zero trust just assumes that it’s going to only get more complicated and there’s going to be resources that you don’t know if, if there needs to be trust there. Yeah. And so the principle of that is taking all of your existing policies, maybe even your existing, how you analyze logs and how you analyze an incident management incident, threat detection, and then taking some of that information that you already know today in your environment, and then applying it to continuously authenticate and authorize.
Um, your, uh, uh, workloads against your resources. So you can already leverage, if you have a, have a an incident, uh, intrusion detection system, as an example, you can take some of those lessons learned from that component and then figure out what’s normal behavior within your environment to start preventing.
Um, issues from happening, uh, an extreme example of this, and there’s lots of products in the marketplace that, that do this, that take these principles is essentially just profiling, which sounds scary. Uh, but profiling the, uh, the, the end user or the activity of down to the keys. So how did that person enter in that password?
How does that person actually type on, on the endpoint and that, and even if you enter a correct password in, it’s going to go through and analyze that and say, you know what? This trust score isn’t high enough where I don’t feel comfortable letting them. This person access to that resource, even though they entered in the right credentials and, and, you know, think of all the different threats you can Thor, because of that, because of that type of technology, that’s, that’s on the far advanced end where you’re starting to get into you know, essentially fingerprinting everything.
And, uh, assuming that everything’s been compromised, it takes a lot more than just multifactor. Um, it takes, uh, it takes actually profiling the actual.
[00:12:01] Michelle Smith: So what is required or what are some of the first steps that companies can take to achieve zero trust, particularly SAS providers operating in a cloud environment.
I’ll throw that one to you, Brad.
[00:12:17] Brad Thies: Um, first, like anything, any project get on the same page with your team because it’s an enterprise effort and you have to, you have to be somewhat all in on this mindset shift. And and that includes getting buy in just like any project, if you’re doing something of this broad sweeping nature.
Um, are you asking the questions or are we okay? If the low end game is starting to profile our users, is that acceptable? Is that appropriate? Um, or do we want to maybe start somewhere in, in a different area where just simple as defining what our policies should be taken away. Okay. We’ve have all these things written down.
Um, are these the right things written down because that’s what then makes up your governance of actually putting that into the policy within the systems that everything has to run through.
[00:13:14] Alex Nette: I think that is the biggest point. Um, Bradley, I nailed it as is looking at how do we sync up with the team being from it and cybersecurity, but also the business as a whole, uh, I’d say a shift in how things are going.
Probably traditionally where we just used to trust it implicitly having kind of that governance and that overall concept about what the, this needs to look like and how this is gonna work for the business or, or reduce risk for the business, I think is a key piece of the puzzle. Um, definitely also just laying out the goals around the program.
Uh, I think what is wanting to be achieved, is there some specifics. Data that needs to be better protected or some end goal or state, or even if it’s just a lessons learned, maybe something did happen and you want to find a better approach forward, uh, sitting down and having that partnership is a great time to bring that back to the, uh, C-suite level and have that conversation about why this is important and why the investment in it will help reduce risk in the long run as things move forward and, and grow, uh, and decentralized even further than they are today.
[00:14:15] Brad Thies: And sometimes it’s as simple as starting with a small area of the business as well to test it out. And, you know, CMMC has been a hot topic of late and a lot of, a lot of the smaller businesses are just setting up an enclave and saying, I trust everything in this enclave. I don’t trust anything outside of it.
And that’s as simple as it is. That’s your beginning of, of some type of zero trust. Just a model. If you have very specific workloads, you’re trying to.
[00:14:42] Michelle Smith: So many companies might be hesitant to implement a model like this because they think it will be too costly or disruptive to their operations. Alex, why would you say it’s important to start working on that sooner rather than later for the companies that, that zero trust is that right?
[00:15:01] Alex Nette: Uh, my number one reason, uh, is a concept called shadow it, uh, and what that meant back in the old days was that somebody would bring in something and maybe plug in some new server or a new computer in your office. And it was something that you could go and find and tangibly clap or unplug, uh, in 2021, though, the idea of shadow, it has branched out to the cloud.
Uh, and what that means is is that really anybody with a credit card can now go get a license for almost any product that they want. It could be a database that gets, it could be something that syncs up for HR related things, uh, accounting, any of those other processes. And so where you end up is if you have this in-house trust, someone could quickly link that back up and suddenly move all that data into that new space.
Uh, without anybody ever having looked at it, evaluated it and understood the cybersecurity implications. We were going to contractual obligations and all it takes is 9 99 a month for one user to do that. It definitely falls under a P-Card standard and somebody could get that up and running real quick.
So the zero trust we start to say, Hey, we don’t trust anything. We don’t let things link up and just start pulling data any old way. Uh, that definitely reduces that risk from someone saying I’m going to take initiative and start up some new service and, and stop that from happening early on. Uh, definitely as well with the increasing, uh, end points that people are using, taking mobile devices and tablets and DYOD and everything in between, uh, that also exposes things out further.
And so being able to clamp down on that, uh, better restrict and manage data. That’s moving out from the traditional in the office and outwards towards employees as another critical area.
[00:16:36] Brad Thies: And also let’s just start with the, the stats. I, IBM has a report on the cost of a data breach. They issue periodically and breaches caused by this threat that we’re trying to, to, to reduce is because it’s stolen or compromised credentials.
They took the longest number of days. All the breaches up, up to almost a year before somebody actually identified the issue or the problem. Um, and so really the question is how. How are you not comfortable with, or how are, how, how are you getting comfortable that somebody is most likely already in your network trying to exploited because that, that is the assumption.
And if, if we haven’t accepted that assumption yet today then you’re not really thinking about security as a differentiator in your business. You’re thinking about it just as a, as a cost factor.
[00:17:34] Michelle Smith: Great. Well, Brad and Alex, thank you so much for sharing your insights and expertise with us today. We look forward to seeing everyone next time on cyBARR Chats.
Have a great day.
[00:17:45] Alex Nette: Thank you.