Hot Topics
Security Bloggers Network 
SBN

AZT EP 01: Andrew Abel

by Elliot Volkman on July 14, 2022

Catch this episode on YouTube, Apple, Spotify, or Amazon.

Zero Trust Basics With Andrew Abel

This week we chat with Andrew Abel, our defacto Zero Trust expert who is currently the EUC Cyber Security Strategy and Architecture Lead for an energy company out of Brisbane Australia. 

Andrew has been involved with Zero Trust for some time, holds Forrester’s Zero Trust certification, and has an extensive background with solutions architecture and identity management, both of which play significant roles in the adopting of Zero Trust. More importantly though is Andrew’s interest in strategy and business alignment, which places him as a key player in in moving a concept like this forward.

When ask what value Andrew sees from a concept like Zero Trust, he said it’s important to zoom out and look at the big picture. 

Zero Trust is a philosophical concept with an “umbrella that all good decisions fit under nicely.”

In particular, he feels that drawing a straight line between what the business needs to properly grow and secure itself along the way is a critical element to Zero Trust. Currently, it’s easy to get sidetracked by shiny objects from vendors, and while they may have a solution for future problems, stick with the ones facing you today. 

Multifactor (MFA) the priority? Inventory your people and devices, identify your gaps and build your access management playbook, and from there it’ll be clear what vendors can solve your use case. The shiny object in this scenario is split between secure browsers for users or even potential passwordless (biometrics) options, which would come secondary to finding an IdP solution.

“I focus on it heavily as a business tool, rather than a security tool. I look at it as a way to protect the business, to make better decisions, better security decisions, but based on your business’ assets.”

By elevating Zero Trust beyond a cybersecurity concept, it allows executives to better understand the potential financial and reptutational risks involved with an organization’s current environment. While this may not increase budgets significantly, this is an important prioritization point for bringing security concerns into the boardroom.

Introducing Zero Trust to Your Organization

As Andrew notes (11 minutes in), in most cases those who want to bring Zero Trust to the table may not have the authority to do so, and those with authority may not have a firm grasp on the concept, yet.

“There’s a way to introduce it (security concepts) but one of my pet peeves is security people just spinning out buzzwords to try and impress… maybe not impress people about how clever they are, but presented as a security concept and people’s eyes roll back in the head.”

This is where someone like the chief information security officer (CISO) plays a critical role. 

Semi-related, this is also why security vendors need to take a step back and ensure they are not barking up the wrong tree as there are usually researchers, change makers, and other decision makers who make up the buying committee. Stop bothering the CISO about every security concern.

“Translating the security stuff into the business language, because business leaders are hired to run the business. They understand the business language. So you need to make the effort to articulate your strategy in a language that resonates with them.”

So what does Andrew propose? Rather than focusing on the concept of Zero Trust out the gate, continue to focus on business alignment and priorities. For Andrew, bringing in an identity platform was critical for managing identities. Vendors may throw around Zero Trust, SASE, and other tool sets, but internally these don’t hold significant weight. Instead, Andrew build an identity operations strategy, which later advanced towards network controls, and all of this sits upon a foundation that follows Zero Trust concepts. It’s Zero Trust but without the buzzwords.

Making the Purchase

When it comes to making technology purchases associated with your Zero Trust strategy, it’s the same gameplay as any other process.

  • Identify business need

  • Prioritize need and map against risks

  • Evaluate potential outcomes

  • Inventory your environment

  • Research potential solutions

  • Chat with vendors

  • Post-purchase

    • Be sure they can support on training and education, and don’t just set you on your way OR

    • Ensure you have the right internal resources who can build, maintain, and manage the new tool

“Because, I’ve seen many times over the years that companies, what they think they wanna do is totally, they bring in a vendor because they wanna buy a horse. And then when the vendor’s left, they’ve got a camel and they dunno how to ride it. You’ve gotta make sure that the’s giving you your solution to your target, not the other way around.”

So there you have it, week one is a wrap, Zero Trust must be elevated to business concepts and is as much a philosophy as it is a framework. Be sure to listen in to the rest of the episode to learn first-hand how Andrew navigated the adopting and implementation of Zero Trust as we only scratch the surface in this recap.

This Week’s Takeaways

  • Zero Trust is as much a philosophy as a framework or strategy. Andrew maps it up as a business concept rather than a simple security approach.

  • In order to get internal buy-in, Zero Trust must be positioned in business terms. The board is designed to discuss in business terms how to run things, and cybersecurity does not easily translate over.

  • It’s important to draw a straight line between what business needs are to grow, secure itself, and protect itself from threats. Then, mapping it to what Zero Trust has to offer. 

  • Like any other security tool investment, ensure Zero Trust vendors provide the necessary training resources or budget hire(s) that can build and maintain it.

Coming Up Next

Next week is our off week, so we won’t air a new episode; however, we will share some 101 level resources about Zero Trust. When we swing back around for AZT EP 02 we’ll be chatting with the Founder and CEO of EDG.

Ryan Alford [LinkedIn]

Ryan is the founder and CEO at Engineering Design Group. We’ll be discussing how IoT and devices play a role in Zero Trust, and the importance of build trust and credibility through transparency. Devices are among the largest current gaps for the concept.

Adopting Zero Trust EP 01 Transcript

Please note that the transcript is provided via AI tools and may include inaccuracies or types.

[00:00:00] Announcer: Welcome to adopting zero trust, an independent podcast that dives into the world of zero trust and tells the story of people who are adopting it throughout our series. We’ll investigate why zero trust is becoming a critical concept for cyber security. Our hosts Elliot Volkman and Neil Dennis will have transparent and open conversations with the people driving modern security approaches forward while leaving ven hype.

[00:00:26] It’s time to remove implicit trust and buzzwords and get to the root of the. 

[00:00:31] Elliot: All right, everybody. So thank you so much for joining us. We are at of our first initial episode of adopting zero trust, or as we will be continuing to call this a Z T it is a podcast obviously about adopting zero trust.

[00:00:44] Part of our goal here is really to be an independent voice where we’re chatting with folks like our guest here, Andrew to really get a better understanding of what zero trust is. So today, if you do a quick Google search, First few pages you’re gonna mostly see vendor information and that’s great.

[00:00:59] They play a key role in adopting zero trust, but at the end of the day, we want to talk to practitioners who are actually implementing it. Having conversations with peers. And really just being able to help guide other individuals who are, gonna be in those same set of shoes. Obviously on the us side the federal government has instituted in the next two years.

[00:01:19] They wanna move towards zero trust model. We’re seeing things like just this past week which at time are recording as just this past week N has put out a new Concept for our framework that they want open for public opinion. So we’re seeing more and more organizations like this come to the table.

[00:01:35] And it’s just becoming very much more real, but that’s enough on my end. I’m just the guy who helps put this together. I’d love to get our two actual voices here doing most of the talking. So Andrew, I’m actually gonna kick this to you. I absolutely love your background and I don’t wanna destroy what I see on LinkedIn.

[00:01:53] So I’m gonna let you give me the spiel and we’ll dig a bit more into 

[00:01:57] Andrew: your story. Yeah. Yeah, sure. Thanks for that. And yeah, it’s great. Great to be with you guys today. So thanks for having me along and yeah. Looking, I’ve been looking forward to having a chat for ages, so it’s great to be here.

[00:02:07] Yeah, I guess the zero trust thing for me, I’ve always been in it for a long time. Not always in security, but what’s really been the main interest for me has always been strategy and business alignment. So when zero trust came along, the more I learned about it and I’ve always been more of a student of the traditionalist around zero trust, like the N and the C S a and the CS and all the sort of non-partisan non vendor.

[00:02:30] I guess theoretical versions of what zero trust should be. So the more I read about that from that perspective, without the vendor spin on it the more interested in it I got and the more I could see a, a straight line between what business needs to grow and secure itself and protect itself from threats and what zero trust had to offer.

[00:02:47] So that’s the thing for me, that’s really attracted to me. It to me initially and now as I say, the. Stuff that comes out. And even in the us, I follow it quite closely. And the philosophies and the evolution of what NIST is putting out there. It seems to be really on point for me about, driving businesses forward and aligning that security and business goal.

[00:03:06] Elliot: Absolutely. Yeah. I think that is a fantastic outlook. Cause at the end of the day, again, most people are gonna run into conversations with vendors and their perception. But there’s just so much more out there and it’s a little bit under the top layer, so to speak. But before we get more into your story background Neil, I’m gonna make you reintroduce yourself at least for the first dozen episodes and probably another a hundred more.

[00:03:25] Obviously we have episode one where people are gonna get to know you, but. What’s your background? What is Mr. Cohost here? Doing and learning about zero. 

[00:03:34] Neal: I’m along for the ride. So I, for those tuning in, if you miss our little fun intro slide that we do as episode zero here, I’m literally approaching this from a technologist perspective.

[00:03:45] I’m an Intel analyst. I strive to learn new things. I try to keep my technology background and focus with cybersecurity demand and figure out where things are growing, what they might be doing, where they’ve lagged behind. And so for. Coming from that perspective I am genuinely curious about factor fiction or middle road reality of what zero trust really is today versus kind of Andrew, you already mentioned this lightly, you saw it, in the past, probably before the term was even really coined, but the concept of what it really implies to do things so that’s where I’m at.

[00:04:15] I’m really curious about. What we’ve already done before we started coming up with the new phrases for all this stuff and where we might be going courtesy of the new marketing spiels and things like that, and the mandates that are coming out globally. Yeah, holistic approach, very technology focused pure curiosity play.

[00:04:32] So thanks for enjoying it with us, Andrew and I look forward to the rest of the convers. 

[00:04:37] Andrew: Perfect 

[00:04:39] Elliot: for sure. Awesome. So yeah, we’re gonna basically just throw a few questions your way, but otherwise conversation will just go wherever it ends up going. But that being said you have obviously a background working with some pretty large technological back organizations, and now you’re more the utility side of the world.

[00:04:56] So you’ve seen probably. The flavors left and right. As far as like how vendors approach things versus practitioners and internal, but I love just your general take on zero trust. Like when it first came across your desk, what did that look like to you? Was it is this too good to be true or, yeah.

[00:05:14] What was 

[00:05:14] Andrew: To me, it looks it seems to be an umbrella that all good decisions fit under nicely. Like we’ve all people who have been in security over a number of years, even Neil, you mentioned the analytics side and all of that. And that, I have a massive amount of respect for people with those skills.

[00:05:28] But that’s one sort of slice of the one vertical that the whole cyber security thing. And then you’ve got your identity stuff, your devices stuff. So to me it feels like we’re all out there doing. Our sort of vertical of security to protect the organization, but zero trust in the, in its purest sense in the way it was designed as a philosophy, I think is that sort of overarching umbrella that fits across all of that.

[00:05:50] And you can line it all up and give it some direction and give it some, apply end states and target goals and business strategy alignment to what we’re all out there doing individually, or, in silos previously. That to me is where it’s at. And that’s why I like the, this stuff.

[00:06:04] That’s why I focus on it heavily as a business tool, rather than a security tool. I look at it as a way to protect the business, to make better decisions, better security decisions, but based on your business’ assets. So that’s why I think when a vendor comes along and we spoke before about RSA and every second vendor.

[00:06:20] Don’t trust, do trust, maybe trust zero trust, all that stuff. So beware of vendor bearing gifts, I say, because unless anyone knows your environment and what you are trying to achieve, they, they can’t come in and by magic drop a zero trust solution and off they go, 

[00:06:36] Neal: yeah. I think on that note, the solutioning concept, for me, that’s. That’s an interesting one because you have all these larger companies that have been around for a while that have done some kind of implementation around various degrees of security. Whether it’s gateway security the new EDR XDR concepts, all that stuff left. Middle, all that stuff.

[00:06:55] And now everybody’s slapping the word, trust something on, on it, right? Yeah, one way or another. And I think hindsight for me is there’s not a magic bolt, anything ever. And if you’re buying one, you’re probably buying the wrong tools or you’re gonna be upsetting a lot of people with downstream and security stack.

[00:07:15] Yeah. Yeah. But that being said thinking about more of a holistic approach and piecemealing the zero trust concept together with multiple vendors, instead of trying to rely on a single solution. Curious that approach and that thought mechanization. 

[00:07:28] Andrew: Yeah I think that’s where it comes back to understanding your assets like a windows 10 laptop is a windows 10 laptop, and you can apply a million different vendors products to that laptop to do a million different things.

[00:07:37] But at the end of the day, you’ve gotta decide as an organization, what you want that device. To do production wise, productivity wise and what posture you wanted to hold security wise. So if you are in a, obviously if you’re in a government role, you’ve gotta have a high level of security around data and various bits.

[00:07:54] If you are just using that laptop to sign people on at the front desk, then that’s a different concept. I think that’s where the beauty of it is that if you understand what your business goals are, Then you’ll pick the right product and the right vendor to, to get to that outcome.

[00:08:06] Because, I’ve seen many times over the years that companies, what they think they wanna do is totally, they bring in a vendor cuz they wanna buy a horse. And then when the vendor’s left, they’ve got a camel and they dunno how to ride it. You’ve gotta make sure that the’s giving you your solution to your target, not the other way around.

[00:08:22] Neal: Yeah. That’s no joke. I think that’s just words live by across the entire security stack and product requirements. I know we’ve got a list of things to think about here, but on that note, you mentioned loosely requirements in a roundabout way, right? So thinking from an Intel analyst perspective, I don’t like to do my job either government side or private sector side without an actual require.

[00:08:45] Plural mapped out somewhere. Whether I am sitting at the tactical level with a strategic level or somewhere in between. I like to build, to map things out to both the actual risk inside the organization. I’m supporting understand the threat verticals, but then map that out to leadership, what they understand around risk and dollar sign, right?

[00:09:04] The the actual dollar value. So I think that’s a good point. You need to make sure you’re not buying a camel when all you really need is a poodle. Yeah. Yeah, exactly. Today. Maybe you still need the camel for something larger in six months, but if you haven’t really mapped it out, we got the wrong 

[00:09:16] Andrew: sadly yeah, exactly.

[00:09:17] Yeah. That’s it. And then that’s the other problem that we probably all see as well that, you kick off a project. You think you want to do something, you get pretty close to what you deliver and then everyone goes home. But then someone’s gotta come along and operate it and clean up the mess.

[00:09:29] And then no, one’s no, one’s built an operating model. So I talk about, we do network impact assessments to check bandwidth in the old days and all that kind of stuff. New stuff, like an operat, an operational impact assessment has to be done. So you’re putting in this product, who’s gonna operate it.

[00:09:42] Have you got the head count? Have you got the skills? Are you gonna create. A hundred more service desk tickets a day because the process is rubbish, all that stuff. So that’s, and again, part of the zero trust thing, which is the beauty of it, that you can fit it to your organization. You might say we’ve got a bunch of really smart guys who do a lot of open source stuff, write a lot of their own codes, do their own cloud.

[00:10:02] DevOps stuff. So we can morph our environment in the zero trust context to support our strengths, which is that in, in another environment, you might have a different skill or a different philosophy around how you treat stuff, and I think the risk questions are very important. One, because again, that varies some like financial institutions.

[00:10:17] Obviously they all understand business risk, but the financial risk and organizational risk and reputational risk are very important. But for other organizations that might be the risk of ransomware or a loss of production or something else. So that risk is so varied across different organizations as well.

[00:10:32] And it’s all stuff you need to understand when you’re sitting down to do zero trust. I think it’s all the outcomes. And where do we want to get to? How do we wanna operate? What are our strengths, all that. 

[00:10:42] Elliot: Yeah. Your your analogy, I think when you were chatting with chase cutting him I think it was.

[00:10:47] You wouldn’t use a hammer to bake a cake and obviously yeah. Kick outta that. That’s it? I love that. Yeah. Yeah. Yeah. That’s I at the end of the day, it’s it can’t be about tools and technology. No. Yeah. So I think the take that you have is focusing on the business. Alignment is a huge element of adopting zero trust.

[00:11:06] So I think from my end, I’m totally curious internally, where did that conversation start? So obviously there’s interest on your end knowledge, but yeah. Is it top to bottom? Is there, what was the buy-in process like? 

[00:11:18] Andrew: So I think that’s where people like me architects and strategy people and security people in general with when it comes to introducing zero trust to your organization sometimes need to be a bit creative because in my experience, the people who understand it and want zero trust don’t necessarily have the seniority to fund it and approve it.

[00:11:37] And the people who do have that seniority don’t necessarily understand it. There’s the. There’s a way to introduce it. one of the things that one of my pet peeves, is security. People just spinning out buzzwords, to try and impress maybe not impress people about how clever they are, but presented as a security concept and people’s eyes roll back in the head because I’m big on.

[00:11:56] Translating the security stuff into the business language, because business leaders are hired to run the business. They understand the business language. So you need to make the effort to, articulate your strategy in a language that resonates with them. So I think, but to get back to the creativity bit.

[00:12:11] So for me, we had invested in an identity platform to, to manage identity. I didn’t come in as his zero trust. I came in as here’s an identity operations strategy. And then from there it morphed out and other people might have really good network controls or sassy or something like that. And then you can go in that way and say, look, we’ve just heavily invested in this network thing.

[00:12:31] I don’t think we’re fully leveraging our investment. There’s some zero trust concepts I’d like to apply. This is what I reckon. And then you can like that creativity can then let you spread out and say, I might talk to the device guys about how this network thing, that I’m planning impacts devices and you just go from there.

[00:12:45] So you’re doing almost zero trust by steal, but again, it comes back to that. It’s basically just good decisions and good security that’s happens to be called zero trust sometimes, 

[00:12:54] Neal: So you kinda hit on something in my Bailey wick a little bit and around collaboration, internal in particular, in this element, coming from your side of the fence as well, a little bit, I’ve definitely done my fair share of manipulating. In a polite way, the chains that be, and the lines that be to try to get buy in from a lower echelon before the leadership realizes what’s happening. Yeah. Uh, Maybe not necessarily be the best approach, if you’re in charge of doing something to keep something secure the people at the end of the day that have to respond to whatever it is that you’re creating alerts around or creating work around, those are the ones that you really need to get your buy in from.

[00:13:28] And then hopefully the leadership follows along. In a lot of situations. It’s always nice to go top down in these types of structures, but sometimes bottom up is a good approach. So collaborate, coordinate, and then take over the office space. 

[00:13:41] Andrew: Yeah, exactly. I think that’s a very good approach as well, because if you go to someone senior, you that’s gonna approve a budget for the next financial year or whatever.

[00:13:49] They, the first thing they’re gonna say is who else is on board with this? Or who have you run this past, but to your point here, what exactly what you just said if you’ve got, I’ve been through the device guys, the network guys, the cloud guys and everybody’s on the same page.

[00:14:00] Then it’s got a lot more legs straight up than you just saying, oh here’s my latest idea. Let’s do this . Yeah, 

[00:14:06] Neal: definitely. And I think Once again, from an Intel perspective, again, from my side of the fence, that’s a unique posture to be in from an Intel analyst side, trying to help promote these things.

[00:14:16] So nugget for anybody who has an Intel analyst on their team, or someone playing at one, get them involved in these processes sooner than later, let them help you map out risks both top to bottom, and they can be a good point of educat. To the teams as a whole and help message out what needs to be messaged out.

[00:14:32] But on that same vein, the collaboration element, you start talking to someone about how to make their life less complicated. Yeah. And next thing you know, when an event kicks off, they’re there helping make your life less complicated, 

[00:14:43] Andrew: right? With the two. Yeah. That’s right. Exactly. Yeah. Yeah. And I think that analytics side that you’ve mentioned there is absolutely core because one of the drivers for all of us, when we all start our zero trusts on the obvious one’s identity device network, blah, blah, blah.

[00:14:57] But the holy grail for it is to move from incident response and reactive incident management to proactive and real time analytics. And that’s where the EDR XDR that, that telemetry. And to me, I see. A lot of the value in zero trust is building that bridge between that real time analytics and telemetry information and response to instance and threats and the business and saying, look, this stuff is our goals.

[00:15:20] This is our real time knowledge about what’s going on in the environment. And we just need to build a structure around it and put some controls in place and some processes under the zero trust banner that, that really bring that to the center of what we’re doing. So yeah that, that’s a big thing for me is, and.

[00:15:35] That language of the business. In the old days, you had the developers in one corner of the room and the Unix guys in a different corner of the room and it off not talking to either of ’em than the business, somewhere else, and everybody, and nobody knew what each other did, but you just hoped it came together at some stage, , but these days, know, that’s.

[00:15:49] That doesn’t cut it anymore. We’ve all gotta understand the business and we’ve all gotta be able to speak to business leaders. And I know in the us, I think there’s a rule coming in. Isn’t there about direct board directors have to have cyber security knowledge. So that’s gonna accentuate that as well, yeah. That’ll need to continue on. 

[00:16:06] Neal: It’s focused on some key elements that slipped into the omnibus bill. But yeah it’s a seed planted. That’s going to grow probably across the board regardless, but it’s very fixated on critical infrastructure and key resource pieces that we define over here.

[00:16:19] Yeah. Yeah. 13, 14. I don’t remember how many industry verticals, but Electric and power, energy sector, financial services, single. So if you’re in those, congratulations, you do have a legal requirement to have someone on your board that speaks cyber security. Oh yeah. So I you, so you bring up a point going from reactive to proactive.

[00:16:34] And so you touched on this a little bit already, but if you’ve got, if you think there’s something to expound upon how zero trust, a little bit more takes you from that, where the core competency allows you to bridge that gap and do that more specifically. 

[00:16:49] Andrew: Yeah. I think that, a bigger part of it is around and again, it comes back to how it all ties together.

[00:16:53] So for example, if you’ve matured your identity section of zero trust, and you’ve got a good handle on your organizational roles we’ve defined a bunch of identity types where I am non-human and human. So yeah, I think if you can define, and that’s another thing I’m big on is the apply organizational roles to non-human identity.

[00:17:09] So define their scope apply the identity. Compartmentalization to the network segmentation concepts as well. So all of that comes together in terms of being able to limit what a compromise credential can do, where they can get to, or even in normal operation, what they can get to as well. Once you’ve defined that you can then link that into your device management, your XTA EDR things.

[00:17:29] So you’re looking for that anomalous behavior where, you go look this identity, hasn’t tried to connect to this thing in the last eight months of operation. And now it is so that’s the real. Proactive vibe that you can pick up from a good zero trust environment where it’s not overly a bunch of complex tools, it’s more philosophy business principles and stuff around, and that’s stuff that should just apply.

[00:17:47] Anyway, when you hire someone, you should have a good idea what you hire ’em to do, or if you’re buying a new truck or buying a factory you should have an idea what you want it to do. Yeah. 

[00:17:56] Neal: So one more quick curiosity then on that note, so you talked about identity access control, obviously, which is a very big key component.

[00:18:02] But do you see the whole passwordless security movement and the way it ties into zero trust competencies, where we’ve got this whole higher risk approach to access control management within. That’s growing momentum. I talked about on the, pre-call here a little bit about Gartner and all the zero trust companies that are there, but oddly enough I did see a decent amount of people talking about the whole passwordless environment.

[00:18:24] I think there’s I think Google corporate, I could be wrong. I thought I read an article about Google corporate, starting to feel this passwordless environment in a test phase at their corporate office. Yeah, apple actually just announced, 

[00:18:34] Elliot: Biometrics related stuff so that users can move towards a password list as well.

[00:18:39] Yeah. There was actually this kind of weird Twitter thread that popped up over the last couple of days where people were like I think in a perfect world, it sounds like people would love it, especially on the hype for the user side, cuz they don’t have to remember passwords. They don’t have to use password managers.

[00:18:52] But in the us, and I don’t know how this impacts outside of the us, but. Obviously passwords are protected under law. Privacy policies, but biometrics are not. So I think that opens its own kinda weird worms here in the us. 

[00:19:07] Andrew: Yeah. Yeah. That’s it. I agree. I think that it’s a good example of one of those concepts where the technology gets ahead of the.

[00:19:14] Cultural willingness to adopt it kind of thing. From a technology point of view, like you just touched on earlier, it makes sense. And it works definitely, but from a cultural point of view, people are a bit like, oh, what no more passwords, after we’ve been using passwords for 30 years or 40 years or whatever, it’s a bit to get their head around.

[00:19:28] Yeah, I think there’s a, and just on the. The biometrics as well as some sort of trepidation, I think from general users in the public around that biometrics and who has access to my facial recognition and where does it go? And, and also, I guess the new concept is the decentralized identity stuff that, that is out in the market as well.

[00:19:44] I’m very keen to see where that goes and how that manifests in 18 months, time kind of thing where that. 

[00:19:51] Neal: So I’ll say one more thing on this. Once again, the perspective of having a high, realistic learning algorithm based off of a user profile is extremely intriguing and scary all in the same vein.

[00:20:03] We’re talking about more than just like a fingerprint and a facial recognition. When we think about what passwordless security is trying to imply, and I think we saw. The antithesis of this, the network defense model of this, maybe probably 10 plus years ago where companies were trying to come out and fingerprint your user base, but not use it for direct authentication, but use it for the trust models.

[00:20:23] Use it to define, Hey, this user hasn’t logged into this server in, in eight months. So this is all precursor to the zero trust in my brain. Yeah. But define what the users’ activities are even define how they hit the keyboard, right? Yeah. Yeah. And make this fingerprint of a digital fingerprint of a day in the life of someone in that seat.

[00:20:41] And then when that fingerprint moves from here to another system or when that fingerprint changes from that solution being able to flag things. What you’re talking about in general, zero trust constructs here. Yeah. At least from my perspective I think it. A unique, fascinating growth curve in what we were doing 10 plus years ago to try to stop a threat actor from taking over your laptop and usurping your Google profile or whatever it was, Microsoft office back in the day.

[00:21:05] Yeah, for sure. 

[00:21:07] Andrew: Curious about that. Yeah. Yeah, no, I think you, that’s a really good point and it just didn’t finish with the machine learning and the AI and all of that. It’s not, you have to give it some rules as well and the rules have to be based on what you want your environment to run.

[00:21:21] It’s not like data off star Trek where you just turn it on and it works it all out for itself. Or makes all these brilliant decisions and stops the ship from blowing up. You’ve gotta give it some basic rules to follow, to make decisions at the moment. Anyway, obviously it’ll evolve over time but yeah I think that’s definitely something to consider and again, vendors will tell you, oh, just use AI or machine learning to do all this.

[00:21:38] It’s oh yeah. Okay. Not quite as simple as that, but yeah. 

[00:21:40] Neal: It’s another one of those adages again, what’s old is new again, cuz I remember in 2000. Was it 2006, 2007 was when the whole group kit thing really kicked off. Mm. And uh, we had people accessing your bios chip sets and all this other stuff to install these persistent BS things.

[00:21:57] They were, whatever they were. But from a P T before it was defined a P T to just some kid in a basement that just realized you could hack a chip, right? Yeah. Whether it was your GP, whatever. But all that to say is the machine learning natural language processing capabilities that we have today.

[00:22:11] Moving it back even further than just that high, realistic fingerprint of a user in 2007 and eight, we had root kit discovery and the whole concept was based off a high, realistic learning, right? Yeah. So building core competency, I think maybe starting on that level historically. And then that turned into figuring out how to fingerprint a user to keep a bad guy from Usur bring that profile, which is now built into helping you.

[00:22:32] And I. Potentially just do our day to day livelihood without having to have 5,000 passwords and 20,000 browser tabs open. So you remember where you. 

[00:22:41] Andrew: Yeah. Yeah. I think that’s a big thing. And one of the things I talk about is transparent security. So I think that I don’t think zero trust should be pushed as a security control thing.

[00:22:51] I think the trans the security should be transparent. So it’s applied and the security people and the people responsible know it’s being applied and traffic’s assessed and all that. But from A’s point of view, they’re just doing their work. They don’t see the security Like in the old days where people complain constantly about, oh, I can’t do anything and can’t access this, can’t do my job, so that, that’s the evolution, and I, I like to think of zero trust as like a, like a new payroll system or whatever, the CEO comes in and says, we’re gonna invest in this new payroll system. You’re all gonna get paid more efficiently. Your holidays are gonna be recorded and everyone buys into it.

[00:23:20] And. Done across the organization, just as a thing, so I think that’s where zero trust has to be as well. Just an organizational thing that everyone buys into and that’s helped by not pushing it as a here’s a new security thing we’re gonna do. 

[00:23:34] Elliot: Yeah. So actually building on that and obviously with your background in identity I’m curious how that plays a role.

[00:23:39] So you can technically enter zero trust into an organization in a dozen different places, from what most organizations Forster, Gartner, they’ll throw out I am and identity IDP. Is a good entry point, cuz you do your risk management your risk profiling, and then you build an inventory of all of your assets, devices and people.

[00:23:59] Where in your mind do you, Again, you might lean towards that, but is that the ideal place? Or should you look at what your most active priority projects are and try to adopt zero trust into that? So does it make sense to have a foundation or go after what you’re already needing to go after.

[00:24:17] Andrew: Yeah I think that it does. So I think that at least up to this point, the problem that zero trust has had is being able to demonstrate value and return on investment in organizations. So I think one of the reasons why Forester and big companies say identity is cuz everybody’s got them, so a good zero trust project to me is one that spends the first year even demonstrating value, decluttering the environment.

[00:24:43] Tuning processes doing more with less saying, like this guy this process has currently taken us 12 hours or two days to do. We can apply different controls and different processes and do ’em half that time. So I think that’s, to me, if you. Invest not invest. If you start with identities, devices, and connectivity and make, and particularly in connectivity identity aware network controls rather than firewalls and stuff like that.

[00:25:08] I think if you start in those three areas, they’re typically the easiest areas for most. Organizations cuz they’re already in that space. Not everyone has a strong cloud footprint with workloads, for example not everyone has developed scenes and socks where they’ve got a good analytics and telemetry and threat protection capability.

[00:25:25] But I think if you can say, if you’ve got an active directory, if you start even with your service accounts, as one of your non-humans and you tune your service accounts to limit what they can log in to eliminate interactive logins, that kind of stuff, you can demonstrate value straight away and say.

[00:25:38] The, we’ve started in the identity space cause we’ve got some and we’ve done a bit of network stuff and we’ve tidied up our devices. We’ve tightened up how much stuffs runs on ’em we’ve improved even our GPO. So they’re more secure. We’ve used CIS benchmark scores, all stuff that’s readily available to demonstrate value.

[00:25:53] And then from there in your second and third year, zero trust you get into your sort of heavier concepts around applications and workloads and stuff. 

[00:26:00] Elliot: Very cool. So building upon that, I’m curious. Obviously zero trust is not just technology. It’s also education and trading. So beyond those questions, which I’ll definitely be poking around at.

[00:26:12] So I’m curious as you are looking at adopting it be it identity network, wherever that entry point is. What does the resource shift look like? Because obviously there’s education training. Technology involved, should the goal be focused around obviously reducing efforts automat?

[00:26:29] But just in general now, what does the general scope look like when you’re starting to adopt zero trust? Between education training getting other people involved in 

[00:26:37] Andrew: the process? Yeah, I think that it’s of from, for the general users, it goes a bit beyond education training. That’s. Very important, but it’s also a cultural thing, where you develop a security culture and that’s not make everybody, able to jump on and do some coding or whatever, but it’s make people aware of this, usually a secure choice to make and a less secure choice.

[00:26:58] Who do I share this document with? I move this document around the network? How do I present information, that kind of stuff. So that, it’s that cultural thing. But then in internally within the security and it broader it teams I’ve talked about operating uh, Platforms that are operated by security.

[00:27:12] So like your EDR XTR typically can be operated by the SecOps team or whatever. And the other side of that is operating platforms securely. So if you have an EUC team that might operate things like in tune or some device management portal, they’re not security people, they’re not necessarily in the security team, but they’re, they have a platform.

[00:27:31] Where, the security posture of the devices, which is at their control is crucial to the overall security posture. So I think that’s where the big resource shift that I think you’re talking about comes from, because typically if you, and I’ve been an UC before as well, and typically if you’re running system center or in tune, it’s all about enablement and productivity and getting apps out to devices and letting people do their job.

[00:27:53] But these days it’s such. Focus on security, posture and risk as well that you need to understand. These are my security capabilities in the platform that I’m operating, and these are the better choices I should be making. I should be doing a monthly when there’s a new iPhone come out, I should be looking at all the new policies.

[00:28:07] I should be checking my, how many devices are outta compliance? What are my policies, all that stuff. So I think, it’s not feasible for every platform in the organization to be run by a security person in the security team. So all those platforms that are run outside of security, there needs to be a sort of.

[00:28:23] Gradual evolution to security thinking of how those platforms are operated. So those platforms become operated securely. 

[00:28:31] Elliot: Yeah. So I think that actually begs the other question. Is there a threshold for like team size and capabilities to be able to actually truly adopt zero trust is today everything on the market technology wise is definitely positioned towards enterprise or somewhere around enterprise organizations where they.

[00:28:48] Full on it, folks dedicated security personnel. They have those resource and capabilities, but, What does that look like? As far as what you’ve seen, do you think realistically smaller organizations with less resources can adopt it, or if it’s just piecemeal? 

[00:29:04] Andrew: I think most definitely it is suitable to everybody because I think it’s contextual to the size of your business.

[00:29:10] If you are a bank with a hundred thousand employees, then obviously you’ve got a different context too. If you’re a law firm with 30 people, 30 computers, I think that when you look at and one of the things I love about zero trust is that it is a philosophy like Toga that you can bend and customize to what you want to get out of So if you are an accounting or a law firm, that’s got 30 people, you should certainly look at zero trust. Pardon me? You, because you don’t need to invest heavily in, let’s go out and buy a new Palo network, bit of kid or whatever. You can just make better decisions, Make let’s harden up our end points or let’s refine our processes or let’s tune up our active directory or whatever we’ve got, so they’re all zero trust controls that you can put in and they may get you to the threshold of where you need to be in, in how your business operates.

[00:29:54] So it’s not about investing a bunch of a bunch of money in new technology or platforms or hiring a bunch of security people. It’s about just making it fit right for your organization, so everyone can do it. I. Yeah, I 

[00:30:06] Neal: think that’s the biggest point. There is it’s doesn’t necessarily have to cost you more money, but it can save you money long term.

[00:30:12] Exactly. Yeah. At a scale of economics and. Come in. I have a consultative background. I used to work for a really large consultancy firm for several years after I got out of the military. And one of the things I loved about the firm I was at, we didn’t try to find new problems to make more money. We try to find new problems that needed to be solved simply to do it.

[00:30:33] Yeah. And sometimes there’s money that goes along with it. And I think that what you just mentioned from a. From a scale of economics perspective, the, a rather robust amount of people, especially in that SMB space, that small business side don’t need to go out and spend even five grand or 50 or 500,000 to get to the concept of zero trust.

[00:30:53] They just need to have one semi-intelligent person on the team that understands what it means to do security the right way. Exactly. And pick that up. Like you mentioned as an idea, not as a financial burden. 

[00:31:05] Andrew: Yeah, that’s right. Yeah, for sure. Yeah. And, it’s all about the context as well of who you deal with how you operate, how, what information you have, and again, all the concepts of we have, credit card information for customers.

[00:31:16] We have merger and acquisition information. We have. We, or we don’t have that, so it’s all about understanding your business in the, to me identities, all that, they’re all digital assets, just like physical assets in the old days of buildings and desks and computers, so you’ve just gotta inventory all your digital assets and make sure they’re protected, so it’s exactly what you’ve just described. So 

[00:31:36] Neal: yeah. Hopefully it is easy for some people 

[00:31:39] Andrew: yeah. Yeah. I was just gonna say, talking about investing with vendors and I was just RSA, like all the vendors will say we’ve got a zero trust solution, but they’re obviously some are strong in the network space.

[00:31:49] Some are strong in the identity space. Some are strong in the operating system space, but they don’t typically tend to sit across everywhere. Which is where to, I think Neil, you mentioned before that it has to be a mix, which is exactly right, because, you can’t just go with a vendor and we flirted with a vendor’s view of what zero trust was.

[00:32:07] And then when we really kicked and punched it, we realized hang on, that’s your view, but that doesn’t solve all of our problems, so yeah. Yeah. 

[00:32:14] Neal: That’s once again, that’s the biggest piece here. So RSA versus as a Gartner, like I mentioned last week, instead of RSA, got to avoid that hell of AOO over that RSA and trade it in for Gartner

[00:32:25] But that being said, like I mentioned, on the floor, at least half the vendors out there. Whether they were in a tiny little booth or whether they were in the big floor booth had some mention of something trust related trying to spin off a zero trust when they didn’t really know what it was themselves.

[00:32:40] So they would say, identity trust is obviously a brand, but it’s also a concept. We had people that were literally to around just no trust, come and learn how to do no trust society or whatever. Say that one 

[00:32:52] Elliot: so I, I think that. 

[00:32:53] Neal: Concept of what zero trust is at its core is ironically enough is still being figured out by the vendors.

[00:32:59] Some are leveraging it as a buzzword, so they can try to upsell their current offerings with their new zero trust technology, quote, unquote. Yeah. Others are just trying to actually approach the problem and provide to your point a chunk of the solution. But yeah, nobody that I’m personally aware of can effectively map out the entire.

[00:33:19] Security or the security structure and mapping of all your assets and things that you need to do that. Yeah. Maybe you can bring in a consultant that does a lot of that for you and tells you it’s vendors to bring in if you have the money to do that, but you’re not gonna find a single solution for everything.

[00:33:33] You can find one guy who does networks very well. Maybe that’s where you start off with stuff like that. But using that approach to know you need to piecemeal this together is that yeah. 

[00:33:40] Andrew: And you raised a very good point before around the. Resource types. And the people that play a role like, to do zero trust, you really need say a good process person.

[00:33:49] You need someone who understands risk. You need a good BA, you need someone who understands applications and networks. And so it’s not even like the process and risk people may not be security people per se. They may just be, good business process people that can analyze how the it and security processes to respond to incidents currently operate, they, their output is gold in terms of a proper zero trust strategy as well. So you have to be creative. You have to be pragmatic as well. I think that’s the other problem that people have is, sometimes security guys and vendors come in and say, you must do this and you must do that. And it’s no, you must not.

[00:34:21] You must do what works for you and you must be pragmatic, and keep an open mind and get creative. Because I think that’s where the best solutions are creativity and pragmatism mixed together is where the best solutions come. 

[00:34:32] Neal: Agreed. I think you, to that point, you really only have two primary options.

[00:34:36] You either realize that your team, even if they’re just getting started is your best resource for anything, not just your team, but the other teams within the company as a whole, wherever they’re sitting, if they touch to your point, you may not be a security guy, but you may touch a digital asset, or a connected asset. Yeah. That person potentially still has a say in how they think that asset can. Better. Yeah. And then the other flip side of that is taking the time. If you really want to take a more holistic approach, bring in an actual consultant, not a firm that does zero trust, but a person who understands the concept from the outside in yeah.

[00:35:09] And can help review that by leveraging your team as well. I think there’s two core approaches other than just going right out and trusting the first vendor that says zero trust is awesome. Here. Let me do it for you. Yeah. Take the time to step back and review your options a little bit for, yeah.

[00:35:23] Andrew: Yeah, for sure. And then 

[00:35:24] Neal: back to what we mentioned earlier, work to get buy in for the people who actually have to 

[00:35:27] Andrew: do the job. Yeah. Yeah. And leverage that culture as well, because even in the old days before zero trust came along, we all had similar problems. No vendor is ever gonna be as invested in the success of your business or your outcomes as you are or the process person the service desk person because or the CEO, because ultimately there’s that.

[00:35:47] People are people right. They’re invested in where they work. They wanna succeed. They want to do well. So a vendor doesn’t have that, despite what they might say. So leverage all those resources, all the people that know the lay of the land and where the bodies are buried, get them involved and get that information, because that’s the key.

[00:36:02] Neal: Yeah, exactly. 

[00:36:04] Elliot: That’s so spot on. So change the direction just tiny bit. So I know that you’ve got the. Lovely, probably only piece of paper that would say you’re a true zero trust professional, which a Forrester provides just morbid curiosity. What was that like? Would would you recommend that experience to other folks?

[00:36:22] Yeah. Oh, 

[00:36:23] Andrew: I dunno how I might be on shaky legal ground, but I thought that certification, I thought it went away for a while and now I was on a Forester website. I’m actually talking at a Forester event later in the year. And it seems to have come back again. So there is, yeah, I did the Forester zero trust strategist certification.

[00:36:39] And I really liked it actually because the main thing I liked about it is that. The forest review was all about risk, right? So for me, that was a good side step into an area. I hadn’t really explored as much in my career. So they talk about for every dollar you invest in a zero trust project.

[00:36:56] This is the return in to move the risk needle, lower, that kind of stuff. So it was all about justifying the spend on zero trusts projects by reducing the organizational risk. So it was really good. It talked about how to deal. The board, how to present things up. So I learned a lot from it. I thought it was fantastic.

[00:37:11] And in fact it was probably the main thing. That’s that clenched my love of zero trust and interest in it. So I do highly recommend it. I think that I think that the N stuff is Puritan about zero trust concepts with their domains and their principles and tenants and all that, which is brilliant.

[00:37:25] I think the Forester is a great compliment to that because of the risk focus. And I think the Gartner stuff is great as well for that sort of. This is what the market is doing, and this is what you need to consider in the real world kind of thing. And then obviously you’ve been bits on top, so 

[00:37:40] Elliot: yeah, very much yeah. I’m curious. Are there any other organizations that you’ve seen that have done a good job of packaging up with being more vendor neutral platform, agnostic elements like that? Like cloud security Alliance is obviously out there doing their thing open. I think they have a zero trust program that they have in place and has been up and running.

[00:38:01] But what kind of resources would you throw out to folks who are again, just trying to look at adopting zero trust and kind of meet to where you’re at today? 

[00:38:10] Andrew: Yeah, so I think what we touched on is you need to understand what you wanna achieve. Clearly in your head and have it written down and then you can bring in vendor products and stuff to achieve that.

[00:38:19] But, so when I wrote the strategy for where I am, I looked at obviously NS CIS have done a lot of work. They’ve got the 18 controls or I can’t remember what it’s eight or 18, but they’ve got a bunch of controls around it. C S And then yeah, the cloud the cloud Alliance, as well as in their Forester Gartner.

[00:38:36] So I guess start with those ones the John stuff chase Cunningham, they’re both guns, obviously fathers of zero trust. So read all their gear. Chase has got plenty of stuff out there on the internet, so you’re not sure the content and yeah follow up with that and then try and stay away from.

[00:38:53] The vendor stuff until you feel that you understand what you wanna achieve with zero trust and what it means to you, and then talk to you. Obviously we’ve all got vendors that we deal with no matter whether you’re big or small there’s usually the few of the same suspects start talking to them but don’t lead in with, oh, we want to get into zero trust.

[00:39:10] Can you explain it to us? Because yeah. I’ll explain. 

[00:39:12] Elliot: I think you have to nail on the head. Yeah. Yeah. Neil and I both work in this space and deal with sales folks so we can sling the mud and take it back our way. But, I think bringing vendors into any conversation at that earlier stage tend to be a bit of a mistake.

[00:39:28] There are some that can probably walk you through. They might have experts and consultants on staff. But again, I think the resource that you threw in front of folks is probably the right direction. And then making sure again, business need and business alignment. There is there first do the research and then start having those conversations.

[00:39:47] Neal: Yeah, for sure. The vendors is definitely there to coach into how to use their product. Yeah, 

[00:39:50] Andrew: exactly. But I think that’s the other thing to bear in mind is as you start to learn about zero trust and look at the domains that, identity devices, information network.

[00:40:00] Yeah. I, I. I’ve evolved even in our organization. So I don’t call it data. I call it information for a specific reason. I don’t call it networks. I call it connectivity for a specific reason. And then, you, your telemetry and analytics and all that stuff that you layer over the top when you sit down and look at a cloud application, you go is it workload or is it networking or is it identity?

[00:40:17] You’ve gotta understand what that means and where those delineation points are for your organization based on your processes. So again, it’s boring mapping out all those processes and assets. And but you’ve really gotta know it to make smart decisions. Otherwise you end up like with the camel, like we talked about before, no, who wants to learn how to ride a camel when there’s horses everywhere.

[00:40:38] The only other thing I’ll say is to keep an eye out on the internet. There’s I know I’m personally involved in a couple of things that are coming up around zero trust groups and meetups that are about to kick off. Look for those LinkedIn groups, look for groups where you get impartial advice from other people that are going through the journey, going through exactly what we’ve just talked about for the last hour about where do I start?

[00:40:57] How do I get involved? And look out for any of. Sort of resources. You can get your hands on, watch the podcast watch the demos, go to the conferences and then use that to help build the picture in your mind. 

[00:41:08] Neal: I’ll add to that slightly, if you’re us based or at least, affiliated U EU us get involved in the ISAC and ISO world as well.

[00:41:17] That’s wonderful reference points. If you’re not EU us or somewhere else where you can get involved in those, I know there’s the Australian cert for instance, poke not, those people like to talk about how to make life better. Most countries have some form of assert or some form of government component.

[00:41:32] That’s similar to what DHS is attempting to offer from just a free learning environment and collaborative environment. So I think those are also relatively good resources for whatever neck of the woods you happen to be living 

[00:41:44] Andrew: in. Yep. Yep. 

[00:41:46] Elliot: Exactly. Awesome. Very cool. Thank you so much for joining us.

[00:41:50] I think this is gonna be probably one of the best ways that we could kick off this series. Your expertise, your educational background. It’s definitely where I think a lot of people will want to be in the future. So you’re ahead of the game and being able to share that insight with folks is gonna be very important at the end of the.

[00:42:07] Yeah. I mean at then end of the day Neil and myself were students of this and we’re just trying to help facilitate these conversations. But again, thank you so much for joining us and sharing 

[00:42:16] Andrew: some of that expertise. No worries. Thanks for having me. It’s a great chatting and really enjoyed it.

[00:42:19] Thanks guys. Good luck with the rest of the recordings. Thank you, man. Appreciate it. Cheers guys. Thanks. 

[00:42:25] Announcer: Thank you for joining a Z T an independent series. Your hosts have been Elliot Volkman and Neil Dennis to learn more about zero. Go to adopting zero trust.com. Subscribe to our newsletter or join our slack community viewpoint express during the show did not reflect the brands, employers, or companies of our hosts, guests or potential sponsors.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Elliot Volkman. Read the original post at: https://www.adoptingzerotrust.com/p/azt-ep-01-andrew-abel

Elliot Volkman