Adopting Zero Trust: Zero Knowledge Authority

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

This week we have a two-for-one special and feature our newest panel-style format. On the practitioner side, we have crowd favorite Andrew Abel, who currently works with a financial institution but has worked across several other industries in the past. On the Zero Trust technology side, we have Michael Loewy, Co-Founder of Tide Foundation.

Tide Foundation sits between authentication and micro-segmentation, or, in terms of the pillars of CISA’s Zero Trust Maturity Model, identity, networks, and data. The solution also touches the devices and applications/workloads pillars, so it lines up with all five and with the philosophy behind Zero Trust.

On today’s episode, we ground Zero Trust back to reality with how much implicit trust can truly be removed, dig into the concept of Zero-Knowledge Authority and how it chips away at ZT gaps of today, and follow up with Abel on how ZT has changed over the past 6 months.

Editor’s Notes

This week we are testing the waters with our much-requested format of bringing in multiple perspectives. To properly kick things off, we brought back our very first guest, Andrew Abel, to speak to the practitioner perspective, and we get to introduce you all to Michael Loewy, Co-Founder of Tide Foundation, a technology company that decentralizes authentication. Beyond the new format, for those of you who watch the video version, you’ll notice that Andrew has finally revealed himself to be an AI glitch, or more realistically, we had some technical difficulties, so it’s a bit choppy. Michael was kind enough to work with us to reshoot his parts as well.

With the new format, it’s worth noting that we expect to eventually run into a technology vendor who hitches their wagon too heavily on Zero Trust buzziness, which is one of the motivations behind us launching this podcast; however, Mike and Tide Foundation were far from that. As you listen to this week’s episode, Tide Foundation makes an excellent case for taking on the Zero Trust wrapper from a philosophical perspective rather than trying to mold it into something it’s not.

Next episode, we chat with the amazing George Finney, a practitioner and author. When we release that EP, we’ll also be giving away some of his latest book, Project Zero Trust, which we talk about a good bit.

Now, onto the recap.

Key Takeaways

  • Implicit trust can’t entirely be removed today, but Zero Knowledge Authority chips away at it

  • Zero Knowledge Authority removes trust from several use cases, such as no longer having an owner of critical keys

  • Zero Trust as a concept is becoming both understood and watered down at the same time

Zero Trust? How About Zero Knowledge Authority

If you’ve ever seen the movie or show, or read the comic, Watchmen, you know its recurring question: who watches the watchmen? The phrase comes from the Roman poet Decimus Junius Juvenalis (Juvenal), who posed it as ‘Quis custodiet ipsos custodes?’, literally ‘who will guard the guards themselves?’, questioning the integrity of the guards set to watch over a wife.

The same question gets asked of cybersecurity, and of Zero Trust in particular: what justifies the implicit trust we place in the technology charged with securing our data? The short answer is that we cannot fully remove that implicit trust today, but companies like Tide Foundation are chipping away at it. Recent headlines drive the point home: a widely used password manager, charged with securing the keys to many castles, was breached, and the integrity and trust it rested on went out the window.

It is not our place to bash the victim of a breach; we should all operate on the assumption that we have been breached or eventually will be. But it would be imprudent to ignore the lessons. Headlines aside, this brings us to Loewy and what he is building at Tide Foundation: Zero-Knowledge Authority.

If there is no mechanism to watch the watchmen, or in our example no way to guarantee that technology can build a moat around our keys, perhaps the answer is to remove the ability for anyone to hold the key at all.

“Tide is a tech startup that allows platform developers to lock down their systems and grant access with keys that no one will ever hold,” said Loewy.

As Loewy puts it, we have been playing cybersecurity musical chairs: we still have to trust the identity and access management (IAM) system, or a root certificate, or the server hosting that certificate, or the administrator of that server. Multi-party cryptography, in which a key is generated and used as shares that are never combined in one place, is one route to removing these residual pieces of implicit trust and bringing them back into the Zero Trust fold.

“Our perspective is that zero trust is a philosophy, it’s a methodology, it’s an aspiration, but it’s also a misnomer. When you call something Zero Trust, it implies that you don’t need to trust it. Where the reality is, at the core of every zero trust architecture, there is some kind of an authority that governs access and decides who can access what and whether or not to trust you, and that authority, that system is managed.

A team of administrators, an army of employees in your vendor supply chain that have God-like access to that system, all of which you have to blindly trust because today, there’s no way for you to verify their integrity. So the first thing to understand is that Zero Trust as a direction, as a methodology makes a huge amount of sense, and it’s absolutely the way that we need to go to stem this tidal wave of mass breaches.

But we also need to recognize there are these Achilles heels that exist in every system where blind trust is still required, and typically it’s in that core system where if that system’s breached, it’s game over. Starting with that mindset, laying that out on the table, recognizing that, and then looking for ways to change the paradigm so that we can remove those critical points of vulnerability.”
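The “keys that no one will ever hold” idea, and the five-of-ten approval workflow Loewy describes later in the episode, map onto threshold signatures. The following is an added illustration written for this recap; it is not Tide Foundation’s code or protocol. It is a simplified FROST-style t-of-n Schnorr signature over the Ed25519 group in pure Python: shares come from a distributed key generation in which every party deals its own polynomial, so the full signing key is never formed anywhere, and any t shareholders combine partial signatures without reconstructing it. It leaves out what a production scheme needs (Feldman commitments, binding nonce commitments, authenticated channels, abort handling, constant-time arithmetic), is not RFC 8032 compatible, and simulates all parties in one process. The message is a constructed sample.

```python
"""Added example: simplified FROST-style t-of-n threshold Schnorr signing
over the Ed25519 group. Illustrative only; not RFC 8032 compatible and
not a production protocol (see the lead-in for what is omitted)."""
import hashlib
import secrets

# --- Ed25519 group: twisted Edwards curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(P)
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime order of base point
D = (-121665 * pow(121666, P - 2, P)) % P
IDENT = (0, 1)  # neutral element


def _recover_x(y: int) -> int:
    """Solve for x given y (square root for P = 5 mod 8), returning the even root."""
    xx = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x


BY = 4 * pow(5, P - 2, P) % P
B = (_recover_x(BY), BY)  # standard base point (y = 4/5)


def add(p1, p2):
    """Affine twisted-Edwards point addition (a = -1)."""
    (x1, y1), (x2, y2) = p1, p2
    k = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow((1 + k) % P, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow((1 - k) % P, P - 2, P) % P
    return x3, y3


def mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = IDENT
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def enc(pt) -> bytes:
    return pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")


# --- Shamir sharing over Z_L; party i holds the share at x = i (i = 1..n)
def eval_poly(coeffs, x):
    return sum(c * pow(x, e, L) for e, c in enumerate(coeffs)) % L


def lagrange_at_zero(i, signers):
    """Weight that lets share i contribute to f(0) for this signer set."""
    num = den = 1
    for j in signers:
        if j != i:
            num = num * j % L
            den = den * (j - i) % L
    return num * pow(den, L - 2, L) % L


def keygen(n: int, t: int):
    """Distributed key generation: each party deals a degree t-1 polynomial.
    The signing key s = sum(f_i(0)) is never computed by anyone; only the
    public key Y = s*B is assembled from the per-party values f_i(0)*B."""
    polys = [[secrets.randbelow(L) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(eval_poly(f, j) for f in polys) % L for j in range(1, n + 1)}
    pubkey = IDENT
    for f in polys:
        pubkey = add(pubkey, mul(f[0], B))
    return shares, pubkey


def challenge(R, Y, msg: bytes) -> int:
    h = hashlib.sha512(enc(R) + enc(Y) + msg).digest()
    return int.from_bytes(h, "little") % L


def threshold_sign(shares, signers, pubkey, msg: bytes):
    """Any t or more shareholders produce one ordinary Schnorr signature (R, z)."""
    nonces = {i: secrets.randbelow(L) for i in signers}
    R = IDENT
    for i in signers:  # round 1: each signer contributes R_i = k_i*B
        R = add(R, mul(nonces[i], B))
    c = challenge(R, pubkey, msg)
    z = 0
    for i in signers:  # round 2: z_i = k_i + lambda_i*s_i*c; the sum is k + s*c
        z = (z + nonces[i] + lagrange_at_zero(i, signers) * shares[i] * c) % L
    return R, z


def verify(pubkey, msg: bytes, sig) -> bool:
    R, z = sig
    return mul(z, B) == add(R, mul(challenge(R, pubkey, msg), pubkey))


if __name__ == "__main__":
    shares, Y = keygen(n=5, t=3)
    msg = b"approve release build 1.2.3"  # constructed sample message
    print("3 of 5 sign:", verify(Y, msg, threshold_sign(shares, (1, 3, 5), Y, msg)))
    print("2 of 5 sign:", verify(Y, msg, threshold_sign(shares, (2, 4), Y, msg)))
```

Run as a script, it shows a 3-of-5 signature verifying and a 2-of-5 attempt failing: with fewer than t approvers the Lagrange weights reconstruct the wrong value, so no valid signature exists below the threshold, and since the key is never assembled there is nothing for a single administrator, or an attacker who compromises one, to steal.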

Catching up With Andrew Abel

Back in July of last year, when we first chatted with Abel, he guided us through what Zero Trust implementations look like from a practitioner’s perspective. He identified some of the challenges that come with a ZT implementation, such as internal buy-in and education, and what the steps are prior to bringing in new related technology:

  • Identify business need

  • Prioritize need and map against risks

  • Evaluate potential outcomes

  • Inventory your environment

  • Research potential solutions

  • Chat with vendors

Now, roughly six months later, Abel shared how things have changed:

“I think in the, specifically in the zero trust space, which you know, obviously has been my main focus, there’s been good and bad. So the good has been that it’s got traction, and people are talking about it now. And when you talk to people at the decision-maker level, you don’t have to explain it from the rudimentary level up again as we used to, which is great,” said Abel.

However, on the flip side, the watering down effect is still very much in play, and he’s been bombarded by people who want to sell services, products, engagements, and consultancy in that space.

“Once it’s up and running, then where are we, what’s our governance look like? How do we tie all the products together? How do we do our information sharing? Which to me, is where the beauty of Zero Trust lies, information sharing for immediate threat response, proactive risk reduction, even budgeting, planning, training, investment in staff, all that stuff,” said Abel.

He feels that this, in particular, will be the last gate people and technology vendors will have to get through to fully align with Zero Trust as a strategy and concept rather than a tool.

Weekly Zero Trust Headlines and News

Most of the content about Zero Trust is opinion-based, but here are some impactful news stories from the past couple of weeks.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: welcome back to season two of Adopting Zero Trust.

We are now at episode two, and as Neil and I had alluded to in the previous season, to wrap things up, we’re looking at kind of shaking things up. So, through this I’ve got two folks to introduce you to. In fact, we’re gonna reintroduce you to someone. And then we’re going to add in our new aspect.

So, just jump right into it. Go straight into the conversation. I’m gonna hand this off to Andrew real quick to introduce himself again. He was our very first guest on this for season one. He is a tried and true zero trust professional, practitioner and consultant, and currently works in the financial sector.

He has previously been in, I think, the energy sector is probably the safest way to put it, but he has applied his work to multiple different sectors. So he’ll come in from a practitioner perspective. Of course, we have Neal, who is our standard talking head threat intel analyst. But Mike, I’m gonna also hand this off to you real quick before we jump back over, so apologies for that.

But Mike, can you introduce yourself, what Tide does and your background? It’s going to be a unique perspective that we have not brought to the conversation here so far to date. But you have an entrepreneurial background. You are an executive, and you’ve built right into the heart of Zero Trust and moving that concept forward.

So that said, I’m gonna hand that off to you. Let’s learn a little bit about your background and what Tide does.

Mike Loewy: First of all, thanks for having me on the show. I appreciate it. Excited to chat with you guys. Uh, especially considering we’ve gone all the way around the world for me to meet another fine Aussie in Andrew. Um, my background is building and bringing to market enterprise software. I’ve been doing that my entire career.

I spent a couple of years in the US at the University of Illinois, came back to Australia, built a software development house, which I sold. Finally came out to play and built my own products. And now I’m the co-founder of Tide Foundation. Tide is a tech startup that allows platform developers to lock down their systems and grant access with keys that no one will ever hold.

So a technology that ends the game of musical chairs in cybersecurity, which says, we want zero trust, but you just have to trust your identity and access management system, or you just have to trust this root certificate, or this server hosting this root, or this administrator that administers that server. So, a technology enabled by new multi-party cryptography that enables true zero trust.

Elliot: Excellent. So, I perused the website and we’ll kind of dig into that in a moment. But Andrew, if you could give yourself a little bit of a reintroduction, I will obviously tuck you up left or right, but, where are you currently at? And yeah, let’s get a little refresher.

Andrew: Sure. Firstly, Elliot and Neal, thanks for inviting me back. It’s always good to be invited somewhere a second time if it’s not to apologize, so I appreciate the rerun. So thanks for that. Yeah, still being in zero trust in different sectors, as you mentioned.

Still learning, still expanding my knowledge. Still climbing into different areas of zero trust, like the cultural stuff and the people stuff and all that. And that’s one of the things that interests me about Tide, which I’m sure we’ll talk about. But yeah, continuing the journey and following what’s happening in the States with the executive order and how that’s progressing and everything.

So yeah, I’ve been the usual route through a lot of architecture over 20 years in IT security; recently, strategy and planning is my main core strength, and zero trust specifically. So yeah, that’s the focus.

Elliot: Excellent. Thank you so much for that. And again, thank you so much for being here for round two. Certainly not for apologies this time, but Excellent. So,

Neal: Can I ask a real quick question? El, maybe you’re already on this. So this is, once again, format-wise, Elliot and I never really game plan anything other than the fact we’re gonna have conversations. So sometimes I still, some of the questions, sometimes I go really ad lib. But I had a really quick question for Andrew before we really dive back in.

If you’ve got 30 seconds between when we did this last year and now, 30 seconds of what you think are critical changes, or at least key changes, that you may have seen. Real quick, I’m just kind of curious in retrospect what you’ve seen since the last time we talked.

Andrew: Yeah, I think in the, specifically in the zero trust space, which you know, obviously has been my main focus, there’s been good and bad. So the good has been that it’s got traction and people are talking about it now. And when you talk to people at the decision-maker level, you don’t have to explain it from the rudimentary level up again like we used to, which is great.

I guess the negativity is, with that comes a flood of people who wanna sell services, products, engagements, consultancy in that space. Whatever’s trending, people will jump on it. So, I think Zero Trust has also suffered a bit of misrepresentation and probably been watered down, and some people are starting, I hear, I see it now.

Some people start to say, oh yeah, I’ve heard all about that. Or someone tried to tell me about that. And yeah, no, it was rubbish, it’s not for us, or whatever. So I think that. And then on the actual technical side, the other trend I’ve seen is that people are starting to talk about product solutions, designs, implementations, but still people aren’t getting the other side of, why I say the other side of the tennis court, kind of thing.

You put all your stuff in and all that, but then it’s up and running, then where are we, what’s our governance look like? How do we tie all the products together? How do we do our information sharing? Which to me is where the beauty of Zero Trust lies, that information sharing for immediate threat response, proactive risk reduction, even budgeting, planning, training, investment in staff, all that stuff.

So I think that’ll be the last gate that people go through on the Zero Trust journey. And people still aren’t really breaking that down and thinking about it yet. I don’t.

Neal: Awesome. Thank you, Andrew. Good. So I figured, at least from my brain, it’s a good way to kind of kick things off and see where we go. So thank you. I’m gonna throw it back to Elliot, to doing the real kickoff question.

Elliot: Yeah. So I mean, that does put us in a really strong position, but also that is gonna be a hard ball that unfortunately I have to throw right out the gate to you, Mike. So, with what Andrew just stated, obviously positioning is everything in this space. And you’ve worked through different products, you’ve worked through different industries, but you know, what do you feel like are some of the most challenging aspects of trying to get that fit and mapping zero trust in that messaging?

Do you go out the gate zero trust, do you lead with that and then go towards the product? What does that look like, and what does the reception look like based on what you’ve seen so far in the.

Mike Loewy: It’s funny, uh, I think it was the last RSA conference. I remember me doing the rounds where every stand, every product had a zero trust badge on it. So all of a sudden you’re selling zero trust. And we’ve seen that out in the market where you have a product, you have a new interface, uh, you have zero trust stamped on it.

But really it’s just another firewall. Our perspective is that zero trust is, um, a philosophy, it’s a methodology, it’s an aspiration, but it’s also a misnomer. When you call something zero trust, it implies that you don’t need to trust it. Where the reality is, at the core of every zero trust architecture, there is some kind of an authority that governs access and decides who can access what and whether or not to trust you, and that authority, that system is managed.

A team of administrators, an army of employees in your vendor supply chain that have God-like access to that system, all of which you have to blindly trust, because today there’s no way for you to verify their integrity. So the first thing to understand is that zero trust as a direction, as a methodology makes a huge amount of sense, and it’s absolutely the way that we need to go to stem this tidal wave of mass breaches.

But we also need to recognize there are these Achilles heels that exist in every system where blind trust is still required, and typically it’s in that core system where if that system’s breached, it’s game over. Um, so starting with that mindset, laying that out on the table, recognizing that, and then looking for ways to change the paradigm so that we can remove those critical points of vulnerability.

Elliot: So if you don’t mind me saying, so realistically, I think first of all, I totally align with the idea of calling this a philosophy more than anything. I’m sure we’ve heard that many times on past episodes as well. And then, I think what it sounds like you’re getting towards is like you’re trying to ground this into reality and just cut the myth out of it.

So everyone would love to get to a situation where we fully remove implicit trust, or we fully remove aspects where trust, just, we have some sort of technological or process-oriented solution that helps navigate around that. But I think what you’re saying is, at least today, I don’t think we’re in a position to ever make that argument.

But maybe in the future there’s some technological advances that integrate with everything and cover each niche. Would you say that’s an accurate positioning, or have I misrepresented it?

Mike Loewy: Yeah, I think that’s a fair statement today. Um, I’m on the board of a medical research institute, and much like every organization around the world, they’re actively trying to improve their security posture. And one of the things that I like to talk about is, okay, so you’ve got this constellation of different systems and processes to protect your organization, but think about the access that you as the head of the IT team or the CEO, how much authority do you...

You guys hold the keys to the kingdom, and if you wanted to, if you were malicious, what kind of damage could you do to the organization, and what would that look like? So who in the organization is really trusted, and where do those trust elements sit inside the organization? Um, and how do you mitigate that? Today, those soft spots are virtually unavoidable.

So let’s say you are, figuratively speaking, using a key vault. You’ve got the keys secured in a vault, but someone has the keys to the vault, and so you’ve always got this situation, an element where someone has access to that authority. So through technology, we’ve looked for a means to remove that, to find a way for that authority to be governed or wielded in a way that doesn’t require blind trust, and at least has an element of verifiability.

Andrew: Yeah.

Elliot: Very interesting. Excellent. Andrew, anything that you would like to build on that, as our resident practitioner?

Andrew: Yeah, I think that Mike’s point is a good one. And I think that it’s only a matter of time before we see specific changes in attacks. There’s all sorts of ransomware attacks on people’s home computers, or blackmail about personal images and all of that.

And I think it’s only a matter of time before somebody gets blackmailed and the person will say, we don’t want any money from you, but what we want is the username and password for the organization that you work at, because we know you’ve got privilege. And then they hand that over, and then they know that the cyber criminals can make a lot more out of access to that corporate system than they can from the person’s home computer.

So I think that, and in my career in the past, I’ve certainly knocked back privileged access because, going, I’m just doing strategy work, or I don’t need that privilege, so if I don’t have it, then it can never be misused, so I don’t want it. So I think one of the beautiful things about Tide for me is that when you remove that privileged access from a human and distribute those keys and remove that risk point, it takes away that onus on most people to carry, because I think, like I said, over the next period of time, it will become a personal burden for people to have privileged access to certain systems for certain organizations.

Elliot: Yeah, absolutely.

Andrew: On the right track.

Mike Loewy: Yeah. Just to complement that, we’re already seeing that some of the best attacks are the ones you don’t even know about yet. Um, they’re exploiting privileged access that today someone has to hold, and you’ll only find out about it years down the track because they use that privileged access to also clean up their tracks.

On the other hand, uh, from some of the more prominent ransomware attacks, we’ve seen groups like Lapsus$, led by a 16-year-old living in his parents’ home, breach some of the biggest, most well-resourced, protected companies in the world and steal some of their most valuable IP. Um, not through any fancy hacking technology.

They either bought or compromised access credentials from privileged employees.

Andrew: Yep.

Neal: So that’s kind of a fun question real quick. So since we’ve got two Aussies on the phone, y’all are obviously sitting right in the backyard of some larger CN trees there. Right? And you obviously have a lot more than the standard EU world does going on relative to those burdens of wartime environment potentials.

Right. So you mentioned APT-esque mentalities and the stuff that we find out tomorrow versus what’s going on actually today. So structurally speaking, it’s critically important to protect that PII. So whether it’s you removing yourself out of the equation as part of that access point, or you’re putting wrappers around the things that matter, if not everything, to start to provide that zero trust at the document level. Right. To where, if someone tries to open up a PDF in China, they’re gonna have to go through a lot more than just simply changing a geotag to manipulate the geofences around it. Right? They’re gonna have to have some legit understanding of what you’ve built into that fingerprint around that document, per se.

I think those are some of the things that I feel miss out on the etiology of what it means to have zero trust. A lot of people think about the user, but I think a lot of people miss out on the fact that users are always gonna get compromised. We’re always gonna click on crap. I mean, it says right here, don’t click on fill in the blank.

But don’t click on crap for a reason, but we’re always gonna do it. Someone’s always going to do it. But if we have a zero trust mentality at the document level and the right policies, then you’re right. The next level is to compromise whatever’s managing those policies and procedures, and then how do you get into that, and those layers around all that stuff, right?

So for me, I think it’s one of the fun things, especially for y’all, ’cause PII in particular is probably getting sucked away into big country land across the pond there for y’all, into China daily, in and out, just as much as it is here in the US and some of the other counterparts in the EU world. So for me, big things to think about on how far down to push the thought flow, and everybody’s very fixated on the user as a start, which you should be, but I think a lot of people need to consider the docs that are at play and how to protect that layer too, personally. So,

Andrew: Yeah, I think that the traditional approach to security in big companies was, somebody starts work on a Monday, make sure they’ve got access to all their systems and they can be productive. So they can produce, they can work. They’re not sitting around waiting for access and all that, which is fine in a historical sense, but now it needs to move from “create access and let them work” to governing that access in real time and proactively.

And that’s why, to me, the security operations, the telemetry, that shared intelligence and all that is the key to zero trust. Because you need to know what’s happening when it’s happening so you can respond to the stuff you care about. Rather than, it’s no good going on, we had a breach three weeks ago and we’re trying to work out what they got access to.

Like you need to know as it’s happening as much as possible. So,

Neal: So I have a quick question for Mike. So when you were doing your intro, you talked about keys to the kingdom that no one knows. So when we start thinking about drilling down into these ideas and the structure and the implications of that, can you elaborate a little bit on what you mean by that phrase?

Mike Loewy: Yeah, sure. Um, the way we see it, there are some secrets that are just too sensitive to exist and certainly to exist in the custody of people, fallible creatures as we are. If you think about the root certificate of an identity and access management system, with that certificate, you can access any resource in the organization bypassing however many factors of authentication you design for your employees.

Or think about it in the context of an institutional cryptocurrency. You might have locked behind this key a billion dollars’ worth of Bitcoin. That’s a secret you don’t want in anyone’s hands. Uh, think of SolarWinds, where there’s a key that proves the integrity of your software. And when that key was stolen, malicious code was inserted, embedded in the software, signed with that stolen key, and multiple organizations around the world using their product had information exfiltrated for years. The only thing protecting virtually every software vendor, hardware vendor for that matter, from becoming the unsuspecting vehicle of a supply chain attack are these keys, these secrets. So they come in different forms and different systems, but the idea is the same. If these keys can be generated in secret, operated in secret, and designed only to be used as programmed, then they don’t need to be trusted to anyone.

So that software vendor can say, uh, the key that signs our software, only five of these 10 managers, or whatever that workflow process might be. This key then becomes incapable of signing that piece of software unless five managers approve it. And the other missing element, and this talks to what Andrew raised earlier, is information, is the telemetry.

If someone has access to those keys today, they can be signing things and you won’t know. But with a key that’s operated in a decentralized way like Tide does, with no one person holding that key, there’s also an immutable record anytime it’s used. So even if those five managers have colluded, there’ll be a record that your third-party cybersecurity managed service provider can see that can’t be cleaned up even by the most privileged employee in your organization.

Neal: Yeah, immutable records, and I can go down a rabbit hole on that part, but I’ll wait a few minutes. Decentralized and distributed authority. I think just anecdotally, some of that construct is there from the BEC world, right? Where the oil scams and stuff like that coming outta Nigeria in particular, or any kind of, welcome to tax day here for us soon in the States, where people hit up the HR department or finance department asking for a spreadsheet with everybody’s socials on it, or a million dollar check.

No, those are good points. Thank you. Appreciate it. I don’t know if you have any thoughts, collateral buying.

Andrew: Yeah. Yeah. I think that fits in with the sort of philosophy we talked about, zero trust being a philosophy, and even the term zero trust, like for me, you start at zero, but then it’s about establishing contextual trust rather than just zero trust. We don’t trust anything, otherwise we’re all just standing around looking at each other and no one can do anything.

Nothing works. So I think that, yeah, from the technology, the Tide technology, that’s part of that overall philosophy where there’s an opportunity by using the technology to remove a big trust-based risk factor but still let the outcome happen. So the work can continue and the organizational goals can be achieved, but you’ve essentially removed a massive risk factor.

And as I said before, for the employees, you know, if you are one of those managers doing your part in signing the distributed key, you are happy to follow the workflow process because ultimately you are doing something positive and playing a role in the security of the organization, but you are not personally in a position where, you know, you have something that could cause damage or whatever.

Neal: Yeah. So on that note, I’m bringing back up the immutable record construct and things like that from your perspective. Blockchain? No blockchain? Things like that to help with that ledger of sorts, right? Distributed ledger and blockchain, all the fun things. What’s your thoughts on kind of implementation and all that type of fun stuff with that construct?

Mike Loewy: So the one thing for us that we’ve taken, and none of us are crypto guys, none of us are on the extreme of decentralize the world. But the one thing we saw in Bitcoin was probably the most secure, most resilient SaaS platform ever conceived of, because you knew that as an end user, once you turn your key, the platform can only do what it’s been designed to do.

Uh, you’re trusting in mathematics, not any one server, one individual, one organization, and it’s fully verifiable. Um, the authority no longer lives inside of the SaaS platform, inside of the SaaS server. It’s been pushed to the edges in the form of these keys. So the end users, the owners of those keys, in that respect are the only authorities in the system.

So compromising a platform that holds an authority is orders of magnitude greater than compromising any centralized SaaS service. Um, so that concept of decentralization, of removing the need to trust a process, is really powerful. Um, as to whether Bitcoin is, uh, a good store of value or a replacement for currency, I’ll leave that for others to comment on.

Um, but that aspect of removing the need to trust the platform is basically what we’ve leveraged to secure traditional platforms, traditional IT. Even if you think about that in the context of the last few months in Australia, and uh, I dunno if it made the news in the US, but recently more than half of the population of Australia had their identity stolen in cyber attacks.

Our second biggest telco, our largest medical insurer were breached. A whole host of other organizations. It’s a massive turning point in Australia. There’s a realization that, as an organization, holding all of your customer data when the breach is inevitable is a ticking time bomb. Um, one report estimated the damages of this one breach to the medical insurer I mentioned earlier to be upwards of 5 billion from compensation, brand damage, and the other costs associated with this one single breach.

Um, all because their customer identities were stored in a way that could be, uh, compromised en masse. So the idea of introducing a concept where the authority of your customer’s data no longer sits with your organization is now starting to make a lot more sense. Um, having the keys to your customer’s data sit outside of your platform so that it only becomes available to your organization in the context that it should.

And enabling your customers to bring their own authority to access their data, um, is a win-win. Um, it removes a massive liability for you, the organization, and introduces this new level of transparency and control, where appropriate, to consumers. Um, decentralized authentication, decentralized technologies, uh, are the only thing that can enable this.

Andrew: Yeah, for sure. I think that there’s always the battle between legislation versus feasibility and technology capabilities, and the risk with crime as well, because there’s legislation in all comp, all countries around how long organizations have to hold data and what type of data and all of that.

So, that was one of the things that we heard about here when companies would say the government’s forcing us to keep all this information for a certain period of time, and then there’s an onus on the organization to protect it when they may not necessarily want to keep all of it for that length of time as well, so.

Neal: So this is the NSA curiosity question. I didn’t realize that y’all had the data policy procedures for X lifestyle amount of data, rather, for your orgs. But is that a, I don’t know if y’all are aware of what SORM is in Russia, but is that a la, maybe I’m going down the wrong rabbit hole.

Little bit. Oh, so SORM style, like, we need access as a government in case something horrible happens and we need to figure out why, our own 9/11. And then if the answer is yes, no, whatever that. This is obviously gonna clash with the idea of more of a GDPR approach to data sovereignty, right? Yeah.

So first one is a kind of reference point, like that government trying to make sure that they have access to things when they need to. And if you don’t wanna answer this, I get it. You’re good. But more curiosity questions around that. So,

Mike Loewy: Uh, I guess I know, I know that it’s a very politically charged question depending on how you look at answering it. Um, but if you look at lawful interception, for example, in the telecommunications industry, it’s a fairly well established piece of legislation that you can see has some really good potential upsides in terms of preventing terrorist attacks.

Of course, that same access could be used to provide, um, big brother oversight to control. Uh, Tide is a technology, uh, a technology used in the context of a business trying to comply with whatever legislation is relevant to their jurisdiction. Um, the technology needs to work in a way that doesn’t compromise the security and doesn’t put a business in a position where they can’t comply with, with legislation relevant to their jurisdiction, or multiple.

So the biggest challenge with any kind of lawful interception is that organizations are being asked to build back doors into their cryptographic processes, which can obviously be used for the intended lawful purpose, but also leaves a gaping hole that can be, uh, leaving an organization vulnerable to unlawful access.

So again, one of the things that you could do with a decentralized authority, um, very similar to the way I described the, the software signing, is to build a process that can’t be circumvented. Any information interception can be done with the relevant oversight to ensure that that process isn’t abused and has the necessary scrutiny.

Andrew: Yeah. And the Australian government’s releasing a cybersecurity strategy in April, I think it’s due, which is that the media conversation has been around taking a more proactive approach, pushing back early, not just responding to breaches. And I think there the, the points Mike’s made about the recent incidents we’ve had have really focused everyone’s attention.

So I think that whole landscape around data retention, individual identities, empowering people to more of an ownership of their own identity footprint, and all of that will flow out of this cybersecurity strategy that comes in April. I think there’ll be wide-ranging ramifications both in legislation and in approach to security for organizations.

Neal: Nice. Thank you. So, like I said before, I have a point. I ramble a lot, but eventually I get there. Marine Corps brain plus some other things going on. Recap real quick: why Australia is the way it is, relatively speaking. Y’all do have built-in things, and to be fair, almost every established country with their own three-letter agency equivalents has something or attempts to make something of that approach.

US, it’s a little more complicated, but still there’s things there, right? So I wanna throw that out there because GDPR came into play while I was still working in the government side of the house, and for a while threw wrenches into. But as a private person, it benefits us even here in the US and probably all as well.

When you go browse sites, if they’re based in the EU, you still get prompts. If they’re not, a lot of people just kind of carpet bombed and said whatever, we’re not gonna try to figure out how to service someone in the EU versus not. So you still have the right to be forgotten no matter where you’re at. That being said, everything still gets some kind of anonymized hash.

So even when you click delete, your bucket of info in GDPR land is there, but it becomes some kind of fully anonymized record where it does take several layers to get back to you. So my, my general point and growth there is OSI GDPR movement in a sense of privacy and engagement. Back to hopefully some kind of distributed ledger mentality.

Some kind of blockchain-esque thing should still provide you, even when you haven’t opted in blatantly, some anonymized approach to your data set, and I think companies like Tide and everybody else have a really big play into what that can potentially look like, both in Australia and globally, for when those privacy concerns come up.

And even if you’re there or not saying, yes, get rid of me, or don’t get rid of me, you’re still protected in that generic GDPR-esque policy procedures that hopefully come to fruition. So we can still get the basic root data that says you browsed Google y. But I can’t put your name to it without going through several more echelons of effort.

Right? In theory. So I, I don’t know, once again, GDPR’s, blockchain. Hopefully y’all feel that’s kind of where hopefully it ends up going. I don’t know if that’s the sentiment or potential sentiment long range.

Andrew: Yeah, I think you’re right. I think that’ll ultimately be the compromise, exactly along those lines, where the information will still be retained, but in a different way where it’s a lot more protected and less vulnerable to a straight-up compromise. So I think that the core of the desire for retained information will remain from various different players and sectors.

But I think the expectation will be, if you’re gonna keep it, you gotta make it a lot more secure. And that was one of the smacks that the organizations got, was like, how was this, how was it so easy to get to this high-value information? Because it was established that it wasn’t overly complicated attacks in a lot of cases that we’ve seen, so.

Mike Loewy: There’s been a, a, a bunch. We, we’ve had, we’ve had a bunch of different attempts at introducing new privacy legislation and even focusing on how existing legislation has been enforced. This recent set of events was absolutely a catalyst for expediting that process and making it a, a priority, and it’s not only changed the, the psyche in terms of individuals thinking about what information they’re.

Um, but how organizations think about their responsibilities. Um, there are many CEOs and CISOs and CIOs scratching their heads, and Andrew would know better than anyone else how in demand his services are, because it’s really a turning point. Um, so there is, this is absolutely gonna be part of the psyche.

They’re gonna be part of the legislation and the technology will need to cater for this.

And, and the other thing is, as a, as a citizen, people are thinking a lot about how every time you do something, every time you engage with a government service, a bank, with a telco, they’re asking you to provide this information, the, the information that you are seeing on the news every day being stolen from them, not from you.

You didn’t click that dodgy link. It was someone who worked at the telco. So it’s certainly entering the consumer consciousness. Um, and while privacy legislation is definitely about the rights of individual constituents, penalizing organizations for not protecting sensitive data also has an impact on national security.

Those breaches, uh, of customer identities in, in Australia I mentioned earlier have a very, uh, geopolitical flavor to them. Um, and I can tell you it’s Tide. Um, we’ve been cited in a number of different OECD, in recommendations to parliaments. So I think the, uh, policy makers, uh, are definitely taking notice.

Neal: Sorry, I know I took us down a weird rabbit hole, but thank y’all.

Andrew: That’s it.

Elliot: I love the focal point on basically what we’re kind of dancing around, is this a technological solution to essentially what social engineering constantly plagues everyone with, and will probably for the foreseeable future. I think from my perspective, from the more layman start, what I’m seeing is basically you’re stretching out the blast radius. So if you have a policy in place that requires multiple people to approve use of a key or something like that, even if it’s logged, that is potentially one of the more novel approaches that I’ve seen to reduce impact to social engineering. So even the more standard approach to zero trust, what we’re seeing.

Zero Trust network access, or, no, there’s a couple other different names floating around. They’ll try to throw Cloud VPNs, but the messaging around that is basically honing into one single point. So instead of you, pump, you break in, they have privileged access. They can’t spread or move up the chain.

You just get that contained in there. So instead what I’m seeing here is even if they do breach this system, they do have that access, you’re creating an additional layer on top of that very basic core element. So, once they’re in the system, and we should be under the guise that either insider threats occur or there, obviously, people trying to break in. You’re adding yet another layer to prevent that kind of social engineering attack, which again, is constantly one of the biggest entry points for the headlines that we see.

Mike Loewy: Yeah. And, and our base assumption is the inevitability of that breach. And I think that’s something that the world is coming to terms with too. Um, now we assume the most core, most horrific breach that you can imagine and start there, because that’s the reality. That’s the reality of what these attack vectors are and.

Um, so what do we do when that core breach occurs? When your identity and access management system has suffered a highest-privileged breach, when someone has root access to your server? Now what, what Tide does is make sure that when that happens, there is no concentration of authority to exploit. Whether you are a malicious IT administrator or a CEO that’s been inadvertently compromised.

And going back to the, the privacy piece, um, think about any large organization. One of the ways that you can use this technology is to lock each customer record with a different key. Each key is split across a different combination of nodes on an infinitely scalable, decentralized network. So again, first, an attacker needs to go through the effort of compromising and, and breaching the organization holding my encrypted customer record.

Then they need to go to the effort of finding and compromising my key, my key that’s distributed across a decentralized network. So they need to compromise 20 different servers, 20 different environments. And after all of that effort, you’ve exposed only a single. Uh, now imagine having to replicate that process, those efforts, across a customer base with 20 million different people.

It’s gonna be a very expensive attack, um, virtually impossible. And that’s what’s now possible with this technology, that, that didn’t exist before: to create a blast radius that is so big that it becomes virtually impossible to compromise, certainly at a mass level.

Andrew: And I think that the other thing that I see as a use case is around that insider risk, is micro-segmentation. So like everyone’s familiar with micro-segmentation in terms of networks and VLANs and all of that, but the new trend in zero trust is micro-segmentation of outcomes and applications.

So say you’ve got the companies, like Neal you mentioned before about tax time in the US, so the company’s payroll system or whatever. So you can use, if you believe in the concept of removing human interaction from the process, which I think we all do, you can use the technology to micro-segment the outcome, so you can chop up your, your payroll system into, so this person needs the decentralized keys to run the reports.

This person needs a different set of keys to be able to generate the spreadsheet with the, the ID numbers in it, because, and that way, again, we’re getting away from you need to be in this AD group or you need to be part of this, part of this directory structure or whatever that, that a human can alter maliciously.

So again, that micro-segmentation of outcomes and applications is a good use case for insider threat as well.

Neal: Kind of, once again, thematic of what we talked about last year on the show was what’s old is new, both in exploitation and in security constructs. And so you’re talking about micro-segmentation. I remember in the early two thousands, you know, started virtualizing, the very first efforts to really virtualize routers and systems and stuff in general.

And uh, micro-segmentation all the way down to the desktop. Like I could have a browser running, a browser specifically baked before we had larger scale, like EDR, XDR constructs, where the browser itself was segmented from everything else on your box. So that was the first effort to get rid of rootkits initially at the end user.

So if we clicked on something, end user, to help keep the rootkits from exploiting everything else, it can only run in that virtualized environment. So I, coming back around, I think it’s interesting terminology, technology. About this also at the very, very beginning, Mike, where you’re, you know, is new people rebranding things.

Andrew, you mentioned that as well, you know, old constructs, rebranding it, and just slapping the zero trust label on it. And in reality, it’s kind of what’s really, it is, it’s all tech that people are finally finding the right ways to approach and then wrapping the etiology around it to put that brand on it.

Hopefully some people are literally just slapping the Zero Trust label on and doing the same exact crap, uh, new buttons to do. But yeah, bringing it all back around and actually kind of rethinking old is new approach in tech stack. So,

Andrew: Yeah, exactly. And to me that’s the beauty of the sort of amalgamation between the business strategy and business planning and the technology in cybersecurity where they all merge together. Because ultimately you’ve gotta know what you’re hiring people to do for the business and that’s all that they need to do.

If I went into a new job and said, I can only do this job if I’ve got a bowl of blue M&Ms, the boss would say, you don’t need a bowl of blue M&Ms to do your job. So it’s the same concept, you don’t permission overprivileged accounts and identities. You just provision enough to do the job, so,

Neal: Taking a step back into something we kind of started to go down, and Mike, you loosely touched on this a little bit, but uh, when we talk about identity access management and all the other things, I have a curiosity question around, we talk about trying to ease the burden of authentication on the end user.

There’s technologies out there now that are like passwordless this, passwordless that. You see financial services industries trying to find ways to adopt that because the more they put in front of the end user, the less likely they are to actually log in. Wow. And this is why they don’t implement MFA on most bank accounts, but they do maybe sometimes have the, nowadays you still get the OTP for a lot of institutions, which is about as far as they go. But long and short, passwordless versus, uh, you of current mentality, and do you see a play with that structure?

And what we can do to assign that kind of more biometric type fingerprints into the trust model.

Mike Loewy: So making sure that, uh, the way that users authenticate doesn’t put hurdles in front of them is critically important, because as human beings, when you put barriers in front of us, we have a tendency to find shortcuts or find our way around them, which is where security vulnerabilities open up. And that’s not just true for customers, making it easy for a customer to interact with an organization, but for employees and, and developers.

We’re seeing a lot of lazy code because you’re on a tight deadline. Um, you have to get this thing live. That’s where we’re seeing GitHub repositories being compromised, or we’re seeing, um, production keys being uploaded to public GitHub repositories. Um, so making sure that end users can authenticate in ways that are convenient, uh, that are familiar, is really important.

So again, our, our approach is not to try and change human behavior, but just to make sure that the process itself has that integrity. Remove the need to trust the process. Um, obviously adding additional factors of authentication is highly recommended and will be much better for security. But as a starting point, let’s make sure we’re not making it difficult for end users to interact with the system, because otherwise they’ll create those shortcuts.

We’ll lose them as customers or become unproductive as an organization with our employees and go from.

We’ve seen, we’ve seen, I mean there are, there are so many brilliant ways that second factor authentication has been circumvented, through breaching some of the messaging providers that, that send or email, um, the, the passcodes to your customers, to more blunt force approaches that fatigue users into eventually giving something up.

Um, whenever that process can be compromised, someone will find a way in.

Neal: Yeah, I think for me personally, and Andrew, I don’t know what your thoughts are on this either, but I, the fundamental nature, what a passwordless authentication brings to me is just an, should be an additive layer in a password environment in my mind, or some kind of, I mean, the whole point of MFA is multiple layers of authentication.

Human, physical, whatever those, the three tenets of MFA, right? Something, something you are, something you have. So I think passwordless security kind of provides, to me, that wrapper to the something-you-are process or the something-you-have pieces, right? So still put a password in, but you can leverage, in the zero trust world, you can leverage what the passwordless mentality brings, I think, to help kind of get that, that other aspect of what it means to truly fingerprint a persona beyond just that base layer of authentication.

I don’t know if y’all agree or not, but I think with a passwordless environment coupled, the password itself. But the ideas of that, I think to me, that brings in the MFA wrapper without having to ask someone to download an actual app. Right. Without having to wait for an email. To your point, MFA in and of itself, OTP, email compromises, things like that, all those have redirect schema around them that work very well when you focus on it now.

But I think, that passwordless piece, I believe is kind of that first layer of zero trust mentality with the user still being able to do what they’re used to.

Mike Loewy: Probably the best way to look at, at, at a biometric is more akin to a username than a password. Um, you can change your password, but you can’t change what your retina looks like or your fingerprint, not very easily. And once, once that biometric’s been digitized, it then sits somewhere for a, an authentication provider to compare.

Neal: Sorry. I had a really fun thing real fast, walking through the airport in, I don’t know if it was Detroit or if it was Minneapolis, St. Paul, but last year, end of year, there’s a company that’s doing these. They look very beautiful, but they’re doing these hyper HD scans of your iris to turn into this large fricking poster, like four foot by four foot poster of your eyeball.

And all I could think about was I literally could take a picture of that HD photo, and in most cases, most of the screens that you use to do iris, even Clear at the airport, I could literally walk up and they’re not paying attention, and that’s good enough where I could go boop, right, that in front of it.

And most of those scanners don’t do three-dimensional recognition. They just do the 2D format flow on the deal anyway. Wonderful exploit path. Sorry. Fun anecdote around your point that biometrics, once they’re digitized, are still going to be usable ’cause you’re just replaying the ones in. But it can be even less complicated than that. Just freaking mob them all and watch ’em getting photos of their eyeballs taken, and you’re good to go.

Mike Loewy: One of the things I watch on with fascination is all of the genetic testing services available. For me, there is nothing more personally identifiable than your DNA, and we’re all freely giving it away because we wanna find out if we’re 100th, uh, Cherokee or whatever it is. I would love to know more about my genetic heritage.

Um, but the, the thought of putting that kind of information in the hands of a, an organization that’s monetizing it, with no control or visibility, um, is, uh, you know, when, when you think about, in, in 10 or 15 years down the track, what that information could allow someone to do, it’s slightly terrifying. Um, and that’s also the risk of using any kind of biometric digitized for authentication, particularly if it’s sitting in a big repository.

Andrew: Yeah. I think that these are good questions that people didn’t really think about. And I think as people get more into the zero trust journey and the overall security approach, and we see breaches and responses to breaches, all these questions are gonna come up, and it’s a good conversation and we’ll ultimately get to better outcomes and a better posture through all these things. But I think at a very small level, zero trust to me is all about being pragmatic and finding that balance between, like, it’s better than it was, and oh, we’ve done enough, now we’re secure, but you’re really not. So I think that bottoming out a lot of these topics and saying this is still our residual risk and all that are key to getting to a point where you’re happy to move on, because there’s so much in, even when you look at zero trust between identity and cloud and network stuff, there’s so, so many bases to cover, you’ve gotta get to a point where you feel that the risks, move on. So,

Neal: Yeah. And at the end of the day, it’s all just a war of escalation no matter what we do. Right. 20 years ago, just a password was all you really needed. And then people realized that the servers didn’t have a, and keep migrating forward. Forward. And no matter what you do, either biometrics, passwordless, all of that boils down to just a fingerprint digitized, right? At some layer it’s all a digital ones and zeros file. You find ways to get to that file, replay that file, it doesn’t matter. So securing the actual authentication process and the server hosting it, in and of itself, is what ultimately is really important in the grand scheme of things.

So, no matter what you’re doing for an end user to log in and make it good, it does you no good if that fingerprint in and of itself is not, regardless. So all that being said, like I said, I know we’re up on time overall. Elliot, I don’t know if you wanna bring us home real quick or if anybody has some saved grounds, but

Elliot: Yeah. So we’re actually gonna do this in reverse. Andrew, you’re familiar with us asking you these basic questions, but Mike, from the security technology perspective, we would love to understand what your perspective is, and you already kind of alluded to this being a philosophy, but how do you define zero trust?

Mike Loewy: For me, zero trust is, is many things at the same time. It’s, it’s, it’s a philosophy, it’s a methodology, it’s a journey. Um, and it’s an aspiration. And, and what it really means, if, uh, putting, putting fixed definitions aside, is recognizing that the need for blind trust in security is a vulnerability and we need to eliminate it, um, and strive for true zero.

Um, and in doing so, we protect organizations. We protect individuals, and we protect processes that are important.

Elliot: Excellent. Yeah. Totally agreed. And I think one of the misconceptions, not something you obviously pointed out, is in zero trust, it’s nev, not never trust. We tend to see that being one of the breaking points of miscommunication. It’s starting with a baseline of zero. But I appreciate that you basically brought us to reality and home that, in today’s world, there is no process or technological solution where we can fully remove implicit trust, as much as we would love to. I’m sure this is the desire along the way, we will, we’ll see some of that, but I feel like your particular perspective helped again bring us back to reality for the state of zero trust today.

Neal: Yeah, I think, one, great having y’all both on the show again. Mike, first time, appreciate it. Hopefully you come back again when the time’s. All right, we’ll see, Mike, Andrew. But, but you know, once again, thank y’all. I think it was a really fun conversation. I think it’s good for Elliot and I’s perspective and the rest of the audience out here, getting some of those vendor thought flows.

But in your particular case, I do feel, both as a founder of the company that you’re in, right? And kind of your approach prior to being that, it’s a pretty unique and good perspective relative to this. And I don’t know, I hope Andrew agrees, he was talking good about you before, but I think where y’all are at and your approach to this is hopefully not unique, but it is definitely a good, refreshing approach to the things, to see that it’s not, you yourself even are not just trying to slap a new label on things.

So thank you for that. Thank you for sharing those experiences and bringing that kind of mentality, but in reality it’s really not. I feel like it’s still very practitioner-focused in how you were approaching it and talking about it. So thank you Andrew once again, as always, appreciate it. Look forward to seeing you again, hopefully, very soon.


Andrew: That’s it. Same time next year. 

Neal: We’ll see where it goes. Maybe we can get, get y’all both out to maybe, I don’t know, RSA or some other conference stateside, or vice versa, LA, and I can talk the

Andrew: Yeah, that’d be great. Yeah, I’ve been looking at the RSA. It looks like a good event to be at for sure. So,

Neal: Yeah, if y’all are coming out, if either one of you or anyone else that you think we should chat with comes out, let us know. El, Elliot and I are still debating about trying to do maybe some quickfire episodes, like 15, 20 minute, 30 minute things, if we can find some host space and line up a good set of people to chit chat. So do some legit onsite interviews and some fun stuff. So,

Mike Loewy: Yeah, no worries. I can definitely hook you up with some good folks.

Elliot: Yeah. So thank you all again. Really appreciate it. Again, this is a new territory for us, so we appreciate the willingness to be our guinea pig in this. It could have been plenty of different ways, but I knew Andrew wasn’t gonna terrorize you too much. I had a couple of questions I wanted to poke fun at, maybe some messaging on your site, but I’ll be nice and kind of leave that off the table.

Mostly joking aside, but again, we really appreciate you being that first guinea pig for us. But that takes us to episode two of season two. So thank you all so much for joining us and stay tuned for the next episode.

*** This is a Security Bloggers Network syndicated blog from Adopting Zero Trust authored by Neal. Read the original post at: