The Banyan Security Blog

A Q&A with Den Jones, Banyan Security CSO

Why join a startup now?

Early in my career I moved from Scotland to California with no financial safety net while providing the sole income for my young family. In those days finances were extremely tight and I felt that it was a lower risk to work for a large and stable company like Adobe. I always thought of startup life being less stable.

However, for the past 20 years I’ve run my teams like a startup. Moving fast, taking calculated risks and recognizing that our company and our customers need to see exciting, business-enhancing results on a regular basis.

I’ve always wanted to join a startup; being able to contribute to a fast-paced and nimble organization that delivers industry-leading results is an appealing opportunity.

 

OK – so why Banyan?

At that point, it was about joining the right start-up. In Banyan, I already knew the founders and many engineers from our partnership at Adobe. An extremely gifted team, humble but with a solid product and strategy. It was vital to me that I join a company that really solves industry problems and with a vision to transform the future of businesses around the world. Press release announcing Den’s role here.

 

Why did you pick zero trust as a focus area?

Zero trust is such an exciting space; it really revolutionizes both identity security as well as the remote access space.

What I experienced during our deployments at Adobe and Cisco was how incredibly impactful Zero Trust can be. It’s very rare that you can improve the employee experience while also improving security. Normally one happens at the expense of the other.

Zero Trust done right can deliver this and much, much more.

 

It’s often said that zero trust isn’t a product, but rather an aspirational strategy. Would you agree?

Ha, it’s really a blend of both…and maybe a little more.

In the last few years I’ve seen many companies struggle to get started. Just defining the problem often escapes many companies I’ve spoken with. As a result, there was no way they could describe the business value, problem statement, or the current risks.

COVID has permanently changed the global workforce. The composition of the average business will have more contractors, consultants, gig, and temporary workers working hand in glove with the full-time employee base. Physical locations are increasingly varied and remote. A dropping unemployment rate will mean hiring best in class with less regard for geography.

Relying on network-centric tools and legacy VPNs is simply not going to cut it from any meaningful perspective, be it security, manageability, or usability.

And so, for all these reasons, we’ll want to drive toward solutions that use zero trust tenets. Is it a “buy this product and magic happens” situation? No, of course not. But being able to take advantage of technology that leverages zero trust will become an important competitive advantage for organizations.

 

Most security and IT folks seem to have arrived at agreement as to the value of zero trust principles. Why aren’t we seeing more successful deployments?

That’s the rub. We’ve got general agreement as to the “what”. Where folks are struggling is with the “how”.

Things like continuous authorization, user and device trust, and least-privilege access are all desirable.

But when your starting point is a legacy VPN, getting there can seem daunting. And the dirty little secret is that yeah, it takes work. You can’t buy a zero trust product and expect magic to happen. You have to think about your existing tech investments. About your workforce composition. Device requirements. Resource sensitivity.

Can the right technology help? You bet. And we can do better. I plan to use my experience deploying zero trust in global enterprises to help other practitioners in industry make it real.

 

Why isn’t having a modern identity system sufficient for granting folks access to resources?

Historically we relied on user authentication to make sure the “right” people accessed our systems. However, in practice this means a legitimate user can connect with a device that has a completely unacceptable security posture. For example, an out-of-date OS, no disk encryption, no installed endpoint security, even the possibility that it’s already compromised. Which means a bad actor can still sit on the device while the user authenticates and then, with that access, perform background tasks to further their attack.

 

What are some of the aspects of zero trust that deliver the biggest bang for the buck?

There are several areas that really help an organization improve productivity and reduce operational costs; here are a few:

  • Ending the need to change passwords every 90 days
    • Reduces user frustration and wasted time
    • Reduces service desk tickets related to password changes by over 60%
  • No longer requiring users to VPN in
    • Saves time for your workforce and reduces frustration
    • Enables reduction of expensive VPN concentrators, lessens need for geographic spread
    • Depending on your approach you can remove the legacy VPN platform entirely and adopt Banyan’s Service Tunnel feature, accelerating your Zero Trust adoption
  • Security Improvements
    • Eliminate access to applications and data from unsecure devices
    • Prevent the ability for mass attack on your corporate network
      • By removing overly-broad VPN access
      • Turn your office network into a guest network to prevent lateral movement

It’s evident that in the Identity and Remote Access space companies turn a blind eye to a huge problem – no one is really achieving least privilege. If they did, then attestations would not be blanket approvals each quarter and VPN platforms wouldn’t simply provide full access to the internal networks for full-time employees.

Imagine a day when upon an employee’s device being compromised a bad actor doesn’t get full access to your entire network. Or automatically adjusting access privileges to those applications that aren’t being used, thus preventing access creep.

 

What do you want your professional legacy to be?

I’ve only thought about this in the last few years. Legacy takes several forms. As a leader I want to build world-class organizations that break the mold and lead the industry.

As a practitioner I’d love to be seen as someone who collaborates with other industry leaders; not just in a visionary capacity but also as a servant to others. I’m curious, still learning myself, and see this type of engagement as personally and professionally important. And, being able to share my experiences to enable others is an incredibly rewarding experience. I invite people to reach out.