As we settle into life with COVID, the topic of zero trust security and a remote workforce is top of mind for all enterprise security teams. During this session you’ll hear from security practitioners who were responsible for the zero trust strategy and implementation at two Fortune 500 global enterprises – Adobe & Cisco. They will share their experiences and tips for rolling out zero trust methodologies at scale.
The audience will gain an understanding of:
- How to get started: selling the strategy, people, process and technology
- How to make real progress in months, not years, while demonstrating continued business value
- Real-world examples, highlighting improvements to user experience and security posture
- Tips and tricks, lessons learned and what to avoid
Den Jones:
Hi everyone, welcome to our session. We’re going to talk a little bit about Zero Trust today, something that I think you’ve probably never heard of, certainly not an overused marketing term. And certainly something that everyone knows exactly what you mean when you say zero trust. Not confusing at all, and certainly not something with more than 500 definitions. So, let’s talk a little bit about it. And we’ll talk about what I’ve done in my career as a practitioner, which was driving zero trust at two different companies, and some of the lessons that I’ve learned.
Den Jones:
I think it’d be really good for us to talk about, well, “what is zero trust and why zero trust?”. We’ll dig into a little bit about common architectures. My experience of the couple of companies was really… the architectures are pretty common, there’s a lot of things that will work for you, and then some things might work against you. And we’ll talk about that as part of the journey and lessons learned.
Den Jones:
My name is Den Jones. I joined Banyan in December, and prior to that, I was at Adobe and Cisco where I ran the enterprise security organizations. Among other things, zero trust was a part of the strategies that we got underway there. With Adobe, it was back in 2018, we called it Project ZEN, Zero Trust Enterprise Network. Took us around seven months, as you can see from the stats, a lot of users, a lot of devices, and a lot of applications. I left there and went to Cisco, and ran enterprise security there. And in five months, so we’re getting a bit quicker here, five months, we’d done 100,000 plus users, 100,000 plus devices, and over 100 applications.
Den Jones:
So, let’s talk about now, when I’m at Banyan. I run security, I run IT, I run our customer zero program, but a big part of my life is coming out here, talking to people like you as an evangelist in the industry, sharing my experiences. Because zero trust and what we do at Banyan, it’s not just the only piece of the puzzle, it’s one piece of the puzzle. You’ll have an identity management strategy, you might have an endpoint strategy and network security strategy. And zero trust, depending on which vendor you talk to, these things are all part of the puzzle.
Den Jones:
So why do we need a new security model? Let’s dig into this. So for years, authenticating to an app and service, it was only about the user. Originally it was just username and password, then we got to multifactor authentication. But still the user is getting into the application and service without us knowing anything about that device.
Den Jones:
And not only that, back in 2017 at Adobe, I was always talking about how our workforce was less and less in the office, and the applications and services we were deploying were also less and less in the corporate network, and more and more in the cloud. So not only was this evolving workforce happening, but the evolving apps and services. And then what we noticed was the tactics and techniques of the bad actors, they were also evolving. They’re not trying to brute force your firewall and break into the network and think about a thousand different password combinations that they got off the dark web. They’re just sending you a link, they’re social engineering your employees, and that means that they get onto your device. And if the posture of your device, which as I said before, we’re not necessarily checking, if that posture’s not very good, then they might get into that device and hide. And they might get into that device, and because they’ve got access to a lot of things on the network, quickly move around.
Den Jones:
So by nature of that, the corporate network, we always thought was safe. But, my view has always been the corporate network’s not safer than your home network, because your corporate network’s a huge target. On your corporate network there’s thousands of people. I would say it is kind of like me driving. If I’m going to drive in the road and it’s just me, a couple of cars on the road, great. But now there’s hundreds or thousands of cars on the roads and I’m passing many cars all the time, just like your corporate network. Are you trusting that everybody else also on that network or also on the road is as good a driver as you with great hygiene like you’ve got when it comes to looking after your device, and patching when you’re meant to patch, and not downloading and clicking links that you’re not supposed to? So, that network in the corporate side, it’s not really that safe.
Den Jones:
And then secondly, the network perimeter is no longer the security boundary that you thought it was, especially if your apps and users are not inside your network. And especially when a bad actor social engineers one of your 40,000 employees or 100,000 employees, however many you’ve got. So for this, all of these things combined that’s why we kept thinking we need a new path, a new approach, a new strategy. And, hence why zero trust was born.
Den Jones:
So, magic hat. Not my favorite slide in this deck, purely because I think it’s a little bit crazy with the birds flying out of the hat. But I used to always try and tell people, okay, imagine a day where you’re not changing your username and password every 90 days, imagine a day where we’re not using your username and password, and you’re logging in less instead of username and password, we were using a certificate.
Den Jones:
Imagine when we say, hey, your device and your posture of that device needs to improve, and you enable some self-service so that they can improve this themselves without contacting IT, so you can suddenly see your fleet of endpoint devices from a posture perspective getting better, and users being incentivized in order to do that. And where you’re publishing applications, internet accessible without the requirement to use VPN. Which means your users aren’t VPN-ing in, and most companies when you allow that anyway, you’re enabling all access to that network when a full-time employee logs in via VPN. So they can see thousands of devices on your network. Well, publish the application so you don’t have to VPN in. And then if I could say, look, would you like to complete this project before you retire, rather than doing something in years, as I’ve said from the previous slide, you can do this in months. One company, seven months, next company, five months, and that covers a hundred thousand plus people.
Den Jones:
So it’s possible to say, I can deliver you something which is better, a better experience for your users. You can get something which is a better security posture for your company. And as you can see here, this was not the full list of the stuff that my team came up with for improvements, but it’s the good ones. It’s the ones that you can say, hey, there’s a financial thing here. Or there’s an employee expedience thing where your employees actually can get to their apps and services quicker. They’re not seeing the same amount of friction, and then we can improve the security posture.
Den Jones:
There are common components to this. So before I jump into this, from a zero trust perspective, as you can see, the focus is users to applications and services. We’re not talking about service to service or other kind of zero trustee things. When you hear companies in the marketplace talking about that, we’re not trying to deliver that capability. We’re really focused on the thing that I think is more visible to your employees, more visible to your board, and the highest security risk of your company, which is thousands of employees clicking links and connecting to your network and apps and services. So we’d rather improve that posture. But there are three common components to this. There’s the user, where we want to do some level of posture check on the device. There’s the access proxy on the right hand side, where we’re saying, if I’m going to go to an application or service, which is inside my network, then there needs to be a reverse proxy, a method to get in. And then there’s a thing in the middle, which glues this together, which is a policy engine.
Den Jones:
Now, if I’m going to access applications and services that are in the cloud, let’s say, I’m going to go to Office 365, I’m not necessarily going via that access proxy, I’m just requesting access. It’ll divert me back to an IDP in their case, maybe Okta, but we can use a [inaudible 00:09:16] or anything, which is a SAML compliant standard. And then we’re going to check the policy that’s based on the application being published, and our user and our device. And in our case, I want a minimum, a minimum of a good OS. I want to be patched. I want to have an endpoint. I might decide I want it managed by IT versus an unmanaged BYOD; we can work with those as well. And ultimately good integrations with something like CrowdStrike, where I have the ability to detect malware on the device. And a good thing is if that is detected and CrowdStrike alerts to it, then we will actually cut your session and revoke the access for that one device.
Den Jones:
And the good thing about these components is I mentioned earlier about certificates being used, that certificate is tied to the user and that device. So if I try and log into your device, that’s not possible because the device is registered with your identity, your human’s identity and your device’s identity together. If that device is compromised, you lose your access on that device. If you still have other devices like your cell phone, that is not revoked; your user’s access is not revoked. You can still continue to do work, even though you have one device that’s compromised, but the rest are not.
Den Jones:
So along the journey, there’s similar things that are happening here. There’s some PKI, there’s some policy management, there’s risk scoring, so the risk scoring of the device, which will change depending on what’s going on in that device. And then there’s continuous authorization. I want to know that I can revoke your access, and in order to do that, I need to know that we’re going to continually authorize your access to an app or service. On the right hand side, good call out here, we have the ability to cover things like SSH and RDP, Kubernetes, EC2, so you’ve got cloud services, we also have on premise services. We’re not just about an application. We can cover other ports and protocols as well. Now let’s finish building this out.
Den Jones:
Now talk a little bit about zero trust. So one of the things that I identified along the journey with the teams was that we already have made a lot of investments. In the Adobe case, we were an Okta customer. We were already using Workspace ONE for our MDM. We were already using Carbon Black for our endpoint detection. We’ve already got our SIEM set up and our network access control. So there was already some level of network segmentation and things of that nature. But biggest thing is the talent. We already had a team of people that were great at running all of these services and capabilities. So ultimately what we wanted to do is bring the team together, get a core virtual team, a very small core work virtual team, and actually build out a development environment of what we thought of as a zero trust platform, which is intercepting the authentication workflow, and then rerouting the traffic to an internal application via reverse proxy and doing some policy check on the device or posture check based on our policy that we’d maybe put in place. So that was pretty straightforward, but the important piece is we were leveraging the existing investments we already had, and it’s about gluing these things together.
Den Jones:
So as I mentioned as we were getting started, important thing is selling the vision, the people, the process, the technology. You want to get to a situation where the vision isn’t about, let’s do some zero trust. Because as we all mentioned, agreed, probably, because I’m not there in person, but I’m sure you’re all raising your hand saying we have no idea what you mean by zero trust, because the vision isn’t about I’m going to sell you in the marketing term. The vision is I’m going to sell you on some outcomes. Do you want to improve the user experience? Do you want to improve security? Do you want to do something quick rather than something in years? And as part of these things, we’re going to bring some benefits. Start off with a really small cross functional team. By the time I got to Cisco, they had very, very many people working on zero trust type activities. And what I wanted to do was actually reduce all the people working on these activities, getting down to a small core team with one strong leader. And we did that. We may have offended a few people in not including them, but the reality is too many cooks in the kitchen didn’t get us anywhere, so we wanted to make progress quick.
Den Jones:
And we found a concrete use case. At Adobe, two of the best use cases were M&As. We were doing M&As where we wanted to not connect the network of these two companies until we felt comfortable. So what we’d done was we published the applications on our zero trust platform that the newly acquired company’s employees were going to use day one as part of them joining Adobe. That’s a great use case. In other scenarios, it’s maybe a small engineering team that are just going to get to some lab services and you’ll give them access to those without the need to use VPN.
Den Jones:
We wanted to leverage those existing investments. That for me was a really huge part of the selling of this and our investment into what we were delivering for zero trust. And we started in both cases by integrating with our existing authentication platform. I’ve never, ever heard anybody say to me, they’d like to log in more people. People don’t really like logging in to begin with. So I’d never had to ask permission if people would be okay with me improving the authentication experience. So if you’ve got your identity team and you can work with them to get this moving, that’s the perfect place to start. And everybody wants to be a hero, right? So if your identity team would like to be thought of as rock stars and breaking new ground and doing some creative stuff, then this is a great place for them to get involved because they can really make a difference here.
Den Jones:
I think everyone’s run a project before, so I’ll give you a second just to digest this. [inaudible 00:16:14] Ultimately, in the project, we can complete a POC. And then from there we find some good engagement with some of the smaller applications that we might want to test things with. We’re going to go through sign off, we’re going to get the infrastructure built and go ready. And then the go live thing is actually all about us finding a set number of applications, a set number of groups of users, friends, and family, getting things going in small pockets first, and then growing it to a company wide deployment.
Den Jones:
As we went through this, I would love to tell you this communications thing, we didn’t really communicate much with the company. What we did do is we’d done internet postings. And the cool thing about this is as we went through the project, we did have someone contact our SOC and think they were a bit of a genius as they discovered that they could access internal apps and services without VPN-ing in.
Den Jones:
And at that point they thought they had found a big vulnerability in our environment. And we’d done some research, the SOC team pulled us in as well. And as we’d done the research, all we really discovered was we’d already configured their device for some zero trust. Their device met the posture, and that meant that they could access applications and services that we had published and that they were going through our prop platform. It was all safe, it was all secure. And what the user realized was, hey, they were accessing stuff on our new zero trust platform without VPN and they didn’t even know that they were doing it, and they didn’t even know we had done it. So, that’s how seamless we made this.
Den Jones:
So lessons learned. Executive support’s really essential. And as I mentioned, it’s not that BS where you’re saying, Hey, we want some executive support to do some zero trust. That’s not a great term, and it doesn’t really derive any outcome or benefit to the business. So you’ve got to explain this to the executives in a way where they understand the business benefits and the user benefits. And by the way, even executives hate logging in and they hate VPN too. So that’s a good place to start. No vendor can do it all. I’d love to tell you that Banyan can do it all, but we don’t, and we don’t plan to. We do some really key components very well, and we integrate with all the other people that you’re going to want to partner with on this journey or already have an existing investment in.
Den Jones:
Introducing principles to an organization. And for us, it was about users accessing apps and services in a more seamless way with less risk. We avoided the term zero trust, and we’d share the benefits to the users and to leadership as we went along that journey. And from a user perspective, it was really internet site posts that we were doing to talk about the work, and the active communications that we were really working on were mainly to leadership and the people in the core team. I’m a big fan of using countdowns, so on the right hand side of our weekly report on the top right, we’d have a number and it was a number of days until X. And that number kept counting down and down and down as we got to what we said that milestone was. Either it was a company launch, or in some cases we might have said, hey, we’re going to be at a conference talking about this thing. So we wanted to make sure we were talking about something we’d actually delivered and not something that was a pipe dream.
Den Jones:
So as we went forward, let’s talk a little bit about what I said you would expect to get. So users accessing applications without going via a VPN. We were going to improve the employee experience, we were going to do this in a number of ways. One is remove the username and password from the authentication as part of the first factor, remove the need for users to change their passwords every 90 days, and remove the need for VPN. And that meant all users were accessing apps and services without caring or understanding where they were. We’d improved the security, one thing is device posture. We got more visibility into the devices. So now you can imagine when they’re logging in and we’re doing a device posture check, we’re also capturing what that device is.
Den Jones:
Hey, so while we’re doing it, let’s make sure we’re updating the CMDB on the fly and say, hey, Den logs in from this device every day. Let’s make sure that device is recorded in our CMDB as being Den’s. And now when you’re going through, let’s say malware pops up as being on someone’s device, it’s easier for the SOC to actually track down that device because you know exactly who used that device last. So from that visibility, from that posture, it’s a far better situation to be in. Shameless commerce slide, so I’m not trying to sell you on the Banyan Kool-Aid, there are plenty of companies that can do some zero trust. I’m just going to say we do it a bit better than the rest, actually. And one of the things that you can do without worrying about us is you can actually go to the Banyan website and you can download and get registered and set up your own edition for free.
Den Jones:
We cover 20 users, so a small team, and you can get up and running in 15 minutes or less. And we have a video on our website on that as well. Now you may contact me, I do have office hours. I’m on Twitter, LinkedIn, and my email is up here, but I will leave you with this. We have a podcast every month called Get IT Started, Get IT Done. [inaudible 00:22:28] where it’s not about all talk and no action, we are all measured on results. So how you get it started is cool, but more importantly, you got to get it done. Thank you very much, everybody. Thanks for your time and attention today, we really appreciate it.
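The talk describes three components (a device posture check, an access proxy in front of the application, and a policy engine gluing them together), a certificate bound to both the user and the device, and continuous authorization that cuts the session of one compromised device while leaving the same user’s other devices working. The toy policy engine below is an added example written for this page; it is not Banyan, Adobe or Cisco code. The posture thresholds, application policies, user and device names, and the `authorize`, `posture_failures` and `edr_alert` functions are all assumptions made for the illustration.

```python
"""Toy zero-trust policy engine: device posture, per-application policy,
user+device certificate binding, and per-device revocation on an EDR alert.
Added illustration; every name and threshold is an assumption."""
from dataclasses import dataclass, field

# Minimum posture the talk mentions: a current OS, patched, an endpoint agent
# present. The concrete values are constructed for this example.
MIN_OS_VERSION = (12, 0)
MAX_PATCH_AGE_DAYS = 30


@dataclass
class DevicePosture:
    os_version: tuple          # e.g. (13, 2)
    days_since_patch: int
    edr_agent_present: bool
    managed_by_it: bool        # False for BYOD


@dataclass
class AppPolicy:
    name: str
    allow_byod: bool           # whether an unmanaged device may reach the app


@dataclass
class Registry:
    """Certificate fingerprint -> (user, device). The certificate is issued to
    the human *and* the device together, so it is useless from another device."""
    certs: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # session_id -> (user, device, app)
    quarantined: set = field(default_factory=set)  # devices with an EDR alert

    def enroll(self, fingerprint, user, device):
        self.certs[fingerprint] = (user, device)


def posture_failures(p: DevicePosture, policy: AppPolicy) -> list:
    """Reasons the device fails the application's policy; empty means it passes."""
    failures = []
    if p.os_version < MIN_OS_VERSION:
        failures.append("os_too_old")
    if p.days_since_patch > MAX_PATCH_AGE_DAYS:
        failures.append("unpatched")
    if not p.edr_agent_present:
        failures.append("no_endpoint_agent")
    if not p.managed_by_it and not policy.allow_byod:
        failures.append("byod_not_allowed")
    return failures


def authorize(reg: Registry, fingerprint, presented_user, posture, policy):
    """Policy-engine decision for one request: (session_id or None, reasons)."""
    identity = reg.certs.get(fingerprint)
    if identity is None:
        return None, ["unknown_certificate"]
    user, device = identity
    if user != presented_user:
        return None, ["certificate_user_mismatch"]  # cert belongs to another human
    if device in reg.quarantined:
        return None, ["device_quarantined"]
    failures = posture_failures(posture, policy)
    if failures:
        return None, failures
    session_id = f"{user}:{device}:{policy.name}"
    reg.sessions[session_id] = (user, device, policy.name)
    return session_id, []


def edr_alert(reg: Registry, device) -> list:
    """Continuous authorization: an EDR detection cuts every session on that
    device and blocks new ones, but the same user's other devices keep working."""
    reg.quarantined.add(device)
    cut = [sid for sid, (_, dev, _) in reg.sessions.items() if dev == device]
    for sid in cut:
        del reg.sessions[sid]
    return cut


def demo():
    """Walk through the scenarios from the talk with constructed sample data."""
    reg = Registry()
    reg.enroll("fp-laptop", "den", "laptop-01")
    reg.enroll("fp-phone", "den", "phone-01")
    wiki = AppPolicy("wiki", allow_byod=True)
    hr = AppPolicy("hr", allow_byod=False)
    managed_laptop = DevicePosture((13, 2), 5, True, True)
    byod_phone = DevicePosture((16, 0), 2, True, False)
    results = {}
    results["laptop_wiki"] = authorize(reg, "fp-laptop", "den", managed_laptop, wiki)
    results["phone_hr"] = authorize(reg, "fp-phone", "den", byod_phone, hr)
    results["phone_wiki"] = authorize(reg, "fp-phone", "den", byod_phone, wiki)
    results["stolen_cert"] = authorize(reg, "fp-laptop", "mallory", managed_laptop, wiki)
    results["cut"] = edr_alert(reg, "laptop-01")          # malware found on the laptop
    results["remaining"] = sorted(reg.sessions)            # phone session survives
    results["laptop_after"] = authorize(reg, "fp-laptop", "den", managed_laptop, wiki)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo` walk-through shows the two properties the talk emphasizes: a BYOD phone is allowed into an application whose policy permits unmanaged devices but not into one that requires IT management, and an EDR alert on the laptop revokes only the laptop’s session and future access, leaving the phone session untouched. A real deployment would get the fingerprint from a client certificate presented to the access proxy and the posture from the MDM or EDR integration rather than from constructed objects.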
Book Office Hours with Den Jones
If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.
Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.