Deploying Zero Trust in the Real World with Den Jones and Carlos Martinez

Voiceover:

If you use the internet on a daily basis and chances are you do, you probably don’t put much thought into cybersecurity. Your network connections, the pages you visit, the files you download. You should be thinking about these all the time. Welcome to And Security for All.

Voiceover:

Your host is Kim Hakim. We’re here to help you understand in general terms how and why your cybersecurity should be kept in check. Now, here is Kim Hakim.

Kim Hakim:

Hello, everyone. Happy New Year. I haven’t seen everyone for almost a month with the holidays. I’m Kim Hakim, your host. If this is your first time tuning into the show, welcome. Welcome to another episode of And Security for All. We had such a great lineup of speakers in 2021.

Kim Hakim:

If you missed any of our speakers, please go check us out on Voice America on the Business Network and any place you like to listen to your podcast, you will find Voice America, and you can find And Security for All. We are here in year 2022. Last year seemed to fly like every year does.

Kim Hakim:

All my colleagues and friends in the cybersecurity industry had a very nice holiday gift. They had Log4j. 2020, we wrapped up with SolarWinds and now all the security teams are out there bogged down with the Log4j issues. My hats are off to all the hard workers out there fighting the continued fight of cybercrime, breaches, hacks, you name it.

Kim Hakim:

We’re actually going to be talking about that today. We’re going to be talking about Zero Trust. How to make real progress in months, not years. Zero Trust is such an overwhelming word we see on hashtags all over the place. Let’s go back to the basics and talk about how do we wrap our head around this?

Kim Hakim:

How do we just really go back Zero Trust, what’s that mean? We’re going to discuss tips, tricks, lessons learned, and what to avoid. Before I invite my guest in today and I have two guests today, I wanted to update everyone on what’s going on in the FutureCon world. For those of you that may be new listeners, FutureCon puts on cybersecurity conferences all throughout North America.

Kim Hakim:

Everything that we’re going to do in 2022 is in a hybrid mode. We have roughly about 28 conferences that will be touring throughout North America. We have a few virtuals out there, but we’re really trying to move away from virtual and we want to get back to live events.

Kim Hakim:

The good news is our live events will always stream and we will always have virtual attendees. The bad news is we’re still trying to get those people that don’t want to leave their house to come out and see us again. We’re actually going to be in Dallas on January 20th. My two guests here today Banyan Security, they are going to be a sponsor of that event today.

Kim Hakim:

We have so many industry cybersecurity leaders that are doing keynote. Well, first of all, that event in Dallas, we have some of the best speakers in Dallas that are going to be speaking at that event. If you want to check out that event, please go to our website at futureconevents.com. We would love to see you live or virtual.

Kim Hakim:

One thing that we launched right in the mid, we started going back to live events around August 2021, and it’s definitely been a struggle getting people to come back out, but people are starting to come back out. One thing we’ve decided to do over the next year is celebrate all those hard working cyber security professionals in the industry who are working hard.

Kim Hakim:

They probably feel like they’re never getting acknowledged. Each of our events, we’re going to be honoring about 30 individuals in each market with a special award and a cocktail reception. That cocktail reception will go out to all of our cybersecurity attendees that are going to be at each to that. We’re super excited about that. We really want to try to acknowledge those unsung heroes really, that are out there working hard every day.

Kim Hakim:

If anyone’s listening to this and you have somebody in the industry that you think should be nominated for someone that goes above and beyond doing their extra work in the industry, please move us because we’ve been taking nominations for the past year. I have two great guests today.

Kim Hakim:

I have Den Jones. He brings a unique mix of leadership and IT implementation experience to Banyan Security as their CSO, which is their chief security officer. I have Carlos Martinez as the Banyan Security Director of Solutions architecture. Both of these guys came from Cisco. Prior to that, they came from Adobe. I am excited to welcome my guests today. Welcome, Den and Carlos.

Den Jones:

Hey, Kim. Thanks very much for having us and Happy New Year, everyone.

Kim Hakim:

Happy New Year. Thanks for being here. Guys tell me, since you were both at Adobe, you were both at Cisco, and now you’re both here at Banyan, one of you guys want to take the lead on how that happened and what you guys are doing?

Den Jones:

I can open and then Carlos can add the fun stuff. I was lucky enough to work in Adobe with great careers both at Adobe and at Cisco, two awesome companies. I ran enterprise security in Adobe. Then, I left Adobe to join Cisco in IT organization where I ran enterprise security there. In both cases, responsible for a lot of the identity and access management stuff, a lot of workforce security.

Den Jones:

Then one of the big things in both companies was on organization we were responsible for the Zero Trust implementation and delivering Zero Trust, as you said earlier in months, not years. Those were two really exciting programs for both companies.

Carlos Martinez:

I’ve been focused, I’m a practitioner at heart. I was a security engineer at Adobe, really took on. Was excited to hear about this whole new initiative around Zero Trust and what it could do, not only from a security perspective, but how it could enable our workforce. Really was a big part of that rollout there.

Carlos Martinez:

When I heard Den was at Cisco, I was like, “Well, Cisco’s working on a similar initiative and was excited to be part of that.” We’re a package deal at this point. It’s been exciting though.

Kim Hakim:

Go ahead.

Den Jones:

[crosstalk 00:07:13] sorry, Kim. I was just going to say, but the move to Banyan was a really interesting one. During our time in Adobe, we became a companion customer. We got to know the Banyan team. We loved the product and their strategy and what they’ve been working on.

Den Jones:

As they’ve matured and evolved over the years, we were speaking with the co-founders. They asked us if we wanted to join Banyan in the crusade. Zero Trust, as you said it’s a big marketing term there. There’s not many people out in the world who have actually got experience of deploying Zero Trust, especially in that rapid fashion.

Den Jones:

We were just super excited to join what I think of is a company that’s uniquely placed in the industry. A company that has a very compelling story and solution. For us, we had great confidence. Look, you don’t leave a company like Cisco, which is an excellent company to join a company like Banyan without having some faith in the future of Banyan, and what Banyan is delivering in the industry.

Den Jones:

For us, it was a not a leap of faith, it was a leap of real enthusiasm and enjoyment of joining such a young future thinking team.

Kim Hakim:

It’s such an interesting industry that we live in because I just like you have a million competitors out there that do the same thing as I do. Fortunately, I’ve been in the industry 20 plus years and had a different company I founded. I think that’s the same thing with Banyan and all these new companies that are coming to life is that we have so many great leaders in the industry that are coming from companies like Cisco.

Kim Hakim:

All those other great companies out there and could [inaudible 00:09:06] so many of them that have taken the leadership teams and then developed these companies like Banyan. I don’t know a lot about the history of your founders, but is that the case? Where did your founders come from?

Den Jones:

I don’t know. Carlos, do you want to jump in on that one?

Carlos Martinez:

Jayanth, they all come from deep technical backgrounds. I can tell you our CEO Jayanth comes from VMware, where he was a big part of some of the initial technology out there and actually was one of the mentors was a co-founder. They have deep technical networking knowledge. The product has actually moved or evolved service to service, to more of a focus on user to service.

Carlos Martinez:

They come from Stanford grads and just come from the background of just networking expertise, some identity chops. It all comes together because with this particular Zero Trust network access solution that Banyan provides, you need a little bit of that versatility on the endpoint component to proxy solution, identity-aware proxy, et cetera. It’s all come together.

Kim Hakim:

Before we dive into Zero Trust and talk about some of these things we’re going to talk about today, I do want to remind you guys that the listeners on And Security for All, not all of them are super technical, like you guys are. There may be moments that I’ll ask you to break that down a little bit for us so they can understand what we’re talking about.

Kim Hakim:

I saw in your bio, Den, there was a little fun fact in there. I have to ask you. It said Den released music when it was on vinyl and I definitely miss vinyl, but it says what was that? Tell us then.

Den Jones:

I’m glad you said not everyone’s super technical, because I always confess, I’m not super technical that’s why Carlos is here. On the vinyl front, the music front, I still am involved in music. I write and release and produce music under the name, Urban Punkz.

Den Jones:

It’s all electronic stuff. I’ve got a lot of influences over the years from the 1980s synth-pop bands and things of that nature. I collect vinyl. I’m a huge vinyl fan. I’ll collect everything. I go to antique stores and I find old Beatles stuff. Bob Dylan, The Doors, anything really that’s not in my collection or that I think isn’t in the collection.

Den Jones:

I’m a big vinyl fan and I did release music. The first record I released was in 1994 and I was a young 22-year-old kid going around the rave scene, playing gigs, and stuff like that, which was a very fascinating experience, which is probably good for another podcast.

Kim Hakim:

I know. I have so many questions and I don’t want to go off there, but I do have one question because I haven’t actually heard a vinyl record on a radio player. Whatever you call them. I grew up listening to that. What’s that sound like, I guess it’s high tech enough now because they’ve redeveloped all that stuff. Is that good sound coming out of that?

Den Jones:

Well, it’s good sound in my studio because I’ve got really expensive speakers for my music production, but I actually still use the original Technics turntables that were built back in the ’80s and ’90s and stuff. I’m getting that little hiss and the crackle, and all those things coming through.

Den Jones:

Which is really for me, it’s part of the authenticity of having vinyl as opposed to just streaming music. Otherwise, Spotify is cool. I use that, but nothing beats putting on some vinyl.

Kim Hakim:

That’s awesome. Maybe I’ll have a new hobby this year, but I doubt I’m going to have time, but that would be a fun one. Anyway, let’s go talk about Zero Trust. You see hashtags all over the place, Zero Trust, Zero Trust, Zero Trust. Let’s just start down, let’s downscale it a little bit. Let’s talk about what Zero Trust is.

Kim Hakim:

Zero Trust, one of the things you said is how can you turn an organization into a place where you can implement Zero Trust in a month and not years. I would like to hear from you guys and you guys can choose whoever to start. How does a company say it’s not even an enterprise level company, say it’s a company with 500 to 1,000 employees.

Kim Hakim:

What would your advice be in training all of the folks in the corporation how to wrap their hands around Zero Trust?

Den Jones:

If you don’t mind I’ll start and then Carlos can throw in some color here. Let’s define Zero Trust. First of all, I have no trust that when you get 20 people in the room, they’ll all have the same thoughts on what Zero Trust is. I think that for me is the opener. In our context, I think of Zero Trust and you can have service to service, but for now let’s focus on users accessing applications and services.

Den Jones:

The industry traditionally always went along the lines of we’re going to use a username and password that will help us understand who you are. If you’re going to access resources on the inside of our network, you’re going to go through a VPN. In both cases, the experience in doing so and even the security posture in doing so, it’s not exactly evolved much over many years.

Den Jones:

As you look at the last 15 years it hasn’t really evolved much. We introduce things like multifactor as part of the identity stack, the authentication piece. Then from a VPN thing, there is some posture check that you might do during a VPN. As a user experience goes, it’s not really evolved. And it’s certainly cumbersome and clunky.

Den Jones:

If you can think of it, let’s take the authentication step and make that simpler a better user experience. Let’s remove the need for the user to VPN in and make it easier for them to access those internal apps and services. Then, very importantly, let’s include the posture check of the device.

Den Jones:

I might have five devices and they all may be a varying level of security posture. Some of them might not be patched. Some of them might be managed. Some of them may not, some may not have any endpoint software. Then at the end of the day, you could have one device compromised, but your other four not compromised.

Den Jones:

How we handle that as part of that access is the thing that I think that has really evolved more and more over the years as Zero Trust has become more mature. Taking the user context and the device context as part of that access and enabling a smoother access into those apps services is a huge part of it. Carlos, do you want to add in more in there?

Carlos Martinez:

In a nutshell, from a user to service perspective that’s on point. It’s being granular and providing that least privileged access to those resources and validating on a per app basis. Once you establish that for accessing a specific resource, you’re doing that for the next attempt to access another resource.

Carlos Martinez:

That’s where some of the traditional methods like VPN just fall short. You validate once or you ensure that the user is who they say they are and they now have full access to move around laterally. With Zero Trust, yes, and a lot of us are familiar with the security benefits that come with it.

Carlos Martinez:

As Den pointed out, once you start establishing that user and device trust, you’re able to do some really exciting things. At least I find them exciting where you can improve that experience for accessing resources. You move away from the premise that you have to be part of a network segment to access these resources.

Carlos Martinez:

Now, because you are now adding other layers of security, you’re able to make these resources available without having to connect to your network via VPN or anything. You can provide a more, I like to say frictionless method of access. You’re also able to reduce the number of times you’re prompting a user for their credentials.

Carlos Martinez:

You have other means to verify. Again, establish that user and device trust. Big user experience benefits, including those security benefits that many of us are aware of from a Zero Trust network perspective.

Kim Hakim:

We spend so much time on the show and we read so much about the news, about all the bad things that have been happening in the industry because they happen every day. Let’s talk about some of the highlights of what you’re seeing when people are implementing Zero Trust in a company security posture.

Kim Hakim:

Give us some examples of what you’ve seen from bad to good and by following your advice, can you give us some good examples?

Carlos Martinez:

Go ahead, Den, if you want to jump in.

Den Jones:

You jump in first, you go.

Carlos Martinez:

By the way, I’ve had the pleasure of talking to a lot of my peers in the industry. Practitioners that have gone out and have either begun to research, are getting started in their journey, or are well into their journey. One of the biggest things is that a certain team or engineer or manager will go off and try to boil the ocean.

Carlos Martinez:

They’ll develop a plan and try to deploy this across their organization. The reality is and as Den pointed out earlier, once you start introducing this notion that device health matters in order to gain access, you’ll start to discover that some of my devices that I didn’t know they were in a degraded state or this or that, and it may raise some headaches or cause some unforeseen issues.

Carlos Martinez:

Really for us, one of the tips that we give is find a specific use case, and start there. Slowly as you gain that experience, expand, and iterate. That’s one of the things is really starting finding that use case. In our previous role, one of the use cases that we found was just that acquisition use case. New users that had to access certain resources and we had to provide a method to do that.

Carlos Martinez:

Now, traditionally, you had to go and build infrastructure and connect that infrastructure to the company. With Zero Trust network access, you’re actually able to do a lot of that without requiring the old traditional infrastructure methods. That’s one tip. Den?

Den Jones:

Well, one of the things for me when we’ve done this before I spend most of my time working with the executives, getting a sponsorship, getting the buy-in. One of the things for us that we found was it was really, really important that you did have the executive sponsorship and understanding their support and their role in this.

Den Jones:

The other thing is it doesn’t take an army of people to actually deliver this. Continually, when we speak with people out in the industry, you hear a lot of people thinking you have to build a team, spend millions of dollars, and you make a huge investment. As Carlos said, you start small. What we try and say is get that enthusiasm within the organization.

Den Jones:

I always start off with a few stories, Kim, I say, “Would you love a day where you never have to enter your username and passwords any longer? What about a day where you never need to VPN in? Could you imagine never having to change your passwords every 90 days?”

Den Jones:

Everyone’s like, “Yeah, we’d love that.” Well, could you imagine that being real in five months? We know we have the ability to deliver that. Carlos and I have got the experience where we have delivered it in months and not years. I think the one thing, when you talk to the CIO, the CIO conversation is different from the CSO conversation.

Den Jones:

We’d love to say to the CIO, these are the benefits for your workforce and your experience there. Even things like reducing service desk tickets related to password changes. On the CSO front, or the security team, you can turn around and say, “Would you like users to not enter their passwords again, but yet in the background do continuous authentication?”

Den Jones:

Would you like it so that you almost eliminate lateral movement. Also, when you’re thinking of your network security and your segmentation would you like to simplify that? Today when most VPNs, when companies build them, they give their full-time employees broad access to the network as opposed to just that one application.

Den Jones:

We’re taking it away from being an open network VPN scenario to something which is really nice and tight, and controlled.

Kim Hakim:

When you go in and you’re talking to the CIO or the CISO and you’re trying to implement a product that’s going to keep their security posture safer, how are you working with them to train the users to follow the rules? There’s always one or two bad apples in every organization that can take down the whole company. What’s your stance? Where do you come in with that?

Den Jones:

The great thing there is you don’t have to train your users to enter their passwords less and you don’t have to train their users to not have to use VPN. That’s a great thing. There’s a really low friction deployment and it’s a low risk. In both scenarios, we found that we actually could under communicate the transition and the change because it was pretty seamless to the workforce.

Den Jones:

One of the things, when you start implementing Zero Trust, the way that we’ve done it is we get to a position where you now decide if you want to enable the posture check to prevent the access to an application. In which case, you do need a good platform that gives a user some acknowledgement back and makes it self-service for them to remediate.

Den Jones:

To your point, Kim, if they’ve not patched their device, and we want that device to be patched before you allow the access to the application, we have the ability to be notifying the user that’s where they’re not meeting the requirement. Then, how do they remediate that so that they can do that themselves without calling IT because you want that to be self-service.

Den Jones:

You don’t want that to be a cost burden on IT. When you start to share this with the CIO, for example, you can turn around and say, “Look, here’s the financial benefits. Everybody understands there is a cost to password related to changes at the service desk, and it’s a friction for your users. If I turn around and said, “Wait a minute, we can reduce password related tickets by 60% or 80% is out of interest.”

Den Jones:

Instantly, the CIO likes that number. They like to see that because password related changes are usually in the top 10 kinds of service desk tickets. Things like that it is a conversation where you get to share three big benefits with the CIO and three big security benefits.

Den Jones:

It’s really very rarely in your career do you get a chance to lead a project where you improve the workforce experience while improving security. The Zero Trust implementation that’s exactly what you get.

Kim Hakim:

I have a question coming more from I have a really great relationship with many, many great CISOs in the industry because I’m not trying to sell them anything. They’re invited to be speakers on my shows and it’s just great that I don’t have to sell anything, because it’s a tough world out there trying to get in front of a CISO.

Kim Hakim:

I’ve seen over the holidays many prominent CISOs posting things on LinkedIn, yelling at sales people, stop booking calendar invites on my calendar. It must be such a tough world when you have such a strong message that you want to deliver to these C-level executives.

Kim Hakim:

How do you compete with your competitors to get in with them? I know you have your sales team and that’s what their job is supposed to be. What challenges are you seeing with that?

Carlos Martinez:

One of the things and you’re right, Kim, there’s a lot of noise out there that’s the reality is Zero Trust is something that’s used everywhere. You’re also right, we don’t hold that burden necessarily, but what we’ve done is we like to get out there and we have in meetups or just different peer groups where we try not to touch on the actual product or solution.

Carlos Martinez:

What we’ve done is we’ve gone in and talked about just like we’re doing here about approaches, what’s worked? What hasn’t? I think for us, everyone that we’re talking to is just interested. Just generally want to know what’s worked on your end from a communication standpoint and what tactics were really helpful for ensuring that there’s uptick in adoption.

Carlos Martinez:

When do you start enforcing access to certain resources, et cetera. On our end and Den, maybe you can provide some additional context, but I have not seen anybody turn us down when we’ve been discussing more from a practitioner approach on the methods for adoption.

Den Jones:

[crosstalk 00:28:58] I was just thinking, first of all, Kim, I’m really surprised because I thought not every competitor has a Den and Carlos. I was just thinking is that not the magic here? Geez, you’ve got Den and Carlos show, come on. In all seriousness, I think it’s one of the unique things about Banyan, which really was exciting for us when we joined was they actually have a free Team’s Edition.

Den Jones:

I always had an aversion for sales people and I apologize upfront for any sales people watching or listening today. You don’t want to have to call a salesperson in order to find out if the secret sauce actually works. The cool thing about Banyan is we’ve actually got a team’s edition. You don’t need to call us, you can just go online. You can get up and running in 15 minutes and you can see it work.

Den Jones:

I think of one of the differentiators we have is really our speed of deployment. You don’t need to talk to and speak to us about it. You can actually try it for yourself and we will not bug you because you tried it. I think that’s really, really cool. They have a Den and Carlos team, which very few of our competitors actually have.

Kim Hakim:

Well, there’s only one Den and Carlos, so there you go. It is just because I do deal with hundreds and hundreds of sponsors and that’s what makes, I love our sponsors, but everyone’s great. It’s just such a competitive world. I think that there is a certain due diligence that the chief security officers have to do by looking at all different types of products and services that are out there.

Kim Hakim:

I can see how they can be so overwhelmed because there is so much out there. Going back to some of the tips and tricks and lessons learned, have there been some lessons learned that you sit down and have discussions with the CISO about, “This is what we were doing before, what do we need to do now? What lessons have we learned from what we did wrong and what can we do right?”

Carlos Martinez:

I’d say some of the pitfalls that I know we’ve run into have been things like going out and using the right terms even to get your users to adapt. Using the term Zero Trust as an example for your user base has been negatively received. You can use other terms to say, “If you want borderless frictionless access, this is a new method of getting out there.”

Carlos Martinez:

Small things from like changing that conversation or focusing on the conversation and selling and upselling the benefits to your users as you’re deploying is one thing. Another is really not relying on a single vendor to do it all. I know vendors will sell that they can do the identity, the endpoint management, and all these other functions.

Carlos Martinez:

The reality is enterprises want to integrate. They want best in breed and they want all these components to work together. Really not budging from that if you have an identity solution that you’re using and you’re happy with really resisting the need to move and transition for this Zero Trust initiative.

Carlos Martinez:

Those are for me are two things that I always tell people is make sure that when you’re communicating out to your users, that you have a crisp message, and to leadership as well. Then the other thing is make sure that the product you do select [inaudible 00:32:55].

Den Jones:

One thing, Kim, as Carlos mentioned, you’ve got existing investments and it’s really, really important that you don’t have the executives in the company think that they have to go in buy and invest and throw away their existing investments. The important piece of this is when you’re looking at solutions, look for solutions that integrate really well with the existing investments you have.

Den Jones:

Ultimately, you do want best of breed. Some people want suites, but in my experience best of breed when you’re talking about something like this is really, really important. Ultimately, don’t leave with the impression that you need to rip out your VPN. I’ve never used that as an excuse or a justification for the Zero Trust programs that we’ve led before to say, “We’re going to get rid of VPN.”

Den Jones:

You’re more than welcome to look at your VPN options. I think what really happens over time is your VPN usage starts to reduce. What is important for us and one of the lessons learned was we struggled in both cases to understand which applications were the heaviest hitting applications via VPN, that we then say, “Let’s Zero Trust enable those.”

Den Jones:

Getting that information and transparency into that journey, we managed it, but it took a lot of work for us and a lot of heavy lifting to do that. I’ll close off with you don’t need a big team. The existing people that look after the existing things like the identity stack or the endpoint security stuff or the MDM, these are the same people that are going to participate in your Zero Trust effort.

Den Jones:

You don’t have to build a huge team in order to get good results.

Kim Hakim:

We’ve been almost two years in this COVID world that we live in. We started seeing people starting to go back to work and now companies are going back remote again. What do you think are some of the biggest challenges that the CISOs, what do you think they’re going through right now with all these changes of people coming back to work, and then suddenly they’re back home.

Kim Hakim:

Again, what advice are you giving to them and how are you staying ahead of that curve of all these changes and something bad can happen? Once again, here we are quickly going back home again.

Den Jones:

I’d love to start by saying everyone’s been home and they’re on their home networks. The quality and the security of home networks varies. The risk is that you may have infection on your device, or you might bring something bad into the office network.

Den Jones:

Most office networks are wide open networks, once you get in, you think you’re safe because you’re in your corporate network, if there is anyone with a compromised device or malware, then those bad actors will start to spread really quick. For me, the ability to turn your corporate network into guest network where all you can do is get to the internet.

Den Jones:

I think that is a really compelling story for any Zero Trust endeavor. I think that’s a huge one. That’s why knowing the posture of the device and the visibility into what they’re accessing and then getting that network so that you can’t have a huge big wide open office network, that’s for me is really important this year as we’re starting to transition back in, and back out and back in. Hopefully, have don’t get to return to work soon.

Carlos Martinez:

That’s exactly what we’re hearing from folks as we discuss what the long-term plan is I think everyone’s in agreement that we’re moving towards this hybrid world. Simplifying the corporate network is something that I know a lot of folks have discussed.

Carlos Martinez:

Came back to your earlier point. I think that is what does the future look like? I think it’s that hybrid world. How do you simplify your corporate network so you can apply some of the same principles.

Kim Hakim:

When things have come out of nowhere, for example, we did a wrap up event in 2021 in Atlanta, it was the perfect storm. Omicron and then Log4j, and all of a sudden, we’re trying to get these people to come back out. What impact do you think Log4j is now going to leave with, again, going back to Zero Trust?

Kim Hakim:

What can people do? That just seems like a mess and I can’t really wrap my head around the whole Log4j thing, but you guys are the experts on that.

Den Jones:

I think from a networking perspective making sure your egress and the access to these systems internally, that you’ve really got that choke point and you can try and block there. Ultimately, it’s really about developers and incident responders. My hat’s off to those people who work tirelessly over the break.

Den Jones:

They’re going to spend a lot of time trying to identify code and older systems and how do you protect those things is a challenge I think that’s going to be around for a long time.

Kim Hakim:

Carlos, I don’t know if you had anything you wanted to add?

Carlos Martinez:

Exactly what Den said. We are obviously not out of the woods yet. This is going to have a long-term effect for folks patching and whatnot. It’s definitely something that will change the view on moving forward how do you quickly assess and determine how the impact in the organization.

Den Jones:

One thing I want to make sure Kim, I’m clear on is Banyan from our perspective, we have no impact with Log4j. Luckily enough, one of our co-founders made great decisions early on with the technology stack that we use. Lucky for me and our team that we looked internally and there was nothing to find. It’s not in our stack. We were pretty delighted by that outcome.

Kim Hakim:

We have a really great, it’s on our YouTube channel at future con events, and our last wrap up we had James Azar, who is from the CyberHub podcast, and we had Homeland Security there. We had a lot of government sector sitting on a panel and it was right when Log4j came out and they did an hour talk about it.

Kim Hakim:

One of the things James said is as cybersecurity practitioners, we’re like retail workers at Christmas now. All of a sudden something hits us and we’re working hours and we get our time off. Well, I don’t know when they ever get their time off, but I definitely that was a bummer for all those people that had to work through the holidays and are still working.

Kim Hakim:

Anyway, I had to talk a little bit of Log4j because it’s still out there and it’s still keeping people hands down 24/7. Going back over to Zero Trust, can you tell us going back to some of those examples and some of the things that Banyan Security is doing when you go into a company, how would they even get started with if they’re already into something with a different vendor?

Kim Hakim:

I feel like a lot of people, “If it’s working, don’t fix it.” How do you get them to that scare factor of, “Things could change tomorrow. You better protect yourself.”

Carlos Martinez:

What I can tell you is that for organizations and practitioners we all know the end state of where we want to be. It’s that transition that is critical. It’s everything. Having the tools that allow you to iterate and I mentioned this earlier is you find the use case, and then you gradually start expanding and having the tools that enable that is key.

Carlos Martinez:

In particular, Banyan Security does offer what I feel and one of the reasons why Adobe selected Banyan is because of the versatility, all the different tools that enable you to get started with things like a service tunnel, where you can have the ability to allow access.

Carlos Martinez:

As you gain visibility, then you apply these very granular policies that apply Zero Trust principle. It’s all about finding that versatility, having the different capabilities to enable you to transition to that end state.

Den Jones:

I would say Kim, it’s really interesting. We were fortunate that we ran the identity stack for the workforce authentication. It was pretty easy for us to insert into that workflow of the authentication, the posture check to ensure as you’re authenticating to those apps, we can check the device posture.

Den Jones:

This is one of the cool things is if you can sit there and say, “I want to just pilot this in a small environment,” you can see it working. That’s a really easy way to get up and running. People don’t realize it is actually pretty simple to get started provided you have the flexibility within your identity stack.

Kim Hakim:

Well, can you tell me there are some I’ve had a couple people on the show that they’re trying to completely go to zero passwords, no passwords, but I think it’s a little different from what you guys are doing. How are you guys implementing that? I would love, just for example, this show right now, I hadn’t been on this my radio show computer for a month.

Kim Hakim:

It took me 20 minutes because I couldn’t remember my password that I put in a month ago. I had to reset everything and it was annoying, and I’m just one person. How are you implementing that into corporations?

Carlos Martinez:

The solutions vary out there, but Banyan will deploy as part of the registration process an ability to establish the identity of that user, and additionally the device through use of certificates. We’re able to securely not just distribute, but also manage the whole life cycle so that we’re reducing that need for you as an example, to be presented with your username and password.

Carlos Martinez:

That is how we’re doing it today with the Banyan solution and it’s great. People are not getting the continual prompt to enter their credentials plus MFA, and rinse and repeat. It’s been really, really popular. I think people are like, “Give me more of this.” I would say at Adobe and Cisco, one of the number top three items.

Carlos Martinez:

It was one of the top three items that people we would never get away with was like, “Why am I being prompted so often as I access to SaaS and on-prem resources?”

Den Jones:

I’ve been in the identity game since the mid-’90s, Kim. When people started to talk years ago about single sign on, it was always one of those terms that made me feel sick because you’re not single signing on. Really what happened for so many years in the industry was you’d log into your laptop or your computer.

Den Jones:

Then you’d start logging into applications and services. If the application team didn’t partner with the identity team, into your single sign on platform of choice, then the users would have to log into that specific application again. The reality is usernames and passwords.

Den Jones:

It’s not that they don’t exist any longer, but what you’re really trying to do is have them be in the background so that the users don’t see or are prompted to enter username and password. If you look at the industry and just where the industry’s going, we’ve not eliminated the username and password, we’ve just made it less relevant and ideally less in the face of the user.

Den Jones:

I will always tell people, it’s not about single sign on. I think of it as dynamic authentication. We might want you to step up depending on the context of the user, the device. We try and also have you log in less or see an authentication prompt less because we’ve got a better trust with the user and the device context.

Den Jones:

For me, it’s a very fun time in the industry right now because we’re getting to a position where most of the vendors out there, including the OS and hardware manufacturers, they are doing things that are leveraging your biometrics and things of that more, your passwords less. It’s a fun time to be in the space.

Kim Hakim:

I have Manuel Salas. He is one of our LinkedIn listeners. Our LinkedIn listeners have been super quiet today. We have a lot of them out there. He said, “Did Mr. Jones work for Adobe as well?” He did. He said, “He looks familiar.” I’m not certain, Den, if you have anything to say on that.

Den Jones:

Manuel, I do look familiar. I look like very many famous actors out there. If you watch some good movies, I’m sure they’ve used my face and many of them. Nice to see you, Manuel. Thanks for checking in.

Kim Hakim:

He said, “Hi, Carlos.”

Den Jones:

Hello, sir.

Kim Hakim:

Anyway, is there a certain industry sector that you guys are better for? Is it everyone is your customer or what are you guys doing with the industry?

Carlos Martinez:

There is no particular vertical that I would say would be more interested than others. We actually have customers across the board. Really everyone is looking, I would say at applying Zero Trust principles in different use cases. Some development heavy organizations or just folks that really have just the need to get out there, and secure some web applications for productivity apps.

Carlos Martinez:

I think for anyone, as far as the customers that I’ve engaged with it just varies across the board. I wouldn’t say that one vertical or industry would be more interested. That’s certainly not what I’ve seen.

Kim Hakim:

Den, did you have anything that you wanted to add? I’m primarily asking that because I’m interested in banks. Especially, when they’re doing MFA and stuff like that, how are you working with banks?

Den Jones:

As Carlos said, there’s not one specific vertical. In the banks specifically, I don’t know as much about our customer as Carlos does because he’s heavily involved with our customers and the customer success team. I think of it like banks or the financial sector MFA is vitally important to everything that they’re doing.

Den Jones:

I’m a banking customer, I would hate to think of my banking systems or the privileged people that run the systems in the banks. I’d hate to think of them not using a multifactor. I would love to think of them as being a Zero Trust implementation, because it’s vitally important that especially the people that run those systems that they are at least looking at the posture check of the devices they’re coming from.

Den Jones:

I think the whole industry’s, if I just generalize it a little bit, if you think of something like ransomware, we have the ability with a good Zero Trust implementation to almost eliminate ransomware spreading across your organization. I look at banks and other sectors and just say, “Look, there’s not one magic sector, Kim, but we have the ability to be a Zero Trust a good implement to really combat some of the threats that we’re facing right now.”

Kim Hakim:

Manuel’s still out there. I think he’s a jokester out there. He said that he lives in San Jose and you guys used to come and get coffee from him.

Den Jones:

I think we certainly did use that Starbucks at Park Plaza because it was right across from the Adobe Towers. Carlos, every now and again, you need to leave the office and get some caffeine.

Kim Hakim:

Eddye Royal from Dallas, thanks Eddye for chiming in today. This is going to happen. We have about five minutes left and then we’re going to start getting people asking us questions when we’re at the end of the show. Everyone’s still quiet. I guess they’re trying to wake up from New Year’s Eve.

Kim Hakim:

Anyway, we’re coming towards the top of the hour. We still have about four minutes left. Let me turn it over to you guys and have each of you talk a minute about some of the tips, tricks, lessons learned your advice of how to make 2022 a more secure year so these corporations aren’t spending 24/7 trying to fix some sort of ransomware, anything that could possibly happen?

Carlos Martinez:

I would say again find that use case in your organization to get started in your Zero Trust journey. Does not have to impact the entire company. Really just focus on that one use case, gain experience and expand. As Den pointed out, if you are looking to just kick the tires, just understand how a product, a Zero Trust network access product, works.

Carlos Martinez:

Without any commitments go to banyansecurity.io. Try out the Team Edition and you can get started really, really quickly.

Den Jones:

Kim, I think the thing I’d love to leave everyone with is with a good Zero Trust implementation, you can certainly secure and protect your environments a lot more. That’s pretty easy to take away. Then the other thing is if you’re really struggling to get started come up with a plan, but then also reach out to myself.

Den Jones:

If you ever want to hear our stories and even have us talk about your environment. We’re not the sales team, so I’m not trying to sell, I’m not motivated or commissioned by selling. I am certainly as a practitioner, really excited to meet other practitioners and help however we can.

Kim Hakim:

Are you guys excited to get back out there in person? I know you’re going to be live at our Dallas event on January 20th. How excited are you and how encouraging are you to people to come back out in person?

Den Jones:

We are super excited about the event. We booked our flights and hotels weeks ago and we can’t wait to get there. We’d hope we’ll see many people out there. Certainly, ideally we can talk some tech and talk about how people can get started.

Carlos Martinez:

Absolutely, can’t wait. My wife can’t wait to get me out of the house in years.

Kim Hakim:

Well, good for you guys that you booked your hotel and flight because I’m running the event I haven’t done that yet. I better do that when we get off this show. Guys, thank you so much for spending the last hour with us. I look forward to seeing you guys out in Dallas, Texas. Then, you’re going to be in Los Angeles.

Kim Hakim:

The Super Bowl just moved out of Los Angeles. Let’s hope we’re going to see each other in Los Angeles. I’m not hanging my hat up yet, I’m planning on having that event. Thanks again, guys. Carlos Martinez and Den Jones from Banyan Security. Thank you so much for spending this past hour on And Security for All. Super excited for next week.

Kim Hakim:

I have Tina Patoni. She is one of the greatest speakers I’ve ever had on one of my shows. She is now working for Google. Let me get it correct. She’s working for Google Cloud. She took that position last year. Make sure you guys tune in next week because we are going to have a great conversation with Tina Patoni.

Kim Hakim:

Thanks again, everyone. You guys, Happy New Year again. Thanks for tuning in and check us out at futureconevents.com and we will see you next week. Stay safe, stay secure. Have a good weekend. (silence)
