Jim and Jeff talk with Den Jones of Banyan Security about secure remote access for enterprises.
Speaker 1 (00:00:09):
You’re listening to the Identity at the Center podcast. This is the show that talks about identity and access management, and making sure you know who has access to what. Let’s get started.
Jeff Steadman (00:00:25):
Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. Hey, Jim.
Jim McDonald (00:00:29):
Hey, Jeff. How are you? And happy new year.
Jeff Steadman (00:00:31):
Happy new year. Welcome to 2022. The first show of 2022.
Jim McDonald (00:00:37):
Yeah, the first call I had was on Monday, coming back from the long break, and I felt like I couldn’t even concentrate. But I’ve been on the phone all day now, for the behind the scenes this Wednesday, after new year’s, and yeah, starting to get back on track.
Jeff Steadman (00:00:57):
Yeah. My favorite part is trying to remember what it is I do for a living, and how to do all the different things that I just don’t do very often, and have to start again in the new year. So it’s always good times. I’m sure other people are like that too. It was always a big time for password resets, coming from security ops.
Jim McDonald (00:01:12):
Yeah. No doubt, no doubt. And for what we do, I just was reminded of one of the interesting aspects today, which is we hold workshops with our clients to help kind of develop their IM strategy, and we’re meeting with people throughout the organization. So we might be meeting with somebody from the business continuity disaster recovery side, or logging, or you name it, any other part of IT, the PMO. And if folks aren’t prepared or understand why IM might have something to do with their area, or why their area might have something to do with IM, they’ll ask questions like, why are you asking these questions? What does what I do have to do with what you do?
Jeff Steadman (00:02:02):
Jim McDonald (00:02:02):
And so I think it goes for a lot of parts of life though, right? I mean, you got to kind of set the context, you got to kind of set the baseline. And just I felt reminded of that today, and that was what I wanted to share.
Jeff Steadman (00:02:16):
Yeah. Context is key in setting the expectations for any conversation. You and I were part of that same conversation, and hopefully I brought it back to try and rescue kind of where things were going. But I think, in full transparency, it wasn’t a great start, but we figured it out.
Jim McDonald (00:02:34):
Yeah. Well, I mean, it’s something we’ve run into many times over many years, so it’s something that… I mean, it never goes away. I used to call it stump the jump, because you get in a situation where you kind of feel like some of those questions are trying to get you rattled. It really kind of depends on how aggressive the person gets, in terms of why are you asking these questions? But I think for the most part, people are just trying to understand like, why do you need to know this information? Because we’re all kind of guardians of the information that we’re responsible for, and you don’t want to just give out that information willy nilly, especially if it’s secret to that business.
Jeff Steadman (00:03:29):
Yeah. Plus also people don’t want to waste their time. Right? Why am I here? What’s the point of this? This could have been an email, instead of a meeting. Right? All that stuff too. So it goes with it. We also started something new over the break. Do you want to talk about that?
Jim McDonald (00:03:46):
Yeah. So it’s IDAC, Identity at the Center, or IDAC.live. It’s a YouTube streaming page, if you will. We’re going on once a week and we’re streaming video. We’ve always been resistant to doing video with the podcast.
Jeff Steadman (00:04:04):
And when you see the video, you’ll know why.
Jim McDonald (00:04:08):
That’s probably true. But I think it’s interesting, because we do the podcast and it’s more formal, more structured. There’s always guests. Whereas the stream is just you and I, and it’s a little less structured. We pick something like an article we’ve read recently, and just share our thoughts and our experiences relative to that, or whatever comes to mind. And I think people will like it. Because I think, I follow a few podcasts myself, and definitely you start down your podcast route based on what your interest areas are, and you want to hear what these experts in whatever field it is talk, but after a while it’s the personalities and the sidetracks that keep you interested in it. And if you like those personalities, you keep coming back for more. And hopefully people like our personalities and come back for more with the stream.
Jeff Steadman (00:05:11):
Yeah. It’s fun. I like it. It’s different. We’re still kind of figuring out I think format and length and time and when to do it, and things like that. But I like that it gives us the opportunity to be more current with things. And also if you’re watching the stream, or even after the fact, you can always comment and we can engage in a conversation kind of real time and answer questions, and let people give our two cents on whatever they’re thinking. We’ve done it a couple times here, so it’s cool. The wild madman ramblings of Jim and Jeff, when it comes to IM and whatever else strikes our fancy for that particular day.
Jim McDonald (00:05:48):
Jeff Steadman (00:05:50):
Well, let’s pivot this to where we want to take this conversation, because speaking of smooth transitions and the wild ramblings, I feel like Zero Trust has been one of those for the last couple of years. It has not stopped. It has gained steam over the last, I’d say really the last year is when I’ve seen kind of a lot of growth in that area. And we’re very fortunate that for our first guest of 2022, we’ve got Den Jones. He’s the chief security officer at Banyan Security, and he’s also an advisory board member with the Identity Defined Security Alliance. Welcome to the show, Den.
Den Jones (00:06:26):
Hey guys, thank you very much for having me, and happy new year, everyone. It’s great to be here.
Jeff Steadman (00:06:31):
Yeah. Happy new year. And I should also, I’m going to tease something we’re going to talk about later. Also known as Urban Punks. So we’re going to get into what that means a little bit later, because I am totally fascinated by this. But before we get there, let’s talk a little bit about identity. And this being the first time on the show, we always like to kind of find out what the identity origin story is for somebody, whether it’s identity or InfoSec at large, is it something that you chose or did it choose you? How did you get into this space?
Den Jones (00:07:00):
Well, I tell you, so I was a young kid at college, back in Scotland, in the mid nineties, and back then it was pretty hard to get a job out of college. So out of 38 class members, I was the one person that got a job in the first year of leaving college. And I just happened to join a factory, working in a small IT team. And my first job was I was going to be a Novell admin, a network admin, a server admin, an email admin, all of the above, like all these smaller IT teams. So my first identity gig was really working with NDS Novell version 3.11, I think it was back in those days. And so I’d say, in desperation, I got the first job that came along. So it kind of picked me, I think. But I just wanted a job. So worked hard there, and just started to learn more things. So then it was really a Jack of all trades.
Jeff Steadman (00:08:07):
So I know you kind of had that IT background. I guess what was the pivot, from managing an IT infrastructure, where you’re like, yeah, give me InfoSec, that’s what I want. I’m crazy.
Den Jones (00:08:19):
Yeah. It was really bizarre. So I left that company sometime, done some contract work, and landed in Adobe, back in their Edinburgh office, European IT team. And then in 2001, moved to the US. And if anyone follows the Adobe history, we certainly had our challenges, from a security perspective. And at some point, as part of a huge investment Adobe were making to try and get on top of all of their challenges, they created a central IT security team, and I was part of that. And what I led was all of the directory and authentication stuff, all the privilege stuff. So really everything was all centered around the directory type services, because that’s what I had been doing for pretty much 20 odd years.
Den Jones (00:09:13):
So I knew, even with Adobe, I’d been in Adobe, at that point for over 15 years, so I knew where the skeletons were, because I knew about privilege, because I knew about how the server team ran their stuff. So privileged identities on servers. I knew how we’d done our social media stuff. I knew about our banking and financial systems, because I’d led services that catered to those. So when you think of identity, identity is not just the regular person that logs in and checks email, right? There’s privileged identity, especially is where you get into, it’s not just an API account, it’s not just an engineer, it’s all of the above and more. Yeah, so that was a fascinating change.
Jeff Steadman (00:09:58):
And you’re not the first person from Adobe we’ve had on the show. We had Eric Anderson on a few months back last year, I guess, technically, at this point. And it was a great conversation. I think it was episode 91, if I remember correctly, so encourage people to go back and check that out. And also shout out to Eric, because I had forgotten how good The Struts were, and based on our conversation on that one, they owned my Spotify listening habits for 2021. But I digress. So at this point, Den, you’re with Banyan Security. What does Banyan Security do? Because for people who aren’t as familiar with the organization, I guess what are some of the issues or challenges that you guys look to solve?
Den Jones (00:10:38):
Yeah. Well, the first thing to clear up is we are not the Banyan VINES team. So anyone who’s been in the industry long enough will know there was this old company called Banyan Vines. I never used their technology, so I don’t really know too much about them, but I can tell you about us, which is we’re a small startup in the Zero Trust space. And we’ll get back to what do we mean by Zero Trust, I guess soon, but in the Zero Trust space. I was a customer of Banyan when I was at Adobe. Eric and I and our team, we adopted Banyan’s platform early on. We were really excited about it.
Den Jones (00:11:20):
Years later, because I’d left Adobe for a few years, I joined Banyan with really some enthusiasm, because their proposition in this space, I think, is pretty unique. Their ability to get up and running really fast is brilliant. It’s a really customer, great user experience, user experience friendly platform. And then one of the other things is, VPN or not to VPN, they not only help you recognize and solve that question, but they’ll show you and help you understand where you are in your journey of Zero Trust, which is really unique. There’s not a lot of players in the market that do that. So I knew the co-founders from working with them before in Adobe, and they reached out. They wanted to bring in some people who had had practitioner experience. So me having led a team at Adobe to deploy Zero Trust, then led the team at Cisco. I’m uniquely positioned to talk about the scars and the whirlwinds of actually delivering Zero Trust, and how do you pull that off. So it’s an exciting thing.
Den Jones (00:12:32):
The good thing is, I’m not a big fan of salespeople. So I don’t mean to disparage on them, but they’re not my favorite type of people to engage with. So one thing that we’ve got, which is really cool, you don’t need to talk to our sales team. You can just go to banyansecurity.io and you can take this test drive. And for a small team, it’s actually bit of a teams edition, which is free, and you can get up and running in 15 minutes. So you can get started, and it’s pretty cool. So I don’t want to do the sales pitch. That’s really not my job. I don’t want to be a sales guy, so I’ll let people go figure that out for themselves. And they’ll find out how to call the sales team if they want that.
Jim McDonald (00:13:13):
Den, love the origin story. It’s kind of a blast from the past, thinking about the directory days, because I think if you were involved in IM and account security 15, 20 years ago, it was all about LDAP. It was all about Netscape directory or Sun directory or even Active Directory, which was kind of the… it was frowned upon in this establishment, in terms of being a true directory. And it’s interesting today how much more it’s looked at as the de facto directory standard. Or maybe not the standard, but at least the standard bearer. I’m also glad that you brought up the Banyan VINES speech, because I do think… I’m going to go on a limb here, Jeff, because we had one guest who, part of their origin story was they were a Banyan VINES administrator. And I think it was Jackson Shaw, episode 52, back in July of 2020. So I’m going to go back and listen to that. I think it was him. If I got that wrong, it’s my bad. But yeah, you don’t really run into that many folks who have Banyan VINES in their origin story.
Jeff Steadman (00:14:30):
Yeah. I don’t know for sure when it was, I’ll be honest, but it’s old school. When I think of Banyan, I think of Steve Banyan from… well, that’s a different Steve Banyan, but I think of Banyan from Seinfeld. So that’s just me.
Jim McDonald (00:14:46):
Yeah. That’s funny. So we are going to talk today about Zero Trust, Den. I’m not sure if you’ve heard of it. But if you have, maybe you could give us a, what is your definition of Zero Trust? What does it really mean to you? Is it a product, or is it something more?
Den Jones (00:15:11):
Yeah, it’s a great question. I always say to people, if you get 20 people in the room and you ask them what Zero Trust is, you’ll get 25 answers. And I still think, after all these years, you can go back to the John Kindervag days, where in Forrester he’s got the paper out and says what it is. You can go be for that, where you talk about the US government defense, where they have their views on that. And then you’ve got Google’s BeyondCorp. I kind of look at it like, is it an architecture? Is it a principle? Is it an ideology? The reality for me is, I sum this up really simply, is I try and steer away from the term now, because I really want to focus on the outcome.
Den Jones (00:16:01):
I think so many people get wrapped up on what they mean by Zero Trust, that they forget we’re actually here to run a business. And the biggest part of the outcome is, the way the identity industry has moved forward, years ago, I needed to know it was Den that was going to access the app, so I put in a username and password, and there was no thought of trust given to the network you were on. So that whole idea of you’ve got your firewall, and if you’re inside the corporate network, you’re good. Well, that I think has obviously evolved over the years, the way we’re being attacked by bad guys. So I just kind of look at this like, Hey, this is a bit of an evolution of how we access applications and services, taking into account that the networks and the environments we’re coming from have a totally different level of trust.
Den Jones (00:16:52):
So what we’re really trying to do now is establish a better level of trust. And in some cases, when you get more mature, you might talk about that trust level might be more dynamic, right? I don’t know the type of app I’m going to, the kind of role I have, the kind of device I’m from, the country I’m from. So when I think of this, it’s no longer simply, am I in the network on my corporate computer, where I just go straight to the app internally?
Den Jones (00:17:20):
Well, we’ve evolved. We’ve got so many more Cloud apps. We’ve got so many traveling workforce, especially in the recent years with all the work from home. Then that’s totally changed our concept or our thinking on a lot of this. But how we’re being attacked. We’re no longer being brute force attacked, let me break your firewall and get in. We’re being, here’s an email, just click this link. And then all of a sudden, the bad actor’s on your device with your credentials. So for me, it’s a different mindset. I just see this, though, as an evolution of what we’ve really been trying to do in the industry, on guaranteeing that it’s you, and that it’s not a bad guy pretending to be you.
Jim McDonald (00:18:03):
Yeah. I kind of feel like if you were to put together a degree program in identity and access management, Zero Trust would have to at least be one of the courses. And for me, required reading would be the NIST paper 800-207, which is the Zero Trust architecture. It’s heavy, right? That’s kind of putting it in that university context, a lot of reading, but it’s good reading, right? I think if you really want to understand Zero Trust, and kind of build a footing in it, it’s a good place to start. I think the other thing is how to talk about Zero Trust, because there’s this selling process within the organization, right?
Jim McDonald (00:18:50):
The first time I heard of Zero Trust, it did cross my mind, what, you don’t trust me? And I kind of always feel like when we talk about Zero Trust to somebody who’s not an IM lifer or a security lifer, that’s probably the impression that they get, like you don’t trust me? What do you think of that kind of selling process of Zero Trust, from a CISO perspective, right? You have to talk to non information security nerds like us, and make them understand what it is and why it’s important. And so how do you do that, and get past those kind of hurdles?
Den Jones (00:19:31):
Yeah, and there’s three main audiences. In Adobe, it was a uniquely different experience, because the term Zero Trust wasn’t as mainstream as it is now. And so we’re going back to late 2017. And the way I phrase this… and I was blessed, I had a good architect that was in our team, that really was hitting my head off a wall saying, Hey, we should look at this. We should do this. It wasn’t my brainchild, in Adobe, to start the program off. I had a great architect, Bensey John. He was hitting my head off of a wall saying, but look, think of this thing. So it started with him selling it to me, and he was selling it to me really at technical level, but then an emotional level. And the first thing I thought of is, okay, this thing actually would be brilliant. Totally, now I’m sold.
Den Jones (00:20:29):
And the principles of the easy sales technique, there’s three audiences. There’s the person that runs IT. There’s the person that runs security. And then there’s your user base. And if you start with your user base, and you turn round and say, would you like to never have to enter your username and password again? Right, that sounds like an easy question. So would you like to never have to log in via VPN again? Okay, sounds like an easy question. How about you never want to change your password every 90 days again? And that sounds like an easy question. So if you got your user community and you say, Hey, do you want some of that? That’s easy.
Den Jones (00:21:10):
If you go to your CIO, and their leadership team, they are all about user experience in the organization, and they’re all about saving money, right? CIOs are under extreme pressure to reduce their operational costs. So if you turn around to them and you would say, how would you like to reduce the service test tickets related to password change by 60 to 80%? They’re all over that. If you would like to say to them, and how would you like to not have to have users change passwords and use passwords? And when you tell them the same thing, their eyes light up, because they get it, and they can translate that to a softer dollar value that they can take back to their leadership.
Den Jones (00:21:57):
Now, if you go to the security leader… now in those days in Adobe, I was the director reporting to their CSO. When I go to our CSO in Adobe, I was like, Hey, how would you like to improve in these ways? And by the way, your peer, the CIO, she’ll reduce her cost by X, Y, and Z here, here, and here. At that point, the security conversation is really good. Would you like to improve security so that bad guys can’t scrape passwords, and we’re doing more multifactor or more dynamic authentication? Would you like to remove the ability for lateral movement?
Den Jones (00:22:37):
Would you like it so that when you VPN in, the employee who VPNs in, doesn’t have full access to the corporate network? Because most companies, when they build VPN solutions, they lock it down for all these groups. But generally, the full-time employee group, which is your biggest group, they’re not locked down. They usually get full access, because locking it down was very expensive and very complicated, and usually flawed anyway. So when you tell these people that, all of a sudden these three audiences, they love what they hear, and you’re not mentioning Zero Trust. Because you don’t have to say, would you like some Zero Trust? Especially when nobody really agrees what Zero Trust is.
Jeff Steadman (00:23:24):
Yeah. It’s not like there’s an easy button for it. So Den, you sold me. I don’t want to change my password anymore. I don’t want to have to enter the one I do have as often. Now becomes the hard part, I think, in a lot of people’s minds, and that is where do I even start? I guess my question to you would be, how do I get started with Zero Trust? And if you can kind of help me understand that, I think that would help a lot of people out there.
Den Jones (00:23:50):
Yeah. So there’s people, process, technology, but just from a… most of us and the listeners are technologists, right? So let’s talk about technology. So I was in charge of the identity management of both companies, Adobe and Cisco. And you don’t need to ask permission to improve the experience of the authentication workflow. So I started there, I said, well, wait a minute, I’ll improve the experience. We connected our Okta platform in Adobe to our Zero Trust platform for posture check. So the very first thing we done, was we done a really small pilot, where we built this little environment, a little pilot environment, and we took Okta, and those days it was VMware vIDM and F5 APMs for the reverse proxy. And we built these things together in a small pilot, to prove that we could use a certificate instead of the password, that we could do a posture check on the device, and then we could seamlessly let you into our applications on the network, but only to the specific selected applications.
Den Jones (00:25:10):
So basically we were internet enabling those apps. That was the kind of feeling you’re giving, for someone who’s on a device which has the Zero Trust stuff. So in our case, the Zero Trust stuff was, was it IT managed? Did it have our endpoint protection on it? Are we looking at the OS version? Do you look at the patch version? In your journey of Zero Trust, that posture check can improve. We didn’t start it off complicated at all. It was latest OS, and was IT managed? And then with the endpoint protection. And our certificate. Our certificate existed, that was a big thing, because we used that to hide the username and password. So if you can inject into the authentication flow, and then do the posture check, and then divert traffic, if it’s an internal app, via your proxy, that’s not a complicated architecture to build out.
Den Jones (00:26:09):
We built our pilot environment in a couple of months, and then actually to expand that to production, friends and family launch, get some feedback, that for us, in Adobe, was a seven month project, to go from concept to actual full go live with 40,000 users. And along that journey, we were just testing it out with larger groups. But the architecture wasn’t very complicated. So I think people that think, how do I get started? I’ve heard all sorts of nonsense. I’ve heard someone say, asset management. And it’s like, what do you mean asset management? I don’t think in 20 years I’ve ever heard of the CMDB ever being right, and asset management ever been great. So for me, one thing I could do though, is I could say, using our Zero Trust platform, we could scrape the data off your device and the fact you logged in, and we can infer that we see you every day on this laptop, we can infer that that laptop is therefore yours, or we’re tagging it to you. And then we’ll drop that in the CMDB.
Den Jones (00:27:18):
And you would’ve heard Eric talk about this on your show, how we gamified and we showed the devices. So if you logged into an application from a device that had nothing, like didn’t have any of our Zero Trust, no endpoint, we would throw it under your name on that portal, and give you a flat zero. You’ve got a really low score. So if I wanted my organization to have a good score, then, Hey, guys, I better get to position where that device is managed. Because any unmanaged devices I log into any of our apps from, I’m going to get a bad score. So you can scrape that information. And stuff like that was really cool. When I think of Zero Trust, for me, Zero Trust is I don’t trust a device that doesn’t have at least three things that we want it to have. And we’d scrape that. And then you get to the position as well, where within that same thing that you built out, you could deny access to the application if you weren’t Zero Trust enabled, meeting our minimum posture. And that’s the really powerful piece.
Jeff Steadman (00:28:24):
So I have a quick a comment around gamification. This is my brilliant identity software feature enhancement idea for 2022, that I’d love to see someone build. And that is, take the idea of Spotify unwrapped, where it listens to your music history and kind of comes up with here’s your things. Do the same thing for authentication, except gamify it in a way where it’s like, you typed your password in X number of times this year, or you took advantage of X, Y, Z methods, whatever it may be. That’s how big of an identity nerd I am, and I’m sure that somewhere out there someone wants to build something like that.
Den Jones (00:29:03):
Well, we were doing… yeah, in the Adobe team, so in 2001, we built a portal, myself and this one Lotus Notes developer. Believe it or not, Eric talked about this portal, where we used to allow self-service for groups, right? We done groups and password, that lipstick on the pig, in front of all these platforms that we had in Adobe. Well, myself and this guy, Vincatesh, we built this and in the original version of it, he built a Lotus Notes front end, and I had batch files at the back end, all going to Active Directory. And it was like net group, blah, blah, blah. And that’s how we were adding and removing users from groups way back in 2001.
Den Jones (00:29:46):
And for me, I wanted to evolve that thing to where we were going to be like a dynamic playlist. So I remember Tom on your show talking about role-based access control. And for me, I was never a fan of it, because it was always expensive, right? So I was like, well, why don’t we create it that you, as a user, could go in there and you could create roles, but you could create roles in the form of a dynamic playlist. Hey, if you’re in this org, you’ve got this title, you’re in this country, I want you to be in this group, and this group has access to things. And then all of a sudden we just do the look up every night and we’d start to see that. And then you kind of not gamify it, but you make it all self-service. My whole thing in my career was, I don’t want to have to work really hard. I want to build things that enable things to happen without being intrusive to our users. And in sense, that makes me not work so hard.
Jim McDonald (00:30:48):
So Den, one of the things that crossed my mind… well, first I have to kind of go back to the CMDB point, because I just thought this was funny. Jeff and I, we were, during our stream this morning, both in lockstep, need a CMDB, need a good asset inventory. Right? I mean, but I think the point that you’re making, is you’ve never seen a CMDB that’s perfect, but have you ever seen a non-existent CMDB, or one that is such garbage that you can’t even use it as a starting point? That’s the problem that I run into a lot. And it’s like, you at least need to know the basics of your environment, because how are you going to get control of access to your environment if you don’t know what your environment is?
Den Jones (00:31:34):
Yeah. I mean, I’ve never seen one that’s been so garbage that you’ve wanted to just throw it out and start all over again. I’ve seen some fancy Excel sheets. I remember really in the early days in Adobe, we had, before this was all automated, a lot of our networks were all Excel sheets. I mean, it was all just huge big tables and tables and tables. And in the end, we deployed BMC’s platform, but we also deployed Infoblox’s platform. We integrated them, and then we got BMC’s network automation technology so that it was always bringing that in. And I think the principle is a good CMDB is something which is derived via a discovery and automated means. So if you’ve got a nice IS or Cloud platform, where you’re building compute, you do have a choice to say, if I’m going to build a compute where it’s only going to last 15 minutes, how am I going to record that that thing existed for 15 minutes and then was pulled down?
Den Jones (00:32:42):
Like these kind of decisions, I think, are where you get into the nitty gritty of it, but ultimately, I kind of look at this like we have enough logs, we have enough automated processes, where it’s not hard to put it together. It’s just about dedicating resources and time to kind of make that effort. And a lot of CIOs, they all talk about CMDBs being brilliant. But at the end of it, when they’re really pressured about where do they put their money, they put their money on things that are very visible to the business. And sometimes the CMDB and these backend services, they’re just not so visible. So they don’t really enjoy the same level of funding, attention and love that you really need to have. But that’s life.
Jim McDonald (00:33:31):
That’s a great point. I’ve definitely seen that. One other thing I wanted to mention about the selling process of Zero Trust, is I think even people might start with the question like, well, why do I need Zero Trust at all? What is it protecting me from? Like, what is the benefit I get? And I think if you kind of dissect a data breach or a ransomware attack, and you kind of go through the parts and pieces of how somebody gets in, and then what they do from there. So you talked a lot about authentication, right? Which is the, how do they get in? But there’s other ways that you can have a ransomware attack, which is somebody’s machine could be compromised at a Starbucks location, or they’re working from home and click a phishing link.
Jim McDonald (00:34:21):
Part of the smart thing about ransomware containment is containment, right? Making sure that can’t spread laterally. And when we talked the other day, you brought up an idea, which I hadn’t thought of before, which was brilliant, around when you come on the corporate network, you’re in your own little cell. Kind of like when you go to a Starbucks or something, you join a public wifi, right? You shouldn’t see the clients who are next to you also on that wifi. Maybe you can, but that would be a security flaw, right?
Den Jones (00:34:59):
Jim McDonald (00:35:00):
It reminded me of 15, 20 years ago, when you would go onto a corporate network with your Windows machine, and you go into network Explorer and you see all these computers and all these printers, and you could just go and see what are they sharing? And if people were oversharing, you potentially could get into their file shares and do things. I was kind of like a network guy, so I was always goofing around, looking around, and people overshare all the time. I mean, who could be completely aware of all the settings and what they’re sharing on their computer? So I wanted to turn it over to you to kind of explain what your idea was around that, because I thought that was really interesting.
Den Jones (00:35:44):
Yeah, so one of the earliest things that I shared with our CSO was, do you want to, and I put the word almost, eliminate lateral movement? Because in every big attack, the bad actor comes in, they get a machine, and from the machine, they start spreading out. And they can spread out in seconds, right? This isn’t over months. They can be hiding for months, but they can spread out over seconds. So one of the things in that concept was, if you just look at network segmentation in the industry. So first of all, a lot of security people, a lot of their origins are networks. So they think of it like network segmentation and firewalls solve all problems, right? Or most of our problems.
Den Jones (00:36:31):
I’d like to expand on that a little bit further and say, I don’t necessarily disagree that they solve lots of problems. But if you take a network, you say, look, I’ve got a data center, I’ve got a lab network and I’ve got an office network. So just those three kind of base networks. To get from the office network to the data center, normally every good company would have bastion hosts, and they should require multifactor authentication. So there’s some level of gate to get in there. And lab networks, maybe they’re a bit twisted and unique. So they may have that, they may not. They might be wide open to get to, but if they were, then why would you segment them off to begin with, right?
Den Jones (00:37:14):
So the office network, that’s the one where the masses are. If you think of your privileged users, they’re usually always in the office network before they get privilege and go into their compute host bastions or whatever. But if you took that office network and you turned that into a guest network, and then all guest networks, Starbucks, for example, is like a guest network, all guest networks. So you’ve got the principle of, all I can do is get to the internet. I can’t see those around me, right? So if you do that to your office network, and your applications and services are all behind your Zero Trust platform, then you’re not VPNing in to get any wide access. The only thing you can do is connect to your Zero Trust available applications, and you get to the app and nothing else via that port and protocol, and it guarantees and ensures your device meets a minimum security posture.
Den Jones (00:38:15):
So the problem with things like ransomware and all this other stuff, is it can spread really quickly to things you don’t want. And it gets in really quickly, because usually the point of entry is someone clicked a link and their endpoint security software didn’t catch it. So do you have good endpoint? I don’t know which one’s the best. I don’t want to debate that. But the reality is, give yourself a fighting chance, as an organization, by saying, I’ll require that device have a good OS, be patched, have good endpoint software, good logging, and require multifactor. At least a basic hygiene that we know is all goodness. So the problem is, traditionally before Zero Trust, before what we were building, it was just username and password, regardless of the device posture. And it was on a network that was wide open. So if I can see 40,000 devices inside a corporate network like Adobe or Cisco or whatever, then that means a bad actor, once they’re in, they can spread that far, that fast. Usually in those networks, you’re going to find devices of varying states of quality of security posture.
Jim McDonald (00:39:36):
Yeah. I mean, you’re going to come in on the one machine, you’re going to scan whatever you can scan in a lateral way. And then if you can find another device and infect it, take over that device, use whatever accounts have been authenticated or hashes exist on that computer. And then replay that until you get to the point where eventually you can own the active directory, and then it’s game over, right? That’s when you pay the big ransom, whatever it’s going to take, because your company’s been brought to its knees. But interesting, one thing I wanted to key off of that you talked about there, is you talked about core corporate networks. I haven’t been on a corporate network in two years. I haven’t gone into an office in two years, but I VPN in. And I’m wondering, I learned a lot about ZTNA over the past two years, especially over this past year. And I’m wondering, is the next generation for VPN? Is VPN going to go the way of the dinosaur? Is it the TLS instead of HTTPS? If you’re following what I’m saying?
Den Jones (00:40:50):
Yeah. So it’s a great question. I’ve done a lot of presentations, 2018 onwards, on our Zero Trust efforts over the years, both the Adobe stuff and the Cisco stuff. And most of the questions that people gave me were, is this a VPN replacement project? Or did you justify the funding for your Zero Trust by using funding from VPN? And in all cases, I said, no. There’s a place for VPN. And I never used the funding for it. What I did use though, was the luxury of saying, Hey, we’re going to deploy this Zero Trust thing, and if ever this thing doesn’t work, you can still use the VPN stuff. We’re not taking that away just now. And then over the course of the maturity of your efforts, you get to decide, are you going to reduce the investment in VPN?
Den Jones (00:41:52):
One of the things that people really struggle with, on any Zero Trust initiative where they’re trying to reduce the VPN usage, is understanding the VPN stuff, and what activity’s happening over their VPN network. I would always just say to people, there’s a lot of players in the market. One thing I love about what we’re doing, is that we enable that visibility. We actually do have a VPN solution as well. So we do acknowledge that you might not be comfortable taking VPN away. There might be usages for that. But we use that to our advantage as part of your journey.
Den Jones (00:42:32):
I look at it like VPNs are usually wide open to your network with any port and protocol. What our proposition is with Zero Trust deployment is to say, it’s only that application and only that port and protocol that you need to get to the application, and you don’t get to the rest of the stuff inside your ecosystem. Which from a security perspective is huge, and from a user experience perspective is huge, because you don’t know where the app is. You don’t need to know where the app is and you’re not VPNing in.
Jim McDonald (00:43:08):
Right. I think the first scenario is less administrative effort. You can have access to everything. The other’s more administrative effort, but much more secure. Last question I wanted to kind of hit on relative to Zero Trust was, you were talking about how much money you can save for passwords. And I was thinking, if I’m the CEO, I’m thinking to myself, I don’t want to spend anything on passwords. It’s like you came to my house and said, I could put in a new well, and it’s like, I already have a well, I don’t want to spend money on that.
Jim McDonald (00:43:47):
So in other words, where I was going with that is like, I’d rather go passwordless. You talked about the days of people trying to brute force passwords is over, but people are still trying to use the password as a way, as probably the most common way to start a ransomware attack, or at least a data breach, or any way to infiltrate a network or an application is through a stolen password or a commonly used password, things like that, go to possession-based authentication. To me, it seems like it’s a critical component of Zero Trust, right? It’s your level of assurance that the person is who they say they are, grows much more by going passwordless. Would you agree?
Den Jones (00:44:33):
Yeah, absolutely. Now I’d love to come back to one point you mentioned on the VPN and the cost of administration. One thing to think of in a Zero Trust environment is, you’re not worried about the network ACLs and all that business. So there’s nothing of that. It’s if you’re a member of the group that has access to the application. So it’s really just by nature of you being in the directory group, you get access to the app. So there’s absolutely zero administration from a VPN equivalent, which is a great cost saver from an operational perspective. From a passwordless perspective, I’ve been trying to go passwordless since about 2011, I think. I wrote a white paper internally to Adobe, working with PwC, just on identity strategies. And this idea of being able to go passwordless was just always intriguing to me.
Den Jones (00:45:34):
Because, yeah, look, we always just write the same crap down on a post-it note back then, and you’d be like password. And then it’s like, okay, but you’ve got to change your password 10 times, or every so often, but you can’t reuse the last 10. So you append a one or a two or a three, but it’s always the same format. We’re human. We’re not that creative. If we use a password manager now, that’s brilliant. But from a corporate perspective, and this was great in Adobe, we used to give password managers out as part of just being an employee.
Den Jones (00:46:12):
But at some point we ended up saying, look, we’re not going to pay for this anymore. We’ll arrange a discount, and here’s a discount code, because corporate-wise, we had over 2000 applications tied to our Okta platform, all requiring MFA. So when we use certificates as part of that first factor and not a password, we’re like, what’s that password manager doing within their corporate? Really not much. In your home life, you might still have hundreds of things, because they’re not easily tied like that. But the desire to go passwordless is, if I’m not entering a password, I’ve nothing for the bad actor to scrape. And that’s a big thing, right? So for us, it’s like it’s changing the security posture at the same time as it’s changing that user experience.
Jeff Steadman (00:47:01):
Well, I think that’s the key part of passwordless, right? Is removing that hash that can’t be compromised.
Den Jones (00:47:06):
Jeff Steadman (00:47:07):
We’ve covered a lot of ground on the Zero Trust thing, and you can see why people are confused over it, just on this conversation alone sometimes, where it sprawls so much of the infrastructure and the network and the internet and all the different things that are out there. Which leads me to my last question for you, Den, and that is, what does good enough look like for Zero Trust in the year 2022? Because I feel like sometimes we get lost and say, oh, you need to have the latest and greatest, all the bells and the whistles, and you’re never truly done. But I think about this from a more pragmatic perspective is, okay, how do I get to good enough? Because this is not the only fire as a CISO that I need to fight.
Den Jones (00:47:48):
Yeah. No, that’s a real question, Jeff. And it’s funny, right? So both of my teams, but my Adobe leadership team that I worked with for years, great team, but they would give me so much grief because I’d use the term good enough all the time. And they’re like, if I told the organization, Hey, good enough, they’re thinking that I’m lowering my standards. And it’s like, no, I don’t want to lower the standards, but I want to recognize that we have other things that I don’t think are good enough. So let’s get this to good enough and then decide how far you want to take it. Right? So good enough, if you haven’t taken any steps in Zero Trust, I want to say, look, it’s easy. You’re not having to bring in a million players. I added one person to my staff in Adobe.
Den Jones (00:48:35):
We used the existing team that does the existing endpoint, the existing network, all the existing people. They’re just working together. And the good enough for me was get them working together, get a small pilot going, and then expand the pilot into production. And the first thing you want to really do is say, can we do a posture check as part of the authentication? Can we get to the internal applications via reverse proxy or some other capability? And if you can get to a position where you can say, let’s do those things, then for me, that’d be a great accomplishment as you go through your year.
Den Jones (00:49:19):
You get to expand further the network concept of turning your network into a guest network, or if you’re doing an M and A, try not connecting their network to yours and have the things that company needs, those people need, available via Zero Trust. Zero Trust enabled their devices. We done that in Adobe a couple of times, and it worked a charm. I would just say, take one step forward every day, that gets you in a position where you’re a little bit better off than you were yesterday. One of the big things that people get hung up on, and they don’t take a step forward, is because it’s not perfect. So good enough for me is a brilliant term, because it simply means I want to be better today than I was yesterday, and I want to recognize that this week I might focus here and next week I might focus on security intelligence or something else.
Jeff Steadman (00:50:12):
Yeah. It’s okay to get smarter. Right?
Den Jones (00:50:13):
Jeff Steadman (00:50:13):
You’re moving things along.
Den Jones (00:50:13):
Jeff Steadman (00:50:17):
Sorry, go ahead.
Den Jones (00:50:18):
Sorry. I was just going to say, look, we don’t have enough money and resources as enterprises to do all the things you want to do. So you have to be really smart and pick your battles wisely, and just not try and boil the ocean on everything you touch.
Jeff Steadman (00:50:34):
So I know that we normally will do predictions at the end of the year, but we’re weird and we’re going to start at the beginning of the year. Real quickly, because I know we’re running short on time is, what does Zero Trust good enough look like next year in 2023? If table stakes right now in your mind is being able to do that posture check, what should I be planning for as table stakes for next year?
Den Jones (00:50:58):
I would say, especially as people return to the office, figuring out how to start turning office networks into guest networks, and allowlisting core services that you just couldn’t Zero Trust enable. And for everything else, have users just go to the internet to get any internal services, acknowledging that you have a blend of internal and very likely a lot of Cloud services. If you can do that, that would be… because ransomware’s not slowing down, right? And that’s something that can really help save and reduce the impact of any ransomware attack.
Jeff Steadman (00:51:37):
That makes sense. So let’s… I teased this at the beginning of the show when I mentioned Urban Punks. So who slash what is Urban Punks, Den?
Den Jones (00:51:51):
Yeah, it’s brilliant. LinkedIn, I guess I left that sitting in there, the co-founder of Urban Punks. Originally Urban Punks was my idea, where… I’ve got a big musical background, and I just had the idea where I wanted to get a collective of producers together, and we would co-collaborate on every song that we released. But I got really busy in this work business, so I never got to get the other people together. So Urban Punks is just one punk. It’s still just me, where I, over the years, I’ve released music under many names. Urban Punks was the most recent one that I’ve used. I’ve been releasing music since ’94. I released my first single on vinyl. Hoping everyone remembers what vinyl is, because it’s making a huge comeback.
Jeff Steadman (00:52:43):
I was going to say, it’s the new age right now, again, like just right up there with bell bottoms.
Den Jones (00:52:47):
Yeah, it is, right? So I was fortunate enough to get a record deal in my early twenties, played gigs, released records, was a ghost writer for other bands and DJs. So I done a lot of that stuff in my mid twenties. And then when I moved to the US in 2001, I continued to do it, but just not as successfully or not as busy, I guess, because I was focused on this IT career.
Jeff Steadman (00:53:17):
Gotcha. So the type of music, you were kind enough to share kind of the SoundCloud with it, is I guess electronic dance music, but I don’t want to over generalize it. How would you describe your music to someone who’s like, okay, what the heck am I listening to?
Den Jones (00:53:33):
Yeah. I mean, it’s electronic, it’s based on synths and that style of gear. You’ll not find much in the way of a guitar or a saxophone in my music, but sometimes I’ve been known to drop them in there. I try to think that it was house techno trance, but I never seem to think I fit easily in any of those genres. So I try not to label it. It’s a hobby, it’s fun, and I’m trying to not put pressure on myself to try and get the next top 40 hit, I guess. Although, that would be nice.
Jeff Steadman (00:54:16):
So I guess you’ve been kind enough. We’re actually going to play one of your songs. I’m going to append it to the end of the show here, so people will check it out. It’s a track called Gia. I guess, tell me what the inspiration for that is?
Den Jones (00:54:30):
Well, it’s funny, because all the names of the songs, it’s kind of like going back to days where, I was sharing earlier, naming servers, when I was building servers, I could never think of a name. I could build the server quicker than I could think of the name for the server. So usually I’m pulling names from famous actresses, actors, TV, movie characters, and things like that. So randomly these names just pop up, I guess. I don’t really know where they come from. Usually with enough of the right liquid refreshment, then you can come up with some creative names.
Jeff Steadman (00:55:09):
That has been known to be true the world over. All right. Well, I think that’s a pretty good spot to leave it for this week. Real quickly, any final thoughts, Den, on the topic of Zero Trust, or anything that’s kind of sparked in your brain right now, that people should be taking away from this specific conversation?
Den Jones (00:55:30):
Yeah. I mean, I think, well, first of all, Zero Trust is going to continue to be a huge buzzword, and probably become mind numbingly boring as a term. I really just say, focus on the outcomes. Don’t focus on the term, focus on the outcomes, and focus on that business value, and find a way to connect with the leadership above you and the customers around you. Because if you can connect with them on that emotional level, then you’ll find that they want those outcomes.
Jeff Steadman (00:56:01):
Jim, how about yourself?
Jim McDonald (00:56:04):
Well, something that I think Den just kind of touched on very briefly, which is around the idea that we want to invest in something that’s something that can be seen or felt. I think in IT a lot, it’s the experience, right? It’s improvements to the user experience. So even if most of the money is going in behind the scenes, if you can remove somebody’s ability or requirement to put in a password, you can improve security, but also improve the user experience. So I know that in our past conversation, we didn’t hit on it too much on the call today, but in our conversation previously with Den, we talked quite a lot about that. And I think that ought to be kind of a minor takeaway, that people tie that user experience as a way to sell something like Zero Trust, or the parts and components of a Zero Trust architecture.
Jeff Steadman (00:57:05):
Yeah. I don’t care how good your product is, if it sucks to use, no one wants it.
Den Jones (00:57:09):
Yeah. I was going to say, Jeff, very rarely in your career do you get a chance to improve the user experience and improve security. This is one of those rare things where you get to do both.
Jeff Steadman (00:57:22):
Yep. This is why I like the IM space, it’s the opportunity to fix process through the proper application of people, process and technology. So how’s that for nerd speak? All right. So I think we’ll go ahead and leave it for this week. You can learn more about Banyan Security at banyansecurity.io. It’s B-A-N-Y-A-N, security.io. If you want to learn more about us and the show, we’re at idacpodcast.com, and you can follow us on Twitter @IDACpodcast. And come on, check out our YouTube show that we’re doing weekly, it’s idac.live. That’ll take you right to our YouTube channel. Again, it’s kind of a work in progress as we work through it, but hope to see more people kind of attending live and continuing the conversation with that. So rather than our normal closeout, I’m going to, through the power of audio editing, insert Urban Punks, and a track called Gia. So thank you all for listening, and here’s that.
Speaker 1 (01:03:45):
Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe and visit us on the web at identityatthecenter.com.
Book Office Hours with Den Jones
If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.
Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.