Banyan Security – Pre RSA 2020 Interview with Tarun Desikan by SecurityGuyTV.com
Chuck Harold (00:02):
Hi everybody. Welcome back to a special RSA edition of SecurityGuyTV.com with your host, Chuck Harold. I’m speaking with my friend, Mr. Tarun Desikan. He’s at Banyan Security.io. Now it’s B-A-N-Y-A-N Security.io. Welcome to the show, my friend.
Tarun Desikan (00:18):
Thank you for having me, Chuck.
Chuck Harold (00:20):
Now you guys, you’re going to be at RSA. It’s booth ESE15. Now that stands for Early Stage Expo. It’s a special section, so make sure you guys find him. Today let’s talk about the buzzword at RSA, zero trust. That is a big word to be throwing it all over the place. What’s it mean to Tarun? What does zero trust mean?
Tarun Desikan (00:41):
It’s not just the buzzword, Chuck, it’s probably the number one buzzword. I’ve heard it bandied around many places. I’m excited to tell you what we think it means and why folks should come and talk to us. Even though it’s a buzzword, zero trust actually means something very specific to security professionals. It’s the idea that your enterprise that you’re securing, that for the longest time was secured with a VPN and a traditional perimeter-based network model, doesn’t work. That system was designed when employees came to the office and accessed applications that ran in your data center. But that’s just not how the world works anymore. Your applications are in your cloud, your workers are mobile, they’re always on, and the VPN doesn’t work. So zero trust to us is a security principle that enables a style of secure access, no matter where you are, who you are, and what you’re accessing.
Chuck Harold (01:36):
I came from the physical world. Initially, I was a police officer and I worked at the studios in physical security. And when I heard the zero trust thing being thrown around, I started laughing, because here’s why. I don’t build a building and say, come on in. I don’t set up security in something with no locks, right? So it’s funny to me that the cyber world decides, we’ve been letting people in all this time, now we’re going to have zero trust and we’re only going to let you in if we know who you are. Shouldn’t they have been doing that from the very beginning? Right? I mean, so to me it’s a weird buzzword to me.
Tarun Desikan (02:10):
Well security, if you look at it, is always a trade off. It’s always a trade off between usability and control. And so as a security professional in the enterprise, you always have to keep in mind that you can make something super secure, but then no one will use it. And so I would say the traditional security model, the VPN, actually worked. It worked for 25 years. Back when you were into physical security, it made sense. You can only access applications if you came to the office. It’s pretty straightforward and it’s, as far as I can tell, pretty good. It’s just that today, that’s just not how enterprise is run anymore, right? You don’t go to your office to work as much. You work remotely more. And your applications are no longer tied to your office, your applications are in the cloud, your applications are everywhere. So on one hand, yeah, I agree with you that, hey, why did security ever do this? But the model did make sense at one point. It just doesn’t make sense now.
Chuck Harold (03:09):
Oh, here’s something that I’ve heard from a few people about zero trust. It works. It’s more effective. I get all that. But a lot of times people are not paying attention to the end points. So I can sit here on my phone in Arizona and I log in as Chuck Harold, but maybe Chuck Harold got bonked on the head and it’s some bad guy logging in as me. And we didn’t verify that endpoint, or my phone was hijacked or something, right? So how much vulnerable are we with the endpoints on this zero trust thing?
Tarun Desikan (03:38):
Yeah, that’s a great question. Actually one of the most famous implementations of zero trust is a Google project. It’s called Google BeyondCorp. And it started because Google, this is about maybe eight or nine years ago, their endpoints got compromised. So specifically some of their developers lost their laptops and Chinese state actors got ahold of those laptops and they did some of the most insidious things. Once they had the hardware, they pretended to be the developer and they tried to insert little pieces of malware into Google source code. So it’s like they went after the crown jewels in the most insidious manner. And so the use case you describe is not hypothesis, it’s actually some of the core motivation behind why enterprises actually adopt zero trust.
Tarun Desikan (04:25):
So the fact that the endpoint gets compromised, but then it still has unfettered access into your network. The fact that a user gets phished, but there’s nothing you can do about it because you don’t know what all they have access to. And so as a concept, what Banyan is trying to push across or what our product helps enterprises do is kind of shift that responsibility and distribute trust to the users and the devices that actually need access. So you have to prove to us that you are authenticated. You have to prove to us that your device is trusted and your device maintains the right security posture before you get access. And the key thing is that we make it very easy, we make it very lightweight, human centric. So as a user, you feel empowered to essentially enable your corporation to be more secure.
Chuck Harold (05:15):
Are we using biometrics more in zero trust, or are we using multifactor authentication in zero trust? Are all those proven methods still used and incorporated with this?
Tarun Desikan (05:28):
Yeah, that’s a great question. So zero trust actually combines multiple different methods. So one part is verifying the user, right? I think that’s really important. If Chuck is logging in, we better know it’s Chuck. And so there are many ways to verify it’s Chuck. It’s username, password, that’s a starting point. There’s biometrics. You can start looking at who you actually are, not just what you know. And then you can also look at what you have, and that’s multifactor authentication, push notifications to your phone, and so on. But the user is one component. It’s an important component, but it’s only one component. The other component you want to look at is the device.
Tarun Desikan (06:04):
So in the old days, you used to rely on the fact that the user was in the office. If they came to the office, you gave them access. You can’t do that anymore, so then you need to have a lot of trust in the device. So it has to be Chuck, it has to be Chuck working on a Windows laptop that’s issued by his employer, and we take it even further. It is where are you located? Are you in a coffee shop? Are you in an airport? Are you at a compromised physical location? And the last thing you have to look at is what are you actually trying to access? Which application is it? Is it a trusted application? Has the application been compromised?
Tarun Desikan (06:37):
And it’s only when you can establish user, device, and application, do you actually enable that access. And so the challenge in the zero trust space, everyone knows these principles and pretty much every vendor you talk to will claim to do something like this, but the challenge is really to do it seamlessly and do it comprehensively. And that to us is what is exciting about zero trust and that’s why we started the company.
Chuck Harold (07:03):
Well, I think this is really cool. Now let me ask you a question. So I just read an article today that apparently the Russians have been in our hotel rooms with their wifi, stealing stuff.
Tarun Desikan (07:12):
I have no doubt.
Chuck Harold (07:14):
For years and years, apparently. Right? And I got to tell you, anytime I go to a hotel, my wifi gets all wonky. If you’re using the zero trust method and you’re authenticating all these layers you talked about, could you program your zero trust to say, listen, we will not let people log in from hotel rooms because we just found out the Russians have a whole spy network in Hilton. Right? So can you get specific like that?
Tarun Desikan (07:40):
So absolutely you can. I would argue though that even the Russians cannot hack today’s encryption. Now the NSA on the other hand, I don’t know that much about. The NSA might be able to hack it, but I think the Russians still cannot encrypt today’s… Still cannot hack that. So I would, before I start blocking Hilton, because I’m a Hilton member myself, don’t block my access to it. I would actually suggest, before we get into blocking major hotel chains, let’s just ensure all communication is actually encrypted end to end.
Chuck Harold (08:15):
Okay. That makes more sense.
Tarun Desikan (08:17):
That will solve a lot of problems.
Chuck Harold (08:18):
Tarun Desikan (08:19):
Yeah. And the other aspect of it is that there’s some simpler hygiene elements that you can do before you go down and start blocking large network blocks, which is make sure your laptop is actually patched. Right? Most of the Russian hacks actually take advantage of the fact that you’re running some piece of software that is a little old and has some kind of small bug in it. And sometimes that bug is a security vulnerability. And that’s what they use to get onto your laptops. So if you can enforce some basic hygiene, like, hey, make sure your laptop is patched, make sure the firewall is on, make sure you’re running your antivirus tool, and then encrypt all your communication, you should be good for like 70, 80% of the use cases.
Tarun Desikan (08:59):
But you’re absolutely right. When you do detect a threat, you need to block it immediately and you need to block it comprehensively. So that’s the other part of the Banyan platform. So on one hand, we have this trust scoring system that ensures every endpoint, every user is trusted before you give them access to your corporate applications. The other part of our platform is a continuous authorization framework, where if we detect that you have been hacked, if we detect the Russians have compromised the network, our goal is within a second, but sometimes we can do it in milliseconds. Within a second, we have revoked all the privileges that that network segment or that user and device had. And so I think that capability is really important for zero trust.
Chuck Harold (09:40):
Tarun from Banyan Security.io. See him at RSA, booth ESE15. Tarun, I feel safe. I feel better talking to you. Thanks so much for coming on SecurityGuyTV.com.
Tarun Desikan (09:51):
Thanks for having me, Chuck.