Podcast

TechSpective Interview with Den Jones

Den Jones, Chief Security Officer at Banyan Security, joins host Tony Bradley on this episode of the TechSpective Podcast to talk about the current state of zero trust.

View Transcript

Tony:

Thank you for joining for this episode of the TechSpective Podcast. My guest for this episode is my friend Den Jones. So Den, if you want to give a little bit of background on yourself and where you’re at now and we’ll kick things off.

Den Jones:

Hey Tony. Well, thanks for having me, and happy 2022, everybody. So yeah, Den Jones, recently joined Banyan and the December of ’21 as their chief security officer. And in that role, I’ve got the responsibility of running IT and running security and then also our Banyan at Banyan program. And there’s a great part of my role, which I’m really enjoying, which is getting to spend time with people in the industry, talking about all things security, including zero trust, whatever that means to the many people out there. I think that varies to begin with. And prior to Banyan, I was actually at Cisco and Adobe where I ran enterprise security in both companies. And in both companies, had the identity stack, and in both companies also deployed zero trust. So I’ve got really great experience deploying zero trust to over a hundred thousand people, which is kind of cool.

Tony:

Okay. Now, before we go further, and I’m going to date myself here somewhat, but when I got into IT as a network admin and everything, one of the kind of prevailing vendors architectures at the time was Banyan Vines. And I just want to clarify, your Banyan has no connection to Banyan Vines.

Den Jones:

That’s correct. Yeah. So we’re Banyan Security. So it’s Banyansecurity.io, is the website, and nothing to do with Banyan Vines. We don’t even have a logo that has a tree or a vine or even a grape. So we’re not even close to vines. But people always bring it back to Banyan Vines, especially if you’ve been in the industry as long as we have, Tony.

Tony:

Right. Well, I was going to say, I guess it will totally depend on what’s the age demographic of the audience of this podcast, whether that is even relevant. Because to people of a certain age, that’s the first thing you think of, if you hear Banyan in relation to information technology, or whatever. And I think below a certain age, they’d be like, “I have no idea what you’re talking about. Why are you even bringing that up?” So you talked about what you did at Adobe, Cisco, and what you’re doing now at Banyan, and you and I spoke previously on this podcast, while you were at Adobe, about the zero trust deployments and things like that. And one of the things you just alluded to though is kind of where I’d like to start this conversation, which is, what is zero trust? And I don’t remember, the podcast you and I did was, what, two years ago?

Den Jones:

Yeah. Easily 2019 or 2020.

Tony:

Okay. So yeah, two, three years ago. And obviously, when John Kindervag first coined the term or whatever, that was 12 years ago, at least 10 years ago. So it’s been around. In other words, zero trust is not a new thing per se at all. However, I do feel like from what I’m seeing that it is a hot thing.It is a top of mind for 2022, partly in response to where things are in terms of companies being under siege with ransomware and where things are in terms of the blurred lines between cyber crime and nation states attacks. And there are various factors in cybersecurity that are making zero trust have greater value to organizations. And so I’m seeing a lot of people talk about that, the CISA, the government is focused on, on that. So even though it’s not new, it is hot. But I would start with, what is it? What is it to you? What do you think, if a company says they’re doing zero trust, what should that mean?

Den Jones:

For me it’s, first of all, probably one of the most overused terms out there right now is digital transformations, zero trust, XDR. There’s just many of these buzzwords flying around. So I like to think of it as being, rather than the terror, I’d really like to think about the outcomes. In our case, what we done at Adobe and Cisco, actually so Banyan was one of the technologies we used in Adobe, in our zero trust plot platform. So that’s how I got the connection and got to know the team at Banyan. And in all of the deployments, what we were focused on was users accessing applications and services and enabling us to not worry about the network that the user was on. Ideally, you even take your office network and make that a guest network.

Den Jones:

And as you alluded to, if you follow any of the surveys out there, the term zero trust, for most C level people, apparently it’s in their top 10 of priorities. I don’t even know if they know why it’s in their top 10. They probably heard the term so many times they figured they need to put it in there, and the boards maybe expect a zero trust thing these days. And then the other thing you alluded to is security incidents. If you look at most of the security incidents that happen, I kind of believe that a good zero trust deployment, and I’d love to explain what I mean by that, but a good zero trust deployment has the ability to either prevent or slow down most of these attacks.

Den Jones:

So if you think of ransomware, if you can imagine ransomware comes in and the way it comes in is someone clicked a link, and they click the link, their machine got infected. Now in a traditional office network, I can see your computer, you can see mine, it’s a wide open office network. And maybe from a segment perspective, I can’t get into the data center network or an AWS network without going via a bastion host. That would be nice, or a lab network might also be segmented. But it means in your office network I can still maybe see thousands of devices. Now, if my machine’s compromised, I can then launch the attack as the bad actor to all the thousands of machines.

Den Jones:

Now, a good zero trust implementation for me is where you get to the position where your office network is configured from security policies to only allow to get to the internet. And when you get to the internet, you get to a zero trust platform that allows you to access the applications and services that you’ve published. You can’t get to the full network. You don’t get all the ports and protocols. You only get to the app and service that you’re publishing. And as part of that, we’re also doing a posture check on the device. And then as part of that, we’re enforcing a minimum security bar, like 2FA, not using passwords any longer. So a lot of passwordless things in the industry. So if you can think about these attacks, if you do this right, you can start to really minimize or eliminate a lot of these attacks.

Tony:

Okay. So let me give you, so sort of my personal take on zero trust, and let you respond and either agree or disagree. To me, and back from, when I started in cybersecurity and got my CISSP and stuff, one of the primary focuses was on least privilege access. And when I was in network admin, all the things were, “Okay, well, don’t let your users have admin rights on their local machines.” And so a lot of cybersecurity revolved around saying, “Look, well, if Den Jones’ credentials get compromised, the attacker’s going to be able to execute malicious code with the provisions and access that Den Jones has, so let’s just make sure he doesn’t have that much or try to contain it.” Which makes sense, on some level.

Tony:

To me, zero trust is an evolution of that. It’s basically saying, okay, yeah that’s true, it would be good for us to limit what you have access to. However, it’s no longer good enough for me to just say, “Okay, well Den Jones, he’s the CSO, he’s in this department, so we’re going to give him access to these servers or these applications, and then just let you in the door and let you run free.” Because of the way network architecture has evolved and the way the attack ecosystem has evolved, that’s no longer sufficient. Now I have to check more often. I have to say, okay, I guess the analogy would be, I can’t just check our ID at the door, I have to check your ID as you go from the kitchen to the living room, when you go form the living room to the bedroom, when you go from the bedroom to the den. I have to keep checking our ID to make sure you’re still you and verify again, sort of, “Okay, well why are you going to the living room? And do you have access, permission to go to the living room?”, and all those kind of things. Does that make any sense?

Den Jones:

Yeah, absolutely. So I really do see this as an evolution of the identity. We want to know it’s you, but we also know that the way bad actors attack is they attack and then they masquerade as being you. So least privilege is very important, continual authorization or authentication is really important, so we want to make sure that we’ll continue those checks. But then also, it’s not really about just being Den, it’s Den from which device? Den has three devices, and I want to know that the posture of those devices are good. And if one device is compromised, I don’t necessarily have to disable the Den account or change the password of the Den account. I might choose to change the password, but you could pull the certificate or revoke access from the one device that’s compromised and enable Den to still be a productive employee with the other two devices. So it really, for me, is an evolution of our identity and access management defense and depth. I get to now say, it’s not just about being Den, it’s about being Den and taking the context of Den the context of the devices, and say that Den on this device is really one risk, and that Den on the other device is a different risk. And they’re not necessarily the same risk because the devices are not the same.

Den Jones:

One of the things that was really cool, we deployed, built out a UEBA (User Entity and Behavior Analytics) capability, and created a team called security intelligence back in Adobe in 2018, I think, or 2019. And that team was really just looking at all the authentication logs from various sources, but then also other logs, like our travel system, so that if I suddenly see Den logging in from Israel, the first thing is, well, has Den booked any travel to Israel? Corporate travel, not personal travel, but at least we could get the corporate travel. And then you turn around and say, was that Den? And then you can interact with Den. If you see Den coming in at a weird time from a weird device and accessing a weird apple, then you get to really think about, is that Den?

Den Jones:

When we moved over to Cisco, one of the teams, I built the same security intelligence function, and then within there, we partnered with Exabeam, and we delivered much the same stuff. I think using the information and all the logs we’ve got about who’s accessing what applications and services and what their context is, I think is a really powerful thing. And it enables us to do way, way better security, but without being in the face of the users. So we start to now say, “Okay, I might want you to step up the authentication because I’ve seen you do something strange. I might want to prompt for a better security posture on the device, because I’ve seen you come in from a strange country. Or maybe you’re doing the same thing Den does every day, and you’re not behaving weird, you’re not accessing weird applications that you never access and not doing weird stuff. So maybe I can actually reduce the prompts for authentication. Maybe I’m just letting you in more. Maybe you don’t need to MFA all the time.

Tony:

Yeah. So I think part of what you just talked about, I definitely agree with. So on the one hand, I think that zero trust is kind of an evolution of least privilege access, but it is, it’s identity and access management, but combined with the behavioral analytics. And I think there are probably different takes on that. There are probably zero trust implementations that only have one or the other of those somehow. Well, maybe not without the identity. But I do think that that’s important, because for a few years now, so cybersecurity used to be more, I’m going way back and preaching to the choir, but when you had, “All right, this is our network, we’re inside our building, here’s our perimeter. I can basically trust everyone who’s inside this perimeter. And everyone outside the perimeter is a bad guy and we need to watch that.”

Tony:

And when I was doing network admin stuff, we would look at server access logs and review them to look for issues with people coming in or whatever. And we were looking specifically for unknown accounts or unknown devices trying to connect. And the way the attack techniques have evolved in 10, 15 years, that’s not really the case anymore. It’s much more likely to be a valid user. From the perspective of you, the organization, it’s very likely that the attack looks like an insider attack. Now, whether or not it’s actually Den Jones, that’s a different question. But what I’m really trying to look at is the behavior, because I can’t just rely on the credentials part.

Den Jones:

Yeah. And that’s exactly why we spun up the security intelligence teams in both companies is because the way we’re being attacked is the bad actor looks and feels like Den Jones from an identity perspective and authentication perspective. One of the things you touched on was that concept of if you’re in the corporate network. I remember an early slide that the team came up with years ago as we were promoting the zero trust project in Adobe. And it’s that usual one with the castle and the moat around it. And they’re like, “That’s how we used to think of this, but no longer blah blah.” And really, it is a decent analogy, but the one thing is, I kind of twisted all this round, and I just said, “Imagine a day where your access and applications and services, and you don’t need to use the VPN. Imagine that day, imagine a day where you’re doing that and you’re not entering a password.” And then it’s like, imagine a day where you don’t have to change your password every 90 days. I said, “Could you imagine that future?”

Den Jones:

From a service desk perspective, we’re going to save a ton of money. Imagine a day when lateral movement in your office network’s a thing of the past. And then imagine the big compromises you see in the industry and feeling like, “Great, that’ll never happen to us, because we’ve done something about it.” So when I always talk to people about this, it’s almost a case of get people really passionate about the outcome. The terminology we use and all that stuff, that’s not as cool as being able to tell someone, “Do you want to really lead a project or be part of a project where you’re going to improve security, but you’re also going to improve that user experience?” Because user experience from a CIO perspective and the cost of running IT, that’s hugely important. But if you go to the security executives and you’re like, “Could you imagine not having to use usernames and passwords, and you’ve got a certificate that’s more secure, or we’re not VPNing in?”

Den Jones:

And the one thing about VPN that I think people always forget about is, in large organizations, VPN configuration is usually, the all full-time employees, they VPN in, and they have wide open access to that corporate network. Maybe not the data center, maybe not labs, but they’ve got wide open access. So our proposition, as part of the zero trusts deployments we’ve done before, and one about Banyan’s value propositions, is we enable that access to applications without having to VPN in. And we’re not exposing that one connection to be wide open once you’re in your network. So if you eliminate that one attack, that’s huge.

Tony:

Right. Well, the ransomware attack over, I think it was mother’s day weekend, on Colonial Pipeline, the investigation eventually arrived at that they had this zombie VPN account that people had forgotten about that somehow that’s how the attackers got in. And so you always run that risk, that when you create those accounts, someone’s got to manage them. And companies typically do a pretty poor job of removing accounts. They’re really good at granting access. Because people bug IT, so it’s like kind of the squeaky wheel gets the grease kind of thing, as people are, “Hey, I need access, I need access. I need access.” So IT says, “Okay, great, fine, whatever. Here, I’m giving you access to that.” But when that person moves to another team or leaves the company, the processes that a lot of organizations have for trying to follow up on that are pretty bad. And I know for a fact that I still have an active email address from a company I haven’t actively worked with in eight years.

Den Jones:

It’s really, really interesting this. So one of the things that we done in Adobe with the security intelligence team, and it’s really not user behavioral analysis, it’s just simple, “Have you used this thing or not?” So we started to look at stale accounts, and if it was a stale account, then we’d reach out to the manager of the account. Normally, what you find in organizations, especially the large ones, full-time employee accounts, usually they’ve got great hygiene around that, about disabling that on exit, because that’s tied to an HR record. But the vendor accounts, genetic accounts, service account type things, those are the ones that get created, they get their permissions, and then they get forgotten about. And if John leaves a company, then the three service accounts that John was managing, they are just left. And no one really knows what to do now. In our Adobe days, we done a great job of handling those accounts and handing them off to the manager of John, and tell the manager, “You’ve now got a responsibility to do something.” But you’re still waiting on them doing something.

Den Jones:

So what we start to do is say, “Well, wait a minute, let’s flip this the other way.” If we don’t see these accounts logging into any applications or services over 90 days, we’re just going to disable the account and notify John and make it easy for John to re-enable or make it easy for him to add the access back. And then the other thing was, is all accounts, including your full-time employees, we used Okta heavily in Adobe, it worked brilliantly for us. What we were doing is we were tying every published application to a group in AD, and basically saying if you haven’t accessed that application via the Okta platform, then we know that you’ve not used it, you’re not an active user. So we remove you from the group. So from a course grain access control, we’re just removing you from the group. We’ll notify you we’ve removed you. And then say, “If you ever need access again, go here and request it, and it’ll be automatically provided.” But it means that you’re not granting, they might request it, they might use it for a month, but then you’re not granting that long term access to things that people don’t use.

Den Jones:

And going back to the Colonial Pipeline, it’s not a zero trust play, but the reality is account hygiene is the basics of our industry. If you don’t get the identity piece right, regardless of who you are or what you’re doing, then you’re just increasing that risk significantly. That was a great example of it.

Tony:

Well, and sort of a peripheral conversation to zero trust itself, is we talk a lot in cyber security about, “Okay, well, you should have these best practices. You should have these tools. You should patch known vulnerabilities. These are all the things you should do.” And it’s sort of shocking how many times you see an attack that succeeds and makes headlines, that they did all those things. And it was just some other stupid thing that wasn’t on the list. It’s just something someone missed.

Den Jones:

Yeah. I think there’s an acknowledgement in the industry that you can’t get everything. There’s always something hidden in some corner under some rock that you might forget about. But I kind of look at this as saying, there’s a reality of people, process, technology, let’s start with our people and have them educated to do the right thing and know what the right thing is. Patching is an example of one of those basic table stakes. When you get to things like a account hygiene, when you get to things like configuring your app to use MFA, we need the application teams to understand that that’s good and that should be done. So engage with your identity team.

Den Jones:

One of the things I wanted to circle back on was when you think about VPNs versus identity. So we give permissions at the identity level, we’ll add you to a group to say you’ve got access to the app. But then when you do VPN, you also have these ACL and VPN lines of code, usually, that go in there, that a network level are now giving you access to something too. One of the great propositions on this thing done right is you no longer need to duplicate that work. Basically, if you’re in the AD group or the directory group that gives you access to the app, then you don’t need to duplicate the work at the network level ACL and stuff. So that for me is really cool.

Den Jones:

And here’s the thing about it. So now coming back to your point, there’s things you forget because you don’t have time to do it. We’ve all got limited resources and limited money. And because we’ve got that limited stuff, the value proposition that I would always take to the executives is if we do these things here, you’re going to reduce the amount of time we need to spend on managing your VPN. You’re you’re going to reduce the time at service desk, and that frees people’s time up so that they can go do some of this other stuff. So ideally, we’re simplifying the operation, which means there’s less things for us to lose and forget about, as you just mentioned. So that one VPN account at Colonial, they didn’t have time to find it maybe. Or maybe, if they had saved money elsewhere, like what I always talk to people about, saving money, they could reinvest that wisely and build a security intelligence team. Because if they did that, they would’ve found that account and realized that account was stale. It’s not tricky.

Tony:

Yeah. One of the other things that I think is a more recent development that is continuing exponentially that a lot of people don’t really think about, is when we think of zero trust and we think of identity and access management, we generally think of it in terms of I’m giving Den Jones access, I’m giving Tony Bradley access. But the way things have evolved in terms of devices and network architecture, the device to device, machine to machine, those permissions are a hundred fold, a thousand fold the users. And you start looking at containerized applications and stuff. And just the volume of permissions is far greater than the number of people.

Den Jones:

Yeah. Yeah. And this is where device to device, so device to device is something that I think is an evolution of our problem. At the end of it, you’re really still saying, I’ve got, in this case, maybe it’s APIs, but somehow you’re still talking about granting something permissions to talk to something else. And as you mentioned, this stuff spirals out of control, especially as you build large scale cloud environments. We spent a lot of time at Adobe, Cisco, and Banyan has a huge focus on this as well, is, how do you protect those communications? From a visibility perspective at CIO level, they don’t see that problem as much, because that’s something that engineers just tackle and take care of. And you don’t think of that as being something that spirals out control and then as a bigger risk.

Den Jones:

Usually if you do dev ops well, then you’re securing that stuff early on in the cycle, and any scans that are going to pick up things like vulnerabilities there or any open doors, right. But at the end of it, it’s a bit of a hidden problem, because you don’t have all your users, your workers in the company complaining about the experience of that. Whereas your employees complain about the experience of logging in, they complain about having to change their password, so it’s a very vocal and visible experience problem. Whereas the device to device stuff, it’s engineers just kind of take care of it and it doesn’t ever bubble up as being something that needs attention. But it certainly does, because if you don’t secure that stuff very well and one engineer device gets compromised, then within your ecosystem, that device to device communication will enable a bad actor to move around pretty quick.

Tony:

Yeah. On a semi related note, in the beginning you talked about trying to be passwordless. And I know there’s been a push with that, Microsoft introduced the ability to go passwordless, at least for Microsoft stuff. So maybe it’s a step in the right direction, but on my windows machine I have a bunch of other stuff too that’s not Microsoft, so that’s only a partial solution. You’ve got other vendors like transmit security trying to work on that stuff that applies more broadly, but still only applies to the companies that sign on for that.

Tony:

But I was going to go into a little bit of password management and strong passwords and two 2FA, MFA, all that, in that I’ve noticed that on both the Windows side, when I’m in the Edge browser, or if I’m on my iPhone, that features have been in introduced where they try to automatically just go, “Hey, you know what? You need to create a password. Let me create this secure password for you.” And it creates 20 characters of gibberish.

Den Jones:

Yeah, yeah.

Tony:

Which on the one hand, might be okay. Like you’d say, “Okay, well, that’s probably better than me naming it after my dog or my birth date or whatever.” However, I never accept those, because then it’s only on that device. Now when I go to log into that same application or service, if I accept the 20 character gibberish password on my iPhone, now when I go to log on my Windows PC into that same application, I have to try to remember what the hell was that password? And then you have things like Last Pass, or other password vault type things, which I’ve used, but then I keep seeing last pass seems to come up in the headlines once or twice a year for possibly having the master passwords breached. And I’m like, “Oh, that’s a big problem.”

Den Jones:

Yeah. Last Pass is not a password manager I use any longer. I was one of the original options that we shared with people in Adobe. I’m a huge password manager fan. And here’s why, because like you say, if you’re using your browser, it will be on that browser, on that device, depending on the browser. Chrome, for example, might say, “Oh, let me share this with your other devices that also have Chrome.” But I don’t always just one browser, sometimes I’m Chrome, sometimes I’m Safari. So I might jump about between browsers depending on the application or service.

Den Jones:

And then the other thing is I’ve got a work device and then I’ve got a personal device. I’ve got several personal devices. So I don’t use my work device for doing any personal type work. So I use that just for work. And I don’t use my personal devices for any work stuff. So I like to have that separation. The one thing I do want to do though, is have a password manager where it is continually creating passwords that I don’t know, where I do need a master password, where I do need 2FA to get into it. And that enables the passwords to basically be consumed and available on any of my devices, on any of the browsers, at any time. And it also enables me not to worry about passwords.

Den Jones:

If in your corporate environment, the company does a really good job and they tie all the applications you use to your identity stack, so they’re using your IDP, and as part of that authentication with your IDP, you’re doing a password list type scenario, which what we promote, then your corporate username and passwords, there’s really not much there. You’ll have some things, especially if you’re an admin and you might have some [inaudible 00:34:29] glass accounts or things of that nature. But ultimately, there’s not many passwords in your corporate environment any longer. But my personal environment, my personal password manager has hundreds of passwords, because I’ve got so many things. It could be your Netflix account, your bank account, your whatever, whatever.

Tony:

Well, there’s so many things that make you create a sign in, and it’s just … I’ve created profiles on websites that I have no intention of ever going back to, or I might use it once every three years, but part of using the website in the first place required me to create a username and password. And I’m like, “All right.” Those things, that’s a whole separate conversation of, I think businesses need to reconsider how they do that, because I’m like, “Why are you forcing people to create these, what are destined to be zombie accounts?”

Den Jones:

Yeah. And absolutely it comes back to the business thinking they want to understand who they can market to. They want to understand more about you and your habits and things of that nature. But the principle and security is don’t don’t capture any data that you don’t have to. The least amount of data, just the basics you need in order to deliver that service or capability, and don’t go one attribute beyond that. Because you shouldn’t be, as a business, storing any information that you don’t truly need for delivered in that service.

Tony:

Right. Well, so related to all that, on when it comes to like the two-factor, multifactor, there’s a ton of things that will say, “Hey, I’m going to send you a code to your phone.” Just in the regular course of an average day, I probably have that happen five times with different apps and services, where it’s like, “All right, we’re going to send you a text to code.” But I’ve also got, on my phone, three different applications called authenticator, if I just search. So there’s the Microsoft authenticator, there’s the Google authenticator, and there’s ID me, which is like the federal government authenticator. And then I also have Okta. On the one hand, it’s somewhat trivial. It’s a silly thing for people to complain about. It’s the silly thing for me to complain about. It’s really not that big a deal. But that is something that I think that’s where the users are going to push back. Users are going to be like, “Okay, well, you’re asking me to do this two factor authentication or whatever. You’re telling me I need to do that for better security. But now all of a sudden I’ve got 20 different services that are texting me codes. I’ve got five different authenticator things on my phone that I have to verify against.” And it’s like, can we just consolidate all that to one?

Den Jones:

Yeah. Wouldn’t you love that? I think the reality is that, I just checked, I’ve only got three, Tony, so you’re beating me if we’re going up by who’s got the most. But yeah, I’d love that. I think that the reality is your corporate life, they’re pushing the Oktas of the world. And then the other one that’s heavily is the Symantec VIP access. So that’s one that I’ve seen a lot of people use. But then for me, I jumped on Google authenticator for my personal stuff, because it’s such an easy MFA app to use.

Den Jones:

I always think of companies, from a business perspective, and they must be using MFA. That’s not a question in my mind any longer. In your per personal life, I don’t think everything needs to have MFA. But I certainly think if anything that’s tied to your money or your personal really sensitive information, like your social security number or any of those things, government sites that you might use for your taxes, any of these things, if at all possible, those you should use MFA for. So I’m a big fan. But I’ve been in the identity game for so long now. So for me, that’s just table stakes. But if I go speak to my parents about it, they’re now beginning to realize MFA is a good thing, but they don’t know why. They only know because I’m telling them. So there’s a bunch of people out there that aren’t really tech savvy that aren’t necessarily going to be all over the MFA business. And that’s the world we live in, right?

Tony:

Yeah. Well, and I know that there are potential issues with the SMS texting code version, because that can be hijacked and redirected and such. But I generally, especially if I’m actually doing something on my phone, prefer that one. Because at least in iOS, and I assume Android does the same thing, I don’t know, it will auto populate it. Like you’re in the app, and as soon as the thing comes in, it says, “Hey, do you want to use this code?” And it’s like, all right, cool. I don’t even have to look at the code. I don’t have to know what it is. So that’s kind of nice. But like I said, it is, it’s definitely a first world problem to complain about. “Oh my God.I tried to get into my Netflix account and it made me enter a code from my phone.”

Den Jones:

Yeah, yeah. I know. I tell my kids that all the time. It’s like we have first world problems. The things that we complain about in our life, there’s many people way worse off than us. And I would be glad if people in the corporate world complained about using MFA, because at least then I know they’re using MFA. But I think the reality is, it’s really our responsibility as service providers in that case to say, “Okay, I do want you to use MFA.” I always said to people, “It’s not single sign-on, it’s never been single sign-on.” And it’s not always two factor. I always think of it like dynamic authentication, because really what I want to get to position to is we have enough data in the back end to be able to really accurately determine whether your account is in good standing or not, or whether your account may be compromised.

Den Jones:

And with all that data we’ve got, we could get smarter about the user experience and say, I’m not prompting for second factor as many times in a day, because maybe you just done it once. And I know enough about the device, the context of the device, the user, and the context of the user combined with that device. And we know it’s Tony. We know Tony’s got a device which has got all the security goodness on it, and we know he is coming in from the exact same space, doing the exact same stuff. Why do I need to prompt the guy to log in again? So I really want the industry to kind of keep moving in this direction, because there are a lot of great vendors out there that are pushing a password list, more dynamic security context aware kind of experience.

Tony:

Well, it would be nice. I’m a huge fan of the just logging in with facial recognition, both with face ID on my iPhone, with Windows Hello on my PC. That’s basically the only way I log in. So I agree that all those things are good, and I think people just need to get used to it. It’s sort of like when they started making people wear seatbelts again. I’m dating myself, because there’s a whole generation of people were like, “What do you mean? You didn’t have to wear seatbelts?” But there were people who felt very put out and like, “Oh my God, why are you making me do this?” And eventually it just becomes second nature and you can’t imagine not doing it. And I think that’s kind of where we have to get with that stuff, but it’s interesting to see the balance between, on the one hand, having the authenticators and the two-factor authentication and all of that, and then on the other hand, kind of going in the completely other direction of having facial recognition and just saying, look, yes, you recognize me. I’m me, just log me in.

Tony:

But I think what you mentioned in the beginning and just kind of hit on again, with the way you’re implementing zero trust, it is dynamic. Because it’s like, okay, well, yes, if I don’t know you, I’m absolutely going to double check this and make sure that you’re someone that I should trust, and I’m going to keep on checking. But if I do know you, and you’re coming in from the same device you always do, from the same source IP address that you always do, you’re accessing the same applications that you always do, then yeah, I really don’t need to keep bothering you.

Den Jones:

Yeah. Yeah. And so one of the things I was thinking about this, I used to say to people, “Oh, if you were logging into your bank account, you want to have 2FA, because you like to keep the money in the bank and you don’t want bad people to steal it.” But I think that’s evolved over the years, because A, that’s quite a rare risk, but kids today, especially younger people, they would be totally, totally put out if their social media account was taken over by someone, then some really bad stuff was said on their behalf or whatever. Or they looked stupid that were made a fool of on social media. So it’s funny. And I do think, now in corporate life, I think a really good zero trust implementation or just really good hygiene. We’re in a position now where we do know more about the devices, I think, of biometrics and stuff like that.

Den Jones:

10 years ago, before Apple and the consumer market started to use things like your thumbprint to unlock your phone, then in the corporate world, the use of biometrics was something that people really shied away from. They didn’t really want to do it. But the minute it became a consumer friendly experience that people really enjoyed, then in your workplace, people started to expect it. I remember my first ever biometrics deployment was around 1995, and I worked in a factory in Scotland. And what we were doing was with Compaq and Navel, and Compaq would ship a little biometrics reader that you could configure in NDS. And people would actually be able to use that to log in. And that goes all the way back to the late ’90s. And it really took like 20 years for that technology, A, to improve and mature, and at a price point that was usable, but then really consumers to actually want to use it and be able to use it in a way that was not something that you’d have to train them to do. And you don’t have to train someone now to use their biometrics on their device or their fingerprint to log into their laptop.

Tony:

Right. So, all right. Well, I think this was a fun conversation. I appreciate having you back on. I look forward to chatting further, and hopefully, we talked a little bit before we started about how RSA got pushed back to June, but I plan on being there. I assume you’ll be there. So fingers crossed that COVID chills out and we all get to go to San Francisco in June.

Den Jones:

Yeah. I’d love that, Tony. It’d be great to catch up in person, and hopefully, for everybody out there. If they’re at RSA, then certainly feel free to look us up banyansecurity.io. And we’re going to be hosting a whole bunch of events, so I’m looking forward to meeting people in person. So yeah, hopefully COVID doesn’t get in the way of that. It’s already got it pushed out, but hopefully we get this thing going forward.

Tony:

Awesome. All right. Take care.

Den Jones:

Thanks, Tony. All the best, everyone.

Tony:

I appreciate you investing your time to listen to the podcast, but I also invite you to engage on social media. Please go like our Facebook page and follow @TechSpective on Twitter and Instagram. You can feel free to let me know what you like, let me know what you don’t like. Let me know if you love it, let me know if it sucks. And let me know what products you’d like to see reviewed or what questions you’d like to see answered in future posts.

Close Transcript

< Back to Resources

Book Office Hours with Den Jones

If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.

Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.

Make an Appointment