Case Study

Zero Trust Journey – A Security Leader’s Story

Most security professionals acknowledge that the traditional “castle-and-moat” approach to security no longer works, and would like to instead achieve a Zero Trust security posture in their organizations. Zero Trust, of course, is the idea that trust should not automatically be given to anything inside or outside an organization’s perimeters, but rather everything and anything trying to access resources must first be verified. The principle of least-privilege access and continuous authorization are compelling, but actual implementation of these concepts can seem daunting. In this webinar we’ll talk with Robert Davis of Chick-fil-A about his journey from compelling idea to actual implementation.


Charlene O’Hanlon:

All right, well, good morning, good afternoon or good evening, depending upon where you are in the world, and welcome to today’s Security Boulevard webinar. I’m Charlene O’Hanlon, moderator for today’s event, and I welcome you. We have a great webinar on tap today. I am super excited about this one. I think it’s going to be a great case study, lots of information to impart. But before we get started, we do have a few housekeeping items we need to go over. First of all, today’s event is being recorded, so if you miss any or all of the event, you will have the opportunity to access it later on. Following today’s webinar, we will be sending out an email that contains a link to access the webinar on demand. We are taking questions from the audience, so if at any time during today’s presentation you have a question for either of our speakers, please, don’t wait, don’t hesitate, just use your question and answer tab on your interface and submit your question, and we will try to get to as many as we can near the end of today’s webinar. Also, happening at the end of today’s webinar, we will be doing a drawing for four $25 Amazon gift cards, so please stick around. Hopefully, you’ll be one of our four lucky winners.

Charlene O’Hanlon:

All right, let’s go ahead and kick off today’s webinar, which is Zero Trust Journey: A Security Leader’s Story. Our speakers today are John Dasher, who is the VP of product managing, product marketing, I should say, at Banyan Security, and Robert Davis, who is the director of cybersecurity at Chick-fil-A. Gentlemen, thank you so much for joining me today, really do appreciate it.

John Dasher:

Thank you.

Robert Davis:

Glad to be here.

Charlene O’Hanlon:

All right, well, John, I know you’re kicking it off. I’m going to take myself off camera, put myself on mute, and let you get right to it.

John Dasher:

All right. Well, this should be a great, great session here today. As we think about security, many of the tried and true concepts we were taught or learned as we were coming up through the profession are getting updated fairly significantly, and, in some cases, outright replaced. Acknowledging that the traditional castle and moat approach to security needs retirement, zero trust especially has been generating a lot of interest. Zero trust, of course, is the idea that trust should not be automatically given to anything inside or outside its perimeters. We shouldn’t trust something just because it’s on a specific network, but rather everything and anything trying to access resources must first be verified. The principle of least privilege access and continuous authorization are compelling, to be sure, but the implementation of these concepts can seem daunting.

John Dasher:

I’m excited about this webinar today because we get to talk to somebody who has walked a mile in those shoes, as it were. Today we’re going to talk to Robert Davis of Chick-fil-A about his journey from seeing zero trust as a compelling idea to actually being able to implement it in his organization. So with that, let me welcome Robert. Robert, welcome.

Robert Davis:

Thank you, John. It’s good to be here, really excited about this.

John Dasher:

Tell us a little bit about yourself and how you ended up at Chick-fil-A.

Robert Davis:

So going through college, I was a computer science major, and fairly quickly realized I didn’t want to be a programmer for the rest of my life, and so I started trying to look at other options. Going through a career fair, I saw Chick-fil-A and thought to myself, that is strange. I don’t know a lot about Chick-fil-A, to be honest, but it seems odd that they’re here at this engineering career fair. But as I talked to them, it made a ton of sense. Everyone has technology to help them in some way, and I got really interested in Chick-fil-A as a company, as an organization, made it through that process, and I’ve been there ever since, which it’ll be 16 years this summer. So I’m currently the director of cybersecurity for Chick-fil-A.

John Dasher:

Outstanding, outstanding. Well, welcome. So let’s kind of rewind a little bit and talk about those beginnings where you started to learn about some of the concepts regarding zero trust. For many of us, the beginning was hearing about Google’s BeyondCorp, their concept of leveraging untrusted networks, i.e., the internet, to allow people to do their jobs, and then, of course, related directly to that, zero trust, again, this concept of assuming that nobody’s to be trusted, regardless of where they are, what network they’re on, who they are, and continuously reestablishing that authorization and that trust and principles like least privilege access. Where was your first learning about Google’s BeyondCorp?

Robert Davis:

So I ran across the very first USENIX whitepaper from Google on what they were building with BeyondCorp. I think it was late 2016-ish when I came across it. To be honest, I’m not even sure how I came across it, but it came across my desk, and I read it and got really, really interested in just the concepts of how you can increase your security in this ever changing, more mobile world. Of course, that was even a little early back then, but it was fascinating for me to read that and to see that new way of thinking about network security. I kept watching and kept reading. They released a few more whitepapers on some specific design and the access proxy and that sort of thing, so I just kind of kept up with it from there.

John Dasher:

Was this also when you were first exposed to the concept of zero trust?

Robert Davis:

So I had been exposed to it previously, but almost every exposure that I had previously was almost solely dedicated to the concept of microsegmentation where you’re separating workloads and that sort of thing, and less about the front end and the user experience. So this was really the first exposure to a more practical use of the zero trust concepts in the model.

John Dasher:

I mean, like many things in security especially, there’s things that are super cool, neat ideas, and then sometimes they kind of cross the chasm to, wait, I can actually implement that super cool idea? I’m curious. From a zero trust perspective, early on, what did you think would be the thing that you would first grab on to?

Robert Davis:

I think, for me, the very first thing was just rethinking VPN. There was a lot of … If you look at breaches, some of the commonalities are a user workstation gets compromised, and then from there they leverage that network layer that the VPN provides or if you’re on site. So you have, essentially, a trusted network. You’re on this thing, and now you’re trusted because of where you were. This was a different way of looking at that and removing the easier possibility of things like lateral movement because you’re not trusting the network. There is no network layer connectivity in that sense, and therefore you get this added level of security. So that was the first thing that really drew me into the concepts.

John Dasher:

So in your intro, you talked a little bit about how you stumbled on to Chick-fil-A. Of course, for those of you who might not know, Chick-fil-A is a worldwide brand famous for their chicken sandwiches, has been super successful, and, in fact, has managed to be even more successful over the last year at a time when many businesses are struggling. It might not be obvious to folks how a quote, unquote restaurant, a quick serve restaurant, has software as something that’s strategic to its core. Why don’t you talk to us a little bit about what role software plays at Chick-fil-A?

Robert Davis:

So if you think about Chick-fil-A and where we were and where we are now 16 years later for my career, the growth of Chick-fil-A has been just outstanding. It’s been a very consistent thing since I’ve been there. With growth, at the rate of growth that we’re seeing, we have to be more efficient in how we do things. One of the best ways to be more efficient is to leverage software to help with the process-

John Dasher:

Automation software, yeah.

Robert Davis:

… and automating and that sort of thing. In our restaurants, the volume of customers that we have, generally speaking, on a given day is pretty high, and our restaurant footprint sometimes isn’t quite there to handle that volume. So that really necessitates a need for these digital platforms, mobile ordering. We got into mobile ordering a fair number of years back now. That really set us in a good position coming into the pandemic, and that really let us maintain that level of efficiency and, in a lot of ways, get more efficient, because you start shifting the ordering process to mobile. You eliminate a big bottleneck at the actual restaurant, so software there is extremely strategic in helping us achieve higher numbers than we would had we not had it.

John Dasher:

What percentage of ordering is mobile now?

Robert Davis:

That’s a good question. I wish I knew the answer, but it’s significantly higher now than it was a year ago. I know that.

John Dasher:

Sure, sure. So when you were thinking about your goals of making progress against moving Chick-fil-A’s security toward zero trust principles and architectures, how did you think you’d get started initially?

Robert Davis:

Initially, really, because the paradigm and user experience is so different, I really wanted to start with my team first, so the security team, and say, all right, we need to eat our own dog food here, try this new thing out, understand all of the potential pain points that might be there for users as we eliminate VPN, so really understanding, one, what was VPN used for? What were the applications and systems that people rely on daily that the VPN was there for?

John Dasher:

This was pre-pandemic?

Robert Davis:

This is pre-pandemic, yep. We started this journey of practically looking at zero trust and going down that road. We started that journey a couple of years ago. So it was really just start with my team and try to remove VPN, see if we can still work the way we need to, and then from there you would move into choosing a couple of smaller, less critical apps to test with to start expanding beyond my team and maybe looking at getting some of the IT department to leverage it, and then eventually looking at business users and getting them involved to get that feedback going before you really implement this holistically across every application. For us, the last step will be, basically, implementing this everywhere and blocking access to sensitive or critical apps if they don’t meet the trust tiers that we’re looking for.

John Dasher:

Let’s come back to that in just a minute. Why don’t we do a poll question and get a feel for the audience in terms of where they are in their zero trust journey.

Charlene O’Hanlon:

So we do have a polling question that is now open to the audience. The question is, how many folks have started implementing a zero trust project? We haven’t started. We are researching solutions. We’ve begun implementation. Or we’ve deployed and are using a zero trust solution. So the polling question is right there underneath the polling tab. You should see it there. You can go ahead and make your response. I’m going to leave the poll open for you guys for a few minutes. John, you can go ahead and continue with your presentation, and we’ll circle back and take a look at the poll results later on.

John Dasher:

Sounds great, thank you. All right, so let me set the stage a little bit here just to make sure we’re all on the same page. So when we think about zero trust, zero trust remote access, there’s really a few common shared traits that a great zero trust solution has at its core. The first is you have to be able to trust that the users are who they say they are. For most organizations, this means I’ve got some sort of identity system in place, a single sign on system in place. The second thing you need of course is device trust. You’ve really got to be able to trust that the device they’re using is in fact trustworthy, whether that’s a corporate issued and managed device or an unmanaged device that maybe your contractors are bringing to the party or BYOD. As Robert mentioned, especially as the world went mobile, the plethora of the devices is certainly out there. So having some level of confidence that the devices that are connecting to your precious resources are trusted is important.

John Dasher:

The third thing you want to do is be able to take advantage of the tools that you already have. You’ve got security tools. You’ve got infrastructure monitoring tools, and they throw off signals that are helpful in determining whether we can trust the user and their devices. So to the extent there are signals that we can take advantage of, we should absolutely do that. With regard to distributed enforcement, we want to make sure that the enforcement of access policy happens as close to the application or resource as possible. Unlike a traditional VPN which acts as a centralized choke point, we want enforcement to be in the logical traffic path because it’s best for performance, scalability, efficiency.

John Dasher:

Then the last building block is this idea of continuous authorization. Simplistically, bad things happen, and sometimes they even happen during a connection session. A device and a user that were trusted and known good a minute ago could suddenly have an issue. We want to be continuously reevaluating the user and the trustworthiness, the security posture, if you will, of that combo against the backdrop of the sensitivity of the resource they’re accessing. As one of my colleagues likes to say, “If someone’s trying to access the cafeteria menu, that’s probably low security, and I don’t care too much about who’s accessing it and under what circumstances.” But when my backend finances are getting accessed, I care deeply both about who’s accessing them and about how much, how broad is that access. So things like least privilege access come to play.

John Dasher:

So, anyway, those five things put together really yield a lot of benefit in terms of both security and manageability, giving your users a consistent experience. Of course, over time, like anything where you’re able to automate and improve the administrative capabilities, as well as the user experience, you lower risk, and you lower your costs. It’s kind of interesting.

John Dasher:

Robert, I’ve been doing security a long time, and you’re kind of taught both through experience and education wise that security and IT are at odds. IT’s charter is to ensure productivity, and security’s charter, of course, is to ensure the security of our data and our intellectual property. By making something more secure, by definition, it’s not less usable. Productivity goes down. Security goes up. Or I throw open the doors and make it easy for everyone to do their jobs, but I’ve got to throw security out the window. It’s a seesaw. One goes up, one goes down. I’ve been learning that one of the interesting things about zero trust that I just haven’t seen often in security is this idea that, actually, both can go up. I can provide a better user experience for my users, and I can get better security and better manageability. It’s not often we see that, is it?

Robert Davis:

No, not at all. I agree with you. I think this is one of those times when it can be a heightened level of security for the things that matter the most, but still allow for that flexibility and usability, which it’s definitely something that’s very attractive about the zero trust model in that regard. So I agree with you.

John Dasher:

So we’ve got some results back from the poll. Charlene, do you want to talk about that?

Charlene O’Hanlon:

Absolutely. Let’s take a look at the poll results. The question was, just to refresh everybody’s memory, how many folks have started implementing a zero trust project? The majority, 46%, said that they are researching solutions, followed closely by, “We haven’t started,” at 36%, and then, “We’ve begun implementation,” garnered 10% of the responses, and, “We’ve deployed and are using a zero trust solution,” 8% of the audience is doing so. So it looks like we’ve got some people closer to the top of the funnel, if you will, than the bottom, mid part of bottom, but great responses all the way around. Thank you to the audience for submitting their responses. Please know we do have another polling question coming up pretty darn soon, so keep your eye out for that, and we’ll definitely let you know when it’s time.

John Dasher:

We have one more poll question, and then we’ll do some Q&A at the end. I won’t poll question you to death here. Let’s keep going here. So, Robert, we talked a little bit about the pandemic, and certainly there’s no shortage of studies that talk about how, in the enterprise, we were seeing greater and greater use of remote access of work from anywhere, if you will, certainly mobility, as you mentioned, going back to 2005, 2006. Mobility rapidly taking off, I think, forced a lot of that, the availability and cost reduction of laptops and all that. But, really, when COVID happened a year ago, that all of a sudden threw us into a send everybody home. They’re working from home. How did the coronavirus pandemic and work from anywhere affect your thinking on zero trust adoption?

Robert Davis:

So, for us, we invested so heavily in SaaS over the last few years that our VPN usage, generally speaking, was fairly low, as it was, percentage wise, across the board. So when the pandemic did hit and everyone was forced to be at home and those that traditionally might not have used VPN much then started having to use it, that put a little wrench … And like most companies, we had to beef up our VPN, make some changes, make things work. Then in the back of my mind, I’m thinking, wow, it sure would be nice if we didn’t have to worry about this VPN right now, as we had started our implementation the year before, so in 2019 we had started, in a very small pilot, just really making sure we understood everything about the concept and the model. So it definitely made me think, okay, we’ve gotten through this, and there’s still a decent amount of VPN usage. Now is the time to start moving really forward with the implementation. We actually did secure a project this year to do a much more broad implementation of it.

John Dasher:

Let me ask you to put your prognosticator hat on just for a moment. The vaccine is now, obviously, available. We’re starting through that process globally. Have you and your leadership team been talking about how you think remote … What percentage of your employees will still be working remotely, say, at the end of the calendar year? I mean, have you started to play those games? Or are you kind of taking a wait and see approach?

Robert Davis:

There have been a lot of discussions about that. Chick-fil-A is a company built on relationships. In the restaurant, we value relationships with customers. Same is true at corporate, where we value relationships with each other and with partners and customers. So that becomes very challenging when it’s remote, so we’re still in a lot of discussions about it. If I had my personal preference, I would be able to work remote for the rest of my life. I really enjoy that extra time in the day that I get back not having to commute, but that’s still TBD at the moment on what the long-term plans are there.

John Dasher:

So would it be your expectation that there will be some mix going forward?

Robert Davis:

I would imagine so, yeah. What that mix looks like is the big question.

John Dasher:

So let’s talk a little bit about your starting point. You started getting into it, and I kind of rudely cut you off there. What we see at Banyan Security is, for most organizations, the easiest way for them to get started with zero trust is some sort of a targeted proof of value project. Sometimes it’s with a group. You were mentioning you started with your own team. Sometimes it’s with a specific application. Sometimes I think people, especially those folks that are researching, think it’s this gigantic all or nothing, boil the ocean, and I’ve got to rip out the entirety of my VPN, and overnight I’ve got to replace it and pray to God it works, blah, blah, blah. That’s really not the case. I mean, you can really kind of have a granular, constrained project to get started with and grow horizontally, almost like you’d scale in the cloud. How did Chick-fil-A … You told us that you started with your own team, but what exactly did you do for your initial deployment?

Robert Davis:

So we’re still in the implementation phase, of course, but, initially, it’s basically getting my team … My original thought was, let’s get our team using this model for as many applications as we can, specifically for this team, and then as we’re starting to do that now, really understand the pain points. The next step will be, okay, let’s get some non security representation here and get their feedback and pain points and just keep moving down that path. But to your point, there’s no need to boil the ocean, provided you choose the right solution. You should be able to choose a solution that allows you to do one thing at a time, like start with one application. Best guess, you could even start with a non-enforcing mode, where it’s there and it’s usable, but it’s not going to stop somebody while you understand the pain points. So that’s what I would recommend is just making sure whatever solution you go with allows you to have flexibility, because that’s going to be key to successful implementation, because it’s a decent change for user experience, in mostly a good way, but it’s still a change. People are usually not super excited about change.

John Dasher:

So was that one of your bigger challenges? I should say, what was your biggest challenge in starting your rollout?

Robert Davis:

To be completely honest, I think the biggest challenge was not accepting this model and knowing the user experience is going to change and things in that nature. The biggest challenge, quite frankly, is just getting resources dedicated to doing this work. Chick-fil-A’s growth, again, has been phenomenal, which is wonderful in a lot of ways, but it’s hard to keep pace with the growth. So new projects and new ways of doing things become challenging because we oftentimes have to play catch up in the security world. If you want to be innovative as a company, security … You have to find the right balance, of course, but security is not going to be out in front of everything. So that’s still our biggest issue today, but, like I said, we’re slowly but surely tackling this problem, one thing at a time, and we’ll get there. Hopefully, by the end of the year, we’ll be there with full implementation out there.

John Dasher:

Excellent, excellent. Why don’t we do our last polling question and let the audience weigh in and see to the extent they’ve begun thinking about their starting project? Let’s see where they are.

Charlene O’Hanlon:

All right, we’ve got one going out to you right now. The question is, for those of you who are planning or have deployed a zero trust solution, where did you start? You can choose from developers’ access to IaaS infrastructure, security slash IT access, third-party remote access, or broad VPN replacement. You can go ahead and make your choice. As with before, I will keep this polling question open, and, John and Robert, you guys can continue your conversation. Then before we get to the question and answer period, we’ll take a look at the responses.

John Dasher:

Sounds great, sounds great. Let’s move on a little bit here. So you mentioned earlier, Robert, talking about thinking through what your solution would be to begin to implement zero trust. What was your evaluation criteria for evaluating vendors and their solutions?

Robert Davis:

So, for me, as I was researching the zero trust space, I think the most common thing that seemed to come out of any solution that was being pitched was they were calling zero trust, essentially, MFA plus. So they were looking at it and going, the identity is protected by MFA, and will add some contextual, adaptive nature to their authentication. But they almost never talked about the device, and that always bugged me, because you have to have the device in the equation for this to really be zero trust, for me. So device level checks, having the ability to do some form of check on any device, whether it’s managed by corporate or BYOD or a mobile device. We need to be able to know something about that device, and if we don’t know anything about the device, maybe they can still access some of the extremely low level, low tiered, cafeteria app, for instance, but they will never be able to access higher level tiered trust.

John Dasher:

Well, and we’ve certainly seen in recent security and news stories, MFA, yeah, you should probably be using MFA, but it is by no means a guarantee that you are now hack proof or you’re done with security, because it can be bypassed. There’s no shortage of recent demonstrations of bypassing MFA, so I can see why device level checks would be an interesting thing to look at. What came next for you? You had mentioned the flexibility of a solution.

Robert Davis:

So I was kind of talking about this a little bit with the implementation question, but it has to be something that’s flexible for our use cases. So it needs to be able to work for on premise applications, so, basically, replacing VPN in a lot of ways. It needs to work in the cloud. It needs to work with our SaaS solutions. It needs to work with our identity provider. I don’t want a new identity provider, so it must integrate with that today, there you go, the third criteria. But being extremely flexible in how we can implement it, starting with one thing and then eventually adding additionals, or starting in a non-enforcing mode across the board, just to gather the data, those things are critically important for success.

Robert Davis:

Then continuous authorization, I think that was actually … As I was doing some tests and understanding solutions and trying to figure out the best one for us, continuous authorization was at the bottom of my criteria list, and it still is, because if you don’t have those first three, then the bottom one doesn’t really matter much. But when you see it in action … I did some proof of concepts where I infected my machine, and then that infection then triggered a deny through the solution, and I was wowed by it, because you don’t get that in any traditional network security model. But because of the way the solution is architected and that ability to check every, in this case, HTTP-type request to a web app and check for that authorization … Is this identity and device … That was the key, “and device,” not just the identity. They’re both still good, so you can access it. But the moment one of those goes in a lower trusted tier, you can block that access. I was running around going, “Guys, you have to check this out. Watch this. Watch this.” I didn’t think I would get so excited about that, but it’s a pretty powerful mechanism.

John Dasher:

Who would have thought failure to authorize would be exciting?

Robert Davis:

I know, I know.

John Dasher:

So as you look through your list of criteria, were those the right … I mean, now that you’ve had time to embark on your journey and get a fair pace down the road, were those the right criteria for you?

Robert Davis:

Yeah, definitely for us. The only criteria in that first four that you might be able to push aside to the next phase of whatever you want to implement is the continuous authorization. It’s really, really cool, but, at the same time, if you don’t get those first three right, it really doesn’t matter that much. So, for me, yes, being able to check the device, know something about it, being very flexible, and integrating with existing identity stack and other tools that we have, those are still my top three criteria.

John Dasher:

One of the things that we will hear from prospects and customers that didn’t necessarily click earlier in their process but later you could watch the light bulbs go off is going back to that device level checking and the idea that that one thing spans all of your infrastructure types, all of your device types. So as you were pointing out, whether that app is on prem or in the cloud or is a SaaS app, it’s the same device trust, and you can manage it as device trust, regardless of the app or where it is or who’s using it or from what device. I think sometimes people just don’t understand, don’t quite get the value of it. They nod their head, and they hear the words. But once you start doing it, you’re like, oh, I finally have a uniform way of checking device posture, and I don’t have to be caring about the specific situation.

Robert Davis:

Yeah, exactly.

John Dasher:

Looking back on it, would you add any criteria, stuff you wish you would have looked at that maybe you didn’t?

Robert Davis:

That’s a good question. I would probably get a little more in-depth with the identity stack. So there’s one thing to integrate with an identity stack and understand OAuth or SAML and do that. But it’s another thing entirely to be able to do that and understand the stack from top to bottom and know how flexible the rollout can be. There are things that you can do with certain identity stacks that go beyond just creating an OAuth client for every single app and making it a little more generic, so I can implement zero trust with really any app I want without having to touch the app itself, because that was really the key. So in an identity world with OAuth, you’re generally … If you’re going to make changes to that in any way, that means you’re impacting the app side, so the deployment team has to go make a change to how their OAuth configuration is set up such that you’re now in the middle with this new zero trust model. But just understanding that a little bit more I think is probably the only thing, getting closer to your identity stack and understanding all of the switches that you can turn on and off to make things easier.

John Dasher:

In your organization … As security, do you have responsibility for identity, or is that on the IT side of the house?

Robert Davis:

Security is within IT, so we’re all under the same umbrella, but identity is not under the security umbrella. It’s under our more shared service, shared platform team.

John Dasher:

I think it’s fairly undeniable, in the last, I don’t know, what, five years, we’ve seen IT and security certainly be more collaborative and work closer together. Sometimes it’s like you said in your organization where, really, you’re all under the IT umbrella. Sometimes they’re separate organizations. But clearly there’s things that we’re talking about here with regard to zero trust that cross the traditional security and IT border lines, if you will, and so that level of collaboration can only help a zero trust deployment and, as you point out, in fact, is required, really, especially on the identity side.

Robert Davis:

Exactly, yeah. Us growing up kind of … identity maturing alongside security in the IT world, versus us being completely separate and just going to that identity team and saying, “Hey, we need to do X, Y and Z,” and they have no idea what we’re talking about. We’ve kind of grown up together, and it made the implementation pretty seamless for now. So it’s been good.

John Dasher:

Turning this around, if you were a younger company, a startup or a small company, you really do have to have identity in place before pursuing a zero trust solution. I mean, it’s kind of the bedrock core. We started off talking about the principles of zero trust, users … the first thing we talked about. So you really do have to have your SSO in place and operating before taking that next step. Would you agree with that?

Robert Davis:

Absolutely, yeah. You’ve got to have SSO, using the more modern authentication protocols, OAuth, SAML, and then on top of that, MFA. If you’re not doing MFA first, I feel like there’s no real reason to go down another road, because MFA is the-

Robert Davis:

… key, yeah. It’s that first key.

John Dasher:

Cool. Why don’t we talk a little bit about the result of the second poll question? That was around where people are in their journey. What was their pilot project? Charlene, do you want to review that with us?

Charlene O’Hanlon:

Absolutely. So the second polling question is, just to reiterate, for those of you who are planning or have deployed a zero trust solution, where did you start? The majority of folks, 58%, said that they started with security slash IT access. Then about half of those, a little less than half, 21%, said developers’ access to infrastructure as a service. The remaining two, 12% said third-party remote access, and only 9% said broad VPN replacement. So those are pretty telling answers there. I wonder. Does security, IT access, does that make sense to you as the most popular response?

John Dasher:

I’ll let Robert answer that. I mean, that’s the path you went down.

Robert Davis:

For me, it definitely does. It really starts with … That group, in some ways, may feel some of the pains more than others, but also-

John Dasher:

Is that because of the complexity of their typical environment, or why?

Robert Davis:

Yeah, I think, yes. So the complexity … So they’re accessing infrastructure, for instance. A normal business user might not do that, but they will, and so they’ll run into some pain points that business users won’t. They will also, in some ways … This is a very general statement, but they may complain more than some of the business users, especially some of the power engineers. They’ll let you know right away if something is impacting their workflow, and they don’t like that. So I think starting there makes the most sense.

John Dasher:

You probably get a level of technical information with that complaint that you might not get from a business user who’s simply logging into Salesforce.

Robert Davis:

Exactly, yep.

John Dasher:

So I’ve got exactly one slide of talking about Banyan Security we’ll walk you through, and then we’ll take some questions here. We’ve got a few things that we very consistently hear about why people choose Banyan Security. Our customers are very consistent in this regard. One of the main reasons … One of the first things we hear about is that we support a heterogeneous IT environment. We view heterogeneous as a big, broad word. It’s heterogeneous infrastructure in terms of where stuff lives, your private, hybrid, multi-cloud, on premise, as Robert was saying, heterogeneous in terms of the devices, managed, unmanaged, BYOD, in terms of your users. It’s not just your employees. Especially now, I think we’re seeing more and more companies make broader use of gig workers, contractors, consultants, that sort of thing, being able to get them access to what they need. Then, again, just in terms of the resources, web apps, SaaS apps, servers, even APIs. We’re seeing people take advantage of zero trust to cordon off which APIs are accessible and to whom and under what circumstances. So that’s number one.

John Dasher:

Number two, we focus on the capabilities that companies need, especially when software is at the strategic core of their business, or if they are software companies. We really pride ourselves on our ability to provide one-click access to infrastructure. As Robert was saying, it’s complicated, and if you can get that nailed, everything else kind of seems almost easy by comparison. We started on the principles of BeyondCorp, Google’s original project that we talked about earlier, but we continue to drive those principles further. We’ve really worked hard to make sure that there’s an easy … a privacy friendly way of incorporating device trust. In other words, we don’t have to have an MDM. If you’ve got one, great. We can take signals from your MDM, but you don’t have to have one. We certainly don’t need to route your traffic through any centralized choke points or anything else that might be viewed, from a privacy perspective, as intrusive.

John Dasher:

Then making sure that we are taking advantage of continuous authorization. We can put a real-time trust score in place so that you always have a feel for the security posture of those devices that are accessing your resources. So the key point there, being able to have a policy that leverages device trust. Every security project has got policies, no doubt about it, but being able to incorporate device trust in those policies and then do so real-time is a neat way to be able to handle some of this stuff. So those are some of the core things that Banyan Security feels like are key to our DNA, who we are and what we’re offering. We would certainly love to talk to you about that at your leisure. You can go to our website, www.BanyanSecurity.io. We’d love to have a deeper conversation with you all.

John Dasher:

But before we get to that, I promised we’d reserve time for Q&A. We’ve got a great resource in Robert. So why don’t we open up for some questions?

Charlene O’Hanlon:

Great. We’ve gotten some questions in, but there’s plenty of time for questions, guys, if you do have one. Go ahead and use that question and answer tab and submit it. You can also put it in the chat, and we’ll just move it over for you, no big deal at all. The first question is from Mike, who asks, “So is zero trust a misnomer? You say you need both trusted users and trusted devices. Isn’t the assumption of at least advanced persistent attacks that either users or devices on your net are compromised?”

Robert Davis:

I think that is a terrific question. I think zero trust is a buzzword that is, unfortunately, required to make it known this is a new way of thinking or doing things. But, for me, it’s zero trust network, meaning I don’t care where the device is. It can be at home. It can be on my network. It can be somewhere else.

John Dasher:

Starbucks.

Robert Davis:

Starbucks, yeah. But I don’t trust the device … I’m sorry. I don’t trust the network they’re coming from, no matter what. I have to build some level of trust in some way, and that’s where users and devices come from. The assumption that APTs are infecting a user and/or device, yes, absolutely, that’s true. So zero trust does not end with having a user and device level check. You still absolutely need to be doing the security monitoring, the security detections, looking at EDR. Adding those to your security program are still important, but you’re going to do that whether you have zero trust or not. Zero trust now gives you some flexibility to do things differently.

Robert Davis:

Then on top of that, if a user’s device does get compromised but there’s no VPN connectivity back to the corporate because you’re leveraging a zero trust network model, lateral movement, which is critical to these types of attacks, is much, much more difficult. It’s not impossible, of course, but it’s so much more difficult when you don’t have that network layer there.

John Dasher:

Both the least privileged access and the prevention of lateral movement are key, absolutely key. As you’ve seen with other threat vectors, ransomware and other things, really almost require that lateral movement to affect. So being able to shut that down is super important.

Charlene O’Hanlon:

Excellent, excellent. Next question here from Sanjeev. He asks, “How does zero trust access prevent supply chain attacks?”

Robert Davis:

Ooh, that is a good question. I think with the most recent types of supply chain attacks that were really attacking infrastructure within data centers and corporations, and less about attacking the user side, that’s going to be a very tricky one. But if you leverage zero trust between servers in the back end, there could be some benefit there potentially, again, the lateral movement play. But you can also achieve that, and you should be, with network segmentation, doing that properly. So there may not be a direct correlation. Now there may be in the future state of supply chain attacks that impact users more so than infrastructure, and that goes back to the answer before in that, without network level connectivity, it makes things much more difficult to go from one device to another. So they’re less effective.

Charlene O’Hanlon:

All right, great. We’ve gotten some great questions in so far, but there’s still plenty of time. If you have a question, go ahead and use your question and answer tab, and we’ll try to get to as many as we can. Next one here is from Griza, who asks, “Can SSO still be integrated with passwordless authentication, taking into account zero trust?”

John Dasher:

Oh, great question.

Robert Davis:

I mean, John, if you want to answer that from a Banyan perspective, go for it, but I would say, yes, absolutely. But it will be somewhat dependent on your identity stack as well.

John Dasher:

Absolutely. It’s one of my favorites because I still get a giggle out of … I have a password manager, yes, on my devices, but being able to allow employees to have a passwordless path to the resources they need is really nice. I mean, let’s face it, we’ve got no shortage of passwords on this planet. Being able to be secure and do so without having to manage passwords is really, really nice. It’s nice to not have to file IT tickets to password recovery. It’s nice on all sides of that equation.

Charlene O’Hanlon:

All right, great. We actually just got a little chat in I thought I might share. It’s from Alexander. He says, “Zero trust is not only about users, but about suppliers as well, so trust no one, check always.” That goes back to that supply chain question. I love that comment. What do you guys think?

John Dasher:

Yeah, and I’d add on that. Not only check always, but it’s not just the initial check. The real groundbreaking idea here is continuously check, even after you’ve checked and verified and validated. Things change. We live in a dynamic world, and just because you put somebody on the approved vendor list doesn’t necessarily mean that the device they’re using at this moment in time is good. So, yeah, absolutely.

Robert Davis:

Yep, agreed.

Charlene O’Hanlon:

All right, excellent. Moving along, next question here, it’s another one from Mike, says, “Did we used to call zero trust least privilege? In that zero trust, we always limit what any user or device can do on the network.”

Robert Davis:

I feel like zero trust is an evolution of least privilege, so in some ways [crosstalk 00:48:37]

Charlene O’Hanlon:

Yeah.

Robert Davis:

Least privilege was always about the user, and this is taking it another level and looking at device, so, yes, it’s an evolution of that.

John Dasher:

The other thing that I would add to that is it’s not just limiting what a user or device can do on the network, because, again, the network is no longer our focus. It’s about what the user or device … what resource they can access. Again, you can even go down to the API level and say, hey, my full-time employees who are doing production level work can access these APIs, and then contracting team I hired to do some backend work temporarily can only access these APIs. So it’s really less about … It’s not about the network, and it’s about what that user and their device have access to from a resource perspective.

Charlene O’Hanlon:

All right, all right. So we are about 10 minutes to the top of the hour, which means we have about eight more minutes for question and answer period. So once again, there’s plenty of time. If you have a question, please send it on in. Our next question is from Charles, my buddy Charles. He actually-

John Dasher:

Charles!

Charlene O’Hanlon:

I know Charles, yeah. Chick-fil-A.

John Dasher:

Everybody knows Charles.

Charlene O’Hanlon:

“Chick-fil-A’s mobile app is the best because of how well it integrates with the store system. Did you need to do extra work to ensure that mobile orders are not a gateway into your POS, point of sale system?”

Robert Davis:

Yeah, absolutely. There was a lot of architecture design security baked in from the beginning when we were thinking about the way the mobile ordering system works. So, yes, there was some extra work involved there, for sure.

Charlene O’Hanlon:

All right. We have another one here that kind of connects zero trust and least privilege access. Where in your zero trust adoption has least privilege access had the biggest impact from a security perspective?

Robert Davis:

Where in the adoption? That’s a good question. I’m just trying to think of the best way to phrase the answer. I would say, when it comes to cloud infrastructure … So as we started to adopt the usage of AWS, one of the things that we did was we tackled it from a multi account strategy perspective. So we have, let’s say, over 200 accounts, and each one of those accounts has a limited number of people that have access to the infrastructure within that AWS account. So having least privilege there and then adding in zero trust to that, we will get to a very solid point of knowing who and what is connecting to infrastructure at any given point. So I would say cloud infrastructure, for sure.

Charlene O’Hanlon:

All right, great. So I think we have time for two, maybe three more questions, so please send any last-minute stragglers in, and we’ll try to get to as many as we can. Next question here for you, Robert, “What is your opinion on trust-based access control versus old school role-based access control?”

Robert Davis:

I still like old school role-based access control, but this is similar to the least privilege question. It’s an evolution of it. So you still need to do role-based in some ways, but now you can just extend it to, this user is in this role and can do these things, but only from this device or this type of device, so it’s just an extension of that.

John Dasher:

With a specific trust level, yeah.

Robert Davis:

Right, with specific trust levels involved.

Charlene O’Hanlon:

All right, great. Mike has yet another question. Mike has got some really great questions.

Robert Davis:

All right, Mike.

Charlene O’Hanlon:

Yay, yay, Mike. “How does the zero trust network prevent protocols tunneling on other protocols? I recall articles about getting full internet access through an airport’s DNS service by tunnel. How do you prevent exfiltration through non-obvious routes?”

Robert Davis:

So exfiltration is a very different problem. I would say zero trust network, for me, is all about inbound access and who can access, to John’s point, what resource, and what trust level is required to get there? Exfiltration is handled from a very different perspective. I wouldn’t necessarily tie those two together. Preventing exfiltration, in a traditional sense, that’s leveraging proper IPS, proper, I’ll call it, next gen firewalls that look at applications versus traditional traffic. So it would inspect your DNS traffic and say, oh, this isn’t real DNS, denied. But that’s not a zero trust network issue. That’s a different problem.

Charlene O’Hanlon:

All right, all right. We have one more question here in the queue. But, like I said before, there’s a few minutes left, so if you do have a question, go ahead and get it on in. Let’s see. The question is, “How hands on were you during your solution evaluation?”

Robert Davis:

I have loved this space ever since I read that first BeyondCorp paper that I have been fully hands on and sending numerous complaints and/or issues and/or-

Charlene O’Hanlon:

Hopefully compliments too.

Robert Davis:

… things that I like, compliments, yep, compliments too, for sure [crosstalk 00:54:40]

John Dasher:

That’s how we get better.

Robert Davis:

That’s right. I’m helping people get better. I was talking about the continuous authorization. That was me playing with that capability and trying to really understand it and getting as hands on as I possibly could, so extremely hands on.

Charlene O’Hanlon:

Excellent, all right. All right, well, we are about five minutes till the top of the hour. That is all the questions that we have currently in our tab. I will go ahead and leave the question and answer tab open to see if we get any last-minute stragglers in. While we are waiting, I do want to quickly remind the audience that today’s event is being recorded. So if you’ve missed any or all of the webinar or if you just want to watch it again, you will have the opportunity to do so. Following today’s webinar, we will be sending out an email that contains a link to access the webinar on demand, and the webinar is also going to be living on the Security Boulevard website. So you can go find it there. You can just go to SecurityBoulevard.com/Webinars. Look in the on demand section, and it should be right there waiting for you.

Charlene O’Hanlon:

All right, no other questions have come in, so I’m going to go ahead and close out the question and answer period. I do want to thank everybody who did submit questions, some amazing questions today, guys. Thank you so much. I do appreciate your engagement with the question and answer period, and, as I said, lots and lots of really great questions came in, so thank you again. All right, so I think the last thing I have to do today now is to do the drawing for the four $25 Amazon gift cards. Let’s go ahead and do that. I know it’s what everybody’s waiting for. All right, our first winner today is Dan B. Congratulations, Dan. Second winner is Bryan O. Congratulations, Bryan. Our third winner today is Rachel B. Congratulations, Rachel. Our fourth and final winner today is Brent B. Congratulations, Brent. We’ll be following up with all four of you via email to get your Amazon gift card over to you, so please check your inbox. If you don’t see anything there, please check your spam folder.

Charlene O’Hanlon:

John and Robert, great presentation, lots and lots of interesting stuff. I really enjoyed your conversation. Judging from the comments and the questions that came in from the audience, I can tell they got a lot out of it too, so thank you very, very much, really do appreciate it.

John Dasher:

Thank you, Robert. Thank you, Charlene. Thanks for everyone at media ops for putting this together. But, Robert, thank you so much for your time. I know you’re a super busy time, and I really do appreciate you walking us through some of your journey so that we can all benefit from that.

Robert Davis:

I had a great time, so thanks. If anybody ever wants to talk zero trust or security or just general stuff, feel free to reach out to me on LinkedIn, love to make a connection.

Charlene O’Hanlon:

All right, all right. I as well want to thank the audience for joining us today. This is Charlene O’Hanlon, and I’m not signing off. Have a great day, everybody, and please stay safe.

John Dasher:

Thank you.
