AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

Season two, episode 16: Zack Butcher discusses building upon NIST’s Zero Trust policies and standards, and ZT’s influence on a service mesh as it relates to microservices.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

There are several guiding concepts that make it easier for organizations to build a Zero Trust strategy. The first that typically come to mind come from CISA and NIST. These core elements, ranging from the five pillars through to building a ZT architecture, offer a vendor-neutral path towards removing implicit trust. Organizations like CSA also do a great job of expanding upon this knowledge with more contributions from technology and service providers. This week, we take our first step towards understanding what goes on behind these policies, standards, and recommendations, and for that we have a well-equipped guest to walk us through it.

Zack Butcher is one of the founding engineers over at Tetrate, a vendor that provides a consistent way to connect and protect thousands of individual microservices and deliver Zero Trust security operations across any environment. They also have their roots stemming from a team that worked at Google, which many of you are likely familiar with their connection to Zero Trust through BeyondCorp. However, he is also the co-author on NIST special publication 800-207A. If that looks familiar, it’s because it’s an expansion of the earlier mentioned core NIST resource, 800-207.

NIST SP 800-207A builds upon that core architecture piece and hones in on access controls in cloud-native applications in multi-cloud environments. That is a bit of a mouthful, so here is Zack on what you need to know.

When we talk about Zero Trust at runtime, there's a lot of FUD and a frustrating amount of FUD in the in the marketplace and a lot of vendors claiming certain things are Zero Trust and not.

And you know, in that landscape, I wanted to really kind of push for people to have a very clear definition of Zero Trust at runtime, and it's a minimum definition. Let me be clear. You can do a whole lot more than what we talk about in the SP, but I try and give a very, very simple minimum definition. And that is five policy checks at runtime, and we call that identity based segmentation.

Butcher also co-authored NIST SP 800-204A that focuses on building secure microservices-based applications using service-mesh architecture. So this week, Neal and Butcher ran down the rabbit hole of expanding upon these core Zero Trust resources, implications of a more secure environment at runtime, and identity-based segmentation.