Adopting Zero Trust

For more than a decade, Zero Trust as a concept has moved from a philosophy and now into a practical architecture and strategy that organizations can adopt. While Zero Trust encapsulates much of what has gone well in cybersecurity for the past 30 years or so, does it truly offer an innovative approach or just iterative change? Is the concept positioned well so others can adapt it to their needs and prevent greater cyber-related risks? While we know it’s certainly not a silver bullet, and use cases are still reasonably immature, there is a firm argument for it helping to drive cybersecurity innovation forward.
This week on AZT, Neal and I chat with Andrew “AJ” Grotto, current Stanford University Fellow and Director of Security at Turtle Rock Studios (makers of Back 4 Blood and other popular video games). Prior to his current roles, AJ was an advisor at NIST and was the Senior Director for Cybersecurity Policy for The White House National Security Council. As a practitioner and academic who danced the line between public and private sectors, AJ is well suited to help us navigate the question of what drives innovation around cybersecurity if the federal government is behind the curve or creates chain reactions, and where policy comes into play.

This week on AZT, we chat about something timely and impactful to everyone in the cybersecurity and users impacted by related decisions: the new National Cybersecurity Strategy (full strategy here). Our guests this week are Tony Scott and Ilona Cohen, both industry powerhouses and experts well-equipped to navigate this complex document.
 
Ilona Cohen is the former General Counsel at Office of Management and Budget (OMB), was an Associate White House Counsel and Special Assistant to the President during the Obama administration, and is currently the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne.
 
Tony Scott is the former U.S. Federal CIO during the Obama administration, has worked for brands such as Disney and GM, and is currently the President and CEO of Intrusion.
Together, they both experienced the Office of Personnel Management (OPM) breach of 2015, and have been involved with the ever-shifting threat landscape that impacts and leads to new initiatives like the latest National Cybersecurity Strategy. In particular, it resulted in the Cybersecurity National Action Plan, which resulted in the first bug bounty program.

This week Neal and I continue with our exploration of new formats, and this time we go one-on-one with the Founder and CEO of Netfoundry, Galeal Zino. Prior to Netfoundry, Zino spent much of his career traversing R&D, and later moving into a key role for Tata Communications. 
Though Netfoundry’s bread and butter is a Zero Trust Network Access (ZTNA) solution that can be built into other technology via API and even supports IoT systems, and they also manage OpenZiti. OpenZiti is an open-source self-hosted solution of a similar nature with input and contributions from Zero Trust and developer communities. Rather than honing too deep into the technology aspect, Zino and Neal go down the rabbit hole of open source tools and communities and why they are so critical to much of today’s existing security infrastructure.

Zero Trust as a concept or strategy on the surface appears simple in nature. Heck, it’s only two words. However, when push comes to shove, and it’s time for organizational adoption, Zero Trust impacts every aspect of a business in the form of a digital transformation. Fortunately, for every complexity and question, there is an answer and solution, which is where our latest guest comes into play.
This week on Adopting Zero Trust (AZT), we chat with infosec author, practitioner, and educator George Finney about ways to make ZT more approachable. Finney is the best-selling author of Project Zero Trust, which currently offers the most approachable way to understand John Kindervag's 5-Step methodology for implementing Zero Trust, the four Zero Trust design principles, and how to limit the impact of a breach.

This week we have a two-for-one special and feature our newest panel-style format. On the practitioner side, we have crowd favorite Andrew Abel, who currently works with a financial institution, but has worked across multiple other industries in the past. On the Zero Trust technology side, we have Michael Loewy, Co-Founder of Tide Foundation. 
Tide Foundation lives between authentication and micro-segmentation, or if we look at CISA’s Foundation of Zero Trust principles: identity, network/environment, and data. The solution also impacts devices and application workloads, which means they fully align with the philosophy behind Zero Trust.
On today’s episode, we ground Zero Trust back to reality with how much implicit trust can truly be removed, dig into the concept of Zero-Knowledge Authority and how it chips away at ZT gaps of today, and follow up with Abel on how ZT has changed over the past 6 months.

This week we chat with Ismael Valenzuela, VP of Threat Intel at Blackberry, a 13-year SANS instructor, and has balanced his time between educator and practitioner for decades. Before peppering Ismael with our usual questions and falling down the rabbit hole, we dug a bit deeper into his background and what drives him to split his time between educating peers and working for some of the biggest names in tech.
On the docket for this week is Zero Trust as a philosophy, why Less Trust is a more applicable term, and the need for a threat model to narrow down your protect surface. As a side note, Ismael also just published a new post highlighting findings from BlackBerry’s new global threat intel report. The team will also discuss these findings today (Jan 26) on LinkedIn live.

Welcome to the last episode of season one, where Neal and I go on a rambling adventure and look back on some of the interesting and eye-opening conversations we’ve had over the past few months. To wrap things up, and what was supposed to be a 20-minute conversation, we felt it was time to better introduce ourselves to our listeners, discuss some plans for season two, highlight perhaps some aspirations of bringing AZT into the real world at a conference or two in 2023, and that we will finally open the doors to Zero Trust technology vendors.
 
Since this is our season one wrap episode, and much of what we cover is a stream of consciousness, there are no key takeaways. Swing back around in January as we kick off the next season with another group of amazing guests. We have plenty of surprises in the works, too!
 
We hope your year winds down well, and we will cross our fingers for no X-mas cyber incidents.

This week we chat with Chase Cunningham, Doctor Zero Trust himself, about the decade-overnight success of Zero Trust, how he got involved with the concept, and methods for navigating vendors wanting to shape the concept. For those initiated into the world of Zero Trust, you are no doubt familiar with his podcast, regular LinkedIn musings, and history as a Forrester analyst. Beyond the podcast, Chase is the CSO for Ericom Software, has a long history in threat intel, and built a significant track record while at the NSA as a chief cryptologic technician.

This week we chatted with Chris Reinhold, Director of Innovation at Core BTS, a managed security service provider (MSSP) and IT consulting firm. We dig into the long-awaited answer to our previous call, pen testing Zero Trust systems. Plus, we chat about the idea of Zero Trust as a certification and the always relevant factoid that compliance is not security.

This week we chat with J. R. Cunningham, Chief Security Officer at Nuspire, and we dig into Zero Trust as a journey. Nuspire is a managed security service provider that provides support ranging from managed detection and response (MDR), endpoint detection, vulnerability management, and of course supporting their customers with adopting Zero Trust. This week we chat about unpacking the idea of Zero Trust when a brand wants to pursue it, the increasing threats targeting the automotive industry, and Nuspire’s ongoing threat reports.