Zero Trust Networks: Building Secure Systems in Untrusted Networks

Apr 04, 2025 · 26 min

Episode description

Zero Trust Networks, by Evan Gilman and Doug Barth, explores building secure systems in untrusted networks. The book critiques the limitations of perimeter-based security, arguing that assuming internal networks are inherently safe is flawed. It advocates for a zero trust model, where no implicit trust is granted, and every access request is verified. The authors detail implementing this model, covering topics such as authentication, authorization, encryption, and policy enforcement. Finally, the text provides case studies illustrating successful zero trust deployments at Google and PagerDuty.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Zero-Trust-Networks-Building-Untrusted/dp/1491962194?&linkCode=ll1&tag=cvthunderx-20&linkId=dc48bf72e6a554d96ef768587ac56afe&language=en_US&ref_=as_li_ss_tl




Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Right, so today we're diving deep into zero trust networks. It's this model kind of flips the script on how we think about network security, you know, turns that whole castle walls idea on its head. And our guide for this whole thing is Evan Gilman and Doug Barth's book Zero Trust Networks: Building Secure Systems in Untrusted Networks. You know how companies they spend so much on firewalls and all that to keep like the bad.

Speaker 2

Guys out, right, keep them out? Yeah, well, zero trust, zero trust's different. It starts with this whole other question: what if, what if they're already in? Exactly, it's a fundamental shift, and it is, instead of just focusing on this strong perimeter, zero trust, it kind of assumes that the breach has already happened, and it builds security from the inside out.

Speaker 1

So it's less fortress more or like a super secure city. That's a great analogy, always on guard.

Speaker 3

Think of it like in a zero trust network, every single user, every device, every application has to prove that it's trustworthy all the time. No more free passes just because you're on the internal network.

Speaker 1

And that's that's what really got me with this book. From the get go, they start with this story about this e-commerce company. Oh yeah, they've got like all the bells and whistles, right or firewalls, firewalls, all these security zones. But guess what they.

Speaker 3

Still got hacked.

Speaker 1

Hacked.

Speaker 3

Yeah, the attackers they got in they moved laterally within the network. Oh wow, and all their defenses they just didn't see it coming. It just exposes this weakness in the whole perimeter.

Speaker 1

Model, right, yeah, that assumption.

Speaker 3

That everything inside a zone is safe, yeah, is trustworthy?

Speaker 1

Yeah? Okay, I'm starting to see the problem here. Yeah, but like how does this how does zero trust actually work? You know?

Speaker 3

Well, at its core, zero trust it boils down to three main things: user and application authentication, device authentication, and trust. But before we like dive into the technical stuff, we need to understand the philosophy behind it.

Speaker 1

Okay, I know, I like where this is going a little philosophy, I'm in.

Speaker 3

So, where does trust actually begin in a zero trust system? Okay, well, it starts with us humans. We as the operators, we're the like the first source of trust, you know, and from there that trust it kind of flows down to our systems, our applications, through a whole chain of things, like especially digital certificates. Think of it like a chain of command where every single link is really carefully vetted.

Speaker 1

Okay, so you're saying our human trust gets like translated translated into this technical chain of trust like certificates.

Speaker 3

Exactly. So these certificates they're issued by these really carefully vetted certificate authorities.

Speaker 1

Right.

Speaker 3

So they're like digital passports. They vouch for, you know, the identity of users, devices, applications. But it's not like set it and forget it, right. You know, we're always checking these certificates, making sure they're still valid, haven't been, you know, messed with.

Speaker 1

Right, because things change exactly. That's where that that whole idea of a web of trust comes in, right, Like instead of just having one central authority.

Speaker 3

Right, we've got this whole interconnected network of trust relationships. It's it's kind of like this complex ecosystem where trust is constantly being evaluated and reevaluated based on like a bunch of different factors.

Speaker 1

That's like a living breathing.

Speaker 3

Yeah, yeah, exactly.

Speaker 1

Okay, this is this is making more sense now, good. But I got to ask, how do you know which threats to prioritize? I mean, there's so many out there, so many.

Speaker 3

Yeah, So that's where threat modeling comes in. Okay, It's it's key for any zero trust implementation. It helps us figure out who's most likely to attack us, what their tactics are going to be, so we can, you know, focus our defenses.

Speaker 1

So instead of trying to defend against like every possible thing under the sun, everything, you focus on what's.

Speaker 3

What's most likely most likely exactly.

Speaker 1

But then wouldn't that leave you open to less common attacks?

Speaker 3

Not necessarily. Remember we're always watching, always adapting, right, So while we may prioritize certain threats, we still got stuff in place to catch those unexpected things. It's all about balancing risk and resources.

Speaker 1

You know, it makes sense. Okay, So let's say you've got, like you've figured out your top threats. How do you actually verify someone is who they say they are.

Speaker 3

That's a good question.

Speaker 1

That's where authentication comes.

Speaker 3

In exactly, and all those mechanisms, especially in a zero trust environment, we can't just rely on on like simple passwords anymore, right, right, We need we need strong stuff that can really stand up to sophisticated attacks.

Speaker 1

So are we talking about like layering those classic authentication factors? Oh yeah, like something you know, like a password, passwords, something you have, token, yeah, like a token or something, and something you are, biometric, biometrics, the whole shebang, the whole the whole thing, you got it.

Speaker 3

And combining them that's essential, right, multi factor authentication, multi factor that's that's key because it ensures that even if you know, one factor gets compromised, the attackers still can't get in.

Speaker 1

Can't get in. But I could see that being a real pain for users, like constantly having to enter passwords and scan your fingerprint or whatever.

Speaker 3

Right, Yeah, it's it's a challenge, you know, And that's where good design and user education comes in. We need to you know, implement authentication in a way that.

Speaker 1

That makes it easy, yeah, easy for users, but hard.

Speaker 3

The hard for the bad guys, for the bad guys. Okay, And remember it's not about like making it impossible for people to work, right, It's about making it really really hard for those.

Speaker 1

Attackers to take advantage.

Speaker 3

To exploit any weakness, right.

Speaker 1

Right, so it's like strong authentication's kind of like that the front line line of defense. Yeah, in the zero trust network. But what about all the stuff.

Speaker 3

The stuff behind the scenes.

Speaker 1

The servers and applications all that. How do you secure all that?

Speaker 3

So that's where device identity becomes really important. Like, you know, just like users devices, they need to be authenticated too, so we know they're legitimate, legitimate.

Speaker 1

Haven't been messed with. And certificates are part of this too.

Speaker 3

Oh yeah, they're key here.

Speaker 1

So it's like each server gets its own.

Speaker 3

Little digital ID card, digital.

Speaker 1

ID card, I like that. But those certificates have those private keys, right right, Yeah, how do you keep those safe?

Speaker 3

That's where hardware security modules or HSMs come in.

Speaker 1

HSMs.

Speaker 3

Yeah, think of them like these tiny super secure vaults. Okay, designed to protect those keys.

Speaker 1

You know.

Speaker 3

One common type is a TPM Trusted Platform Module, which is often like built right into the computer.

Speaker 1

So it's like it's like giving each server a little bodyguard for its secrets.

Speaker 3

Its most valuable secrets.

Speaker 1

Yeah, okay, this is all starting to click. Good, But how does this play out in the real world, Like, are there companies actually doing this at scale?

Speaker 3

Absolutely. In fact, Google's BeyondCorp initiative, it's a prime example of zero trust in action. Okay, they took this really radical approach. They basically treated their internal network like the public Internet.

Speaker 1

So they just decided to ditch.

Speaker 3

Basically, they said, it's inherently untrusted the whole perimeter the public Internet.

Speaker 1

That's bold.

Speaker 3

It was. It was a huge undertaking, but they recognized that the traditional approach just it wasn't working anymore. You know. They needed a new way to secure their their massive network, their applications.

Speaker 1

So how did they actually do it? I mean, I'm guessing it wasn't just like a flip a switch.

Speaker 3

They developed a system that verifies the user and the device before it grants access to any of the applications. So it's like every request goes through airport level security no matter where it's coming from.

Speaker 1

Wow. So like no more just strolling through the employee entrance. Everyone gets the full, everyone gets checked, checked. But Google is Google.

Speaker 3

They have the resources.

Speaker 1

What about companies that don't have that.

Speaker 3

Don't have Google-sized resources. It can still be done. A great example is PagerDuty. A smaller company, they took a more pragmatic approach, so instead of building everything from scratch, they used their existing configuration management system, which was Chef, to implement those core zero trust principles.

Speaker 1

So they like use the tools they already had. Yes, they start building out that framework. Okay, that's that's encouraging for companies that are, you know, maybe a little intimidated by all of.

Speaker 3

This intimidating they do. So they focused on dynamically calculating and enforcing firewall rules on individual hosts. Okay, creating this like micro-segmentation, you know, within their network. It's like building mini fortresses, mini fortresses around each of those.

Speaker 1

Assets, around each one. Yeah. I like that. I'm curious how did they, like, how did they deal with encryption?

Speaker 3

Yeah, so they were smart about it. They prioritized out-of-process encryption. Okay, so that means they separated the encryption from the application, from.

Speaker 1

The applications themselves instead each application.

Speaker 3

Yeah, they created this dedicated security. It's a much more centralized and standardized approach, which makes things more secure.

Speaker 1

More secure. This is all super fascinating. So we've seen how like zero trust can be done by by big companies and small companies. Yeah, it seems like there's more to dig into here. Absolutely. What are some of the like the deeper implications of this whole approach?

Speaker 3

Yeah, you're right, we're just scratching the surface here. Zero trust it's not just tech. It's a way of thinking about security.

Speaker 1

You know. Okay, and that's where it gets interesting.

Speaker 3

It's interesting.

Speaker 1

Hold on to that thought. We'll be right back, be right back after a quick break, quick break to really dive into the world of zero trust networks.

Speaker 3

Zero trust networks.

Speaker 1

All right, So before the break for the break, we were talking about how zero trust it's more than just the tech.

Speaker 3

Yeah, it's it's a whole different way of thinking about security.

Speaker 1

Yeah, like a whole whole new mindset exactly.

Speaker 3

And that that mindset, it leads to some interesting questions like how do you measure trust in a in a digital world.

Speaker 1

It's not like you can I can look someone in the eye exactly, So how.

Speaker 3

Do you how do you even start building trust? Yeah, well you gotta look for clues, okay, what we call trust signals.

Speaker 1

Trust signals.

Speaker 3

Yeah, so these are like bits of information that help us kind of paint a picture of how trustworthy a user or a device actually is.

Speaker 1

Okay, you know. So it's it's like.

Speaker 3

Being a digital detective.

Speaker 1

A digital detective. Yeah, I like that.

Speaker 3

Yeah, we're looking for patterns, anomalies, you know, anything that looks kind of strange. Like let's say someone tries to log in from a country they've never been to before.

Speaker 1

That's a red flag.

Speaker 3

That would be a red yeah.

Speaker 1

Yeah. Yeah. Or if or if a user suddenly starts accessing all these files exactly that they've never touched before, match before. Yeah, that's that's a little fishy.

Speaker 3

That sums up.

Speaker 1

Yeah.

Speaker 3

We also look at things like you know, device.

Speaker 1

Posture, device posture, Yeah, like.

Speaker 3

Is the device like up to date, is it patched, you know, is it running known malware, known malware? Yeah, the more of these trust signals, we can get better, we can assess assess the risk.

Speaker 1

But wouldn't all this create a ton of false alarms? You know?

Speaker 3

That's a good point, Like what if I'm.

Speaker 1

Just traveling for work, and right if you need to and I need to access these files from this new location, right.

Speaker 3

Yeah, that's why we need to find that balance, okay, between security and usability.

Speaker 1

Right.

Speaker 3

We don't want to lock people out for no reason, for legitimate reasons. Yeah, So that's where things like machine learning and AI come in. Okay, they can analyze huge amounts of data find those subtle patterns anomalies that we might.

Speaker 1

Miss right, So it's not just about blindly blocking, yeah, blindly blocking anything.

Speaker 3

Anything that looks a little off. It's about being smart, using technology to be smart exactly. And you know, at the end of the day, humans are still a big part of this.

Speaker 1

Okay.

Speaker 3

You know, the system can analyze all the data it wants, flag those potential problems, but ultimately it's up to us security professionals to make.

Speaker 1

The call, to make the decision. Yeah. Okay, So so we've got this system verifying identities, gathering all these trust signals, yeah, making.

Speaker 3

Decisions decisions about access, about access exactly, how do we actually like, how do we build it, build this, put it all together?

Speaker 1

Yeah.

Speaker 3

So the book recommends starting with a prioritized list, okay, of key things to consider. Okay, you can't do everything all at once, right right, right. You focus on the most critical stuff first. You know, for most organizations, it's a journey. It's a journey, not a sprint, not a sprint.

Speaker 1

Okay. So, like like building a house, like building a house, start with the foundation and then you go from there.

Speaker 3

Yeah, okay, so what are some of those those foundation pieces for a zero trust network?

Speaker 1

Okay, So one of the like the most important things, Yeah, is that everything, every every network flow has to be authenticated before it's even processed. Okay. So that means like you're checking.

Speaker 3

We're verifying the sender.

Speaker 1

And the receiver of every single.

Speaker 3

Every single packet of data. So you're not just some more trusting trust because it's inside yeah yeah, yeah, okay, zero trust. It gets rid of that assumption, okay, okay. So another key point is that your authentication, okay, it shouldn't rely on public PKI providers, public key. Yeah. Instead, we should use our own private PKI system. Man, it's all that, yeah, to manage all of our certificates and keys.

Speaker 1

So you're you're basically saying, like we control our own, we have to control our own destiny, destiny.

Speaker 3

Yeah, we can't rely on on someone else, right, someone that we don't totally control.

Speaker 1

Right, Right. And then and then of course there's encryption. Encryption, Yeah, gotta have.

Speaker 3

Gotta have encryption. Encryption, everything at rest in transit, it all needs to be encrypted.

Speaker 1

It's like that armor. It's the armor that protects the.

Speaker 3

Data even if it falls into the wrong hands.

Speaker 1

Right, but doesn't doesn't all that encryption slow things down? Yeah, slow things down, especially in in like large networks.

Speaker 3

Yeah, it's a concern. But the thing is modern encryption. Yeah, it's much more efficient than it used to be, and the cost of a data breach, oh yeah, way outweighs any performance hit that we might see from encryption. Plus there's there's techniques okay, like hardware accelerated encryption to help with that to kind of minimize that that overhead.

Speaker 1

Okay, so encryption is a must have. What else, like, so another thing companies prioritize is a.

Speaker 3

Really detailed system diagram.

Speaker 1

Okay.

Speaker 3

It helps you really see the network, identify any any gaps in security, and prioritize what you need to do. Give me a big.

Speaker 1

Task, like a huge undertaking.

Speaker 3

Especially organizations are large organizations, organization with networks, Like.

Speaker 1

Where do you even start?

Speaker 3

You start by by identifying every single device, every application, all.

Speaker 1

Those data flows within the network.

Speaker 3

Within the network. It can be overwhelming a lot. Yeah, but there are tools to help you know, automate that.

Speaker 1

Okay, So you're not saying like we got to like no pen and paper, pen and paper map the whole network.

Speaker 3

Out, No, no, no, there's there's network discovery tools and asset management solutions to help you create that inventory.

Speaker 1

So you've got your diagram.

Speaker 3

Diagram, then you need to figure out all those network flows, you know, document what they're supposed to be doing, who's supposed to be talking to who, and why. That information it's crucial for creating those granular policies that control access to your in a world that's that's constantly changing.

Speaker 1

Dynamic and always changing. Wouldn't that be like impossible to keep track of?

Speaker 3

Oh, it would be it would be impossible to do it manually. Right, That's that's where automation comes in. Automation comes in.

Speaker 1

You know, we.

Speaker 3

Need tools they help us that can automatically discover, monitor, and enforce all those policies.

Speaker 1

So it's like having like an army of an army of little digital security guards.

Speaker 3

Digital security guards patrolling making sure everything's in check in check.

Speaker 1

Yeah.

Speaker 4

Configuration management systems like the one PagerDuty used, they can they can really help here.

Speaker 3

They help ensure that all the devices configured correctly, consistently, and then the.

Speaker 1

Security policies are across the board, across the entire network. Right. Okay, so we got a plan. We have plan for building.

Speaker 2

Infrastructure for structure right, what about the people, you know, the human element, the humans.

Speaker 3

How do we get them on board, on board with all of this? You're right, that's that's critical because change is hard.

Speaker 1

Change is hard. User education and training.

Speaker 3

Okay, so important any of this, Yes.

Speaker 1

Especially for something like zero trust. You know, we need to explain to people why this matters, how it helps them, how it's going to like affect their day to day work.

Speaker 3

So instead of just like throwing a bunch of rules at them and saying, like, do.

Speaker 1

It to it, we got to bring them along. You've got to bring.

Speaker 3

Them along, bring them along, and it's not it's not a one time thing. You've got to constantly reinforce the importance of security, provide updates on new threats, best practices, and make sure the systems are actually designed with the user in mind, because.

Speaker 1

If it's too hard to use, they're going to find ways around it.

Speaker 3

Exactly. We've got to find that.

Speaker 1

Sweet spot, sweet spot.

Speaker 3

Yeah, Okay, between security and usability. People need to understand that this isn't about spying on them making their lives hard.

Speaker 1

It's about protecting everyone, protecting everyone all these new threats, right. Yeah, Okay, so we've covered like a lot of ground here we have.

Speaker 3

From the very basics of zero trust, like how do you actually do what?

Speaker 1

How do you implement it? Right? But no security is like perfect, It's.

Speaker 3

True, nothing's foolproof. In fact, the book actually spends a whole chapter looking at zero trust from the attacker's perspective.

Speaker 1

Okay, so let's let's put on our black hats.

Speaker 3

Let's do it.

Speaker 1

If if we were going to try to attack a zero trust network, what would we look for.

Speaker 3

Well, one thing that could be a weakness is complexity. The more moving parts you have, the more chances there are for something to go wrong.

Speaker 1

So like a firewall rule.

Speaker 3

Yeah, a misconfigured firewall rule, or a certificate that's been, you know, compromised, compromised, that could create.

Speaker 1

A vulnerability that someone could sneak through.

Speaker 3

That an attacker could exploit, exactly. So that's why testing and constant monitoring are so important.

Speaker 1

Always got to be.

Speaker 3

You've got to be vigilant, always on the lookout for any signs of.

Speaker 1

Weakness or compromise or compromise. Yeah. Another challenge I could see is like how it impacts the users.

Speaker 3

Yeah, that's a good point.

Speaker 1

You know, if you're always checking every little thing.

Speaker 3

If we're verifying every action, requiring.

Speaker 1

All this multi-factor, multi-factor authentication.

Speaker 3

Yeah, it could definitely slow people down, create some friction in their workflow.

Speaker 1

So it's it's that balance again, It's that balance security, security and usability, usability. We got to find that sweet spot, that sweet spot. And let's not forget about cost. The cost.

Speaker 3

It's expensive, all this hardware, software, all of that. You need, you need resources, you need people. Right, it can be a significant investment. But remember they don't have to do everything at once. Okay, you know, start small, focus on your your most important stuff, you know, your your crown jewels, your crown jewels, and expand from there.

Speaker 1

So it's it's not like all or nothing exactly.

Speaker 3

It's about taking a strategic approach, you know, prioritizing based on what you need.

Speaker 1

You need resource resources.

Speaker 3

And there are ways to leverage what you already have right to help with the cost.

Speaker 1

Okay, so we've talked about like the potential downsides downside, but there's there's a lot of benefits.

Speaker 3

Oh yeah, tons of benefits to zero trust. It's a much stronger, more resilient security model than the traditional like perimeter-based approach. It helps reduce the attack surface.

Speaker 1

Limit like the damage if if there is a breach exactly improves data protection.

Speaker 3

It enhances data protection overall. Yeah, and especially as we move towards more cloud computing, more mobile devices, remote work, remote zero trust is it's becoming essential.

Speaker 1

Yeah, it's it's how we secure sure all our digital.

Speaker 3

Stuff, all our digital assets are operations, are operators a world where the network is is it's all blurring together, blurring.

Speaker 1

Okay. So as we wrap up here our deep dive, it's it's important to really hit home that zero trust.

Speaker 3

It's more than just the technology. It's all the mindset.

Speaker 1

It's about moving away from that idea.

Speaker 3

Of a trusted perimeter. Yeah, you know, it's about embracing the fact that threats can come from anywhere, anywhere inside the company.

Speaker 1

Your organization. You've got to verify everything. Don't trust anything, blindly trust nothing.

Speaker 3

Build security, Build security from the inside out, from.

Speaker 1

The inside out. Yeah, and it's it's understanding that security's.

Speaker 3

It's not a one time fix.

Speaker 1

It's ongoing.

Speaker 3

It's a process.

Speaker 1

You got to adapt, adapt, you got to improve all the time, always. Okay, so for the listener out there who might be feeling a little little overwhelmed by all that's what's like the one thing they should take away.

Speaker 3

You know, just start somewhere, Start somewhere. You don't have to do everything all at once. Okay, start with your most critical assets, secure those first, and then go from there.

Speaker 1

Iterate, iterate, and build it up.

Speaker 3

Build up your zero trust posture over time, over time. And remember it's a journey, not a race. There's going to be bumps along the way, but the benefits, they're worth it. Zero trust, it's all about creating a more secure, a more resilient digital future, digital future for your organization, for your organization.

Speaker 1

Very well said, thank you. So before we wrap up completely, I have one final, like thought provoking question for our listeners. So, if you could like redesign your whole network security setup from scratch, from scratch, knowing, you know, knowing all this all this about zero trust, what what would you do differently?

Speaker 4

That's that's something for you to think about. Yeah, you think about your own organizations, think about your own like challenge, your own unique security challenges. You know, how could how could you apply these zero trust principles to make things better, stronger, stronger.

Speaker 3

Yeah, what what system.

Speaker 1

The data is? What data most important?

Speaker 3

What are the most likely threats you're going to face?

Speaker 1

Right?

Speaker 3

And how can you how can you build a security posture that that kind of assumes that.

Speaker 1

Those threats that they're already there.

Speaker 3

They might already be there lurking, lurking inside your network.

Speaker 1

This whole, this whole deep dive has really opened my eyes to how, you.

Speaker 3

Know, security is not just about security, is not just about building higher walls, higher walls.

Speaker 1

It's about it's about changing, changing how we think about trust, how we think about trust. Yeah, zero trust, it's it's a journey, a journey, not a.

Speaker 3

Not a destination.

Speaker 1

It's it's constant vigilance, adaptation, a willingness to like challenge what you think you know. But if you do it, you'll create a more secure.

Speaker 3

And resilient and resilient digital future.

Speaker 1

Digital future.

Speaker 3

I think I think we've really, we've really gone deep into this whole world of zero trust, the world of zero trust. Yeah, and you know, thanks to Gilman and Barth, Gilman and Barth for writing that.

Speaker 1

For that awesome book.

Speaker 3

It's a great book.

Speaker 1

And to you listener, thanks for coming along with us. Thanks for joining us this deep dive.

Speaker 3

On this deep dive, we hope you got some some good stuff out of it.

Speaker 1

Yeah, some good stuff out of it.

Speaker 3

Maybe maybe some.

Speaker 1

Aha moments, aha moments.

Speaker 3

Remember the best way to learn is to keep exploring, keep asking those questions.

Speaker 1

Keep asking questions, push those boundaries, push the boundaries.

Speaker 3

So until next time, stay curious, stay curious, and stay secure.

Transcript source: Provided by creator in RSS feed