#129 - Zero Trust in 2022 with Den Jones


Jan 17, 2022 | 1 hr 4 min | Ep. 129

Episode description

Jim and Jeff talk with Den Jones, Chief Security Officer at Banyan Security, about what Zero Trust in the year 2022 looks like and how to get started.

Connect with Den on LinkedIn: https://www.linkedin.com/in/denwjones/

Learn more about Banyan Security: https://www.banyansecurity.io/

Check out UrbanPunks: https://soundcloud.com/urbanpunks


Connect with Jim and Jeff on LinkedIn here:

Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/

Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/


Visit the show at www.IdentityAtTheCenter.com, follow @IDACPodcast on Twitter, and check out our live streams at www.idac.live

Transcript

You're listening to the Identity at the Center podcast, the show that talks about identity and access management and making sure you know who has access to what. Let's get started.

Welcome to the Identity at the Center podcast. I'm Jeff and that's Jim. Hey Jim. Hey Jeff, how are you, and happy New Year? Happy New Year. Welcome to 2022. The first show of 2022.

Yeah, the first call I had was on Monday, coming back from the long break, and I felt like I couldn't even concentrate, but I've been on the phone all day now. For, you know, the behind-the-scenes, this is Wednesday afternoon, and yeah, sorry. Getting back on track, and my favorite part is trying to remember what it is I do for a living and how to do all the different things that I just don't do very often and have to start again in the new year. So it's always good times. I'm sure other people are like that too. It was always a big time for password resets, coming home, security Hobson.

No doubt, no doubt. In, for what we do, you know, I just was reminded of one of the interesting aspects today, which is, you know, we hold workshops with our clients to help kind of develop their IAM strategy, and we're meeting with people throughout the organization. So we might be meeting with somebody from the business continuity, disaster recovery side, or logging, or, you name it, any other part of IT, PMO. And if folks aren't prepared or don't understand why IAM might have something to do with their area, or their area might have something to do with IAM, the last question is like, why are you asking these questions? What does what I do have to do with what you do?

And so I think that goes for a lot of parts of life, though, right? I mean, you've got to kind of set the context. You've got to kind of set the baseline, and just, you know, I felt reminded of that today. And that was, you know, what I wanted to share. Yeah, context is key in setting expectations for any conversation. You and I were part of that same conversation, and hopefully I brought it back to try and rescue kind of where things were going, but, you know, I think, in full transparency, it wasn't a great start, but we figured it out.

Yeah, well, I mean, it's something we've run into many times over many years, so it's something that, you know, it never goes away. I used to call it "stump the chump," because you get in a situation where, you know, you kind of feel like some of those questions are, you know, trying to get you rattled. It really kind of depends on how aggressive the person gets in terms of "why are you asking these questions?" But I think for the most part people are just trying to understand, like, why do you need to know this information? Because we're all kind of guardians of the information that we're responsible for, and you don't want to just give out that information willy-nilly, especially if it's secret to that business. Yeah. Plus, also, people don't want to waste their time, right? Why am I here? You know, what's the point of this? This could have been an email instead of a meeting, right? All that stuff, too. So it goes with it.

We also started something new over the break. You want to talk about that? Yeah, so it's IDAC, Identity at the Center, or idac.live. It's a YouTube streaming page, if you will. We're going on once a week and we're streaming video. We've always been resistant to doing video with the podcast, and when you see the podcast, or when you see the video, you'll know why. That's probably true. But I think it's interesting, because we do the podcast and it's more formal, more structured. So I guess where it's the stream, it's an issue, and it's a little less structured. We pick something like an article we read recently and just share our thoughts and our experiences relative to that, or whatever comes to mind, and I think people will like it. As I think, you know, I follow a few podcasts myself, and, you know, definitely you start down your podcast route based on what your interest areas are, and you want to, you know, hear what these experts in whatever field it is talk about. But after a while, it's the personalities and the side tracks that keep you interested in it, and if you like this personality you should keep coming back for more, and hopefully, you know, people like our personalities and come back for more with the stream.

Yeah, it's fun. I like it, it's different. We're still kind of figuring out, I think, format and length and time, and when to do it and things like that, but I like that it gives us the opportunity to be more current with things. And also, if you're watching the stream, or even after the fact, right, you can always comment and we can engage in a conversation kind of real-time and answer questions and give our two cents on what people were thinking. You know, we've done it a couple times here, so it's cool. You know, the wild madman ramblings of Jim and Jeff when it comes to IAM and whatever else strikes our fancy for that particular day. Absolutely.

Well, let's pivot this to where we want to take this conversation, because, speaking of smooth transitions and the wild ramblings, I feel like zero trust has been one of those for the last couple of years. It has not stopped.

It has, you know, gained steam over the last, I'd say really the last year is when I've seen kind of a lot of growth in the area. And we're very fortunate that for our first guest of 2022 we've got Den Jones. He's the Chief Security Officer at Banyan Security, and he's also an advisory board member with the Identity Defined Security Alliance. Welcome to the show, Den. Hey guys! Thank you very much for having me, and happy New Year, everyone. It's great to be here.

Yeah, happy New Year, and I should also, I'm going to tee up something we're going to talk about later: also known as UrbanPunks. So we're going to get into what that means a little bit later, because I'm totally fascinated by this. But before we get there, let's talk a little bit about identity, and this being the first time you're on the show, we always like to kind of find out what the identity origin story is for somebody, whether it's identity or infosec at large. Is it something that you chose, or did it choose you? How did you get into the space?

Well, I tell you, so I was a young kid at college back in Scotland in the mid 90s, and, you know, back then it was pretty hard to get a job out of college. So of all of our class members, I was the one person to go to a job in the first few weeks of leaving college. And I just happened to join a factory, working in a small IT team, and my first job was, I was going to be the mail admin, network admin, server admin and email admin, all of the above, you know, like all these smaller IT teams. So my first identity gig was really working with NDS, Novell version 3.11, I think it was, back in those days. And so I'd say in desperation I got the first job that came along, so I kind of, it picked me. I think I just wanted a job. So I worked hard there and, you know, started to learn more things. So then it was really a jack-of-all-trades.

So I know you kind of had that IT background. What was the pivot from managing, like, an IT infrastructure to, like, yeah, give me infosec, that's what I want, I'm crazy? Yeah, it was really bizarre. So I left that company, some time, done some contract work, and landed in Adobe back in their European IT team. And then in 2001, moved to the US. And if anyone follows the Adobe history, we certainly had our challenges from a security perspective, and at some point, as part of a huge investment Adobe were making to try and, you know, get on top of all of their challenges, they created a central IT security team, and I was part of that, and what I had was all of the directory and authentication stuff, all the privilege stuff. So really everything was all centered around the directory type services, because that's what I had been doing for pretty much 20-odd years. So I knew, even within Adobe, I'd been in Adobe at that point for over 15 years, so I knew where the skeletons were, because I knew about privilege, because I knew about how the server team ran their stuff, so privileged identities on servers. I knew how we'd done our social media stuff. I knew about our banking and financial systems because I had led services that catered to those. So when you think of identity, identity is not just the regular person that logs in and checks email, right? There's privileged identity, especially, is where you get into, it's not just an API account, it's not just an engineer, it's all of the above and more. So yeah.

So that was a fascinating change, and you're not the first person from Adobe we've had on the show. We had Eric Anderson on a few months back, last year, I guess, technically at this point, and it was a great conversation. I think it was episode 91, if I remember correctly, so I encourage people to go back and check that out, and also shout out to Eric, because I had forgotten how good The Struts were, and based on our conversation on that one, they totally owned my Spotify listening habits for 2021. But I digress.

So at this point, then, you're with Banyan Security. What does Banyan Security do? Because, you know, for people who aren't as familiar with the organization, I guess, what are, you know, some of the issues or challenges that you guys look to solve? Yeah, well, the first thing to clear up is we're not the Banyan Vines team. Anyone who's been in the industry long enough will know there was this old company called Banyan Vines. I never used their technology, so I don't really know too much about them, but I can tell you about us, which is, we're a small start-up in the zero trust space, and we will get back to what we mean by zero trust, I guess, soon. But in the zero trust space, I was a customer of Banyan when I was at Adobe. Eric and I and our team, we adopted the platform early on, we were really excited about it. Years later, because I'd left Adobe a few years, then I rejoined, but I joined Banyan with really some enthusiasm, because their proposition in this space I think is pretty unique. Their ability to get up and running really fast is brilliant. It's a really great customer experience, you know, a user-experience-friendly platform, and then one of the other things is VPN or not to VPN. They not only help you recognize and solve that question, but they will show you and help you understand where you are in your journey of zero trust, which is really unique. There's not a lot of players in the market that do that.

So I knew the co-founders from working with them before in Adobe, and, you know, they reached out. They wanted to bring in some people who'd had practitioner experience. So me, having led the team at Adobe to deploy zero trust, then led the team at Cisco, I'm uniquely positioned to talk about the scars and the war wounds of actually delivering zero trust, and how did you pull that off. So it's an exciting thing. The good thing is I'm not a big fan of salespeople, so I don't mean to disparage them, but they're not my favorite type of people to engage with. So one thing that we've got, which is really cool: you don't need to talk to our sales team. You can just go to banyansecurity.io and you can take this test drive, and for a small team it's actually the Team Edition, which is free, and you can get running in 15 minutes. So you can get started, and it's pretty cool. So I don't want to do the sales pitch. That's really not my job. I don't want to be a sales guy, so I'll let people go figure that out for themselves, and, you know, they'll find out who to call, the sales team, if they want that.

Den, I love the origin story. It's kind of a blast from the past to think about the directory days, because I think if you're involved in IAM and account security, you know, 15, 20 years ago it was all about LDAP. It was all about Netscape Directory or Sun Directory or even Active Directory, which was kind of, you know, frowned upon in this establishment in terms of being a true directory. It's interesting today how much more it's looked at as the de facto directory standard, or maybe not the standard, but at least the standard-bearer. I am also glad that you brought up the Banyan Vines piece, because I do think, and I'm going to go out on a limb here, Jeff, because we had one guest, and part of their origin story was they were a Banyan Vines administrator, and I think it was Jackson Shaw, episode 52, back in July of 2020. So I'm going to go back and listen to that. I think it was him. If I got that wrong, it's my bad. But yeah, you don't really run into that many folks who have Banyan Vines in their origin story. Yeah, I don't know for sure when it was, I'll be honest, but it's old school. When I think of Banyan, I think of Steve Banyan from, well, that's different, Steve Daniel. But I think of Banyan from Seinfeld. So that's just me. Yeah.

That's funny. So we're going to talk today about zero trust, and I'm not sure if you've heard of it, but if you have, you know, maybe you could give us, what is your definition of zero trust? What does it really mean to you? Is it a product, or is it something more?

Yeah, that's a great question. I always say to people, if you get 20 people in the room and you ask them what zero trust is, you'll get 25 answers. And I still think, after all these years, you can go back to the John Kindervag days, when at Forrester, you know, he's got the paper out and says what it is. You can go before that, where you talk about the US Government, Defense, where they have their views on that, and then you've got Google's BeyondCorp. I kind of look at it like, is it an architecture? Is it a principle? Is it, you know, an ideal, an ideology? The reality for me, I sum this up really simply: I try and steer away from the term now, because I really want to focus on the outcome. I think so many people get wrapped up in what they mean by zero trust that they forget what we're actually here for, to run a business. And the biggest part of the outcome is the way the identity industry has moved forward. Years ago, I needed to know it was Den that was going to access the app, so I put in a username and password, and there was no thought of trust given to the network you are on. So that whole idea of you've got your firewall, and if you're inside the corporate network you're good, well, that I think has obviously evolved over the years with the way we're being attacked by bad guys.

So I just kind of look at this like it's a bit of an evolution of how we access apps and services, taking into account that the networks and the environments we're coming from have a totally different level of trust. So what we're really trying to do now is establish a better level of trust, and in some cases, when you get more mature, you might talk about that trust level being more dynamic, right? I don't know, the type of app I'm going to, the kind of role I have, the kind of device I'm on, the country I'm from. So when I think of this, it's no longer simply "am I in the network on my corporate computer, where I just go straight to the app internally?" We've evolved. We've got so many more cloud apps, we've got so many traveling workforce, especially in the recent years with all the work from home. That's totally changed our concept or our thinking on this, but also how we're being attacked. You know, we're no longer being brute-force attacked, "let me break your firewall and get in." We're being, "here's an email, just click this link," and all of a sudden the bad actor is on your device with your credentials. So, you know, for me it's a different mindset. I just see this as an evolution of what we've really been trying to do in the industry on guaranteeing that it's you and that it's not a bad guy pretending to be you.

Yeah, I kind of feel like if you were to put together a degree program in identity and access management, zero trust would have to at least be one of the courses, and for me required reading would be the NIST paper, 800-207, Zero Trust Architecture. It's heavy, right? That's kind of putting it in that university context, a lot of reading, but it's good reading, right? I think if you really want to understand zero trust and kind of build a footing in it, it's a good place to start. I think the other thing is how to talk about zero trust, because there's the selling process within the organization, right? The first time I heard of zero trust, you know, it did cross my mind, "what, you don't trust me?" And I kind of always feel like when we talk about zero trust to somebody who's not an IAM lifer or security lifer, that's probably the impression that they get: "what, you don't trust me?" What do you think of that kind of selling process for zero trust from a CISO perspective, where you have to talk to non-information-security nerds like us and make them understand what it is and why it's important? And so how do you do that and get past those kind of hurdles?

Yeah, and there's three main audiences. You know, so when I was in Adobe it was a uniquely different experience, because the term zero trust wasn't as mainstream as it is now. So we're going back to late 2017. And the way I phrased this, and I was blessed, there was a good architect in our team that really was hitting my head off a wall, saying, "hey, we should look at this, we should do this." It wasn't my brainchild in Adobe to start the program off. I think our architect, Benzie John, he was hitting my head off a wall, saying, "but look, think of this thing." So it started with him selling it to me, and he was selling it to me really at a technical level, but then an emotional level, and the first thing I thought of is, okay, this thing actually would be brilliant. Totally, they don't know, I'm sold on the principles. The easiest sales technique: there's three audiences. There is the person that runs IT, there's the person that runs security, and then there's your user base. And if you start with your user base and you turn around and say, "would you like to never have to enter your username and password again?" Right, that sounds like an easy question. "So would you like to never have to log in via VPN again?" Okay, sounds like an easy question. "How about you never have to change your password every 90 days again?" And that sounds like an easy question. So if you've got your user community and you say, "hey, do you want some of that?" That's easy.

If you go to your CIO and their leadership team, they are all about user experience in the organization, and they're all about saving money, right? CIOs are under extreme pressure to reduce the operational cost. So if you turn right into them and you say, "how would you like to reduce the service desk tickets related to password change by 60 to 80%?" They're all over that. Or if you were to say to them, "and how would you like to not have to have users change passwords?" And when you tell them the same thing, their eyes light up, because they get it, and they can translate that to soft dollar value that they can take back to their leadership. Now, if you go to the security leader, now, in those days in Adobe, I was reporting to the CSO. When I went to our CSO in Adobe, I was like, "hey, how would you like to improve security in these ways? Oh, and by the way, your peer, the CIO, she'll reduce our cost by X, Y and Z here, here and here." At that point the security conversation is really good. Would you like to improve security so the bad guys can't scrape passwords, and we're doing more multi-factor or more dynamic authentication? Would you like to remove the ability for lateral movement? Would you like it so that when you VPN, the employee who VPNs doesn't have full access to the corporate network? Because most companies, when they build VPN solutions, they lock it down for all these groups, but generally the full-time employee group, which is your biggest group, they're not locked down. They usually get full access, because locking it down was very expensive and very complicated, and usually flawed anyway.

So when you tell these people, all of a sudden these three audiences, they love what they hear, and you're not mentioning zero trust, because you don't have to say, "would you like some zero trust?" Especially when nobody really agrees what zero trust is. Yeah, it's not like there's an easy button, right, for it.

So, Den, you sold me. I don't want to change my password anymore. I don't want to have to enter the one I do have as often. Now comes the hard part, I think, in a lot of people's minds, and that is, where do I even start? I guess my question to you would be, how do I get started with zero trust? And if you can kind of help me understand that, I think that would help a lot of people out there. Yeah. So there's people, process, technology, but just from a, you know, most of us, the listeners, are technologists, right? So let's talk about technology.

So I was in charge of the identity management of both companies, Adobe and Cisco, and you don't need to ask permission to improve the experience of the authentication workflow. So I started there. I said, well, wait a minute, I'll improve the experience. We connected our Okta platform in Adobe to our zero trust platform for posture check. So the very first thing we done was we did a really small pilot, where we built this little environment, you know, the pilot environment, and we took Okta, and in those days it was VMware, the IDM, and F5 APMs for the reverse proxy, and we built these things together in a small pilot to prove that we could use a certificate instead of the password, that we could do a posture check on the device, and then we could seamlessly let you into our applications on the network, but only to the specific selected applications. So basically we were internet-enabling those apps. That was the kind of feeling you were giving for someone who's on the device which has the zero trust stuff. So in our case the zero trust auth was: was it managed, did it have our endpoint protection on it, and we looked at the iOS version. Do you look at the patch version? In your journey of zero trust, you know, that posture check can improve. We didn't start off complicated at all. It was latest OS, and was it managed, and then was the endpoint protection there, and did our certificate exist? That was, you know, a big thing, because we used that to hide the username and password. So if you can inject into the authentication flow, and then do the posture check, and then divert traffic, if it's an internal app, via your proxy, that's not a complicated architecture to build out.

We built our pilot environment in a couple of months, and then actually to expand that to a production friends-and-family launch, get some feedback, that for us in Adobe was a seven-month project to go from concept to actual full go-live with 40,000 users, and along that journey we were just testing out with larger groups. But the architecture wasn't very complicated. So I think people that think "how do I get started?" I've heard all sorts of nonsense. I've heard someone say asset management, and it's like, what do you mean, asset management? I don't think in 20 years I've ever heard of the CMDB ever being right, and asset management ever being great, you know? So for me, one thing I could do, though, is I could say, using our zero trust platform, we could scrape the data off your device and the fact you logged in, and we can infer that we see you every day on this laptop, we can then infer that that laptop is yours, or we're tagging it to you, and then we'll drop that in the CMDB. And you would have heard Eric talk about this on your show, how we gamified it and we showed the devices. So if you logged into an application from a device that had nothing, like didn't have any of our zero trust, no endpoint, we would throw it under your name on that portal and give you a flat zero. You've got a really low score. So if I wanted my organization to have a good score, then, hey guys, I better get to a position where that device is managed, because any unmanaged device I log in to any of our apps from, I'm going to get a bad score. So you can scrape that information, and stuff like that was really cool. When I think of zero trust, for me zero trust says, I don't trust a device that doesn't have at least the three things that we wanted it to have, and we would scrape that. And then you get to the position as well, within that same thing that you built out, you could deny access to the application, even if you were zero trust enabled, if you weren't meeting our minimum posture, and that's the really powerful piece.

So I have a quick comment around gamification, and this is my brilliant identity software feature enhancement idea for 2022 that I'd love to see someone build, and that is, take the idea of Spotify Wrapped, right, where it listens to your music history and kind of comes in with "here's your things." Do the same thing for authentication, except gamify it in a way where it's like, oh, you typed your password in X number of times this year, or you took advantage of X, Y, Z, you know, methods, whatever. Maybe that's how big of an identity nerd I am. And I'm sure that somewhere out there someone wants to build something like that.

Well, we were doing, yeah, in the Adobe team. So in 2001 we built a portal, myself and this one Lotus Notes developer. Believe it or not, Eric talked about this portal where we used to allow self-service for groups, right? We done groups and passwords, that lipstick on the pig in front of all these platforms that we had in Adobe. Well, myself and this guy Venkatesh, we built this, and then the original version of it, he built a Lotus Notes front end and I had batch files at the back end, all going to Active Directory, and there's like "net group" blah, blah, blah. And so we were adding, removing users from groups way back in 2001. And for me, I wanted to evolve that thing to where we were going to be like a dynamic playlist. So I remember Tallman on your show talking about role-based access control, and for me I was never a fan of it, because it never really, it was always expensive, right? So I was like, well, why don't we create it so that you as a user could go in there and you could create rules, but you can create roles in the form of a dynamic playlist. Hey, if you're in this org, you've got this title, you're in this country, I want you to be in this group, and this group has access to these things. And then all of a sudden we just do the lookup every night and we'd start to see that. And then, you know, you can kind of gamify it, but you make it all self-service. My whole thing in my career was, I don't want to have to work really hard. I want to build things that enable things to happen without being intrusive to our users, and in a sense that makes me not work so hard.

So, Den, one of the things that crossed my mind, well, first I have to kind of go back to the CMDB point, because I just thought this was funny. Jeff and I, during our stream this morning, you know, were both in lockstep: need a CMDB, need a good asset inventory, right? I mean, but I think the point that you're making, right, is you never see a CMDB that's perfect. But have you ever seen a non-existent CMDB, or one that is like such garbage that you can't

even use as a starting point. That's the problem that I run into a lot. And it's like you at least need to know the basics of your environment. Because how are you going to get control of access to your environment? If you don't know what your environment is? Yeah. Yeah, absolutely. No. I've never seen one that's been so garbage that you've wanted to just throw it out and start all over again. I've seen some fancy Excel sheets.

I remember really in the early days in Adobe we had before this is all automated. A lot of our networks were all Excel sheets. I mean it was all, you know, this huge big tables and tables and tables. And in the end we we deployed you know, bmc's platform. But we also deployed in four blocks his platform, we integrated them. And then we go bmc's Network

automation technology. So that it was always bring that In and I think the principle is a good cmdb is something which is derived via, you know, Discovery and automated means. So if you're if you've got a nice, you know, is our Cloud platform where you're building compute, you do have a choice to say, if I'm going to build a computer where it's only going to last 15 minutes. However, going to record that thing existed for 15 minutes and then was pulled down like these

kind of decisions. I think where you get into the net Nitty-gritty of it. But ultimately, I can look at this, like, we have enough logs. We've enough automated processes where it's not hard to put it together. It's just about dedicating resources and time to kind of make that effort. And, and, you know, a lot of cios, they all talk about cmdb has been brilliant, but at the end of it when they're really pressured about, where do they put their money, they put their money on.

Things are very visible to the business and sometimes the cmdb and he's back end Services. They're just not so visible. So they don't really enjoy the same level of funding attention and love that you really need to have, you know, but that's life Point. I've definitely seen that. One other thing I wanted to mention about the selling process of zero trust as I think even people might start with the question, like well why do I need to see row trust that?

All right, what is Protecting me from like, what is the benefit I get. And I think if you kind of dissect a data breach or ransomware attack and you kind of go through the parts and pieces of how somebody gets in and then what they do from there, so you talked a lot about

authentication, right? Which is the, how do they get in or, you know, but there's other ways that you can have a ransomware attack which is somebody's machine, could be compromised at a Starbucks. Buck's location or they're working from home and click officially part of the, the smart thing about ransomware containment is containment right, making sure that that can spread laterally.

And when we talked the other day, you brought up an idea, which I hadn't thought of before, which was brilliant around. You know, when you, you join the corporate, when you come on the corporate Network, right? You're in your own little cell kind of like when you Go to a Starbucks or something, you join a public public Wi-Fi, right? You're not. You shouldn't see the clients who are our next to you also on that Wi-Fi, maybe you can, but that would be a security flaw. All right.

It reminded me of, you know, 15, 20 years ago, when you would go onto a corporate network with your Windows machine and you go into Network Explorer and you see all these computers and all these printers, and you could just go and see what are they sharing, and if people were oversharing, potentially could get into their file shares and do things, right? I was kind of like a network guy.

So I was always goofing around, like looking around, and people overshare all the time, and, you know, I mean, who could be completely aware of all the settings and what they're sharing on their computer? But sorry, I wanted to turn it over to you to kind of explain what your idea was around that, because I thought that was really interesting. Yeah, this is so, one of the earliest things that I shared with our CSO was, you know, what do you want to do?

And I put the words "almost eliminate lateral movement", because in every big attack, the bad actor comes in, they get a machine, and from the machine they start spreading out, and they can spread out in seconds, right there. No, this isn't over months. They can be hiding for months, but they can spread out over seconds. So, one of the things in that concept was, if you just look at network segmentation and the

industry. So, first of all, a lot of security people, a lot of their origins are networks, so they think of it like network segmentation and firewalls solve all problems, right? Or most of our problems. I'd like to expand on that a little bit farther and say I don't necessarily disagree that they solve lots of problems. But if you take a network, you say, look, I've got a data center, I've got a lab network, and I've

got an office network. So just those three kind of base networks. To get from the office network to the data center, normally every good company has a bastion host, and they should require multi-factor authentication. So there's some level of gate to get in there. And lab networks, you know, maybe they're a bit unique, so they may have that, they may not, they might be wide open to get to. But if they were, then why would you segment them off to begin with, right?

So the office network, that's the one where the masses are. If you think of your privileged users, they're usually always in the office network before they get privileged and go into, you know, their bastion hosts or whatever. But if you took that office network and you turned that into a guest network, and on all guest networks, Starbucks, for example, is like a guest network, all guest network. So you've got the principle of all I can do is get to the internet.

I can't see those around me, right? So if you do that to your office network, and your applications and services are all behind your zero trust platform, then you're not VPNing to get any wide access. The only thing you can do is connect to your zero trust enabled applications, and you get to the app and nothing else, via that port and protocol, and it guarantees and ensures your device meets a minimum security posture.

So the problem with things like ransomware and all this other stuff is it can spread really quickly to things you don't want, and it gets in really quickly, because usually the point of entry is someone clicked a link and their endpoint security software didn't catch it. So do you have good endpoint security? I don't know, like, which one's

the best. I don't want to debate that, but the reality is, give yourself a fighting chance as an organization by saying I will require that device to have a good awareness, be patched, have good AV software, good logging, and require multi-factor. You know, at least a basic hygiene that we know is all goodness. So the problem is, traditionally, before zero trust, before what we were building, it was just username and password regardless of the device posture, and it was on a network that was

wide open. So if I can see a thousand devices inside a corporate network like Adobe or Cisco or whatever, right, then that means a bad actor, once they're in, they can spread that far, that fast. Usually in those networks you're going to find devices in a varying state of security posture. So you're going to come in on the one machine, you're going to scan whatever you can scan, you know, in the lateral way.

And then if you can find another device and infect it, take over that device, use whatever accounts have been authenticated, whatever hashes exist on that computer, and then replay that until you get to the point where eventually you can own the Active Directory, and then it's game over, right? That's when you pay the big ransom, whatever it's going to take, because your company's been brought to its

knees. But interesting, one thing I wanted to key off of that you talked about there, you talked about corporate networks. I haven't been on a corporate network in two years, right? I haven't gone into an office in two years, but I VPN in, and I'm wondering, you know, I learned a lot about ZTNA over the past two years, you know, especially over this past year, and I'm wondering, is that the next generation for VPN? Is VPN going to go the way of the

dinosaur? Is that the TLS instead of HTTP, if you're following what I'm saying here? Yeah, so, great question. When I've done a lot of presentations, 2018 onwards, on our zero trust efforts over the years, both the Adobe stuff and the Cisco stuff, most of the questions that people gave me were, is this a VPN replacement project? Or did you justify the funding for your zero trust by using funding from VPN? And in all cases

I said no, there's a place for VPN, and I never used the funding for it. What I did use, though, was the luxury of saying, hey, we're going to deploy this zero trust thing, and if ever this thing doesn't work, you can still use the VPN stuff. We're not taking that away just now, and then over the course of the maturity of your efforts, you

get to decide, are you going to reduce the investment in VPN? One of the things that people really struggle with on any zero trust initiative where they're trying to reduce the VPN usage is understanding the VPN stuff and, you know, what activity is happening over their VPN network. I would always just say to people, there's a lot of players in the market. One thing I love about what we're doing is we enable that visibility. We actually do have a VPN solution as well.

So we do acknowledge that you might not be comfortable taking VPN away, there may be usages for that, but we use that to our advantage as part of your journey. I look at it like, VPNs are usually wide open to your network with any port and protocol. Well, our proposition with zero trust deployments is to say, it's only that application and only that port and protocol that you need to get to the application, and you don't get to the rest of

the stuff inside that ecosystem, which from a security perspective is huge, and from a user experience perspective is huge, because you don't know where the app is, you don't need to know where the app is, and you're not VPNing. I think the first scenario is less administrative effort, you can just have access to everything; the other's more administrative effort but much more secure. You know, the last question I wanted to kind of hit on relative to zero

trust was, you were talking about how much money you can save on passwords, and, thinking from the CEO's perspective, I'm thinking to myself, I don't want to spend anything on passwords. It's like you came to my house and said, you know, I could put in a new well, and it's like, I already have a well, I don't want to spend money on that. But just thinking of, so in other words, where I was going with that is like I'd

rather go passwordless. You know, you talked about, you know, the days of people trying to brute-force passwords are over, but people are still trying to use the password as a way, as probably the most common way to start a ransomware attack, or at least a data breach, or any way to infiltrate a network or an application, is through a stolen password or, you know, commonly used password, things like that. Going to possession-based authentication to me seems like

it's a critical component of zero trust, right. It's your level of assurance that the person is who they say they are, of course, much more by going passwordless, wouldn't you agree? Yeah. Yeah. Absolutely. Now I'd love to come back to one point you mentioned on the VPN and the cost of administration. One thing to think of in the ZTNA platform, zero trust environment, is you're not worried about the network ACLs and all that business.

So there's nothing of that. It's, if you're a member of the group that has access to the application, so it's really just by nature of you being in the directory group, you get access to the app. So there's absolutely zero administration from a VPN equivalent, which is a great cost saver from an operational perspective. From a passwordless perspective, I've been trying to go passwordless since about 2011.

I think I wrote a white paper internally at Adobe, working with PwC, just on identity strategies, and this idea of being able to go passwordless was just, you know, always intriguing to me, because, yeah, look, we always just write the same crap down on a Post-it note, you know, back then. And you'd be like, password, and then it's like, okay. But you've got to change your password 10 times, you know, or like every so often, but you can't reuse the last 10.

So you're appending the 1 or the 2 and the 3, and it's always the same format. We're human, we're not that creative. If we use a password manager, now that's brilliant. But from a corporate perspective, and this was great in Adobe, we used to give password managers out as part of, you know, just being an employee. But at some point we ended up saying, look, we're not going to

pay for this anymore. We'll arrange a discount, and here's a discount code, because corporate-wise we had over 2,000 applications tied to our Okta platform, all requiring MFA. So when we use certificates as part of that first factor, or not password, we're like, what's that password manager doing within our corporate? Really, not much. In your home, like, you may still have hundreds of things because they're not easily tied like that. But the desire to go passwordless is, if I'm not entering a password,

I've nothing for a bad actor to scrape, and that's a big thing, right? So for us, it's like, it's changing the security posture at the same time as it's changing that user experience. I think that's the key part of passwordless, right? Is removing that hash that can be compromised. Yeah, we've covered a lot of ground on the zero trust thing, and you can see why people are confused over it, just on this conversation alone, sometimes

where it sprawls so much of the infrastructure and the network and the internet and all the different things that are out there, which leads me to my last question for you, Den. And that is, what does good enough look like for zero trust in the year 2022? Because I feel like sometimes we get lost and say, oh, you need to have the latest and greatest, all the bells and whistles, and you're never truly done. But I think about this from a more pragmatic perspective is, okay, how do I get to good

enough? Because this is not the only fire as a CISO that I need to fight. Yeah, I know, that's a brilliant question, Jeff. And it's funny, right? So, both of my teams, but my Adobe leadership team that I worked with for years,

great, great, great team. But they would give me so much grief because I'd use the term good enough all the time, and they're like, if I told the organization it's good enough, they're thinking that I'm lowering my standards. And it's like, no, I don't want to lower the standards, I want to recognize that we have other things I don't think are good enough. So let's get this to good enough and then decide how far you want to take it, right?

So, good enough, if you haven't taken any steps in zero trust, I want to say, look, it's easy. You're not having to bring in a million players. I added one person to my staff in Adobe; we used the existing team that does the existing endpoint, the existing network that exists, all the existing people. You know, they're just working together, and the good enough for me was get them working together, get a small pilot going, and then expand the pilot into production.

And the first thing you want to really do, say, can we do a posture check as part of the authentication flow? Can we get to the internal applications via a reverse proxy or some other capability? And if you can get to a position where you can see, let's do those things.

Then for me, that'd be a great accomplishment. As you go through your year, you get to further, you know, the network concept of turning your network into a guest network, or if you're doing an M&A, try not connecting their network to yours, and have the things that that company needs, those people need, available via zero trust. Zero trust enabled their devices. We've done that in Adobe a couple of

times, and it worked a charm. I would just say, you know, take one step forward every day that gets you in a position where you're a little bit better off than you were yesterday. One of the big things that people get hung up on, and they don't take a step forward, is because it's not perfect. So good enough, for me, is a brilliant term, because it simply means I want to be better today than I was yesterday. And I want to recognize that

this week I might focus here, and next week you might focus on security intelligence or something else. It's okay to get smarter, right? Sorry, go ahead. Sorry, I was just going to say, look, we don't have enough money and resources as enterprises to do all the things you want to do. So you have to be really smart and pick your battles wisely and just, you know, not try and boil the ocean on everything you touch.

So I know that we normally would do, like, predictions at the end of the year, but we're weird, and we're going to do it at the beginning of the year, real quickly, because I know we're running short on time. What does zero trust good enough look like next year, in 2023? If table stakes right now, in your mind, is being able to do that posture check, what should I be planning for as

table stakes for next year? I would say, you know, especially as people will return to the office, figuring out how to start turning office networks into guest networks and, you know, allow-listing core services that you just couldn't zero-trust-enable, and for everything else have users just go to the internet to get any internal services, acknowledging that you have a blend of internal and, very likely, a lot of cloud services.

You can do that. That would be that, because ransomware is not slowing down, right? And that's something that can really help save and reduce the impact of any, you know, ransomware attack. That makes sense. So let's, I teased this at the beginning of the show when I mentioned Urban Punks. So who or what is Urban Punks, Den? Yeah, it's brilliant. On LinkedIn, I guess I left sitting in there that, you know, co-founder of Urban Punks.

Originally, Urban Punks was my idea, where I've got a big musical background and I just had the idea, I wanted to get a collective of producers together and we would collaborate on every song that we released, but I got really busy in this work business, so I never got to get the other people together. So Urban Punks is just one punk, it's still just me, where, over the years, I've released music under many names. Urban Punks was the most recent

one that I've used. I've been releasing music since '94, released my first single on vinyl, hoping everyone remembers what vinyl is, because it's making a huge comeback. I say it's the new rage right now again, like, yeah, it's right up there with bell bottoms. Yeah, yeah, that's right.

So I was fortunate enough to get a record deal in my early 20s, played gigs, released records, was a ghostwriter for other bands and DJs. So, you know, I did a lot of that stuff in my mid-20s, and then when I moved to the U.S. in '01, I continued to do it, but just not as successfully, or not as busy, I guess, because I was focused on

this IT career. So the type of music, you know, you were kind enough to share kind of the SoundCloud with it, and it is, I guess, electronic dance music, but I don't want to overgeneralize it. How would you describe your music to someone who's like, okay, what the heck am I listening to? Yeah, I mean, it's electronic. It's based on synths and that style of gear. You'll not find much in the way of a guitar and

a saxophone in my music, but sometimes I've been known to drop them in there. And, you know, I try to think that it was house, techno, trance, but I never seem to think I fall easily in any of those genres. So I try not to label it. It's a hobby, it's fun, you know, and I'm trying to not, like, put pressure on myself to try and, like, get the next top 40 hit, I guess, although that would be nice. So I guess you've been kind of, we're actually going to play one

of your songs. I'm going to append it to the end of the show here, so people can check it out. It's a track called Gia, I guess. Tell me what the inspiration for that is. Well, it's funny, because all the names of the songs is kind of like going back to the days, where I was sharing earlier, you know, naming servers, when I was building servers. I could never think of a name.

I could build the server quicker than I could think of the name for the server. So usually I'm pulling names from famous actresses, actors, TV, movie characters and things like that. So randomly these names just pop up, I guess. I don't really know where they come from. Usually with enough of the right liquid refreshment, then you can come up with some creative names. That is known to be truth the world

over. All right, well, I think that's a pretty good spot to leave it for this week. Real quickly, any final thoughts, Den, on the topic of zero trust or anything that's kind of sparking in your brain right now that people should be taking away from this specific conversation? I mean, yeah, I think, well, first of all, zero trust is going to continue to be a huge buzzword and probably become mind-numbingly boring as a term. I'd really just say focus on the outcomes.

Don't focus on the term, focus on the outcomes, and focus on that business value, and find a way to connect with the leadership above you and the customers around you. Because if you can get connected there at an emotional level, then you'll find that they want those outcomes. Jim, how about yourself?

Well, something that I think Den just kind of touched on very briefly, which is around, you know, the idea that we want to invest in something that can be seen or felt, or, you know, I think in IT a lot it's the user experience, right? It's improvements to the user experience. So even if most of the money is going in behind the scenes, if you can, you know, remove somebody's

ability or requirement to put in a password, you can improve security but also improve the user experience. So I know that in our past conversation, we didn't hit on it too much on the call today, but in our conversation previously with Den, we talked quite a lot about that. And I think that ought to be kind of a minor takeaway, that people tie that user experience as a way to sell something like zero trust, or the parts and components of a zero trust architecture.

I don't care how good your product is, if it sucks to use, no one wants it. And I was going to say, Jeff, very rarely in your career do you get a chance to improve the user experience and improve security. This is one of those rare things where you get to do both. Yep. This is why I like the IAM space. It's the opportunity to fix process through the proper application of people, process and technology. So, how's that for nerd speak?

All right, so I think we'll go ahead and leave it for this week. You can learn more about Banyan Security at banyansecurity.io. It's B-A-N-Y-A-N security dot I-O. If you want to learn more about us and the show, we're at idacpodcast.com, and you can follow us on Twitter at @IDACPodcast, and come on, check out our YouTube show that we're doing weekly. It's idac.live, that'll take you right to our YouTube

channel. Again, kind of a work in progress as we work through it, but hope to see more and more people kind of attending live and continue the conversation with that. So rather than our normal close-out, I'm going to, through the power of audio editing, insert Urban Punks and a track called Gia. So thank you all for listening, and here's that. Thanks for listening to the Identity at the Center podcast.

If you like what you heard, don't forget to subscribe and visit us on the web at identityatthecenter.com.

Transcript source: Provided by creator in RSS feed.