Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 86. This week is another one of those special episodes.
It's just myself, Michael and Mark. But Mark is not only a co-host, he's actually also a guest this week because he and his partner in crime, Nikhil Kumar, are here to talk about a book that they have co-authored, which is going to be one of a series of books called the Zero Trust Playbook. And the first book is called the Zero Trust Overview and Playbook Introduction. So because it's a special episode, we won't have any news.
We're just going to get straight into it and talk to our guests this week. So Nikhil and Mark, thank you so much for joining us this week. Nikhil, why don't you give us an overview of what you do and let our listeners learn a little bit more about you. Yeah. So what I do, I am a biologist, computer scientist and engineer, and I do enterprise and security architecture most of the time. This journey started long ago.
It started basically building real-time operating systems and sensitive defense systems almost 37 years ago. And you started worrying about the original side channel attacks. And then it evolved through a variety of different sectors, from the OT sector and manufacturing, through life sciences, through healthcare, through fintech. And eventually you learned the lessons through like, you know, hard knocks to figure out what is right and what is practical and what really works.
And that was the foundation for Zero Trust in general. And one day at a conference in Scottsdale, I'm sitting down with the MVP for the cybersecurity forum in the open group, Jemma Hytala. And I think it was over a glass of whiskey that we came to, or maybe a cup of coffee. I think it was the whiskey. We decided, hey, you know, let's do this thing about Zero Trust. And that's how the Zero Trust initiative started. And then a little later, Mark joined us. And that's how the world changed.
Thanks Nikhil. Yeah. So for me, like the Zero Trust thing, I sort of came at an odd angle to security, right? So I didn't come up through the standard firewall, IDS, IPS, you know, sort of technology stack. I actually started at Microsoft in about 2000. And so I got to see the big security stand down, the focus on SDL. I worked with customers that were trying to get their Windows baselines configured and help set the DoD standard, USDOD standard, et cetera.
And so I always sort of had like an infrastructure eye view of security, but I also had the blessing of looking at it through the work of Michael and others, like through that sort of holistic Microsoft lens early on. And I also started at Microsoft in the Active Directory group supporting it. And so I got to understand the identity side long before I got into the sort of network side and the sort of classic security view. I never looked at security like the security industry did, right?
And then along comes Pass the Hash, and I helped with the Pass the Hash white paper, co-authored that one, version one and version two, and then built some of our privilege access guidance and all that. And then I sort of had to back learn the networking stuff. And I was like, why aren't you all caught up, right?
Because I just started in that unusual spot, which when the identity-based attacks came along, I was just uniquely prepared because I know way too much about how the internals of AD worked. And I got connected up with the Open Group through Sean John out of the UK, who's like an MBE, I think, or something like that, for her work in cybersecurity. And she was like, you need to work with some of these Open Standards groups. And I was like, okay.
And I met Nikhil and just started to really work together really well, and we're working on the Zero Trust standard. We're like, you know what? This is really going to need an implementation guide. This is going to need a playbook on a role-by-role thing, because security is really complex and everybody's role is changing, maybe a little, maybe a lot.
And so yeah, for me, the Zero Trust thing was extremely natural, because I was always looking at security in sort of that different light, the traditional networking one. It's like, okay, how do we help the world sort of see a better way of doing security? It's interesting as you bring up the holistic view of things, because you dropped my name in there for reasons I don't understand. But the reason I say that, my focus is almost exclusively on software development, right?
So looking at security design, secure coding, tooling, libraries, static analysis, dynamic analysis, and all that sort of good stuff. But like you, even though I had my area that I just love and enjoy, being at Microsoft, in fact, just being in industry in general, I guess, you sort of do get to learn a lot through osmosis, right? Just by being around people who are dealing with specific areas. So you might not be- You're meeting smart people that are working on something else, yeah.
Yeah, exactly, exactly. All right, so that's a good way of sort of kicking this thing off. Well, actually, Michael, I would like to add a couple of words in that, right? So when I was dealing with the Open Group, there was a guy called Steve Whitlock. He was the CSA for Boeing, and I run my own small little company, but I was dealing with Steve and they had a thing called the Jericho Forum, and actually, Mark knows Steve too.
And Steve and I, I mean, I talked to him and Carl Bungee, I think, who was also either the CSA or whatever it was for Boeing in those days. And there was a small community of people running the Jericho Forum. And they came out with the Jericho Commandments, and they were really practical. They were very valid, very practical for somebody who was really trying to implement security in a mid to large sized enterprise at that time.
And I was like, well, here is something that I can, you know, I'm polite, I like things that work. So here is something that resonates for me. And so that was a large part of the foundation for our vision of Zero Trust. And you know, Mark and I have talked about it a lot in the past. And it was something which just was, I think, Mark, you had a session with Steve Olson, this topic.
Yeah, we co-authored a blog, actually, talking about the Zero Trust versus the Commandments and how it sort of evolved those. Yeah. The thing that was kind of interesting is like when someone first pointed me at the Commandments, I looked at them and said, well, that just makes sense, right? And I didn't really think anything of it.
Because I didn't really appreciate, again, that network-centric view of how much the industry outside of Microsoft at the time was focused on networking and how important it was to sort of break that perception. And so later on, like years later, as I sort of started working with the Open Group more and connected with some of the folks in it and then looked at the Jericho forum, so that lens I was like, oh, these are like the first formal roots of Zero Trust, right?
Like this is the first sort of written down, this needs to do it. We've always had that sort of, I can't remember who made the quote of the crunchy outside in the soft chewy center of the firewalls. Bill Cheswick, I think. Yep, yep. Thank you. And when you look at like, okay, where did Zero Trust come from? I mean, there's a huge surge thanks to John Kindervag, got a head nod over to that good work that he did there at Forrester.
But when you look at like the overall like where did Zero Trust come from, I mean, you can date this back to not just the Jericho forum, sort of applying to cybersecurity, but like you can look at the early days of computer security and the least privilege in the first documentation of that. And then you can even trace this easily into the physical world of security and any kind of game theory and any types of conflict situation.
Like Zero Trust is basically like saying, okay, now that we've ripped out the whole firewall makes a safe idea, what do we do? And we're able to draw from like sort of like everything human conflict. And so that's the thing that I really enjoy about it. And I'll add some color. In today's world, Zero Trust is not just about, you know, a small localized thing about a network or something like that. It's really more holistic thing.
It's the cybersecurity for the digital era, which is a big shift in the traditional way of thinking. When I think about what the cybersecurity industry has gone to is like, hey, it used to be here's a group of tech geeks in the basement with the IT folks, right? You know, the organizational basement, you know, kind of not literally, you know, all of a sudden it's now a board level issue, right?
And boards look at risk in a very different way than security people do because they have to take risks to succeed and excel in their business. You know, so they have to calculate and take calculated risks and they're always accepting that something could go wrong.
And so, you know, that's the thing that's been sort of interesting is seeing just the language and the culture collision as security became a board level issue and a business leader level issue, you know, and having to connect and translate between those. So that's like a big part of why we wrote the book. In fact, there's like a couple of pages in there dedicated to here's a word that is used very differently depending on who you are as a reader, like operations or what have you.
And so that's been one of the things that's also interesting. So I always raise a couple of questions. First one is if you had to explain zero trust in an elevator and you only got 15 floors, so don't be there all day. How do you explain zero trust to somebody? Which is technical, but not necessarily an expert in security maybe. And then there's the second question.
So I look at Microsoft's documentation around zero trust and it talks about, you know, authenticate and authorize explicitly, perform actions at least privilege and assume breach, which by the way is my favorite. And then you go to look at NIST documentation and they talk about different things as well. So does that mean people have a different perspective on zero trust or is it kind of the same stuff just through different lenses?
So on the first one, which sort of gets into your second question a little bit, it really depends on who I'm talking to. And I'm not saying that in a deceitful, like I tell a different story to different people.
But like when you talk to a board member about security in general, because zero trust is just a modern version of security, they're going to have a very different view and level of caring and level of exposure to terminology than would, you know, a CEO, a CFO, a CIO, a CISO, a security analyst, someone that's in the security team, you know, working as like a SOC analyst or an engineer, an architect all the time versus an IT person where it's like 10% of their job.
So the answer is always kind of dependent on who I'm talking to. So if it's just a general IT person, you know, I'd be explaining, listen, this is a new way of doing security. And you know, it uses some of the old stuff, but ultimately we're just, we can't count on the firewall anymore because there's attackers in our network and our stuff is off the network.
And so we're just trying to figure out how to protect those assets and those things that really matter to the business, you know, as if everything's on an open network. We're not getting rid of the firewalls today, but we're definitely, you know, trying to protect in a way that's realistic to today's threats and the world we're in and the systems you deploy.
So is that the big driver then, the fact that internet firewalls, I'm not saying they're useless because they're not, but their value and their requirement as a hard boundary that has kind of disappeared because of things like mobile devices, remote work, all that sort of stuff has just changed the security landscape. Is that why Zero Trust is so important? In my mind, yes, because we've had a dependency on that and we've had an assumption that that was more effective than it is.
That's why I cite the firewalls because that's what classic security thinks of it. But Nikhil, what's your thoughts on that? Well, you know, I mean, having done this and actually sat on the board in times, I've sat in multiple organizations, right, and startups. I was an MIT mentor for a bit and different kinds of roles, right. And I've sat in large organizations in the board. And what happens is when you talk security, people's eyes glaze over.
They're like, oh, you're coming here, you're going to come up with a compliance requirement and ask for a dollar bill, right? And that doesn't work consistently, right? You need to think about the risk tolerance of the organization. And one of the things about Zero Trust is you're operating in a world where you cannot spend two years taking a decision or three years. The world doesn't wait for you. So you need to be able to kind of dance, right?
And so whatever paradigm that would have to come from what I hate putting it, but it's the ossified past, has really got to be a paradigm where you can be quick and agile on your feet. And so, and you have to be able to realize that your threat vectors are going to be. Who would have thought about AI being such a big driver one year ago, right? So things change. And who thought about COVID, right? Well, COVID came in and it was like days, weeks, right?
So being able to adapt that fast has changed the playing field significantly. A business has to be able to enter a new domain very quickly. They can't wait two years, three years, five years. That's not an option anymore. So you need to have a cybersecurity paradigm, which is agile and allows you to operate with a level of uncertainty. And that's one of the drivers behind like assumed breach. That's your level of uncertainty in your conversation.
And so that's one of the drivers behind Zero Trust from the leadership perspective. When you go down the ladder, you go to the enterprise architects, you go to the security architects and then you go down to the delivery folks, the drivers are different. And that's exactly why Mark and I actually wrote the book, because the drivers are different and you want to be able to address it from different people's point of view.
But if you were to think about it, that's why I said Zero Trust is the cybersecurity for the digital era. It addresses agility. It addresses the ability to move quickly and provide acceptable security. Those are, I think, the main things which kind of start defining it differently, right? Yeah, and I was going to say, for a business leader, I would love to, it's very simple.
It's like, listen, this is an agile approach to security that protects your stuff in a dynamically changing way and aligns to your priorities. There's a little bit of work for you. I always try to tie in and give an obligation there that you've got to help us figure out, if I was on that security team, what's important to you? So they're given a take and they sort of get that. But that would not work with a technologist.
It would not work with an architect, depending on maturity and other factors. And so it's really, really important to understand the collision of languages. Kind of agree with that completely, right? Because different people, different ways of looking at things, and like I said, that's why we were writing a playbook series, not a playbook. We tried to write a playbook and then we discovered it would be a 1,500-page playbook. And then we said, oh, this is going to work. Let's split it up.
Yeah, we had to break it up. So let's talk about why we're really here, which is to talk about the starts of the book series that you two are working on. So why don't we kick things off with, Nikhil, why don't you give us a background as to why you started with this book, how you sort of arrived at, hey, this is going to be a series of books and not one book. And then let's cover the main goals of the book series. So why we arrived at this book really is Zero Trust was a new topic.
We came out with a thing called the core principles and that really resonated with the industry. And this incorporated it in there and were participants in some of the feedback we got. And it got incorporated in the president's cybersecurity directive. That was the open group core principles. Yeah, the open group core principles. And at that point of time, we looked at it and we said, how can we get this message out there meaningfully to people? And how do we define it?
Because there's a lot of confusion about what Zero Trust means. And the book, for example, defines it in their own context, right? And then people who have always had these, what I would say, as a prior assumption, which we need to revisit all about the network and network centricity, etc., and 100% guaranteed security, which never exists, by the way, because you have a daily breach. But people are always kind of thinking that way and they're locked in into that.
So we thought about, well, we need a book to start helping to clear the air and set up clear direction along with those standards that we were rolling out of the open group. And so that was the start of it. And then we said, well, how are we going to do it? It can't be for an individual. It has to be role-based. So when we wrote up the list of the table of contents or the outline of the book that the publisher asked for, we had that thing about what is Zero Trust? And what are the stakeholders?
And Nikhil was the one that came up with the concept of the playbook and proposed it to me. And I agreed with it, hey, we need this. And then as we got deeper and deeper into writing with it, I started to appreciate more and more. As you look at it through the different roles, it's such a different view of things. And the things that you would do as a chief legal officer, a CEO, a SOC analyst, an enterprise architect, a cloud security or a cloud engineer, versus identity operations person.
It was just so radically different. And all of them had an important part to play. The playbook format ended up being just this amazing way to look at things and get some clarity. It was really hard to get in security in general, let alone the modernization transformation changes with Zero Trust. As we went through and did it. And to be honest with you, it was some of the hardest writing I've ever done, especially this first book.
Because it's like, how do you actually communicate effectively to a member of a board of directors with limited experience and security at the same time as a SOC analyst? And so we had to go deep into what is the human experience? What is computer security, information security, cybersecurity, all the same thing. But what is that that actually existed in the real world before it showed up on computers? Because at the end of the day, cybersecurity is conflict on computers.
And so each of the angles of it, like extortion, well, there's been extortion forever. Like your protection rackets from the mafia and all that kind of stuff. Extortion has been around forever and it's now ransomware. That's the way that people make criminal money on that. And so we had to go and find that sort of normal human origin for all of these important topics that are hitting cybersecurity.
And so it was a challenge, but it was definitely worth it because the clarity that came out of that was pretty awesome. And the reality is there isn't anything like that, right? Because of two things, right? Firstly, it's a fundamental change in cybersecurity impacting pretty much the entire organization. So somewhat like digital transformation, the journey of zero trust delivery process is roadmap. And it reflects essentially the ability to transform an organization.
There are different ways we do things. There's a different level of agility to be thought about. Different stakeholders have to be engaged. And I don't think we really have that otherwise right now in the industry, in the cybersecurity industry. We have siloed, sometimes arcane assets, but not something which goes end to end and takes people down that journey. And we saw the need for it and we said, okay, well, you know what?
With the agility that we need to provide something to the industry, the Playbook series made a lot of sense. And we were literally giving people a Playbook. So if you're a senior leader, if you're a small business, mid-sized, large business in different domains, what does it mean to you? What does it mean to you in the context of a day in the life? What does it mean to you in the context of a day in the life? And also, what capabilities do you need? How do we stitch them together?
Those are all things which are really important. And as I said, I haven't seen anything like that in the industry. What about you, Michael? Do you think we've seen something like that? Or Mark? I haven't. I have looked at some of the table of contents for the books. I've got an idea of what's in there. I don't know of anything. But that being said, it may be worthwhile, actually talking about what is in the first book. What sort of topics do you want to cover in the first book?
And then how does it sort of fit in terms of the rest of the series? And then at the end of it, I think we've got to ask the hard question, when you guys ship in this thing? So yeah, so we just start off at the very beginning, which is basically, hey, this is what we're going to cover in the book, the first of many, the following books, and then yeah, we can have a date.
The title of the first book is longer than I would prefer it to be, but it was actually kind of necessary because the first book in the series really does two different things. It does introduce zero trust and put it in that simple, plain, straightforward language that everyone can understand and addresses some of the myths and misconceptions right up front.
So that's sort of like the first part, the second group, and a bunch of standards as well, the zero trust commandments and the like, that help define zero trust and clarify, okay, this is what it is. And that's sort of like the big theme for the first half of the book.
And then the second half gets into, okay, this is the introduction to the series, and so this is how to read it, how to look at it, what stuff you're going to find for each and every role, and so that's really sort of the second half of the book. First part, zero trust, this is the way, it's a very short chapter, straight up, here's the summary of this is why zero trust is important, what it is. Second one is like, okay, how do you read the series?
That's chapter two, and you can either try and read the whole thing, which may or may not be appropriate, or if you want to skip ahead and skip to your role, here's the stuff that you need for context as an investigation threat hunting analyst, as an enterprise architect, as a business leader, what have you. Here's the stuff you need to read before you jump straight there. That's what chapter two is about.
And then three, kind of explaining, hey, zero trust is security for today's world, and kind of answering those, kind of the myth-busting thing of, can't we just do this, can't we do this, all the sort of standard shortcut questions and myth-busting in that one. Standard zero trust capabilities, this is sort of the capability-oriented approach of the open group. We just released the zero trust reference model actually the day we were recording this. And so that's been very popular.
Lots of LinkedIn reactions and reshares and whatnot on that. And so we based it on those capabilities, because we need a consistent way of describing security, right? And that's what the open group reference model did. It's AI, because today's world, you've got AI just changing so much stuff and changing so many assumptions. And so we wanted to cover, what does that actually mean to security? What does it mean to zero trust? How do you manage it with zero trust?
And so that was sort of chapter five. Getting into six, is scoping sizing starting? Because that's a big question. It's like, okay, this is all fine and good, but I don't know where to start and I don't know how big to go. Success is set six and success criteria is seven. The three pillar model, which I want to let Nikhil cover that one because he's got a great way of explaining that. And then we turn that three pillar model into a six stage plan, which is chapter nine.
And then chapter 10 is like, hey, here's the role by role what we're going to tell you for every role. That answers this question. What is the success criteria? What are the success metrics? What are the processes and methods you need to do? How does zero trust change your existing job? All those kinds of questions. Where does this particular role come from? Like if I'm in a smaller organization, who does this job if I don't have a dedicated person for doing threat hunting or whatever?
Who would do that? Who would do investigation or triaging of it if there isn't dedicated people for it? So we cover all those kinds of things to help people adjust the playbook stuff to a large Fortune 500 sort of organizations, but also to smaller organizations as well. So people can say, oh, okay, that would go to Joe or Mary or Nikhil or what have you to do their thing. And that's the first book. So Nikhil, I'll let you. All right.
So to add some color, I mean, the first thing that everybody that I've seen asks is why do zero trust? And I think what that first book does is that Mark was talking about is about that why, the whiff of it, right, what's in it for me as a reader. And again, because this is such a broad space and has such overarching impact.
One of the things I always tell business leaders and IT leaders is when you do zero trust, it's not just for protecting what you got, but for enabling you to play in different areas faster and becoming competitive advantage for the business. That's something I just always like to tell people because that's not how it's perceived. Security has not been perceived that way forever. And then the other thing is we have those three pillars. Why are they there?
You know, the three pillars started with some work I'd done on the SOFR BT and sort of our methodology for the company I run. So that's how it started. But they came about, again, to hard knocks, right, and what we did was we said, okay, the first pillar is about kind of defining your strategy, identifying your mission and your vision and goals, defining capabilities, technical capabilities so you're not locked in into a particular solution because things keep changing every six months.
And by the way, procurement takes more than six months in many organizations. So that journey, that just is an example, right, procurement is just an example. How to make it agile and fit into an agile delivery methodology, for every, you know, whatever methodology you use. And then how do I translate it? How do I kind of make sure it fits my organization's business models?
Because far too often people, you know, especially technical people, think about what's the best way to do it, forgetting what the organization is focused on from a fiscal and a cultural perspective because that's not what they're trained in, that's not what they're going to go implement, that there's basically an impedance and you can't execute and millions, sometimes hundreds of millions, are spent before that lesson is learned, many times with failed projects,
especially transformational projects. And so we have, in the third pillar, we call it the operating model pillar. So we have that operating model which allows you to look at your organization and decide where to focus. And that really is a force multiplier. It helps you become successful. And if I can jump in for a second, like the thing, it took me a little bit, honestly, to get my head around the three pillar model.
And Naquil remembers, like, you know, taking these times and sessions to explain it to me as we were writing the book. But once I sort of got my head around it, I was like, because I was taking that very technical view of it, and I'm like, oh, this is where we translate all of that technical goodness into business terms and into business processes and into pillars that the business can recognize so that they can say, oh, okay, now I can track it, I can govern it, I can manage it.
And that was sort of like that, that was like a big epiphany for me, was just like realizing that this is a good method for connecting that business strategy element to the technical reality that's often missing in a lot of organizations. And that's for this first book. Everyone. I think Mark hit it. It's literally for everyone.
We are point-of-recommended for business, technical, regulatory, compliance folks, for IT folks, as well as for, you know, and we keep talking about business leaders, but I dealt with a mortgage company. And guess what? The people on the ground, they're the people who are really implementing Zero Trust and who are feeling the impact of it, right? There is an impact. You can't have the full credit card number in front of you anymore.
So there are these impacts for the people who are on the ground doing the work. And it makes sense for them to understand why. If they don't, it becomes hard to execute. So we recommend that you read it, whoever you are, especially, you know, I mean, tell me which industry today does not deal with the digital world. So I don't know of any area that you would not get impacted.
So I think this is intended for the general audience, and then the books that follow are for your specific roles, and that's where you go into and you look at, hey, I'm starting this journey, I want to build a strategy. Okay, here are some, we call them the ACME examples, which will kind of illustrate what it means to be in my sock, what are the implications, what's my day in the life like? And so we take that playbook and just take you down that journey in the following books.
You know, that's kind of what we're trying to do, to give people that shared context and then be able to dive into specific things. Yeah, I mean, it's exactly that. So the intent is the first book is for everyone, and everyone's on the same page, and then if I'm a sock analyst, I would move on to the security operations playbook. If I'm an architect, I would go to that one. Now, architects have to work broadly, so they may end up reading some of the other ones as well.
If I'm just an IT operations, IT engineer, or identity operations, identity engineer, I would read the operations engineering playbook as well as the intro. So this is really meant to get everybody on the same page and start the journey for everyone, people that want a career change, people that want to learn what life is like in other jobs that they aspire to. So we tried to make it clear for those paths as well because of how much we have a shortage of talent in our industry right now.
So let's ask, well, what about the hard question then? So when's this thing going to be available? The first book anyway? So it will be available very shortly after the broadcast of this podcast. It's actually already up on Amazon, it's a great online website. We'll put the links in there in the show notes. Zerotrustplaybook.com should forward you to one of those places where you can get it.
It's in pre-order status right now, but sometime in the first week or two of November, I think, is when it will be actually shipping and e-booking and all that kind of stuff. But it's available right now for order. I've never seen getting a book done. It's always very exciting. Well, it's my first time, so I'm not quite as seasoned as you, Michael. I remember when I first came on our Microsoft cybersecurity team, and so Michael came on and he was like, so what books have you all written?
I'm like, none. It's all good. So let's just wrap this thing up. It's really exciting, again, with a new book. I've looked at the table of contents, and I've been doing a playbook format. In other words, it's not just theory. It's just stuff that you need to really consider doing and here's how to do them, how to measure them, and that sort of stuff. I think that's just really, really awesome. So to wrap things up, and Nikhil, you may not be aware of this, Mark definitely is.
So one question we always ask our guests is, if you had just one thought to leave our listeners with, what would it be? So, Mark, why don't you kick things off? In the context of this one, what would it be? Anything that you want to see in the following books because those are still being typed? Nikhil, do you have any final thoughts? Put two things in there.
One, I'll echo what Mark said, and two else, I'll let people remember that Xero Trust is not just about protecting a network or protecting an individual asset alone. It's a holistic conversation covering literally all of the networks. It's a lot more. And so with that in context, we have to think about why we have written this series. Go read it. Yeah, it's about Xero Trust, not Xero Trust Networks. It's about the whole impact to security. Big, that's an awesome point, Nikhil.
Yeah, actually, Nikhil and I, before you joined, we were discussing that, and when he said that, oh my God, a penny just dropped. This isn't Xero Trust Networks. This is way, way, way bigger than that. It's just a common, so yeah, it made a lot more sense. All right, so with that, let's bring this episode to an end. Gentlemen, thank you so much for joining us this week. And to all our listeners out there, we hope you found this podcast episode useful. Stay safe, and we'll see you next time.
Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net. For more information on the podcast, please find us on Twitter at Azure Setpod. Background music is from ccmixtor.com Background music plays