Zero Trust as a Mindset: Identity, Governance, and Access | Interview with Andrew Gault

Dejan Kosutic:

Welcome to Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants, CSOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of Secure and Simple Podcast. Today, my guest is Andrew Gault, and he's the CEO of ZeroTier, a secure overlay platform.

Dejan Kosutic:

And ZeroTier is building the next generation of secure network infrastructure. So in today's podcast, you'll learn a lot of the latest trends with Zero Trust and how to set up cybersecurity governance related to it. So welcome to the show, Andrew.

Andrew Gault:

Yeah, thank you. Pleasure to be here. Great to have you here.

Dejan Kosutic:

So tell me, is Zero Trust actually a technology or is it an architecture or is it something else?

Andrew Gault:

I would frame it as a strategy, I think. Something kicked off in the 2010-ish era. Historically, we've always thought of network security as being perimeter based with remote. Once you get inside the network, you have access to everything, right? It's the traditional, they're the campus.

Andrew Gault:

If you're on campus, you can just plug in, you can access the server. If you're remote, there's a VPN. Once you get on the VPN, you can access everything. And I think it became pretty clear pretty quickly that that's not maybe as secure as you think because you have a weakest link in the chain problem, right? If someone is remote and on a VPN, well, do you really know who is on that remote laptop?

Andrew Gault:

What about when there's a guest in the building and they plug in? And so zero trust, I would frame it as a kind of a mind shift, right? Let's remove the perimeter. Let's just have, you know, think to ourselves, what if every single device, server, application on my network was just exposed to the raw internet? How would I secure it?

Andrew Gault:

I would have to not trust anything, not trust any access, not trust any device. I would have to have zero trust. And I think that mind shift, that strategy is what most of us term. There are technical definitions. I think NIST has a technical definition.

Andrew Gault:

Gartner, the DTNA, they have their technical definition. I think what they're all getting at though is that strategy, that way of thinking about network security.

Dejan Kosutic:

Yeah, this is a very good explanation. And if you had to explain zero trust, let's say hierarchy in some layers, what would kind of be the principles or the standards or patterns or whatever is important here?

Andrew Gault:

Well, I think you start with identity, right? You have to know who is connecting, both the user and the device, and you need a way, you need some kind of identity manager system. You have to have thought through who do I want to give access to. Then below that, the next tier down is policies. Many ways you can do it.

Andrew Gault:

Again, some of these standards are quite prescriptive, but I would say just in general, how am I going to score this connection? How am I going to verify? You know, how am I going to encrypt? So on. And then, constantly observing the devices and all the network and checking that they are all within some kind of isolated plane or behind some password protection.

Dejan Kosutic:

How does zero trust actually work or let's say function if this is not only within one organization, you also want to include in this, let's say, strategy also your suppliers? So, is it possible at all? And if yes, how?

Andrew Gault:

It's a great point because if you think of an application in an enterprise, there's usually one way in. Right? There's a login page. There's an API call. But once you get beyond that, there's probably multiple servers.

Andrew Gault:

There's a database server. There's an application server. There's Take your pick. Right? There's probably a collection of servers.

Andrew Gault:

And you need to think about it as well within that application. Right? Each of those servers needs to also be verifying who's connecting to me. Right? We need to, by default, have no access.

Andrew Gault:

I've got to enable a single port. I've got to know who's coming? Where are they coming from? What is their password? And I think once you think in those terms, it doesn't matter if it's my vendor.

Andrew Gault:

Right? Does it matter if this is a SaaS vendor where my users are just coming in the front door? Or is it on some kind of compute cloud where it's part of the architecture of my application? I still need to enforce identity and constant checking and default deny to everything coming in to ensure the security, ensure that if anyone gets in, they cannot move laterally. And once you think about that, I said there in kind of the intro about describing it, the mind shift of what if everything was on the internet and globally exposed, don't do that, but that should be the mind shift, right? Doesn't matter if it's an external vendor server or your server.

Andrew Gault:

Not really. He's gonna treat them exactly the same.

Dejan Kosutic:

So what does this mean? Let's say that you have multi let's say that your company is using external, let's say, software developers, and let's say that you are using three different software development teams from three different suppliers. Is it possible actually to enforce this concept or strategy really on various different companies, various systems?

Andrew Gault:

Well, yes, I think the complexity there is identity management. Frequently identity managers are bundled with, you know, the user login with the email. And Google Workspace is a classic example of bundling it all together. It kind of breaks down if your outside vendors and outside developers are logging into your systems with their identity management platform, with their email address. Then you get into a rather complicated process of how do I get their identity into mine?

Andrew Gault:

Do I want my application looking at two identity providers? I would strongly encourage the answer to be no. I would have that external vendor. And what are we doing in my company? We, you sign a consulting agreement, we give you an identity on our servers and you will use that identity whenever you talk to any of our systems.

Andrew Gault:

And that way we know exactly who you are. We don't have to go server by server or application by application. And if the contract should be terminated for any reason, we can just switch off that identity in our system in one place and we're confident that there are no, there's no holes. There's no exception being made in any of our systems to allow the external vendor in.

Dejan Kosutic:

Okay, great. And what would you say, which kind of risks can zero trust actually effectively decrease or simply eliminate? And on the other hand, which risks cannot be eliminated through Zero Trust?

Andrew Gault:

Well, I think the first question is quite easy. I think it's lateral movement, right? And it's again, at the highest basis, it's that if I only have a perimeter around my campus, anyone on campus could go anywhere. Zero trust, it really, people are gonna get in, right? It's, you know, there are security patches all the time.

Andrew Gault:

There's gonna be a server that wasn't patched. There's gonna be some old login was left and forgotten. You just, there's a little bit of an implicit assumption here that someone is gonna get in, whether I like it or not, no matter how hard I try. And by doing zero trust, well, they're only gonna get in to what they got into. They're not gonna have got into some frivolous system no one cared about.

Andrew Gault:

And, you know, the next day they're in our billing system, right? Which we all care about greatly and, you know, have a whole team staring at all the time. And that's usually, when you think of in reality how those kind of security issues happen, it's usually some old system no one looks at because there's nothing important on it, had the old login, someone got in. And then they move laterally through your network and end up on something, you know, the crown jewels. So zero trust fundamentally is about stopping that.

Andrew Gault:

You know, it's not that there is no weak link in the chain. It's that we care a lot less about a weak link in the chain. What was the other point? Oh, what might it not prevent? I think shared credentials is probably the obvious one.

Andrew Gault:

Right? If I, maybe I'm a good employee, I have a login to the billing system, I'm using a password manager. Oh, but I'm out of town for the next week. Hey, can I just share my login with you? And that would be so much simpler than going to IT and having them grant you access to whatever system I access here.

Andrew Gault:

Just have my login for the week. Can't stop that, right? And so I think that's the, the fundamental point here is the identity of both the human and the device. And if those are shared, then it kind of breaks down, right? But that's a policy decision and training decision, I think more than a technical issue.

Dejan Kosutic:

More of a human issue, so to say.

Andrew Gault:

As they always are, right? Unfortunately. Fundamentally, there's usually a human issue at the bottom of the board when those things break Yeah.

Dejan Kosutic:

And do you see some other, let's say, common things or common situations where zero trust cannot be trusted, I mean, beyond this human issue?

Andrew Gault:

I think you have to constantly update it, right? There's change of management here. Someone may change their role. May, especially it's a lot of work, right? So I mean, in theory, you should be doing lowest privilege kind of access to everyone.

Andrew Gault:

If I have a new system and it's, you know, 50 people, it can be a lot of work to work out what is the absolute lowest. I mean, we've all, early in my career I was an administrator and, you know, the constant request to have a certain new role can get annoying. And I think so basically the privileges people or the access people need changes over time. And there is a management overhead cost around that. And I think that it's an ongoing maintenance problem, right?

Andrew Gault:

But obviously if you don't keep up with it, you might have someone who changed department but can still access the system that was key to their previous job. And now you have something, you have a problem out there, it's kind of a potential hole.

Dejan Kosutic:

Okay, and do you perhaps see that in some ways zero trust can actually increase risks, for example, by making too many services, let's say, or more available than usually? So is there actually a case for increased risks?

Andrew Gault:

I struggle to come up with even a hypothetical. I can think of challenges about how you might deploy it, or like the shared credentials, challenges of how someone might work around it. But I struggle to think of a scenario where strategically and then architecturally on how I lay my network out, where things are isolated, there's least access, you cannot, given access to system A, doesn't in any way let me access system B, how can that open me up to more risk? I think it's a net win pretty much across the board.

Dejan Kosutic:

Okay, but for example, with, I don't know, AI agents, you know, or these kind of, let's say, non human users or, let's say, entities that access the network, maybe from that end?

Andrew Gault:

Well, the thing is, ultimately, they have to have an identity. They have to prove who they are. And it's maybe worth talking about actually nonhuman identities. The industry in general, and we, as humans, think of identity as being a human. There is a user.

Andrew Gault:

The user connects to something. I need to allow the user. Software is usually sold in seats. That's implicit in that, a human. I think as we go forward, it'll be a lot less about the human, right?

Andrew Gault:

And you already see this with SaaS companies trying to pivot away from selling seats because now everyone, I don't use that many seats. I only need four seats, but really my human login has been used by my, you know, my robot army of 20 multi agents. And there's a mismatch there between what the vendor is trying to sell or the value that the user or the customer is getting from the vendor and how the vendor is charging. I think going forward, you're gonna feel a lot more of that. So in terms of zero trust, of course, when I say you have to verify identity, it's not just human identity.

Andrew Gault:

A lot of these systems weren't built with this in place. Ideally, you have service accounts, right? Your systems will have accounts, human accounts, which you can link to an identity provider, and they will have service accounts, a separate thing. You see it in Gmail, where you have an API key that you configure. So it's a specific different type of identity, specifically for machines, devices, AI bots, that allows you to track it.

Andrew Gault:

Some, I mean, let's be honest, quite a lot of vendors and systems we use, including me and my own company, I'm sure all your listeners just don't have that concept. And you end up with the fake human identity, which works. I mean, in principle, what's the difference? It's an identity, it's an email address you can log in with, whether, you know, an artificial name, you know, failed bot app, whatever your company name is. But I think the risk there is that's almost inherently shared.

Andrew Gault:

Not sales bought at as generic. Is it the agent running on my laptop, the agent running on your laptop? Right? Are we really both gonna create our own account for that? So I think that I personally deal with that, but just be very careful with administration because it's impossible to work around if the vendor or the system you're using doesn't have service accounts.

Andrew Gault:

I hope that that is very much a point in time problem. I think obviously with the rise of AI agents and where they're going and, you know, you hear, and I tend to buy into it, that, you know, SaaS companies going forward, you know, the bots will be using the SaaS company. Right? Do you really need the UI? You just need an API.

Andrew Gault:

Give it a few years and it will only be the, you know, the AI agents that are coming in. With that in mind, I would expect most vendors and systems to start rolling out machine identities as a first class principle.

Dejan Kosutic:

Okay, and then what is the best practice actually to manage these identities that are non human versus, let's say, human? So what is the key difference actually in managing these two types of identities?

Andrew Gault:

I think that you need someone to own the identity. I think that's where it falls down. Right? If you join my company and I give you identity, you're obviously the owner of it. You are implicitly responsible for who acts with the system as you.

Andrew Gault:

And I can train you not to share it. I can, if you change role, there are usually change management processes that will catch that, right? You are in a different department. Oh, something is flagged. Now we know there is a ticket.

Andrew Gault:

We have to go and we have to, really, what access do you need? Should we downgrade you? Should we upgrade you over here? Again, it's a process problem, but that's the process we're kind of used to and what we work towards. With machine identities, the machine doesn't really, air quotes here, own its identity.

Andrew Gault:

It doesn't feel, you know, can you train it? It doesn't feel, you know, ethically responsible not to share the identity with another machine, right? You can enforce it in programming, but that's where it falls down. And then what if that machine goes away, right? Oh, we stopped using that agent.

Andrew Gault:

We're using this one over here. Did that bubble up to your change management process? Did your IT department learn that that's not used and that they can shut down that access? It's a tricky problem, but I think it is a process administration problem. You just have to, for all of these nonhuman accounts, which are not specific service accounts, you got to keep the big spreadsheet.

Andrew Gault:

You got to manually check up from them. You got to build that process. Right now, I don't think it's yeah. Like I say, I hope it's a point in time problem because that's only gonna grow. Right now, it's a headache.

Andrew Gault:

I suspect I know I and most of your listeners have some of these, but it's in the order of, you know, there's a half dozen of these accounts that are exceptions that the people who matter know that. Fast forward a few years, and I worry that it's gonna be hundreds and hundreds and hundreds and maybe more than the humans. And then, you know, a quick spreadsheet and doing this manually ...

Dejan Kosutic:

It's gonna be impossible.

Andrew Gault:

It's gonna have a real scale problem.

Dejan Kosutic:

Yeah. Yeah. Let's speak a little bit more about governance. So, in, let's say, present day, when you speak about zero trust, what kind of processes would you typically need to control zero trust?

Andrew Gault:

Well, I think the ones I've talked about, right? The identity and, you know, who should have access and then the policies. So, I mean, I guess I've spoken a little bit about here, if you change role, maybe the access you require might go up or down, but that should definitely be a well thought through policy and not just some IT admin, you know, "Oh, someone's bugging me that they need added access here, let's go." You should, I mean, if you're doing it right, you will have written policies and you will have scoring, right? And it should be multifactorial, right?

Andrew Gault:

It should be who's the human identity? What is the device identity? Where are they coming from? What geolocation are they coming from? What kind of device are they coming from?

Andrew Gault:

What's the endpoint posture of that device? Is it patched? It's very hard to give an explicit list here because it so depends on your use case and depends on the system. But I think that's the, I would say the key policy that needs to be at the governance layer is like, okay, what do we do? What are the rules that we can then pass down to IT to then enable and manage?

Dejan Kosutic:

Yep. Yeah. And from, I don't know, let's say, a standard point of view, like ISO 27001, they always require that the business side actually approves the access and these kind of things. So obviously, you would need some kind of policy or procedure, see what you were saying. Yeah.

Andrew Gault:

No. I was gonna repeat your point. So I almost didn't say it there. Yes. I mean, the policy is you've got the scoring, and I'm imagining a flow chart here of who the stakeholders are that would need to be looped in depending on the system and potentially maybe depending on the risk score of who's coming in.

Andrew Gault:

And there are vendors that allow you to build this out, right? And start automating the policy access systems. You have an identity system, which everything should be linked to. You can have a policy access system where I can build that. And it's, you know, it's not actually the IT human getting an email.

Andrew Gault:

The system can make that decision for you.

Dejan Kosutic:

And besides this, let's say, access control, is there anything else from the organizational point of view that needs to be defined?

Andrew Gault:

My mind immediately goes to more of the technical side. So we're talking in terms of systems and applications here, and there are many layers in the stack, right? So you can and this is where I loop back to Zero Trust being a mindset. You can do it at all the different layers, right? You can do it at the, you know, the application layer, like who's coming to my application, you know, the web based service at a front door.

Andrew Gault:

But you can and should do it all the way down the stack, all the way down as far as the network layer. Right? Is there IP connectivity with that system? Does this device, my laptop in front of me, need to be able to even ping that system over there? And there are multiple ways to do it.

Andrew Gault:

There are some traditional VPN providers. There are next generation firewalls that can allow you to build a lot of this. I think an overlay network is a great way of doing that because it abstracts away the technical layout of your network. The actual, you think about an IP address is really a location in IP space and how to route to that location, which is dependent a lot on where are your offices, where are the switches located. They're kind of rooted in the real world.

Andrew Gault:

An overlay network would allow you to abstract that away and just build a simple flat network over the top. And any services within an overlay network of course are completely invisible to anyone not on the overlay network. Your attack surface area basically collapses to the operating system's IP stack. So again, bring that up as I would think of it as well all the way down to the network layer, right? You know, start there.

Andrew Gault:

It's not just what system, but which network segments. You can knock yourself out, right, based on time and security risk profile. You know, you could have a virtual subnet for almost anything, right? You could have infinite of them. So how far you go depends, I think, a lot on the risk profile.

Dejan Kosutic:

And who is typically, let's say, owner of each of these, let's say, layers or let's say, elements of zero trust?

Andrew Gault:

Great question because it can depend on the organization. So you have the CIO usually concerned with cost and you have the CEO usually concerned with security. And so it will depend a little on the organization and where the budget is, of course. Right. And depend on the system.

Andrew Gault:

I would imagine the CISO together with other stakeholders will build the policies and be very involved in, you know, what should we do? And the CIO is much more the only for the practitioner side and actually rolling it out, finding the vendor, much more the nitty gritty of implementing a lot of this. But it's a, again, it's not an architecture, it's not a strategy, it's not really something you buy, it's a mindset. That's cultural. More than anything that is cultural, right?

Andrew Gault:

And it should come from the very, very top, right? If you're a technical organization like mine is, then it comes from me, the CEO, right? It's like, this is just how we think about it and everyone should think about it, right? By default, of course, there's denial by default. And then we slowly enable, right?

Andrew Gault:

That's just common sense. Obviously, if you're in a completely different industry and your CEO is maybe not with a strong tech background, it may be a bit much to ask for them to be culturally pushing that kind of mindset on the organization. And to be fair, maybe the organization doesn't need it, right? And then it will fall on the CIO or the CSO. But I think it's a culture that needs to be pushed out as much as governance and practices and principles.

Andrew Gault:

It really is just everyone all the way down the stack to you really don't want an employee getting upset that they can't access something. And can you just maybe admin on everything? Like, you've almost failed culturally if you get that request. Right? It should be, I hope, very obvious to everyone.

Andrew Gault:

This just makes sense.

Dejan Kosutic:

How do you actually nurture this kind of a culture that embraces zero trust?

Andrew Gault:

Yeah. Again, it depends on the organization. So it's easier for me to answer from a technical organization. In particular, I run a technical organization that sells security software. So it's maybe a little easier because everyone should be thinking about security.

Andrew Gault:

Find saying that even in my organization, headlines, you know, we're all human. We all react to headlines, right? We all react to fear mongering whether we like it or not. And it's not the car accidents on the way to the airport, it's the airplane crash that we all dwell on and that gets noticed. And all industries will have something that hits the headlines. And usually, like I said, it's something that wasn't patched.

Andrew Gault:

It's rarely a zero day that someone gets into the credentials. Usually it's an oversight, it's a change that went wrong. It was some old system that wasn't patched up to date. Someone got in a way that should not have been catastrophic, but once in, they were able to move through the organization or through the systems. And I think picking a news story in your industry or very closely adjacent to your industry is maybe a good way to scare people a little bit.

Andrew Gault:

Just think through what would happen to our organization if this had happened or why wouldn't it happen? And, you know, get that culture in there.

Dejan Kosutic:

Mhmm. By the way, is there some kind of statistics which shows that, let's say, that the organizations that did embrace zero trust have fewer incidents rather than those that did not embrace zero trust?

Andrew Gault:

That is such a good question. I don't know the answer, the short answer, but it's a great question, and I kinda wanna go and research that, because, I mean, intuition is how could it not, right? It's, I mean, it's just an obvious no brainer. These things are hard to measure, of course, because in general, people don't announce when they got hacked, right? And it's the kind of thing where maybe two departments in one giant organization could compare because someone's above them that knows all the information. I think we rely on it as best practice more than we have that broad data.

Dejan Kosutic:

Okay. Okay. Now from the, let's say, auditor point of view, what should auditors typically check when it comes to zero trust?

Andrew Gault:

Well, it depends which control set they're running through. I know we've just gone through SOC 2 in my company, and there it's about access controls, change management, monitoring or revocation of credentials. There's usually something similar in whichever framework you might be in. I know ISO 27001, it's much the same: access control, identity must be used. You must have central identity management.

Andrew Gault:

I think auditors are going to look for these things. I think it would be very hard. Actually, a good thought experiment. If I did not do any zero trust, I didn't do any of these principles or do any of it, would I be able to get through one of these audits? I think it would be very difficult.

Andrew Gault:

I think you would have to be writing out the exceptions and calling out the workarounds a lot, and your life could be 100 times harder. I think the auditor at this point just expects to see it because it is, you know, just best practice. Then to one of your very early questions, there's no real downside. Right? It only adds a layer of security.

Dejan Kosutic:

From your experience, do auditors, let's say, check only individual components of, I don't know, access control or let's say the logs, or do they also check the whole architecture of zero trust and then see if it works, if everything fits together?

Andrew Gault:

I would say, unfortunately, the former. I guess the thing with an auditor, and I think with all these compliance frameworks, is why are you doing it, right? Are you doing it to get a badge on your website to market? Or are you doing it to fundamentally increase the security of your organization? And depending on which side, whether you're on the GTM side or you're on maybe the operations side, you probably have a slightly, you know, with good reason, different answer to that question. I think the sad truth is an auditor cannot ever check everything.

Andrew Gault:

Right? The cost is just completely prohibitive. All they can do is see that ideally using some kind of system, some kind of vendor. Do you have all these policies in place? Are you using them?

Andrew Gault:

And then they could spot check, and they should and they do spot check, and, you know, it's natural that they will find some things in the spot checks. But if you rely on the auditor, you're relying on spot checks. And, you know, if you have a hole, if something is not right, if you signed off an access control policy or a risk scoring algorithm for, you know, for users sitting in Europe and you uploaded it to your, you know, the framework vendor for the auditor, but you didn't do it, well, the auditor's not gonna find it, right? So I would hesitate to rely too much on an auditor. I think they're there primarily for the social proof of letting your customers and letting the market know you have thought about it, but they're not thinking about it for you, right?

Andrew Gault:

There's the, if you wanna do it right, you will not just sign up for one of these compliance frameworks at an auditor, you will read why am I signing up for this compliance framework? What is it trying to help me with? Ultimately, you don't want a badge for your website. You want to not be a headline in the newspaper because you were hacked. Right?

Andrew Gault:

And, you know, a whole bunch of PII was leaked. The auditor can help, but I think it's much more the culture that matters far more than an auditor.

Dejan Kosutic:

Okay. And you mentioned a couple of these frameworks like SOC 2 and ISO 27001. And do you feel that zero trust is, let's say, closest to any of these frameworks? I mean, two are, I don't know, NIST cybersecurity framework or any of these. Is there any framework which is kind of the closest in its philosophy to Zero Trust?

Andrew Gault:

Well, I mean, I think the term originally came out of NIST, and they had a framework for Zero Trust, very much high level. This is how we think you should do it. At this point, I mean, obviously you can go off, you can go read that, you can go implement it. I think from a security point of view or a cultural point of view, great. You're probably very secure.

Andrew Gault:

We're all running businesses though, and we do all want the social proof of that badge on our website, and that's up to four percent ten to our customers. And frankly, your customers have probably never heard of NIST or that particular framework from NIST. They've heard of ISO 27001 and they've heard of SOC 2. But you're not working against either of those frameworks. It's very much now within those frameworks.

Andrew Gault:

Like I say, it would be very hard, I think, to get compliance on either ISO or SOC 2 at this point without having effectively implemented all the bits that matter from the original NIST Zero Trust framework.

Dejan Kosutic:

Yeah. I mean, ISO 27001, it does not mention, you know, Zero Trust, but of course it has several controls around, you know, identity and access control and all of these things.

Dejan Kosutic:

It's kind of there, but it's not directly referring to zero trust.

Andrew Gault:

I wonder, I think least privilege is called out in ISO 27001 OL, and that is to me probably the closest to zero trust philosophically. It's like the least, the lowest privilege is simply you can't access it. Right? And then I go out from there. I mean, fundamentally, that is what zero trust is.

Andrew Gault:

What else is it? Okay.

Dejan Kosutic:

Let's speak a little bit, you know, about vendors, I mean, vendors that provide zero trust solutions. So, how can a company that wants to, let's say, thoroughly implement this zero trust strategy, how can it actually avoid, you know, lock-in from a vendor?

Andrew Gault:

That's a hard one because, you know, it depends so much on the vendor, right? And going in with your eyes open. I think it depends a lot on the scale of your business. So I run a startup, so in the grand scheme of things, a small business. I, in a past life, have been on the VC investor side, and again, mostly see small businesses.

Andrew Gault:

And I actually give pretty explicit advice to the founders I work with, but also to my own company: don't think you have to think this through from first principles. In every market, there is a vendor that kind of is just the default. Just like any mature market has a vendor that is basically 50% of the market. And if you're that kind of company, an SMB, SME, you're probably resource constrained. You have limited brain cycles, you know, just too many plates to juggle.

Andrew Gault:

I wouldn't first-principle this. I would just ask, okay, who does everyone use? Great. I'm just going to use them. And I want something that's opinionated.

Andrew Gault:

I don't want a vendor that's gonna be, here you go, you can do anything with it, go build it yourself. Because again, I don't wanna bring a consultant in. And the reason I've gone with the big gorilla in the space is so that I don't have to expend brain cycles. I personally would go for the vendor that is very opinionated, right? This is how we do Zero Trust.

Andrew Gault:

If you buy our products, we will implement Zero Trust like this, or identity management like this, and don't fight that. Right? There's a reason they're 50% of the market. They are the default because their strong opinion on how you do it is probably better than your opinion. Right?

Andrew Gault:

That's what they do all day, every day. And you're probably running a business not in that area, or you wouldn't be listening to me about what to pick, right? I think things definitely change as your company and organization gets bigger and budgets go up, because then the cost of being locked in can outweigh the upfront costs of building a little of it yourself, doing a little bit more research over what other vendors are out there. If you can afford to put a team on it, just go away for a month or two and just research this space, research the best vendor, go have a call with the salesperson at all these vendors, grill them a bit, you know, do an RFI process. If you can afford that, yeah, sure.

Andrew Gault:

You should probably do that. And you should be very wary of vendor lock-in because that's the classic, you know, system of record problem. Right? That's why SaaS companies in the pre-AI age, I'm not sure, it might be changing this year, but in the pre-AI age, SaaS companies, whether it's Salesforce or whoever else, have these massive valuations because they are a system of record. And once they're your system of record, it's very, very, very, very hard to get out.

Andrew Gault:

And they're just gonna keep raising the price 20% every year forever. That is a very valid concern. So, but again, if you can afford to do what's necessary to work around that, great. If you're a smaller organization, like most of the ones I work with, and again, I'm sure most of your listener base, I wouldn't even think about it.

Andrew Gault:

I'd just go with the default and explicitly look for them to be opinionated about how I implement this stuff.

Dejan Kosutic:

Okay, great. And once a company actually starts applying a Zero Trust strategy or concept, what are kind of the best KPIs actually to measure if this is really achieving whatever they wanted to achieve?

Andrew Gault:

That's a great question. I tend to think about it in terms of what is not yet in it. There are always exceptions, especially when you roll something like this out. It's easy if you just founded the company, right? Do it from day one, then it's almost like getting either ISO 27001 or SOC 2, it's trivial if you don't have any servers. Most organizations are not like that.

Andrew Gault:

Over cycles of both technology and team, and, you know, the people within a team, they have built up a product infrastructure which has interesting layers of legacy systems and new and modern systems. And when you try to implement something like this, it's probably gonna be easiest on the most modern stuff that you just dropped in, because it was built being aware something like this would exist. In fact, something like Zero Trust, which is, I think, what so much of the industry is trying to be now, the new stuff probably already does it. Right? Where it gets harder then is the exceptions, the legacy systems.

Andrew Gault:

The old legacy system no one really looks at, you know, the team that implemented it left ten years ago. Those, you're gonna skip them the first time around, of course, for obvious reasons. But you can't just leave them skipped because they're probably the weak link in security. If someone's gonna get in through a weak backdoor and then try and move laterally, it's probably one of those legacy old systems where whoever put it together has left the organization. So you need to get to them.

Andrew Gault:

So I tend to think about, you need to identify the list of all the systems, right? You know, what are all my human identities? What are all my machine identities? What are all the systems we use? What are all the networks we use?

Andrew Gault:

You need that inventory. And then I think the key thing is just ticking them off. What percentage is left? What have we not got to? I would strive to try and get everything on.

Andrew Gault:

And I mean, there might be some legacy system. My mind's gone blank on an example here, where it's like, this is just, we are not going to get this system connected to our identity provider. This just ain't going to happen. Right? It was written in COBOL twenty years ago.

Andrew Gault:

Right? There's no way we're going to go rebuild that system. Well, can I isolate it on the network? Who really needs to access it? Is it my entire organization or just a certain number of users?

Andrew Gault:

Maybe it's using its own login method with its own database and users table, old school, username and password in a table in its database. Great. Obviously, I would hope you have frameworks and policies about reviewing that table frequently, but it is probably the weak link. So let's isolate it at the network level. That system probably doesn't need, you know, to have IP access to my billing system or to my website, whatever the other system is.

Andrew Gault:

So I could lock it down on a lower layer. Yeah. And then all those exceptions, I think, are your weak links. Those are what I strive to reduce and have quarterly targets for. You know, okay, we've got these systems, how much can we reduce that next quarter?

Dejan Kosutic:

Okay, very well. So, and the last question is, what would be your, let's say, suggestions to companies when setting up and managing Zero Trust? What are the top, let's say, things to do or top things not to do?

Andrew Gault:

The top, I mean, the top things to do, I feel like I'm beating the same drum here. Well, maybe I'll start from first principles. So first, inventory everything. As I just said, how big a challenge would this be? I think you might be surprised at how much is already doing this because it really has been industry standard for at least ten years.

Andrew Gault:

Newer systems will kind of do it by default. You may find there's a newer system which has its own login tables, which supports some kind of single sign-on via an identity provider, which you already have. It's just no one enabled it in that system, linking it to that identity provider. And of course, SaaS services love to charge you, upcharge you per seat for that. It's probably worth paying the upcharge.

Andrew Gault:

So anyway, enumerate, see really how big those gaps are. And, you know, start working down your list and don't forget the cultural element. Explain to the greater organization: why are we doing this? What is Zero Trust? Maybe I'll end where I started.

Andrew Gault:

I really don't think it is a framework. It's not that NIST framework, a compliance framework. It's not ISO 27001, it's not SOC 2. It's just a way of thinking about it. It's like denial.

Andrew Gault:

What if I just lost my firewall? What would I need to do? If you can get your organization culturally thinking like that, everything falls downstream from it. Go from there.

Dejan Kosutic:

Okay. Great. Thanks for these insights, Andrew. It's been a pleasure talking to you.

Andrew Gault:

Yeah. Thank you very much. It was a very enjoyable conversation.

Dejan Kosutic:

Okay. Great. Thank you. And thanks everyone for listening or watching this podcast and see you again in two weeks time in our new episode of Secure and Simple Podcast. Thanks for making it this far in today's episode of Secure and Simple Podcast.

Dejan Kosutic:

Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white-label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce.

Dejan Kosutic:

Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up; it helps with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!

Creators and Guests

Host: Dejan Kosutic, CEO at Advisera & Cybersecurity governance expert