An honest chat about Zero Trust Security, with Paul Baker
Episode 317th November 2023 • 10 Questions to Cyber Resilience • Assurance IT

Shownotes

Zero trust is a hot topic, so we invited the Director of Cybersecurity from Plurilock, Paul Baker, to discuss the subject in detail.

 

In this episode, Paul Baker from Plurilock and co-founder of Assurance IT, Luigi Tiano, discuss: 

  1. What is zero trust? 
  2. How do you never assume someone is a good actor?
  3. How do you get an enterprise to prioritize zero trust?
  4. Is it easy to calculate the cost to protect a network?
  5. How do you get people to buy into cybersecurity?
  6. What role does zero-trust play in identity access management?
  7. What is continuous authentication? Compared to MFA?
  8. Is continuous authentication safe?
  9. How does a team measure the effectiveness of implementing zero-trust initiatives?
  10. Has zero trust helped you get cyber insurance?
  11. What are the long-term benefits of zero-trust?

 

Resources: 

Watch the episode: https://youtu.be/D5oL9B1-0qw

Paul Baker’s LinkedIn: https://www.linkedin.com/in/paul-baker-uk/

Plurilock website: https://plurilock.com/

Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/

Assurance IT Website: http://www.assuranceit.ca/

 

About Paul Baker: 

A customer-facing manager who collaborates with all levels of stakeholders, from developers and technical staff through to C-Suite executives. Builds solid relationships and quickly becomes the reliable "go-to" person internally and externally. Analytical thinker with a creative edge who deftly identifies client needs and assesses financial and technical viability. Passionate about helping clients discover new possibilities, maximizing investment in technology, and driving revenue for their company. Translates customer requests into detailed requirements, then follows through to delivery and beyond.



About 10 Questions to Cyber Resilience: 

Learn about how IT leaders are strengthening their cyber security practices twice a month. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security.

 

About Assurance IT: 

Assurance IT (www.assuranceit.ca) specializes in data protection and data privacy for the mid-market in Canada, since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.

Transcripts

Speaker:

I wanna welcome everyone to the podcast this morning or this afternoon, depending on when you're listening. With me today, I've got Paul Baker from Plurilock who's gonna talk to us about Zero Trust. Really looking forward to hearing the Zero Trust story specifically from Paul. I've heard him talk about this before. I think he's got a lot of information for us which we're gonna appreciate. Paul, before we get started into the questions, I want you to introduce yourself, who you are, what you do, and what brought you here today.

Speaker:

Hey everyone. My name's Paul Baker. I'm Director of Cybersecurity at Plurilock. Plurilock is a Canadian company that develops some really cool cybersecurity products, but they're in the general Zero Trust world. I spend a lot of time talking about Zero Trust to people, just digging into what it means for them and what actually is it in the real world.

Speaker:

Fantastic. Yeah, a great company, Canadian bred company. We're always proud to see some fellow Canadians pushing the envelope when it comes to cybersecurity and, like you said, zero trust. I've got a lot of questions on my mind. Paul, I've heard you explain zero trust before. The term is not new to the industry. It may be new to certain individuals. So can you explain the concept of zero trust in really simple layman's terms?

Speaker:

Sure. Why don't we go back a little bit in history and I'll set the scene for where zero trust comes from. So back in the late eighties Digital Equipment Corporation, DEC, published kind of one of the first papers on firewalls. That really set the scene for security for an awfully long time. It really got this sort of castle and moat approach to security, a super strong perimeter, keep the bad guys out. But once you break through those castle walls, you can walk around and do what you like. As I said, that remained really the standard approach to security for a long time. And that of course was why we see so many breaches, because a wall is not impenetrable. And it wasn't really until the early two thousands when people started to think about de-perimeterizing. A lot of that was because there was a big move away from the sort of the slightly older IT corporate setups of mainframes and thin clients, everyone within a building, and into this more sort of complex, distributed, full desktops, hybrid work, cloud kind of world that we live in now. The internet, of course, and the ever expanding reach of the internet was a huge part of that. Then in 2010, John Kindervag coined the term Zero Trust in a Forrester research paper. Really until the last few years, Zero Trust as a phrase has mostly stayed in the analyst space and not really so much in the corporate security psyche, although many people in security have been looking at defense in depth, which is a very similar thing. So if we fast forward to 2020, NIST, the American standards body, published SP 800-207, which was really the first attempt to try and formalize this zero trust framework of standards and requirements to help define what it really was. Last year, of course, the US Office of Management and Budget, I think it was, mandated that all US agencies had to adopt zero trust principles. So this is a thing that isn't going away.

So what is it? One of the common mottos, phrases, whatever you wanna call it, associated with zero trust is always verify, never trust. And what it really means is that you need to assume that users and systems and so on are already compromised. And so while that perimeter itself is still, of course, very important, you need to start thinking about how do we limit damage if someone is inside it already? So it's really, it's an approach to security. It's not a specific tool. There's no magic zero trust button you can go and press and, how you press, you're protected. You need to go through this whole process of kind of identifying really what is it you're trying to protect. What's the things that you wanna protect? And then start to consider how do we protect that? And usually you wanna start with things at the highest risk to you as an organization. And then find the right tools that, that help you protect those assets. And then you can use the guiding principles in standards like 800-207 or referring to some of the reference architectures that are out there. DoD have released one fairly recently with a whole bunch of zero trust specifications in there. So say really it's just a change in concept from let's make the perimeter really strong. Because the point is really the perimeter doesn't exactly exist anymore. And let's focus instead on how do we minimize damage, right? How do we never assume that everyone is good and that they're doing good things, right? Let's assume that every user and every application and every system is compromised and treat them accordingly, right? Make them prove that they're valid, rather than just saying, yeah, you're good.

Speaker:

Great. Always verify, never trust.

Speaker:

Yep.

Speaker:

Four important words. And it's 800-207 you said? Is that the...

Speaker:

Yep. 800-207. The part of the NIST standard. It's, yeah, it's a pretty good read actually.

Speaker:

It's a pretty good read. So I'd highly recommend folks go out and take a look through that to kinda get a really good idea of what's expected from zero trust. And it's amazing that this, the concept has been around for a very long time, and we've seen it evolve over time. And again, it's, you said it's a principle, right? It's not really a, you can't really call it a framework per se, because there's really no standard for it. It's more of a principle.

Speaker:

Yeah. Yeah. It's an approach. It's of, it's a way of thinking about security, about thinking about how you secure everything in your corporate environment, whether that's users, data, applications, systems, networks, the whole lot really.

Speaker:

And given that always verify, never trust ideology or approach, what are some of the biggest challenges organizations are facing today when trying to implement Zero Trust? Because it sounds like a pretty fundamental or logical approach to securing the enterprise.

Speaker:

It is, and I think the biggest hurdle is overcoming paralysis at the start. It's such a, it's such a potentially huge project because it hits all parts of your business and I think people don't know where to start. How do we eat this massive elephant of zero trust? You pick up a spoon and you start scooping. Key things that, that companies need to make sure is that they have, they've gotta have buy-in at board level. There has to be that real drive from the top to say, we are doing this. It's important to our business for all these different reasons. And we need to do it right. We need to commit to do it, commit to do it properly. There's not an easy way. There's no zero trust button, as I said. It's gotta be, it's gotta be done and done properly.

Speaker:

Yeah. There's no easy button, like you say. But, and there's no, we, there's no way to even determine the actual costs until you dive into, then you start eating it.

Speaker:

Exactly right. It depends on what you're trying to do. My, my recommendation to companies who want, who want to go down this path, and it should really be all companies, cuz let's face it, everyone needs good security, is to really first look at what you care about protecting. What's the crown jewels that represents the highest possible risk to your company if it's breached? It could be something related to your intellectual property. It could be your customer information. Who knows? But that's the thing that you wanna focus on protecting first. That's what you care about, right? If that piece of information, that data, that system, whatever it is, goes away, that's your business at risk. So those are the things that you really wanna focus on first. And look at all the different ways that you can protect those. Cause that's gonna be your biggest bang for the buck.

Speaker:

And as an organization, I think some of the challenges stem from not understanding the priority of the valuable assets they have. Sometimes, I would say, to be fair. That, that becomes a challenge in itself. So you're right. I think we need to understand what, where we prioritize, what's the most important, valuable asset you have, and then based on that, then you work your way down. That would be a great start for sure. And you're, I like your, when you said buy-in at the highest level, I, you need buy-in at the highest level. And often what I say is you need executive sponsorship. You need someone, absolutely. Someone or some team. And oftentimes it's one person. You need to have that one person who's driving the initiative.

Speaker:

Yeah.

Speaker:

Because without that, then there's no funding there, there's really no strategy. And oftentimes it's someone who understands security and of course the business.

Speaker:

Totally.

Speaker:

And typically in most companies that's driven from the CISO role.

Speaker:

I was about to say, yeah. The CISO role.

Speaker:

Exactly. And then that's a challenge in itself because CISOs are overworked, overwhelmed, for the most part. They've got a lot of things coming at them right now, being thrown at them.

Speaker:

Yeah.

Speaker:

And I see a lot of times where the CISO is reporting to, initially with CIO, and this could be a conversation itself, but reporting to the CIO, and then now there's a dotted line to the CFO, and then the operations people want to know what's going on because it's impacting every part of the business.

Speaker:

Exactly. It's a critical role.

Speaker:

Very critical. Very critical. When it comes to zero trust and network infrastructure, is it, what's the, what's an impact on your organization's network infrastructure? What, and is it easy to say what costs are involved with protecting the network?

Speaker:

It, that varies depending on what tools you're trying to use and how big a network is and so on. But in terms of impact, if it's done properly it shouldn't really affect anything in terms of day-to-day operations other than making it more secure. It's, it should be invisible, and be, and that's either to people or to systems. Is there gonna be some cost? Yes, of course. If you have to start buying new tools, there'll be some kind of cost involved, that if you need to bring in the services of experts in the field of zero trust, which I, if you are not one, I absolutely recommend you do, right? You can make a huge amount of shortcuts by not having to try and learn everything from scratch yourself. Get someone in that you trust that can advise you on what you've got, that can advise you on solutions that are gonna be able to help your particular needs. So definitely do that. But yeah, a lot of companies have tools in their stack already that can help them in this zero trust journey, right? So it may just be a case of better levering to, leveraging tools that you already have, in which case it's just some time cost to do that and perhaps learning how to use them better.

Speaker:

The tools is definitely part of the equation, and oftentimes we see when you're trying to have a culture shift, Paul, and you obviously, I welcome your comment here. It's also an, a change, a culture change within the organization, right? I think that's sometimes is harder to do depending on what type of organization you're working with. If you're a low tech organization who's not really familiar with technology or you don't use it on a day to day, I see that adoption. That rate of adoption sometimes comes down a little bit, and that becomes a challenge in itself, regardless of whatever tools you have.

Speaker:

Yeah. Yeah. Saying change is difficult.

Speaker:

Yeah.

Speaker:

It's a fact. Change is difficult. And I think the key to that is, is engaging people. It's in helping them to understand why you are doing something, right. What's the benefits to, to what you are doing, and get their buy-in. If you are expecting your end users, for example, to have to do something different. Yes, you could just mandate it and send out the, the note that says this is what you will do from now on. But I think if you get buy-in, if you get understanding, if you involve them in that process a little bit more, then they become engaged. They become aware that security is a thing they need to think about, and you just end up with, with happier people and better security.

Speaker:

It's everyone's responsibility within the organization.

Speaker:

I, I agree. Yeah, absolutely.

Speaker:

I agree. Absolutely. And so this leads me to my next point or next question. And you know this really well based on what you guys are doing at Plurilock. Identity Access Management is obviously very, a very strong or familiar place for you. How does Zero Trust factor in into identity access management?

Speaker:

Yeah, I, identity is core to security, right? It's probably the single most thing that you care about in security is, are these my users? Their identity links to everything that they do in your systems. And so that's also core to zero trust. If you go and, if you go and look through DoD's reference architecture for it, their ZT first couple of required capabilities in that focus on identity. They focus on continuous authentication and things like that. And we find that there's a lot of companies go, oh, we protect our identities. We'll put MFA in front of them. That's not zero trust. It's a good thing. I'm absolutely not saying don't put MFA in front of a login. But that's not enough, right? You are checking someone again at the door at that perimeter and you're not checking them again. So you need to think about how can we remove trust from identity as well. Because it's relatively easy. I say relatively; it, there are tools to do it in different areas, for machine trust and applications and APIs and things like that. But as soon as you introduce a person, makes it more difficult. Because you are a human being. You're not a, you're not a thing that is, that has some specific certificate stamped on your forehead that you can use.

Speaker:

Yeah. Yeah, so there's a lot of elements that the human individual, obviously the human element brings to the table there which augment the risk there is and...

Speaker:

You also need to make sure that it doesn't impact user experience. MFA typically is a, certainly with most MFA implementations, is a thing that user has to do. So they, they press a button on their phone or put in a code or something like that. And you can't keep making users do that. So you need to try and look at tools that allow you to do that in a way that is unintrusive to the user, but still gives you that continuous ability to make sure that it is, that user there, that it is the person behind that, that digital credential, right? That certificate, that login, that MFA step up, whatever it happens to be. Making sure it's them all the time doing things in your system, because you don't want to be saying an hour after they've logged in, it's still them, based on something that's nothing to do with that person.

Speaker:

For me, this is the fascinating point about identity access management and I'd like to, if you can double click a little bit on this continuous auth, authentication piece. Just to help under, understand, cuz MFA, I think for the most part now MFA is everywhere, right? You will log into your bank, you log into your insurance, you log into any web portal online.

Speaker:

Yeah.

Speaker:

Chances are you're getting some MFA prompt, but if you don't mind, Paul, and I know you guys do this at Plurilock, so if you can double click on the continuous authentication for, cuz I think it's important for the audience to understand what that means per se.

Speaker:

Yeah. So, so MFA is great, right? At the point that, that user logs in and does something, you can get a really strong signal that it is that user, right? It can be spread across multiple devices, you can use biometric factors to ensure the human being, et cetera. So you have this really good signal at that point in time. But the problem you have is that from that time onwards, you've just become this sign in thing, right? You've become a certificate or a machine or a location or something like that. And assuming that a user is still that same user after they've logged in is introducing trust. So if we think about, for example, work from home, I can come and log in my home office. I've got my multifactor. I'm on my corporate managed devices with my TPM chips inside it, I'm in a known location. I'm on a known network. I'm using applications that I normally use, but if I go up and get a coffee and my wife or my kids come in and start using my computer, there's nothing that you can see contextually around that's different. Except the person behind that has changed. So how do you continuously make sure, you need to make sure that it's the right person presenting those credentials and using those credentials through the session. And so continuous authentication is a way of doing that. There's a few different ways that you can do it. At Plurilock, we do it through looking at how the user physically touches their workstation. So we measure the way that you type and the way that you move your mouse. And then when you're working, we can measure how you are working and use that to make sure it's you doing it. So there's a, yeah, you could do it with cameras, you could do all kinds of things. But the key is that you are continuously looking at the user and saying, is this still you? Is this still you? Is this still you? You're not assuming it's me because nothing around the context of me has changed, because I can change, right? If I'm in Starbucks and I need to use the washroom in a hurry, what if I forget to lock my machine?

Speaker:

Yeah.

Speaker:

I'm in my hotel and I've left my laptop in my hotel while I'm out to get some food. And, housekeeping, you're in there. How do you know? So it's that concept of never assuming that it's the user because you checked them at the door. Walk around behind them, make sure it's them there the whole time that they're operating your systems, because that's when the bad stuff happens. Bad stuff doesn't happen at the point you log in, it happens after you've logged in.

Speaker:

Exactly. And it doesn't really... So this continuous authentication notion doesn't really impede user experience or productivity. Cuz really it's not being, it's not being, there's no interaction required.

Speaker:

Yeah. If it's done properly. Absolutely right. It should be completely invisible to the user. You don't want to be impacting the user's ability to do things, right? So you can't use manual steps, right? You can't use entering a code or putting a finger on a reader or something like that, because the user is gonna be doing that continuously, right? And every time they're trying to do something new, oh, I'm gonna open a new application, or open a new file, or visit a new part of the network, right? You can't make them re-authenticate every single time because they're gonna spend all day authenticating and not actually doing anything. Anything productive.

Speaker:

Interesting.

Speaker:

So yeah, so you've gotta do it in a way that doesn't impact the user's ability to get on and do their job.

Speaker:

So I will push back, and I know you can answer this, so that's why I'm pushing back a little bit here, because I wanna make sure it's clear. Now, when you're monitor, I gotta be careful with the words I use here. So if you're doing continuous authentication, we're talking a lot about privacy, now we're talking about user, individual rights. So how do I make my end user base within my organization, 500, 4,000, 5,000 individuals, feel safe that this continuous authentication is doing what it needs to do and not doing other stuff, if, yeah.

Speaker:

So certainly at Plurilock, we look at the how, not the what. So we don't, we are not looking at keywords, right? We don't know what you're typing. We don't know what websites you're visiting or what buttons you're clicking on or what documents you're working on, and that's the way it should be, frankly.

Speaker:

Yeah.

Speaker:

We don't, that's nothing to do with us. That's not authenticating you as a human being. We just look at the physical way that you are touching your device.

Speaker:

Okay.

Speaker:

If, if you are a, a reasonably sized organization, for example, you probably have a proxy in place for your web connections. We are orders of magnitude more privacy friendly than a proxy, right? If you think about what a proxy does, it's looking at every single thing that you, that is leaving your machine, so it knows every page, every application, every day, piece of data access. It knows exactly what you're doing. If you look at some of these full session recording tools, again, yeah.

Speaker:

Privacy. That's why I wanted to bring that up.

Speaker:

Exactly.

Speaker:

If you, if it's a big topic now.

Speaker:

Exactly. And if you look at ones, things like cameras, hey, let's just switch the camera on and watch the user doing their things. Again, massive privacy problems. There's other people in the room potentially, which is, might be what you care about of course, but, it's, it's some big issues there. So yeah, we are very privacy friendly in that respect.

Speaker:

Fantastic. Okay, a couple more questions before I let you go. Cause I know your time's very valuable and we wanna make sure that we make the best use of our time. How does organization measure the effectiveness of their zero trust implementation? That's not an easy one, right? How do you know if it's working? There's really no, how do you quantify it?

Speaker:

It's a, yeah, it's a great question. You can take practical steps, right? Penetration testing, red teaming, security exercises and so on. And if you have a baseline before you start implementing these things, because you should, right? That should be part of your process of understanding what you need to protect, is knowing what's wrong with what you've got now. So if you do that before and after, you should see a measurable change in those baselines. But I think really it's, like most security things, the proof is in the pudding. It's an unfortunate reality that, that you have probably already been breached and you don't know it. And if you do know it, you should be looking at ways to stop that.

Speaker:

Yeah.

Speaker:

And you understand the impact and the damage that it can cause. And I think the effectiveness is, hey, we haven't been hit by a massive ransomware attack. That's not because you got lucky. That's because you put good tools in place to prevent those kinds of things.

Speaker:

Yeah, that's, that makes sense. And that's definitely an effective way to measure, right? Reducing the risk is definitely hard to quantify, but

not being attacked over X amount

Speaker:

of months or x amount of years.

Speaker:

I think that's a

Speaker:

pretty good measure.

Speaker:

Yeah.

Speaker:

You you're gonna be attacked.

Speaker:

I apologize.

Speaker:

Yes, you're right.

Speaker:

It's how successful

Speaker:

are they, right?

Speaker:

It's how successful are they?

Speaker:

Yeah.

Speaker:

The attack is gonna happen.

Speaker:

It's how you've been, how you

Speaker:

were able to either recover

Speaker:

or not be impacted by it.

Speaker:

Yeah.

Speaker:

Got absolutely.

Speaker:

Got it.

Speaker:

One question, and then

Speaker:

this might be a tricky one.

Speaker:

Not sure, if it's something

Speaker:

we, we can definitely

Speaker:

answer for the audience.

Speaker:

But when it comes to regulatory

Speaker:

compliance compliance requirements

Speaker:

in general, when it comes to your

Speaker:

particular specific industry,

Speaker:

how does Zero Trust impact

Speaker:

or affect an organization?

Speaker:

Is that something you've

Speaker:

seen where it actually helps

Speaker:

even cyber insurance, let's

Speaker:

say for example, right?

Speaker:

Cyber insurance will sometimes

Speaker:

ask for certain requirements.

Speaker:

What have you seen?

Speaker:

Have you seen Zero Trust

Speaker:

Positively Infa Impact that?

Speaker:

Yeah, I mean in terms of

Speaker:

compliance requirements and

Speaker:

regulatory adherence, things

Speaker:

like that, it's certainly

Speaker:

not gonna make it any worse.

Speaker:

A hundred percent.

Speaker:

Realistically outside of federal

Speaker:

government today there's very

Speaker:

little actual compliance or

Speaker:

regulatory pressure to, to

Speaker:

adopt these kinds of approaches.

Speaker:

I think that's gonna

Speaker:

change because it has to.

Speaker:

Whether that's driven by

Speaker:

regulators or the insurance

Speaker:

companies or someone else, I

Speaker:

don't really know right now.

Speaker:

In general, I think we see that

Speaker:

things mandated by government,

Speaker:

for government start to flow down

Speaker:

into the commercial space, right?

Speaker:

So things like the government start

Speaker:

to mandate the, if you want to

Speaker:

work with the government, you have

Speaker:

to adopt these same approaches.

Speaker:

We've certainly seen that in the

Speaker:

States with things like C M C.

Speaker:

If you wanna be a supplier to the

Speaker:

federal government, now you have

Speaker:

to go through the cmmc process.

Speaker:

So I think we will see

Speaker:

more of that happening.

Speaker:

But in general it's just good

Speaker:

security practice, right?

Speaker:

It's make, it's making you think

Speaker:

about what you are protecting,

Speaker:

about the impact your business

Speaker:

of that thing being, being

Speaker:

breached, broken, lost, stolen,

Speaker:

whatever it happens to be.

Speaker:

And by doing that, you are

Speaker:

just massively reducing

Speaker:

your risk exposure.

Speaker:

You're making things harder, you're

Speaker:

reducing risk, and that can only be

Speaker:

good for you and your organization.

Speaker:

Yeah.

Speaker:

And you touched on my, one of

Speaker:

my last questions here was,

Speaker:

the long-term benefits, right?

Speaker:

Of zero trust, right?

Speaker:

I, and you can add onto this, but

Speaker:

I think what we're looking for,

Speaker:

if you're gonna implement zero

Speaker:

trust principles or fundamentals,

Speaker:

you're looking for what?

Speaker:

Improve security, reduce your

Speaker:

risk heightened awareness, right?

Speaker:

All, all of those and really,

Speaker:

It come, it comes down to

Speaker:

limiting the damage that could

Speaker:

be done to your organization

Speaker:

when that breach occurs.

Speaker:

Attacks are not going away.

Speaker:

And at some point, it doesn't

Speaker:

matter what you put in place, a

Speaker:

bad guy's gonna get in, right?

Speaker:

We've seen that with these, with

Speaker:

from the simplest of attacks

Speaker:

where, it's been a post-it

Speaker:

note on a team viewer session.

Speaker:

Spamming people with MFA

Speaker:

requests, all these really

Speaker:

supply chain type attacks

Speaker:

that are frankly terrifying.

Speaker:

At some point, the bad guys

Speaker:

either get in and you need to take

Speaker:

steps to limit the damage that

Speaker:

they can cause, and regardless

Speaker:

of anything else around,

Speaker:

around risk, around insurance,

Speaker:

around compliance, that's

Speaker:

what it comes down to, right?

Speaker:

When it hits the fan.

Speaker:

How can we stop that?

Speaker:

How can we reduce it?

Speaker:

We've had an endpoint infected

Speaker:

with malware because the user

Speaker:

clicked on a link and they

Speaker:

downloaded it and it was a

Speaker:

unknown thing, and the virus

Speaker:

scan, it's gonna happen, right?

Speaker:

But if you can limit because you've

Speaker:

implemented all these micros,

Speaker:

segmentation, all these other

Speaker:

great tools, if you can limit

Speaker:

damage that one machine, right?

Speaker:

That's virtually zero

Speaker:

impact on your business.

Speaker:

If you haven't put those kinds

Speaker:

of controls in place, you are

Speaker:

very quickly in a bad place.

Speaker:

Agreed.

Speaker:

Agreed.

Speaker:

And like we said, like zero trust

Speaker:

is a principle fundamental set.

Speaker:

Always verify, never trust.

Speaker:

Those are the four big

Speaker:

words we've learned today.

Speaker:

Yeah.

Speaker:

And frankly, organizations can

Speaker:

get started pretty quickly.

Speaker:

With some basic steps.

Speaker:

With basic steps.

Speaker:

Absolutely.

Speaker:

Like I say just even

Speaker:

thinking about what do we

Speaker:

really care about, right?

Speaker:

What is, what's core

Speaker:

to our business?

Speaker:

What can we absolutely not risk?

Speaker:

And focus on protecting

Speaker:

that the best that you can.

Speaker:

And that's gonna put

Speaker:

you in a good set.

Speaker:

Start with that, right?

Speaker:

What really matters to your

Speaker:

business, and every business has

Speaker:

something really important to them.

Speaker:

Absolutely.

Speaker:

Absolutely.

Speaker:

Very good.

Speaker:

Paul.

Speaker:

Again I really appreciate

Speaker:

the time we spent today.

Speaker:

Do you have any questions for me?

Speaker:

Any extra thoughts or additional

Speaker:

thoughts before we we go here?

Speaker:

No.

Speaker:

It's always a pleasure

Speaker:

to talk to you, Luigi.

Speaker:

How can anybody get

Speaker:

in touch with you?

Speaker:

Obviously they can, you can you

Speaker:

can get in touch with me through

Speaker:

LinkedIn through Luigi, or you

Speaker:

can hit me up at plurilock.com.

Speaker:

I'm sure you'll find

Speaker:

me there somewhere.

Speaker:

Fantastic.

Speaker:

Paul, thank you very much.

Speaker:

I know you're helping the community

Speaker:

raise the awareness, and I know

Speaker:

you're fighting the bad guys every

Speaker:

day, so really appreciate talking

Speaker:

to you anytime of the day, man.

Speaker:

Oh, you're welcome.

Speaker:

Great stories again.

Speaker:

Lose you.

Speaker:

Thanks.

Speaker:

Take care.

Speaker:

All right.

Speaker:

Thank you, Paul.

Speaker:

Thanks.

Speaker:

Have a good one.

Speaker:

Bye-Bye.
