Zero trust is a hot topic, so we invited the Director of Cybersecurity from Plurilock, Paul Baker, to discuss the subject in detail.
In this episode, Paul Baker from Plurilock and co-founder of Assurance IT, Luigi Tiano, discuss:
Resources:
Watch the episode: https://youtu.be/D5oL9B1-0qw
Paul Baker’s LinkedIn: https://www.linkedin.com/in/paul-baker-uk/
Plurilock website: https://plurilock.com/
Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/
Assurance IT Website: http://www.assuranceit.ca/
About Paul Baker:
A customer-facing manager who collaborates with all levels of stakeholders, from developers and technical staff through to C-Suite executives. Builds solid relationships and quickly becomes the reliable "go-to" person internally and externally. Analytical thinker with a creative edge who deftly identifies client needs and assesses financial and technical viability. Passionate about helping clients discover new possibilities, maximizing investment in technology, and driving revenue for their company. Translates customer requests into detailed requirements, then follows through to delivery and beyond.
About 10 Questions to Cyber Resilience:
Learn twice a month about how IT leaders are strengthening their cyber security practices. Every episode comprises 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security.
About Assurance IT:
Assurance IT (www.assuranceit.ca) has specialized in data protection and data privacy for the mid-market in Canada since 2011. The Montreal-based company's unique approach to helping customers become cyber resilient is called the PPR Methodology, which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.
Speaker: I want to welcome everyone to the podcast this morning or this afternoon, depending on when you're listening. With me today, I've got Paul Baker from Plurilock, who's going to talk to us about Zero Trust. Really looking forward to hearing the Zero Trust story specifically from Paul. I've heard him talk about this before. I think he's got a lot of information for us which we're going to appreciate. Paul, before we get started into the questions, I want you to introduce yourself: who you are, what you do, and what brought you here today.
Speaker: Hey everyone. My name's Paul Baker. I'm Director of Cybersecurity at Plurilock. Plurilock is a Canadian company that develops some really cool cybersecurity products, but they're in the general Zero Trust world. I spend a lot of time talking about Zero Trust to people, just digging into what it means for them and what it actually is in the real world.
Speaker: Fantastic. Yeah, a great company, a Canadian-bred company. We're always proud to see some fellow Canadians pushing the envelope when it comes to cybersecurity and, like you said, zero trust. I've got a lot of questions on my mind. Paul, I've heard you explain zero trust before. The term is not new to the industry. It may be new to certain individuals. So can you explain the concept of zero trust in really simple layman's terms?
Speaker: Sure. Why don't we go back a little bit in history and I'll set the scene for where zero trust comes from. So back in the late eighties Digital Equipment Corporation, DEC, published kind of one of the first papers on firewalls. That really set the scene for security for an awfully long time. It really got this sort of castle-and-moat approach to security: a super strong perimeter, keep the bad guys out. But once you break through those castle walls, you can walk around and do what you like. As I said, that remained really the standard approach to security for a long time. And that of course was why we see so many breaches, because a wall is not impenetrable.

And it wasn't really until the early two thousands when people started to think about de-perimeterizing. A lot of that was because there was a big move away from the sort of slightly older IT corporate setups of mainframes and thin clients, everyone within a building, and into this more complex, distributed, full desktops, hybrid work, cloud kind of world that we live in now. The internet, of course, and the ever expanding reach of the internet was a huge part of that. Then in 2010, John Kindervag coined the term Zero Trust in a Forrester research paper. Really until the last few years, Zero Trust as a phrase has mostly stayed in the analyst space and not really so much in the corporate security psyche, although many people in security have been looking at defense in depth, which is a very similar thing.

So if we fast forward to 2020, NIST, the American standards body, published SP 800-207, which was really the first attempt to try and formalize this zero trust framework of standards and requirements to help define what it really was. Last year, of course, the US Office of Management and Budget, I think it was, mandated that all US agencies had to adopt zero trust principles. So this is a thing that isn't going away.

So what is it? One of the common mottos, phrases, whatever you want to call it, associated with zero trust is "always verify, never trust." And what it really means is that you need to assume that users and systems and so on are already compromised. And so while that perimeter itself is still, of course, very important, you need to start thinking about how do we limit damage if someone is inside it already? So it's really an approach to security. It's not a specific tool. There's no magic zero trust button you can go and press and now you're protected. You need to go through this whole process of identifying really what it is you're trying to protect. What are the things that you want to protect? And then start to consider how do we protect that? And usually you want to start with things at the highest risk to you as an organization, and then find the right tools that help you protect those assets. And then you can use the guiding principles in standards like 800-207, or refer to some of the reference architectures that are out there. DoD have released one fairly recently with a whole bunch of zero trust specifications in there.

So really it's just a change in concept from "let's make the perimeter really strong," because the point is really the perimeter doesn't exactly exist anymore, and let's focus instead on how do we minimize damage, right? How do we never assume that everyone is good and that they're doing good things, right? Let's assume that every user and every application and every system is compromised and treat them accordingly, right? Make them prove that they're valid, rather than just saying, yeah, you're good.
Speaker: Great. Always verify, never trust.

Speaker: Yep.

Speaker: Four important words. And it's 800-207 you said? Is that the...

Speaker: Yep. 800-207. Part of the NIST standard. It's, yeah, it's a pretty good read actually.

Speaker: It's a pretty good read. So I'd highly recommend folks go out and take a look through that to kind of get a really good idea of what's expected from zero trust.
And it's amazing that this, the concept, has been around for a very long time, and we've seen it evolve over time. And again, you said it's a principle, right? You can't really call it a framework per se, because there's really no standard for it. It's more of a principle.

Speaker: Yeah. Yeah. It's an approach. It's a way of thinking about security, about thinking about how you secure everything in your corporate environment, whether that's users, data, applications, systems, networks, the whole lot really.

Speaker: And given that "always verify, never trust" ideology or approach, what are some of the biggest challenges organizations are facing today when trying to implement Zero Trust? Because it sounds like a pretty fundamental or logical approach to securing the enterprise.
Speaker: It is, and I think the biggest hurdle is overcoming paralysis at the start. It's such a potentially huge project, because it hits all parts of your business, and I think people don't know where to start. How do we eat this massive elephant of zero trust? You pick up a spoon and you start scooping. The key thing that companies need to make sure of is that they've got to have buy-in at board level. There has to be that real drive from the top to say, we are doing this. It's important to our business for all these different reasons. And we need to do it right. We need to commit to do it, commit to do it properly. There's not an easy way. There's no zero trust button, as I said. It's got to be done, and done properly.

Speaker: Yeah. There's no easy button, like you say. But there's no way to even determine the actual costs until you dive into it, then you start eating it.
Speaker: Exactly right. It depends on what you're trying to do. My recommendation to companies who want to go down this path, and it should really be all companies, because let's face it, everyone needs good security, is to really first look at what you care about protecting. What's the crown jewels that represent the highest possible risk to your company if it's breached? It could be something related to your intellectual property. It could be your customer information. Who knows? But that's the thing that you want to focus on protecting first. That's what you care about, right? If that piece of information, that data, that system, whatever it is, goes away, that's your business at risk. So those are the things that you really want to focus on first. And look at all the different ways that you can protect those, because that's going to be your biggest bang for the buck.
Speaker: And as an organization, I think some of the challenges stem from not understanding the priority of the valuable assets they have. Sometimes, I would say, to be fair, that becomes a challenge in itself. So you're right. I think we need to understand where we prioritize, what's the most important, valuable asset you have, and then based on that, you work your way down. That would be a great start for sure. And I like when you said buy-in at the highest level. You need buy-in at the highest level. And often what I say is you need executive sponsorship. You need someone...

Speaker: Absolutely.

Speaker: Someone or some team. And oftentimes it's one person. You need to have that one person who's driving the initiative.

Speaker: Yeah.

Speaker: Because without that, then there's no funding, there's really no strategy. And oftentimes it's someone who understands security and of course the business.

Speaker: Totally. And typically in most companies that's driven from the CISO role.

Speaker: I was about to say, yeah. The CISO role.

Speaker: Exactly.

Speaker: And then that's a challenge in itself, because CISOs are overworked, overwhelmed, for the most part. They've got a lot of things coming at them right now, being thrown at them.

Speaker: Yeah.

Speaker: And I see a lot of times where the CISO is reporting to, initially, the CIO, and this could be a conversation itself, but reporting to the CIO, and then now there's a dotted line to the CFO, and then the operations people want to know what's going on because it's impacting every part of the business.

Speaker: Exactly. It's a critical role.

Speaker: Very critical.

Speaker: Very critical.
Speaker: When it comes to zero trust and network infrastructure, what's an impact on your organization's network infrastructure? And is it easy to say what costs are involved with protecting the network?

Speaker: That varies depending on what tools you're trying to use and how big a network is and so on. But in terms of impact, if it's done properly it shouldn't really affect anything in terms of day-to-day operations other than making it more secure. It should be invisible, and that's either to people or to systems. Is there going to be some cost? Yes, of course. If you have to start buying new tools, there'll be some kind of cost involved. If you need to bring in the services of experts in the field of zero trust, which, if you are not one, I absolutely recommend you do, right? You can make a huge amount of shortcuts by not having to try and learn everything from scratch yourself. Get someone in that you trust that can advise you on what you've got, that can advise you on solutions that are going to be able to help your particular needs. So definitely do that. But yeah, a lot of companies have tools in their stack already that can help them in this zero trust journey, right? So it may just be a case of better leveraging tools that you already have, in which case it's just some time cost to do that and perhaps learning how to use them better.
Speaker: The tools are definitely part of the equation, and oftentimes we see, when you're trying to have a culture shift, Paul, and obviously I welcome your comment here, it's also a change, a culture change within the organization, right? I think that's sometimes harder to do depending on what type of organization you're working with. If you're a low tech organization who's not really familiar with technology or you don't use it on a day to day, I see that adoption, that rate of adoption, sometimes comes down a little bit, and that becomes a challenge in itself, regardless of whatever tools you have.

Speaker: Yeah. Yeah. Saying change is difficult. Yeah. It's a fact. Change is difficult. And I think the key to that is engaging people. It's in helping them to understand why you are doing something, right? What's the benefits to what you are doing, and get their buy-in. If you are expecting your end users, for example, to have to do something different, yes, you could just mandate it and send out the note that says this is what you will do from now on. But I think if you get buy-in, if you get understanding, if you involve them in that process a little bit more, then they become engaged. They become aware that security is a thing they need to think about, and you just end up with happier people and better security. It's everyone's responsibility within the organization.

Speaker: I agree.

Speaker: Yeah, absolutely.

Speaker: I agree. Absolutely.
Speaker: And so this leads me to my next point or next question. And you know this really well based on what you guys are doing at Plurilock. Identity Access Management is obviously a very strong or familiar place for you. How does Zero Trust factor into identity access management?

Speaker: Yeah, identity is core to security, right? It's probably the single most thing that you care about in security: are these my users? Their identity links to everything that they do in your systems. And so that's also core to zero trust. If you go and look through DoD's reference architecture for it, their ZT first couple of required capabilities in that focus on identity. They focus on continuous authentication and things like that. And we find that there's a lot of companies go, oh, we protect our identities. We'll put MFA in front of them. That's not zero trust. It's a good thing. I'm absolutely not saying don't put MFA in front of a login. But that's not enough, right? You are checking someone again at the door, at that perimeter, and you're not checking them again. So you need to think about how can we remove trust from identity as well. Because it's relatively easy. I say relatively; there are tools to do it in different areas, for machine trust and applications and APIs and things like that. But as soon as you introduce a person it makes it more difficult. Because you are a human being. You're not a thing that has some specific certificate stamped on your forehead that you can use.
Speaker: Yeah. Yeah, so there's a lot of elements that the human individual, obviously the human element, brings to the table there which augment the risk there is.

Speaker: And you also need to make sure that it doesn't impact user experience. MFA typically is, certainly with most MFA implementations, a thing that the user has to do. So they press a button on their phone or put in a code or something like that. And you can't keep making users do that. So you need to try and look at tools that allow you to do that in a way that is unintrusive to the user, but still gives you that continuous ability to make sure that it is that user there, that it is the person behind that digital credential, right? That certificate, that login, that MFA step-up, whatever it happens to be. Making sure it's them all the time doing things in your system, because you don't want to be saying an hour after they've logged in, it's still them, based on something that's nothing to do with that person.
Speaker: For me, this is the fascinating point about identity access management, and I'd like to, if you can, double click a little bit on this continuous authentication piece. Just to help understand, because MFA, I think for the most part now MFA is everywhere, right? You will log into your bank, you log into your insurance, you log into any web portal online.

Speaker: Yeah.

Speaker: Chances are you're getting some MFA prompt, but if you don't mind, Paul, and I know you guys do this at Plurilock, so if you can double click on the continuous authentication, because I think it's important for the audience to understand what that means per se.

Speaker: Yeah. So MFA is great, right? At the point that user logs in and does something, you can get a really strong signal that it is that user, right? It can be spread across multiple devices, you can use biometric factors to ensure the human being, et cetera. So you have this really good signal at that point in time. But the problem you have is that from that time onwards, you've just become this sign-in thing, right? You've become a certificate or a machine or a location or something like that. And assuming that a user is still that same user after they've logged in is introducing trust.
So if we think about, for example, work from home: I can come and log in in my home office. I've got my multifactor. I'm on my corporate managed devices with my TPM chips inside it, I'm in a known location. I'm on a known network. I'm using applications that I normally use, but if I go up and get a coffee and my wife or my kids come in and start using my computer, there's nothing that you can see contextually around that's different, except the person behind that has changed. So how do you continuously make sure, you need to make sure that it's the right person presenting those credentials and using those credentials through the session. And so continuous authentication is a way of doing that. There's a few different ways that you can do it. At Plurilock, we do it through looking at how the user physically touches their workstation. So we measure the way that you type and the way that you move your mouse. And then when you're working, we can measure how you are working and use that to make sure it's you doing it. So yeah, you could do it with cameras, you could do all kinds of things. But the key is that you are continuously looking at the user and saying, is this still you? Is this still you? Is this still you? You're not assuming it's me because nothing around the context of me has changed, because I can change, right? If I'm in Starbucks and I need to use the washroom in a hurry, what if I forget to lock my machine?

Speaker: Yeah.

Speaker: I'm in my hotel and I've left my laptop in my hotel while I'm out to get some food. And housekeeping, you're in there. How do you know? So it's that concept of never assuming that it's the user because you checked them at the door. Walk around behind them, make sure it's them there the whole time that they're operating your systems, because that's when the bad stuff happens. Bad stuff doesn't happen at the point you log in, it happens after you've logged in.
Speaker: Exactly. And it doesn't really, so this continuous authentication notion doesn't really impede user experience or productivity. Because really there's no interaction required.

Speaker: Yeah. If it's done properly. Absolutely right. It should be completely invisible to the user. You don't want to be impacting the user's ability to do things, right? So you can't use manual steps, right? You can't use entering a code or putting a finger on a reader or something like that, because the user is going to be doing that continuously, right? And every time they're trying to do something new, oh, I'm going to open a new application, or open a new file, or visit a new part of the network, right? You can't make them re-authenticate every single time, because they're going to spend all day authenticating and not actually doing anything productive.

Speaker: Interesting.

Speaker: So yeah, so you've got to do it in a way that doesn't impact the user's ability to get on and do their job.
Speaker: So I will push back, and I know you can answer this, so that's why I'm pushing back a little bit here, because I want to make sure it's clear. Now, when you're monitoring, I've got to be careful with the words I use here. So if you're doing continuous authentication, we're talking a lot about privacy, now we're talking about user, individual rights. So how do I make my end user base within my organization, 500, 4,000, 5,000 individuals, feel safe that this continuous authentication is doing what it needs to do and not doing other stuff?

Speaker: Yeah. So certainly at Plurilock, we look at the how, not the what. So we are not looking at keywords, right? We don't know what you're typing. We don't know what websites you're visiting or what buttons you're clicking on or what documents you're working on, and that's the way it should be, frankly.

Speaker: Yeah.

Speaker: That's nothing to do with us. That's not authenticating you as a human being. We just look at the physical way that you are touching your device.
Speaker: Okay.

Speaker: If you are a reasonably sized organization, for example, you probably have a proxy in place for your web connections. We are orders of magnitude more privacy friendly than a proxy, right? If you think about what a proxy does, it's looking at every single thing that is leaving your machine, so it knows every page, every application, every piece of data accessed. It knows exactly what you're doing. If you look at some of these full session recording tools, again, yeah.

Speaker: Privacy. That's why I wanted to bring that up.

Speaker: Exactly.

Speaker: It's a big topic now.

Speaker: Exactly. And if you look at things like cameras, hey, let's just switch the camera on and watch the user doing their things. Again, massive privacy problems. There's other people in the room potentially, which might be what you care about, of course, but there's some big issues there. So yeah, we are very privacy friendly in that respect.
Speaker: Fantastic. Okay, a couple more questions before I let you go, because I know your time's very valuable and we want to make sure that we make the best use of our time. How does an organization measure the effectiveness of their zero trust implementation? That's not an easy one, right? How do you know if it's working? There's really no, how do you quantify it?

Speaker: It's a, yeah, it's a great question. You can take practical steps, right? Penetration testing, red teaming, security exercises and so on. And if you have a baseline before you start implementing these things, because you should, right? That should be part of your process of understanding what you need to protect: knowing what's wrong with what you've got now. So if you do that before and after, you should see a measurable change in those baselines. But I think really, like most security things, the proof is in the pudding. It's an unfortunate reality that you have probably already been breached and you don't know it. And if you do know it, you should be looking at ways to stop that.
Speaker: Yeah.

Speaker: And you understand the impact and the damage that it can cause. And I think the effectiveness is, hey, we haven't been hit by a massive ransomware attack. That's not because you got lucky. That's because you put good tools in place to prevent those kinds of things.

Speaker: Yeah, that makes sense. And that's definitely an effective way to measure, right? Reducing the risk is definitely hard to quantify, but not being attacked over X amount of months or X amount of years, I think that's a pretty good measure.

Speaker: Yeah. You're going to be attacked.

Speaker: I apologize. Yes, you're right. It's how successful are they, right?

Speaker: It's how successful are they?

Speaker: Yeah. The attack is going to happen. It's how you were able to either recover or not be impacted by it.

Speaker: Yeah.

Speaker: Absolutely.

Speaker: Got it.
Speaker: One question, and then this might be a tricky one. Not sure if it's something we can definitely answer for the audience. But when it comes to regulatory compliance, compliance requirements in general, when it comes to your particular specific industry, how does Zero Trust impact or affect an organization? Is that something you've seen where it actually helps, even cyber insurance, let's say for example, right? Cyber insurance will sometimes ask for certain requirements. What have you seen? Have you seen Zero Trust positively impact that?

Speaker: Yeah, I mean in terms of compliance requirements and regulatory adherence, things like that, it's certainly not going to make it any worse.
Speaker:A hundred percent.
Speaker:Realistically outside of federal
Speaker:government today there's very
Speaker:little actual compliance or
Speaker:regulatory pressure to, to
Speaker:adopt these kinds of approaches.
Speaker:I think that's gonna
Speaker:change because it has to.
Speaker:Whether that's driven by
Speaker:regulators or the insurance
Speaker:companies or someone else, I
Speaker:don't really know right now.
Speaker:In general, I think we see that
Speaker:things mandated by government,
Speaker:for government start to flow down
Speaker:into the commercial space, right?
Speaker:So things like the government start
Speaker:to mandate the, if you want to
Speaker:work with the government, you have
Speaker:to adopt these same approaches.
Speaker:We've certainly seen that in the
Speaker:States with things like CMMC.
Speaker:If you wanna be a supplier to the
Speaker:federal government, now you have
Speaker:to go through the CMMC process.
Speaker:So I think we will see
Speaker:more of that happening.
Speaker:But in general it's just good
Speaker:security practice, right?
Speaker:It's make, it's making you think
Speaker:about what you are protecting,
Speaker:about the impact on your business
Speaker:of that thing being, being
Speaker:breached, broken, lost, stolen,
Speaker:whatever it happens to be.
Speaker:And by doing that, you are
Speaker:just massively reducing
Speaker:your risk exposure.
Speaker:You're making things harder, you're
Speaker:reducing risk, and that can only be
Speaker:good for you and your organization.
Speaker:Yeah.
Speaker:And you touched on my, one of
Speaker:my last questions here was,
Speaker:the long-term benefits, right?
Speaker:Of zero trust, right?
Speaker:I, and you can add onto this, but
Speaker:I think what we're looking for,
Speaker:if you're gonna implement zero
Speaker:trust principles or fundamentals,
Speaker:you're looking for what?
Speaker:Improved security, reduced
Speaker:risk, heightened awareness, right?
Speaker:All, all of those and really,
Speaker:It come, it comes down to
Speaker:limiting the damage that could
Speaker:be done to your organization
Speaker:when that breach occurs.
Speaker:Attacks are not going away.
Speaker:And at some point, it doesn't
Speaker:matter what you put in place, a
Speaker:bad guy's gonna get in, right?
Speaker:We've seen that with these, with
Speaker:from the simplest of attacks
Speaker:where, it's been a Post-it
Speaker:note on a TeamViewer session.
Speaker:Spamming people with MFA
Speaker:requests, all these really
Speaker:supply chain type attacks
Speaker:that are frankly terrifying.
Speaker:At some point, the bad guys
Speaker:either get in and you need to take
Speaker:steps to limit the damage that
Speaker:they can cause, and regardless
Speaker:of anything else around,
Speaker:around risk, around insurance,
Speaker:around compliance, that's
Speaker:what it comes down to, right?
Speaker:When it hits the fan.
Speaker:How can we stop that?
Speaker:How can we reduce it?
Speaker:We've had an endpoint infected
Speaker:with malware because the user
Speaker:clicked on a link and they
Speaker:downloaded it and it was a
Speaker:unknown thing, and the virus
Speaker:scan, it's gonna happen, right?
Speaker:But if you can limit because you've
Speaker:implemented all this micro-segmentation,
Speaker:all these other
Speaker:great tools, if you can limit
Speaker:damage that one machine, right?
Speaker:That's virtually zero
Speaker:impact on your business.
Speaker:If you haven't put those kinds
Speaker:of controls in place, you are
Speaker:very quickly in a bad place.
Speaker:Agreed.
Speaker:Agreed.
Speaker:And like we said, like zero trust
Speaker:is a principle fundamental set.
Speaker:Always verify, never trust.
Speaker:Those are the four big
Speaker:words we've learned today.
Speaker:Yeah.
Speaker:And frankly, organizations can
Speaker:get started pretty quickly.
Speaker:With some basic steps.
Speaker:With basic steps.
Speaker:Absolutely.
Speaker:Like I say just even
Speaker:thinking about what do we
Speaker:really care about, right?
Speaker:What is, what's core
Speaker:to our business?
Speaker:What can we absolutely not risk?
Speaker:And focus on protecting
Speaker:that the best that you can.
Speaker:And that's gonna put
Speaker:you in a good set.
Speaker:Start with that, right?
Speaker:What really matters to your
Speaker:business, and every business has
Speaker:something really important to them.
Speaker:Absolutely.
Speaker:Absolutely.
Speaker:Very good.
Speaker:Paul.
Speaker:Again I really appreciate
Speaker:the time we spent today.
Speaker:Do you have any questions for me?
Speaker:Any extra thoughts or additional
Speaker:thoughts before we we go here?
Speaker:No.
Speaker:It's always a pleasure
Speaker:to talk to you, Luigi.
Speaker:How can anybody get
Speaker:in touch with you?
Speaker:Obviously they can, you can you
Speaker:can get in touch with me through
Speaker:LinkedIn through Luigi, or you
Speaker:can hit me up at plurilock.com.
Speaker:I'm sure you'll find
Speaker:me there somewhere.
Speaker:Fantastic.
Speaker:Paul, thank you very much.
Speaker:I know you're helping the community
Speaker:raise the awareness, and I know
Speaker:you're fighting the bad guys every
Speaker:day, so really appreciate talking
Speaker:to you any time of the day, man.
Speaker:Oh, you're welcome.
Speaker:Great stories again.
Speaker:Luigi.
Speaker:Thanks.
Speaker:Take care.
Speaker:All right.
Speaker:Thank you, Paul.
Speaker:Thanks.
Speaker:Have a good one.
Speaker:Bye-Bye.