Phone Number +1-202-802-9399 (US)

Thycotic PAM, IT and Cyber Security Podcast
Listen on-demand

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.

Want to give input on our next cyber security podcast? Give us your topics

Subscribe or listen now on your favorite podcast app:
Apple | Spotify | iHeartRadio

Voted "Best Cybersecurity Podcast" in the 2021 Cybersecurity Excellence Awards
Cyber Security Excellence Awards 2021

Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

401 Access Denied

Episode 39

Zero Trust Fundamentals with Dave Lewis

EPISODE SUMMARY

We cover the fundamentals of Zero Trust security in this episode of 401 Access Denied where host Joe Carson is joined by Cisco Global Advisory CISO, Dave Lewis. They discuss the different interpretations of Zero Trust, ways to communicate its importance, and steps for getting started. Listen now as we enter the third week of Cybersecurity Awareness month.

powered by Sounder

Free Tools

Take the first step to protecting your privileged accounts with Thycotic educational resources and free PAM software products.

→ See All Privilege Management Tools

Secret Server Icon

Secret Server Free

The perfect password management starter tool. 10 Users, 250 Secrets.

Icon - Audit

Password Security Policy Template

Icon - Project

Privileged Account Discovery for Windows

Icon - Test

Customizable Incident Response Template

Icon - Virus

Weak Password Finder for Active Directory

Joseph Carson

  • Chief Security Scientist & Advisory CISO at ThycoticCentrify
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Host of the award-winning podcast, "401 Access Denied"
  • Speaker at conferences globally

Joseph Carson:
Hello, everyone. Welcome back to another episode of 401 Access Denied. I'm your host for the episode today, Joseph Carson, chief security scientist and advisory CISO at Thycotic, and I'm really excited. Today is an important episode for you and I'm actually joined by an awesome and esteemed guest. So I'd like to pass a word to Dave Lewis to introduce himself. So Dave, tell us a little bit about yourself and what you get up to in the industry.

Dave Lewis:
Well, thank you for that. My name's Dave Lewis. I'm a global advisory CISO for Cisco Systems, and I also operate as Joe's stunt double. I've been doing security now for, I'm heading up towards 30 years now in various different formats over the years, and it's been quite a wild ride. And the thing that I like about being at this point in my career is being able to look back at all the mistakes I made and all the swords that I have to fall on and be able to share those lessons with other folks and hopefully they'll be able to benefit from that experience.

Joseph Carson:
Absolutely. I mean, that's one of the most important things. That's what I look back in my past as well. And all the things that I've learned, those are the things I want to pass onto the people. It's lessons learned as experiences and knowledge that I've gained. And I did have to laugh a few weeks ago when we were actually chatting each other online and Yavid made the comment, "Is it one person complimenting himself on Twitter?" That was very comical and very, he's definitely one person that keeps us entertained. So at some point I'm looking forward to all of us getting together in the future.

Dave Lewis:
That would be absolutely wonderful. And then we can have that wonderful experience of walking into a bar and say, Dublin being mistaken for a certain actor.

Joseph Carson:
Do you ever get the Colin Farrell look alike?

Dave Lewis:
Oh, yes.

Joseph Carson:
You do?

Dave Lewis:
Dublin goes on and on about that one too.

Joseph Carson:
I think I've actually, at some point in time in the past, I actually give out his signatures autographs for him.

Dave Lewis:
So he did the exact same thing at a pub in Dublin. This young lady came up and she was actually originally from Belfast and she's like, "I absolutely have to have your autograph." And I said, "You know that I'm not him, right?" "I don't care. I need your autograph." I'm like, "Okay."

Joseph Carson:
We should definitely monetize that for sure. So at some point in time, but back to today's episode is really important. I mean, in the industry, we're always great at making up new terms and new ideas and marketing teams get their heads together, and they start thinking about new buzzwords and what things are going to make the headlines. And today's episode is really for the audience. Zero trust has been a big term that's been on the upward trend and I'm even starting to see it becoming even more visible and more important, especially with these things like the executive order talking about it. We've got different frameworks and best practices coming out. So I think for the audience, really, I want to get behind the scenes. I want to really start to uncover what zero trust is, how it came around and really reveal kind of so that the audience get a better understanding because many of us have different interpretations.

Joseph Carson:
We even ourselves, we've got different interpretations of what zero trust really is and what it does. But I think we have a common understanding as well. So Dave, can you just kind of, for the audience, really give us a bit of a background to zero trust, where this came from and really kind of what state are we in today?

Dave Lewis:
So zero trust is a term that was coined by an analyst at Forrester. I'm going to blank on the year right now, but it was quite a few years back. And the idea here is about, what's that?

Joseph Carson:
2010.

Dave Lewis:
2010. Sorry. It's a wee bit early for me today, but yeah, no, this was a term that was coined. And the whole idea was to be able to look at authenticating everything on your network, from users to devices, applications, and this has really spun off in many different directions, from many different vendors as to what zero trust means. And for me, I like to actually simplify it as stripping it right down to reducing risk in an organization and getting back to the core fundamentals of all the things that we should have been doing for the last 30 plus years, network zone, segmentation, managing users, managing devices, actually knowing what's on the wire. One organization I worked at many years ago, I remember we were deploying software for X number of nodes, I'll say randomly, 5,000 nodes. And it was like, okay, that's what we were told was in the asset inventory. I should have taken a clue that the asset inventory was a spreadsheet on one guy's laptop as my warning, but I didn't.

Dave Lewis:
And it turned out that it was more than double the number that was advertised as to what we had to push software to. And it actually surprised the folks that were managing the network that there were that many devices and it should never be a surprise like that. That sort of visibility should be there because you can't protect something if you don't know what's there. So having that visibility, having that ability to say the perimeter is fundamentally broken. What we have traditionally looked at as the perimeter of being the old castle wall and the moat and all that sort of wonderful stuff is a fundamentally broken notion when we consider that there's east gate, west gate, south gate, and all of them just happened to be open and people are coming and going, but you're busy manning the north gate. We have to really look at this as zero trust is all about anywhere an access decision is being made and have that as your core starting point in order to get your head around it. And then do the homework of rationalizing what users are in your environment, what applications and what device.

Joseph Carson:
Absolutely. And I completely agree with you. I've came from the same past with experiences where I remember in an organization that thought they had 120,000 devices on the network because that's what the spreadsheet told them. And so we were getting into, it was doing an inventory asset management for license management and patching systems and software inventory. And we were kind of like, "Are you sure you don't want to do a discovery first? Let's just verify that your spreadsheet isn't static and it is up to date and the last person who filled it in made sure they put all the systems incorrectly. Do you want to do discovery?" So after getting into that negotiations, and after a couple of weeks of discussions, we got into agreement of doing discovery and they fund 140,000 systems on the network, 20,000 more devices. When you think about even just getting into that calculation, that the energy of those devices alone was enough to pay for the deep provision, just the energy costs.

Joseph Carson:
And what happened was people basically, as they got new devices, that old device moved onto the desk a little bit to the right, and basically they were still using it for things like personal activities, checking their own personal emails, just Googling the internet. It became basically an additional device that they can go to their old files if they needed to, or old versions as of software, which may not have worked in the new devices. And all of that, suddenly became you've got now devices are not being patched, they're being outdated, that have default and legacy passwords and haven't been updated for a long time. And even the licenses were not being covered in those devices as well. So it really exposes the risk. And I remember even my time along in Symantec were we looked at, it wasn't zero trust in that phrase. It was a little bit before that time. I think zero trust came out a bit, which was around the snack and knack where you did network segmentation.

Joseph Carson:
And this is really where, when it was, and this is where I believe that zero trust, really zero trust is really, for me, is just another term that we call for the public internet. The public internet is zero trust. And what we're doing is we're taking that and applying it to our corporate networks and our corporate kind of infrastructure. And back in that time, it was all about devices that were on the public domain that might come into your organization, that might have malware, or maybe it gets a scan and it finds a virus. What's not connected was moved into a quarantine segmentation network that was untrusted. And all of a sudden it had to be scanned. It had to be remediated. It had to be cleaned. And ultimately that's really, I believe that was the foundation, the starting point, that untrusted segmentation of quarantine on the network was really what the analysts at Forrester kind of took that term from.

Dave Lewis:
I'll actually go further back than that, because my brain is slowly catching up with the fact that I'm awake. The Jericho Forum had actually put out a paper on de-parameterization that predated all of this. And I feel bad that I actually forgot that straight out of the gate, but yeah, no, fundamentally none of this is new. It is just the term zero trust is maligned by a lot of parties as a marketing term, and you know what, there's truth in that. It has taken a lot of things that we should have been doing all along and put a big marketing spin on it that is getting people to pay attention. And that's the thing that I like about it is that they're be paying attention and getting people to take this seriously. And when you look under the hood at all the things that make up zero trust, it's all stuff that we should've been doing from day one.

Joseph Carson:
Absolutely. It's really taking it from those older times when we were focusing on network segmentation, we were focusing at de-parameterization. I completely agree. The Jericho Forum was fantastic at really starting that trend of de-parameterization and saying that identity really became the foundation of what linked everything together. And I think what's happened is that looking at those things we should've been doing much more broader that when we looked at things like mobility and BYOD and connectivity and cloud computing, all of those things has meant that that perimeter has now disappeared. And this meant that, going back to what you're saying, is it's really means that we must apply zero trust to more things than what we've been doing in the past. And now basically we're looking into that terms. I still look at it as it's the public internet.

Joseph Carson:
We're just now looking at, we don't trust anything on the public internet. We had to treat our own corporate networks in that same realm, which means continuous verification, continuous authorization, continuous authentication and just make sure that everything, as it gets an access request, that it is authorized and that it's building a trust mechanism into that.

Dave Lewis:
Yeah. The internet is absolutely fantastic for other reasons, too. I mean, if we look at Netflix as an example, they had a script or have a script called chaos monkey that would go around randomly downing systems to test the resilience of the network. At my last job, we referred to the internet as our chaos monkey, because it really is relentless. It'll drop you at a moment's notice, but understanding that it is a big, scary place. And I don't mean that. It's just you have to be prepared. And this is why zero trust as a strategy is an excellent way to look at it for an environment. And I've had this question posed in the past. It's like, "How do I become zero trust certified?" You don't. You just don't. And if anybody's telling you that you got to take them out to the woodshed. I mean, realistically it is really about an iterative process of reducing risk in your organization.

Dave Lewis:
So it's not buy this magic widget and everything's going to be fine. It really is about people and process. And that's one of those things we have to get back to talking about the human element within organizations, because we tend, and I've been guilty of this in the past, we tend to focus on technical solutions and I mean, we in the greater we, and it's a by-product of what we do really. We've always had hands on keyboards and this is where we live, but we really have to collectively do a much better job of focusing on the human element, because this is where security fundamentally lies. And if we can get a good grasp on that, that will also help greatly reduce risk and organizations. So if you're doing stuff like gamifying security awareness training, if you're getting people to understand how to work remotely safely and things to that effect, all of these elements are iterative wins and better ways to improve security overall.

Joseph Carson:
Absolutely. I think the key thing here is what I really kind of is that while it might be kind of included as a part of a buzzwords and many of those other terms that we kind of use, it's one that does have a real impact on organizations. And that's one that absolutely, I agree that it is getting attention must be a priority for organizations to at least strive to be moving in that direction. One of the best terms I heard, because I've been listening to many conferences and many people talking about zero trust. And, to your point, it's not a product, it's not something you can install. It's not a compliance that you can check box and say, I'm zero trust. The best term I heard it was from Brian Meister, who was from Yahoo, was talking about kind of his experience in actually going through this and the way he phrased it was one of the best. It was actually during the QA time when it came up during a session and the person asked kind of people think that zero trust that it's scary because there is no end.

Joseph Carson:
You don't complete the project. And he said, the way he kind of phrased it was, it's a mindset in how you wish to operate your business. It's basically a way that you, it's a choice in how you want to apply security to your business. And it was, for me, that was one of the best kind of realizations is that this is not, there is no end. It's a change in mindset. It's a change in how you wish to operate. And therefore you might, this really means that any company's that's coming with what they refer to as zero trust solutions, I think, and zero trust implementations, it's really, when we get down to the reality, what they're really providing is zero trust features that help you apply it to a specific risk. And this is where we have to get into. There's no one solution. There's no one company will provide you a zero trust product. And you're done.

Joseph Carson:
What you'd look at is that each company will come with different zero trust features and will help you apply it to specific risks that you want to reduce. So just thought in your interpretation of that phrase and term.

Dave Lewis:
Yeah. And this is one of those things that, as defenders, folks have to look at their security outcomes. What is it they are trying to achieve in their organization? There's all sorts of vendors out there that are more than happy to help. But if you don't have a clear path forward as to what the outcome is that you're trying to achieve to protect your organization, you're really falling on your sword. We have fiduciary responsibilities, defenders, to do exactly that, to protect our organizations. And before you go talk to any vendor, you need to do your homework. You need to go through and say, do the rationalization of the asset inventories. You don't want to have that mysterious 20,000 systems on your network that you didn't know where there. That's terrifying on all sorts of different levels. Having lived through that, I can tell you that was just a eureka moment of, "Oh, I can't believe that just happened." Yeah. And making sure that you have that clear path forward is absolutely fundamental.

Joseph Carson:
So, what's a good place for companies to start at? Let's say you tell me it's going to, and they hear all of this buzzwords and all these terms. And they're seeing a lot of companies come with products saying the zero trust features and functions and solutions and so forth. And the company really wants to start it. I agree. One of the most important things is inventory and really getting to know what you have. Let's say, what's the next stage that they want to do? What should they be looking for at least to take that journey and to start the journey?

Dave Lewis:
So, one of the things that I typically overlook, and that's just because I've been very fortunate in past career choices that I didn't have to think about this, but making sure that you have a senior management buy-in. If you have a senior management support, this is going to get easier. And, and this is not a "Give me X millions of dollars and it'll all just magically go away." This is heavily process driven. So you want to make sure that you are looking at defined repeatable processes, because these are going to be fundamental tools in your tool set to help secure the organization. Yes, there's all sorts of widgets that can help augment that. But if you have that core strategy in place to protect your organization, that is the real key. So specking out the strategy as to how you want to go forward, going through and doing a full inventory of all your assets, all your users and all your devices.

Dave Lewis:
Then you have your three buckets of workplace, workforce, workload. You can drop each individual component of the organization to the one of those buckets. Then you are getting the groundwork that you have built up. And once you have that strategy defined to your liking, then you can go speak with your vendor partners and trusted partners to build up from there because they have the skillset based on experience with multiple different organizations that they can actually help contribute in many cases.

Joseph Carson:
Absolutely. And one of the things that you mentioned that before in part is buy-in from the board. And one thing that I find has been a bit of a challenge, especially when you're trying to communicate, I think zero trust is a great term within our technology and security kind of realm of things, but the moment you take that term and you go to the board and I've been down this path many times, I've been sitting in front of a board and when you start doing fear and stirring them into getting budget, you're going to feel they're going to come back and they're going to be asking you intelligent questions. They're going to be asking you about, "Well, what's your tangible value? What's your ROI? How are you helping employees?"

Joseph Carson:
And I think that we need to come up with a better strategy when we go into the board to get their buy-in, and for me, it's all about zero trust is a baseline to really building a trust risk-based framework that really will help reduce the risk from the threats out there, from the likes of becoming victims of ransomware, from the likes of business email compromise, everything we're looking to do. And I think we have to do a better job at translating, really, what zero trust value is to the business and really helping make sure that we have a much more, let's say, return on investment value based discussion with the board.

Dave Lewis:
I agree. I mean, the board speaks a certain lingua franca and we speak at our own. And when you go into a situation like that, and you say zero trust, for a lot of folks that are non-technical, that has a very negative connotation, and I've experienced this in other parts of the world. So geographically, you could be in different parts of the world and if you say zero trust, this is something that is seen as very negative. I gave a talk in one country in Asia just before the pandemic. And I talked about zero trust. And I had a lot of people come up to me afterwards and say, "Oh, I had never heard of this particular strategy." And I was like, "Oh, okay, this is interesting." And they said, "But it's very negative." And I took their point and I do understand that. And for a lot of people, for us as security practitioners, it's a non-sequitur. It's like, "Okay, that makes sense."

Dave Lewis:
But for the wider audience, which was the vast preponderance of folks that we have to protect, they don't get that. So taking the same thing and flipping it on its head, call it continuous trusted access or whatever you have to do, finding a more positive way to approach the same thing, nothing's changed other than the term. Again, it becomes a marketing internally in many ways to sell that to senior management so they understand exactly to your point, Joe, of reducing risk in the organization. So you want to reduce risk, reduce cost, and fundamentally get a good night's sleep.

Joseph Carson:
Absolutely. And this was fundamentally is that we had to translate it into almost more positive area to the business, how it's helping the business and ultimately kind of tie it to that risk based, because it nothing in the business changes, unless you actually have a tangible risk that you're looking for them to give budget to produce and ultimately add value to the business as well. And I agree, being based in Estonia, one thing that here is that the governments see themselves as a service provider. And really what they're looking at is that they do have built into our society a zero trust approach. However, we talk about it as much more of a digital trust. We look at it much more of, let's say, a trust framework rather than actually talking about zero trust, what's is the controls is the baseline starting point, but you build up your authentication, authorization, your verifications, all the things you mentioned, continuous verification.

Joseph Carson:
Anytime you need to level up to a new privilege, you need to go through another level of basically authorization to get there. You might add more security controls. So it's all about having that baseline starting point and then building trust and then determining what trusts, what controls you need to satisfy based on the risk that you're actually going to expose, based from that specific process or service.

Dave Lewis:
Yeah. And like, for example, in Estonia, you guys are much further down the road than we are here in Canada, but here we're starting to wake up to the idea of zero trust, the idea of greater security. Moving away from passwords is a great example. Collectively we've been stuck with passwords since I think it was 1962. It became a thing at MIT because students were stealing high-end compute time from other students and the professor at the time put in a password control in order to marshal access so that the students couldn't steal time from each other. And here we are, 2021, still contending with this sort of thing as a quote unquote security control. And there are so many better ways to do things.

Joseph Carson:
Absolutely. Was it Robert Morris?

Dave Lewis:
Well, no, but he was a whole nother kettle of fish.

Joseph Carson:
So one of the things that also, I listened to one of your talks recently, which I thought was very fascinating, and it was really kind and got me in the real realization. And it was, for me, it was that there's a lot of things that we're looking at. There's zero trust frameworks. There's maturity models, which I really liked the maturity model at the NSA introduced because it shows you that it's not a one size fits all and it's also not a one check box. That is a journey. It's multiple phases and multiple steps to maturity. And one thing I kind of was looking at, I was in a panel a few months ago, and we were talking about zero trust and things like operational technology, OT, SCADA control systems, IoT systems. And we struggled because ultimately you're now in a situation where, unlike in IT environments where you've changed your laptop every three years, you change your phone every two years, software updates become almost a regular thing, but in an OT environment or SCADA controls, it doesn't change.

Joseph Carson:
It might not change for its entire lifetime of this being deployed. So my question to you is there's two areas. Does zero trust apply everywhere? And a big one that you mentioned does it apply to humans because by nature, even our DNA and we're trusting by nature and actually cyber criminals take advantage of that. And they're very successful at that. Can you install zero trust into humans? What's the method around that side of things and also looking at other areas that might be challenges such as IoT and OT.

Dave Lewis:
All right. So installing in humans, yeah, that's a long, long lead there. When you look at security as something like, let's say home security, as an example. Sometimes you'll go out to get something from the corner store. You left your door unlocked because you'll be home in a minute. People don't tend to take home security as seriously as they might, until they have an intrusion or a robbery or whatever it happens to be. Then it becomes very visceral, very a part of it hits them at home because folks don't typically think about security in that frame of mind. We, as security practitioners, are somewhat a broken lot in that we are constantly thinking like that, but even then we make our own mistakes. I mean, I've made so many mistakes over my career. At least I've learned from them, but that's true of everybody across the board. We all do make mistakes because we're human.

Dave Lewis:
We got opposable thumbs, but that's about where it stops. So yeah, getting people to do, it's an iterative process very much like a zero trust program, is that you have to constantly be reinforcing positively because a lot of security awareness programs or security programs in general have relied on vilifying the users in the past. And this actually plays very heavily into a lot of the thinking that I've seen historically, where organizations will see security as a cost center, as opposed to a trusted business partner. I see that pendulum very much coming the other way now, where folks are starting to wake up to the fact that security is a business enabler and we're getting people to do things safely and securely in a way that makes sense, democratizing security in that giving tools to folks they can use that are very simple and they can get their jobs done.

Dave Lewis:
Because, going back to what I was saying earlier, is most people don't think about security, but if you can give them tools that keep them safe and secure without them having to know how to configure it. I love PGP. I absolutely love PGP, but I would never get my 75 year old mother to use it because some tools are written by engineers for engineers. So we have to make sure that we're giving people where their core competencies might be human resources or financial services or whatever it happens to be. We have to give them tools to keep them safe and secure. So it's an iterative process and there is no end state because once you train up a group of people, then you have a group of people that have just graduated from school and then we have to start all over again. And I don't mean that in a, it's not a bad thing, but we have to be aware that this is not something that's just going to go away.

Dave Lewis:
We have to constantly be training to that effect. Now, when it comes to control systems, that's a whole nother kettle of fish. I spent nine years in that space and it is absolutely staggering the way things are in a control system environment versus any other sort of IT environment. And when there's a vulnerability, the universal refrain that will always go out on the dumpster fire that is social media is "Oh, just patch it." It's not that simple. In one organization I was working at, we had devices that were deployed in the field that have been there for 30 years. And there was no just patch it. Even worse, if that particular piece of hardware failed, it would have been six months to get a replacement. So you can't just apply the logic that the frame, it has logic, that people will apply to most IT systems of just do X. It's never that simple. Even with a regular IT system it's never that simple.

Dave Lewis:
So we have to make sure that we have a mitigation plan in place for any sort of control system, any sort of OT system, because a lot of it has to revive very heavily on network zone segmentation as an example, or other compensating controls, because I've seen devices in the past where you couldn't install an agent or whatever on that particular system, because it would fundamentally break the control system software. Another example was I was able to install a agent for a particular piece of software, I can't remember what it is now, that's many years gone, but because of the way the system was configured, encrypted data across the wire was then being intercepted by the agent locally and dumped into log files, not on purpose, just because of the way the system was operating. So I could see all of the sensitive data in my flog files. And I was like, "Why is this here?"

Dave Lewis:
And when I went to talk to the particular vendor who will remain nameless, of the control system software, they said, "Oh yeah, we can fix that for half a million dollars US." So this is another problem most OT environments have to contend with is that where we could just get a patch for Windows, Mac OS or whatever it happens to be, in the OT environment, getting stuff changed is a much more onerous process. And especially when a fix is required, it's not as expeditious.

Joseph Carson:
Absolutely. And I've been seeing patch that satellite. Oh, we need to do a firmware update to that chip board.

Dave Lewis:
Having worked on a satellite before I can say it ain't that easy.

Joseph Carson:
So even I've seen it with even maritime, having maybe Actis or navigational system that you need to do an update. So that's not going to happen for a while, not until that ship comes into port, because you're not going to do it over basically over a free sat link.

Dave Lewis:
Oh yeah. Like, was it 64 up and down?

Joseph Carson:
Unencrypted.

Dave Lewis:
Yeah, exactly.

Joseph Carson:
So it's whoever has the biggest antenna wins is what I referred to when you're talking about satellites. So absolutely. One of the things that you're absolutely right about the human side of things as well. I mean, we are, from a society perspective, from a security awareness, we are way behind and society. We just need to continue that we need to invest in it. We need to make sure that educational programs have, I love the term, I don't know if you listened to other talks. I did a CISO panel round table during one of the events recently. And one of the CISOs said at the table says, "It's great that we have been doing this secure by design for the past couple of years. It's been a great concept, but it's pointless and worthless unless we do security by default." And that's what we really need to get to. We need to build that in.

Joseph Carson:
And there's a great book that one of our previous guests, Jessica Barker, was involved in, which was the ABCs, which is all about awareness, is a great checkbox approach or state measurement into how well your employees are progressing. Behavior's one of the things you want to get into adoption too, and also getting security by culture. And one thing you mentioned, one of your metaphors about the house or the lock in the cars. It just reminded me. I'm originally from Belfast. And maybe what we need to do is, if we really want to get people into being untrustful into a zero trust approach is we send them to Belfast for a vacation for the summer, specifically in the beginning of July. That will definitely change people's approach to security forever. I guess it's, but that's, for me, we want to apply zero trust to people maybe it's a vacation in Belfast is what we need.

Dave Lewis:
Or something a little bit milder.

Joseph Carson:
Dublin's nicer.

Dave Lewis:
Finding the security awareness program so that resonates with folks because exactly that, I mean, Belfast, definitely, that'll do it. I mean, I used to live in DC and there are parts of DC where it's, yeah, entertaining, but that's just it, it's like if people don't personally experience some sort of traumatic loss, like having their house robbed or something like that, or being robbed at knife point or whatever, then they don't necessarily think about physical security or security in general in terms that are going to resonate with them. And that's unfortunate. And I don't recommend that people go through that experience, but we have to find a better way to get people to make security part of their DNA for want of a better term.

Joseph Carson:
Absolutely. And to your point, I mean, I remember it reminds me of a project I worked on a good 12 years ago now. And it was basically, it was an interesting project because the outcome was not the original plan or goal. It was all about basically consolidating the silos of security. They were looking at harmony machines they had patched and maybe what applications were vulnerable and hadn't been updated. What types of websites, malicious websites, employees were going to, and these are those data stacks were in separate databases and not being correlated. And they decided to bring them in together, stack ranked them and try to actually correlate from a risk based approach to how they can actually reduce the risk of the organization. And the result, what ended up happening was one of the end results was that we realized that one of the things we failed and it was, I've failed many times and I've learned over the years into what we were trying enforce security, enforcing security is a tough thing and it's not a successful thing to try and do.

Joseph Carson:
And that's what we have. We had that negative fatigue and negative friction within the employees because we come as enforcers. We say, "This is how you should be doing things." And we took that approach during that project about doing awareness training with employees, we took a forceful approach saying, "You must follow this. Otherwise there'll be consequences." And it failed because employees basically, they're like, "I get measured in how I do my job. I don't get measured on how secure I am. I get measured on the business doing well, me and my business goals and the company doing well, that's what I'm measured on." And what we ended up realizing was actually, we need to reverse. We need to look at rather than being enforcers, we need to be enablers of security. And I loved Wendy's talk when she mentioned about security being usable like a spoon, because it really kind of made me think about that's the path, that's what we need to be going down.

Joseph Carson:
We need to remove the complexity and get it to being easy to use, usable, even to the point where it's running in the background, where people don't need to see security, but at that time, one of the things that came out of that specific project, was to your point is that until people see the impact, they don't realize the importance of what it is and what it means. And what we did was we find that we were communicating directly to the employees and all of them. And we decided that we actually needed to have we called it cyber ambassadors or cyber mentors within the departments who needed to be our proxies for communication. And we were trying to figure out which employees were the best at communicating to the broader team. And it was actually previous victims of cyber crime who had it closer to home, who had experienced it. And they became our advocates. They became the best people in the organization to communicate.

Joseph Carson:
And I think that's really where, when we look at, if you want to get some type of zero trust framework and approach, and you want to incorporate it in the importance of people, you need to have cyber ambassadors and cyber mentors that will be the voice and ears for security within the business and also the way that we can also communicate to their peers as well in the same language. And for me, that was a big realization into really making sure that we empower the people. We make security usable. We don't become the enforcers. We become enablers to the point where I remember anytime we go to implement any type of security control, it must be better than the existing control in place so that the user wants to use it. They actually want. Give it to me because it will help them be successful at their job. Is there anything that you think organizations can also expand in that as well to really make, because Wendy's talk was fantastic and it was one that was very memorable.

Dave Lewis:
Wendy's good that way.

Joseph Carson:
Absolutely. But do we need to make zero trust supposed to be, need to make zero trust from an architecture perspective, let's say, automated in the background? Do we need to make it usable? How do we get the users to have a good experience?

Dave Lewis:
Well, and that's just it, I mean, we have to look at what I was talking about earlier about democratizing security, very much to your point as well. How do we make this as easy as possible for users in their environment? Whether it is multifactor authentication, biometrics, password lists, whatever happens to be, what is going to make the most sense in your environment? Not every environment is created the same. And as you introduce new technologies to help with your outcomes, you have to try those. And if they work, great, that's fantastic, but always keep an eye to how do you improve things in the future? So for example, password lists is based on web authen, which is an open standard from the W3C. And this is a great example of how you can do security better. You log in once, and then it automatically passes your credentials seamless to the user.

Dave Lewis:
And obviously I'm making that as simple as possible, but the point here is trying to make it as easy as possible for the users while maintaining their security at the same point. So, yeah, I mean, it is going to take a long time because look, password great example. We've been stuck with them since 1962. I mean, even IBM created a system with passwords in 1962, and they even admit that MIT beat them to the punch. So this has been seen as a security control ever since, very much in the way that house key is. A house key doesn't, if I have my house key, I come home at night, that's great. That's me coming through the door, but there's nothing to verify that it is me coming through the door. So if you lose your key and somebody else gets it, that's a problem. So there are better ways to do things. We have to look at ways of democratizing security and making sure that applications are not hard for people to use.

Dave Lewis:
So if you have security tools that are seamless, and I mean that in that it is not going to negatively impact somebody in finance, somebody in HR, somebody in procurement, whatever it happens to be, an application developer, let them focus on their core competencies so that they can get their jobs done within a safe and secure environment. And this is why zero trust will provide for a strategy to get to that point. And however you position it within your organization, call it continuous trusted access or whatever works for you, there's no one size fits all. And that's the beauty of this is that it doesn't have to be a rigid "This is how it is," but fundamentally it really boils down to reducing risk in the organization is the core fundamental here.

Joseph Carson:
Absolutely. And I was doing a penetration a few years ago. That was came to a big realization for myself as well. That was a point in time. I love what was during that talk that it was the point in time when I realized, and it was a discussion with the CFO and CEO that made me had to have that hard discussion that made me realize that actually I thought I was there to enforce security and to be deploying security and to help the organization get the right security posture. But it was a hard realization because when it was brought down to reality, I realized that that's not my job. My job is to listen to the business and understand the risk and to look at ways that I can use my knowledge and skills to help reduce that risk. And at the same time, my goal that I realized is to help the employees be successful at meeting their goals while at the same time making sure we're reducing the risk. And that's ultimately, it was a big hard realization.

Joseph Carson:
It was a point in time to change my outlook and how I looked at my job and what I was there to do. And it also changed a lot of discussions with the boards post those years. So definitely it all starts with a risk and looking. I think for the key takeaways for the audiences is really that I think what's really important here as we're kind of uncovering and bringing down to relative what zero trust is, is that absolutely all companies should strive to go down that maturity path and try to get as much of the processes and procedures and technology to have a zero trust, let's say, mindset on how they operate and how they work, but it's not a check box. It's not a product you install. It's not an end goal. It's going back to what Brian had mentioned in what I referred to before. It's a choice in how you wish to operate your business.

Joseph Carson:
And it's a choice of how you want to make sure your organization becomes more resilient and reduces the risks to whatever types of attack's out there, whether it being cyber attacks, whether it being physical infrastructure. So Dave, any key thoughts or takeaways you would like to add?

Dave Lewis:
So first and foremost, I mean, one, thank you very much for having me on, but we have to make sure that as an organization that you have buy-in from senior management, because that'll help things longer term. You want to look at this as an exercise in reducing risk in your organization and tackling a lot of the core fundamentals that we should have been taken care of right from the very get-go years ago. And when we're doing all of that, we are reducing risk in the organization, having defined repeatable processes to make things run smoother, and we have to look very hard at democratizing security to make it easier for folks to get their jobs done, because they want to focus on their core competencies within your organization and you want to be able to facilitate that by becoming an enabler of the business.

Joseph Carson:
Absolutely. Awesome. I think that's a perfect note to leave it on for the audience. So Dave, it's been awesome having you on the show. I can't believe it's been this long before we've actually had you on, so I hope this is not going to be the last one for a while. We'll definitely have to get you back on. There's a lot more topics. So we have to educate the audience on and really start to really make security easy and usable and make sure that people get behind the scenes and really kind of get into what it really means. I think that's what this discussion is done today. So Dave, thank you. It's been a pleasure and any final words, any final kind of thoughts?

Dave Lewis:
Well, it's an interesting conversation talking to myself. So, no.

Joseph Carson:
I just have say you're one hell of a good looking guy. That's one thing that probably Tom, Brian and Yavid would definitely agree upon and so intelligent. So it's been awesome having a show. I hopefully look forward to seeing you in person at some point in the near future.

Dave Lewis:
Ah, yes.

Joseph Carson:
Stay safe, healthy, and for the audience, many, thanks for joining in for another episode of 401 Access Denied. We're really here to help make sure that security is something that you can understand, that you can get real education and benefit from. So stay safe, tune in every two weeks, make sure to subscribe and even go back and listen to some of our previous episodes with some of the awesome guests that we've had on the show. So thank you, stay safe and take care.