DoctorMac

Zero TRUSTS given. Ryan Heidorn, David Lago, Chris Hughes, Patrick Perry

DoctorMac

The first question comes up about the name "zero trust" and whether you can "achieve it." The panelists note you always have some trust, but it is about not trusting our networks.

DoctorMac

To get started, Patrick Perry: You have to align to org strategy and architecture. Where is your company at right now in security before you start a zero trust environment?

DoctorMac

Longo adds you have to have buy-in. Get leadership to understand. This is a maturity model, in a way.

DoctorMac

Chris Hughes notes we must educate people. The digital strategy is to open things up. That scares security people. We need to educate in non-condescending ways.

DoctorMac

Oops, David Lago, not Chris Longo. David compares two computers: the ancient DoD one that VPNs to gov systems, and a more modern and secure MacBook that can connect to secure clouds.

DoctorMac

DRINK! Patrick Perry brings up the Pizza as a Service cloud model: pkerrison.medium.com/pizza-as-...

DoctorMac

Perry says he does not like the shared responsibility model, because that means ducking and blaming other people. It is really your distributed responsibility.

DoctorMac

Chris Hughes defines the difference between zero trust at the application level and the data level. ...To me it is about anomaly detection at each layer of the stack.

DoctorMac

Perry: What zero trust is, is a cross-functional team. I never thought about identity as part of security before, but it is essential. You can't just have an identity team or an endpoint team.

DoctorMac

David Lago: Use the reference architecture. You have to explain to corporate that you will not use their system. That freaks people out; the reference architecture soothes them with confusion.

DoctorMac

Chris Hughes: IaaS and SaaS have different zero trust and shared responsibility models. A SaaS doesn't control the operating system, yet at the same time you can get one tool, like SSO, that spreads too far in SaaS.

Perry: Security is about what you can influence. With SaaS and IaaS you give up control and influence; you need to compensate with architecture.

DoctorMac

David Lago: We need to create opportunities for SaaS by building in the handshake. Make it easier for the user.

DoctorMac

Perry adds that if you are a SaaS you need to predict your APIs from the beginning... I know that's not just security, but cost and UX...

DoctorMac

Heidorn asks about Zero Trust and OT. Hughes replies, "It is complex. It is not a mistake; if you Apple-F you will see cloud everywhere. This is easier to do in cloud. Ask an OT expert, not this panel."

Perry notes that all OT is a pivot point that can let people into your network, so you have to do it carefully.

DoctorMac

Ooh, Heidorn asks my fav topic: security as code, and Chris Hughes is on the stage to answer.

He explains how this works in Azure and AWS through reference architecture.

It is another level of maturity.

Perry adds that the "easy button can cause us to lose sight." How do you check the checker?

David Lago says the government has to get quicker at ATOs.

Do we need hundreds of controls? How can we automate?

DoctorMac

@DoctorMac NISTperception... is that a word? It should be.

DoctorMac

Perry said the interpretation of the controls needs to change; some controls need to be updated. They are too granular. We need to change the way we grade things.

DoctorMac

Hughes notes: I am a CEO; you have to speak to the business in terms of cost and money without fear mongering. Quantum computers do not matter; focus on phishing and MFA.

DoctorMac

A question about zero trust and BYOD. Perry notes that ZTA is a transaction; it should work at a 1:1 relationship. BYOD or on-prem device should not matter.
