AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

Adopting Zero Trust

Player FM - Internet Radio Done Right

הוסף לפני two שנים

תוכן מסופק על ידי Adopting Zero Trust. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי Adopting Zero Trust או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

Via Podcast

1
The Southwest’s Wildest Outdoor Art: From Lightning Fields to Sun Tunnels 30:55

לפני 4 ימים30:55

הפעל מאוחר יותר

רשימות

לייק

אהבתי

30:55

A secret field that summons lightning. A massive spiral that disappears into a salt lake. A celestial observatory carved into a volcano. Meet the wild—and sometimes explosive—world of land art, where artists craft masterpieces with dynamite and bulldozers. In our Season 2 premiere, guest Dylan Thuras, cofounder of Atlas Obscura, takes us off road and into the minds of the artists who literally reshaped parts of the Southwest. These works aren’t meant to be easy to reach—or to explain—but they just might change how you see the world. Land art you’ll visit in this episode: - Double Negative and City by Michael Heizer (Garden Valley, Nevada) - Spiral Jetty by Robert Smithson (Great Salt Lake, Utah) - Sun Tunnels by Nancy Holt (Great Basin Desert, Utah) - Lightning Field by Walter De Maria (Catron County, New Mexico) - Roden Crater by James Turrell (Painted Desert, Arizona) Via Podcast is a production of AAA Mountain West Group.…

לפני שנתיים 54:57

MP3•בית הפרקים

Season two, episode 16: Zack Butcher discusses building upon NIST’s Zero Trust policies and standards, and ZT’s influence on a service mesh as it relates to microservices.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

There are several guiding concepts that make it easier for organizations to build a Zero Trust strategy. The first that typically come to mind come from CISA and NIST. These core elements, ranging from the five pillars through to building a ZT architecture, offer a vendor-neutral path towards removing implicit trust. Organizations like CSA also do a great job of expanding upon this knowledge with more contributions from technology and service providers. This week, we take our first step towards understanding what goes on behind these policies, standards, and recommendations, and for that we have a well-equipped guest to walk us through it.

Zack Butcher is one of the founding engineers over at Tetrate, a vendor that provides a consistent way to connect and protect thousands of individual microservices and deliver Zero Trust security operations across any environment. They also have their roots stemming from a team that worked at Google, which many of you are likely familiar with their connection to Zero Trust through BeyondCorp. However, he is also the co-author on NIST special publication 800-207A. If that looks familiar, it’s because it’s an expansion of the earlier mentioned core NIST resource, 800-207.

NIST SP 800-207A builds upon that core architecture piece and hones in on access controls in cloud-native applications in multi-cloud environments. That is a bit of a mouthful, so here is Zack on what you need to know.

When we talk about Zero Trust at runtime, there's a lot of FUD and a frustrating amount of FUD in the in the marketplace and a lot of vendors claiming certain things are Zero Trust and not.

And you know, in that landscape, I wanted to really kind of push for people to have a very clear definition of Zero Trust at runtime, and it's a minimum definition. Let me be clear. You can do a whole lot more than what we talk about in the SP, but I try and give a very, very simple minimum definition. And that is five policy checks at runtime, and we call that identity based segmentation.

Butcher also co-authored NIST SP 800-204A that focuses on building secure microservices-based applications using service-mesh architecture. So this week, Neal and Butcher ran down the rabbit hole of expanding upon these core Zero Trust resources, implications of a more secure environment at runtime, and identity-based segmentation.

56 פרקים

#Tech #Adopting Zero Trust

AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

Adopting Zero Trust

published לפני שנתיים

שתפו

MP3•בית הפרקים

Season two, episode 16: Zack Butcher discusses building upon NIST’s Zero Trust policies and standards, and ZT’s influence on a service mesh as it relates to microservices.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

When we talk about Zero Trust at runtime, there's a lot of FUD and a frustrating amount of FUD in the in the marketplace and a lot of vendors claiming certain things are Zero Trust and not.

56 פרקים

#Tech #Adopting Zero Trust

كل الحلقات

1
How Critical Infrastructure Leaders Are Rethinking Cybersecurity 44:32

לפני 20 ימים44:32

44:32

In this episode of Adopting Zero Trust, hosts Elliot Volkman and Neal Dennis discuss critical infrastructure security with expert guest Ian Branson, Vice President of Global Industrial Cybersecurity at Black and Veatch. The discussion centers around the philosophical and strategic approaches to handling incidents and breaches, especially in the operational technology (OT) realm. Branson highlights the importance of understanding what needs protection, the integration of IT and OT security, and the crucial role of threat intelligence. They also explore the evolving need for converging physical and digital security data to manage risks effectively. 01:37 Starting Point for Protecting Critical Infrastructure 04:52 Funding and Resource Allocation for Cybersecurity 10:57 Threat Intelligence and Incident Response 16:25 IT and OT Convergence 23:47 Discussing Employee and Equipment Management 26:19 Integrating Physical and Cyber Security 34:39 Proactive Security Measures in New Constructions 40:46 Balancing Rapid Response and Availability…

1
Shadows Within Shadows: How AI is Challenging IT Teams 48:12

לפני 7 weeks48:12

48:12

In this episode of Adoption Zero Trust (AZT), host Neal Dennis and producer Elliot Volkman sit down with Bradon Rogers, Chief Customer Officer at Island, to discuss how AI is compounding the already existing problems tied to shadow IT. The conversation explores how modern enterprises handle the growing complexities of unregulated software use, the role of enterprise browsers in mitigating risks, and the dynamic between user experience and cybersecurity. 01:16 Shadows within shadows 04:15 AI in Approved Solutions 09:14 Enterprise Browser and Security 14:25 Transition to Browser-Based Applications 16:23 Enterprise Browser Capabilities 18:45 Data Protection and Shadow IT 24:39 Shepherding Data in the Enterprise Browser 25:17 Policy Perspectives on AI and Data Flow 28:16 Exploring SBOM and AI Integration 35:39 Browser Security and Application Boundaries 41:40 BYOD and Privacy Concerns 44:48 Third-Party Scenarios and Onboarding…

1
Live at ZTW2025: Cyberwire Daily’s Dave Bittner + Dr. Zero Trust 32:50

לפני 9 weeks32:50

32:50

Catch this episode on YouTube , Apple , Spotify , or Amazon . You can read the show notes here . Live from ThreatLocker’s Zero Trust World (ZTW), cybersecurity heavyweights Dave Bittner , host of CyberWire Daily and Dr. Chase Cunningham AKA Dr. Zero Trust shared their unfiltered thoughts on the state of cybersecurity, AI, and government regulations. From the shifting landscape of compliance enforcement to the role of hitting critical mass of AI in both defense and cybercrime, we can expect an extraordinary level of change in the years ahead. 01:37 Cybersecurity Landscape Overview 01:58 Government and Cybersecurity 02:39 Leadership and Appointments in Cybersecurity 03:47 Future of CISA and Compliance 06:41 Managing Cybersecurity News 14:54 The Role of LLMs in Cybersecurity 16:22 Global Perspective on AI and LLMs 18:47 Reflecting on Past Technological Predictions 20:18 The Double-Edged Sword of AI and Surveillance 24:21 The Dark Side of Technological Advancements 26:17 Debating the Term 'AI' and Its Implications 28:43 Historical Anecdotes and Unanswered Questions…

1
Rapid fire update: Silk Typhoon and DOJ's indictment of twelve Chinese nationals 3:20

לפני 9 weeks3:20

3:20

New intelligence: Silk Typhoon, formerly tracked as HAFNIUM, is a China-based threat actor most recently observed targeting IT supply chains in the US. Today, we released a new report in conjunction with the Department of Justice's action against twelve Chinese nationals that includes mercenary hackers, law enforcement officers, and employees of a private hacking company. This group has been charged in connection with global cyberespionage campaigns. Dive into our latest blog for all the details.…

1
Predicting the year of cybersecurity ahead (minus regulations) 1:02:52

לפני 11 weeks1:02:52

1:02:52

It’s mid-February, but somehow, we’ve already been through what feels like a year's worth of change in the cybersecurity and regulation world. Beyond the standard incidents, outages, and attacks… there have been obvious impacts that have downstream effects. Regardless of regulatory changes, which we’ll cover as those impact our space, AZT brought together a few minds who have thoughts on the year ahead. To properly kick off season four, we have the privilege of chatting with two wonderful guests: Lawrence Pingree , VP of Technical Marketing at Dispersive, but you are more likely to know his name from his time at Gartner. However, he has a varied background ranging from CTO to security engineer, so don’t let that marketing line in his title fool you. Oliver Plante , VP of Support at ThreatLocker, has around 15-20 years of IT under his belt. He also has seen a thing or two when it comes to implementing new cybersecurity strategies 03:21 Predictions for the Year Ahead 04:06 Zero Trust and Least Privilege 05:40 The Future of Cyber Defense 07:21 AI and Cybersecurity 08:41 Threat Intelligence and Preemptive Defense 09:50 Challenges and Innovations in Cybersecurity 14:23 The Role of AI in Cyber Attacks 26:18 Quantum Computing: Threat or Savior? 29:31 Passwordless Security: The Future 30:57 Challenges of Deepfake Technology and Passwordless Security 33:03 Blockchain and Its Applications in Security 35:33 Debate on Password Management Practices 38:03 User Responsibility and Security Automation 47:50 Government's Role in Cybersecurity 57:14 Future of Cybersecurity and Zero Trust…

1
Kicking Off Season 4 of Adoption Zero Trust (AZT) 22:43

לפני 12 weeks22:43

22:43

Catch this episode on YouTube , Apple , Spotify , or Amazon . You can read the show notes here . Neal and I are excited to welcome you back to AZT as we kick off our fourth season. After four years of trying out different formats and episodes, including at least an entire season terrorizing vendors for slapping Zero Trust on their box as if it were something you could buy, we’re ready to narrow our focus a bit.…

1
The key to growing a cybersecurity career are soft skills 50:38

לפני 20 weeks50:38

50:38

In this episode of 'Adopting Zero Trust (AZT)', host Neal Dennis and producer Elliot Volkman delve into the often-overlooked realm of soft or 'non-tech' skills in cybersecurity. This week, we chat with Courtney Hans , VP of Cyber Services at AmTrust Financial Services, and Evgeniy Kharam , author of Architecting Success: The Art of Soft Skills, who help us explore how non-technical skills are vital in shaping the careers of cybersecurity professionals. Our guests share the importance of effective communication, emotional intelligence, and adaptability. The hosts and guests share personal anecdotes, training tips, and the necessity of bridging technical prowess with essential soft skills to improve stakeholder engagement and career advancement. The episode emphasizes the value of being comfortable with discomfort and soliciting feedback to enhance one’s professional journey in cybersecurity.…

1
Behind the scenes of cybersecurity media and reporting 1:04:53

לפני 24 weeks1:04:53

1:04:53

Season 3, Episode 15: We gather a panel of journalists, communications, and a researcher to discuss how cybersecurity news and incidents are reported. You can read the show notes here . In the world of cybersecurity journalism, you can broadly divide it into four competing forces: reporters, communications teams, researchers, and readers. Each requires the other to accomplish its goals, but they all have very different priorities and goals. Journalists have a duty to inform the public about security-related events. Communication teams have a duty to inform the public about related incidents and research, but in a controlled setting. Researchers help provide answers to communication teams and journalists. Readers want to be informed of information that impact them, and their habits shape what kind of reporting is invested in the most. This week we explore some of these dynamics by bringing together a panel representing comms, journalism, and research to discuss the game of tug-of-war during incident response and incident reporting. Danny Palmer was a long-standing cybersecurity reporter at ZDNet prior to recently joining DarkTrace, Josh Swarz is the Senior Communications Manager at Microsoft focusing on threat intelligence, our host Neal Dennis is former NSA and has lived many lives around either keeping secrets or uncovering them, and producer Elliot Volkman has been a reporter for two decades and works with Josh on elevating research at Microsoft Threat Intelligence.…

1
GRC tool or spreadsheets, that is the question | GRC Uncensored Preview 43:13

לפני 28 weeks43:13

43:13

In our final preview episode of GRC Uncensored, we explore a particularly bipolar debate: do you need a GRC tool to manage compliance, or will spreadsheets suffice? After this, we will be back to our regularly produced AZT episodes. The last episodes of our pilot for GRC Uncensored can be found on your favorite podcast app or newsletter on Substack.…

1
Podcast Preview: GRC Uncensored and the commoditization of compliance 41:30

לפני 30 weeks41:30

41:30

We are interrupting our regularly scheduled podcast series to introduce you to a new series we developed: GRC Uncensored. This pilot season will elevate conversations about GRC that are often buried under millions of dollars in marketing spend. No boring talks about controls or frameworks, just unfiltered discussions with auditors and practitioners in the GRC space. We'll be back to our regular AZT episodes in a couple of weeks. ----- In the first episode of 'GRC Uncensored,' hosts Troy Fine, dubbed the 'GRC Meme King,' and Elliot Volkman, alongside guest Kendra Cooley dive into the complexities of Governance, Risk, and Compliance (GRC) in cybersecurity. The discussion unravels the 'love-hate' relationship many security professionals have with compliance frameworks like SOC 2, exploring how they have become commoditized and possibly devalued over time. The conversation touches upon the challenges security practitioners face in conveying the true value of GRC to businesses, the potential pitfalls of 'SOC in a box' offerings, and the broader implications of compliance becoming a 'check the box' exercise. Moreover, the episode delves into the broader regulatory landscape and the ongoing debates about the role of government regulations in cybersecurity compliance. This candid dialogue sets the stage for future episodes that promise further to dissect the nuances of cybersecurity audits and standards. 00:00 Welcome to GRC Uncensored 01:34 Introducing Kendra Cooley 02:05 Love-Hate Relationship with GRC 03:16 The SOC 2 Debate 04:33 Challenges with SOC 2 Audits 09:10 The Value of SOC 2 in the Industry 12:04 The Evolution of Compliance Frameworks 20:39 False Sense of Security in Compliance 24:46 The Buzz Around AI and Quantum 25:10 Staying Updated as a Security Professional 26:45 Challenges in Penetration Testing and Vendor Assessments 27:37 Compliance and Its Impact on Security 30:10 Government Regulations and Their Effectiveness 32:23 The Complexity of Privacy Laws 38:29 The Role of GRC Teams in Risk Management 42:30 Concluding Thoughts and Future Episodes…

1
How to prepare your operations team for Zero Trust 46:17

לפני 32 weeks46:17

46:17

Welcome back to Adopting Zero Trust! In this episode, hosts Elliot Volkman and Neal Dennis are joined by Rob Allen, Chief Product Officer of ThreatLocker, to dive deep into the operationalization of Zero Trust. Despite covering various aspects over three seasons, this crucial topic is addressed thoroughly. They explore pre-adoption preparation, aligning organizational actions, and the importance of education in security. Additionally, the conversation highlights the 'assume breach' perspective and how concepts like default deny and least privilege are essential. With real-world examples and anecdotes, they provide actionable insights on implementing Zero Trust strategies effectively. Tune in to learn about the foundational steps necessary to transition into a Zero Trust environment. This is the first of a three-part mini-series, so stay tuned as we explore more aspects of how to prepare your organization for adopting a Zero Trust strategy.…

1
Log4j Continues to act as Organizational Vulnerability 47:56

לפני 35 weeks47:56

47:56

Season 3, Episode 13: Cato Network’s Etay Maor provides fresh research on the abuse of unpatched log4j libraries. Catch this episode on YouTube , Apple , Spotify , or Amazon . You can read the show notes here . This week on Adopting Zero Trust (AZT), we highlight a significant cybersecurity risk focused on the notorious Log4j vulnerability and the growing concern around shadow IT. Featuring expert insights from Etay Maor, the Chief Cybersecurity Strategist at Cato Networks, the conversation initially looks into the persistent exploitation methods, the importance of knowing one’s cybersecurity environment, and strategic approaches to mitigating risks.…

1
Overturning of Chevron Deference’s Impact on Cybersecurity Regulation 51:44

לפני 37 weeks51:44

51:44

Season 3, Episode 12: Could the overturning of Chevron Deference impact cybersecurity and privacy regulations? Catch this episode on YouTube , Apple , Spotify , or Amazon . You can read the show notes here . Welcome back to Adopting Zero Trust or AZT. In our latest episode, we assembled a distinguished panel to dig into a timely topic affecting the cybersecurity landscape but has the fog of war wrapped around it. Today’s conversation centered around the recent developments in cybersecurity regulations and their potential impacts, ignited by the Supreme Court overturning Chevron Deference. This, of course, has other potential impacts on all regulation types enforced and shaped by federal agencies, but our focus is, of course, on cybersecurity, privacy, and AI. The Panel We welcome back Ilona Cohen, Chief Legal and Policy Officer at HackerOne, who joined us last year to discuss the National Cybersecurity Strategy . Ilona is also the former General Counsel for OMB. We are also joined by the GRC meme king, Troy Fine, the Director of SOC and ISO Assurance Services at Gills Norton. Beyond the memes, Troy takes a practical perspective on regulations and acts as our voice for those who may be most immediately impacted. Key Takeaways Chevron Deference overturned: The Supreme Court's decision removes the requirement for courts to defer to federal agencies' interpretations of ambiguous statutes and now relies on the courts. Increased regulatory uncertainty: This ruling may lead to more challenges to existing and future regulations, potentially affecting cybersecurity and AI policies. State vs. Federal regulation: The uncertainty at the federal level might prompt states to act more quickly on issues like AI and cybersecurity, potentially creating a patchwork of regulations. Impact on AI regulation: With about 40 federal bills addressing AI in the pipeline, the ruling could complicate the process of creating comprehensive federal AI regulations. Cybersecurity implications: Existing and proposed cybersecurity regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act, may face new challenges. Business concerns: While some business organizations applauded the ruling, the resulting regulatory uncertainty could be problematic for companies trying to plan and comply with regulations. Expertise concerns: There are worries that courts may lack the technical expertise to make decisions on complex technological issues like AI without deferring to agency experts. Potential for innovation: The regulatory uncertainty might create a wild west period for AI, potentially fostering innovation before more stringent regulations are imposed. Self-regulation importance: In the absence of clear federal regulations, industry self-regulation initiatives may become more significant, especially in rapidly evolving fields like AI.…

1
Applying Vulnerability Management to Zero Trust 45:43

לפני 40 weeks45:43

45:43

Season 3, Episode 11: Vulnerability management is critical to any Zero Trust strategy, but you probably already know that. Fortra’s Tyler Reguly breaks down severity vs. risk. Catch this episode on YouTube , Apple , Spotify , or Amazon . You can read the show notes here . Every organization relies on some form of technology to run, and each tool you add increases the risk of vulnerabilities causing problems. If you don’t stay on top of patching, you increase the odds of a bad actor finding their way more easily within your network. This week, we chat with Tyler Reguly, a senior manager of security research at Fortra, who shares insights from his 18 years in vulnerability management. Tyler discusses the importance of staying on top of patching to maintain a Zero Trust strategy, the differences between vulnerability and patch management, and emphasizes that the Common Vulnerability Scoring System (CVSS) measures severity, not risk. We also briefly nerd out about the significance of groups like the Canadian Cyber Threat Exchange (CCTX) for knowledge sharing and collaboration in cybersecurity. And then, we wrap things up by exploring the efficacy of existing security policies and benchmarks, such as CIS and DISA STIGs, and the role of vendor relationships in maintaining effective security practices.…

1
The Unstoppable Phish: A Discussion with Vivek Ramachandran 26:31

לפני 44 weeks26:31

26:31

Season 3, Episode 10: Elliot chat’s with Vivek Ramachandran of SquareX about his approach to tackling the impossible: Social engineering. Catch this episode on YouTube , Apple , Spotify , Amazon , or Google . You can read the show notes here . For nearly three decades, social engineering, particularly phishing, has been one of the most impactful and financially draining cyber threats. Between security awareness training, email security gateways, generative AI, enterprise browsers, and a slew of other tech like EDRs and XDRs, social engineering has yet to be thoroughly thwarted. The reason for that is straightforward enough: social engineering is a psychological threat, not just a technological one. In our last round of interviews from RSA, we chatted with Vivek Ramachandran, the founder of SquareX, who is attempting to tackle the challenge. Vivek also walks us through a more realistic perspective of how threat actors use generative AI today, which goes beyond the more unique what-if scenarios we’ve seen in headlines in the past two years. Key Takeaways Social engineering and phishing attacks remain a significant threat, and everyone can be a target. The sophistication of these attacks has increased due to advances in AI. AI can craft messages that sound remarkably like someone the recipient knows, enabling rapid scalability. Social media platforms are becoming common channels for launching phishing attacks. Attackers exploit the trust that users place in these platforms and their contacts. Vivek Ramachandran's company, SquareX, deploys a browser extension that can attribute attacks and detect and block them in real-time, providing valuable information to the enterprise. Traditional technologies like Secure Web Gateways (SWG) have matured, and attackers can easily bypass them. Enterprise browsers solve the problem for a small niche group of websites but have adoption friction due to the inconvenience of having a dedicated browser.…

Adopting Zero Trust

1
Adopting Zero Trust: Philosophy of Prevention with iHeartMedia’s Janet Heins 44:02

לפני 2 years44:02

44:02

Season two, episode 13: Cybersecurity prevention on a global scale with Janey Heins, Global CISO for iHeartMedia. At the heart of Zero Trust is the idea of prevention. If you don’t trust anything or any person, you are playing in the same pool as risk avoidance. While total risk avoidance isn’t feasible, Zero Trust gets us closer to reality. Now, map this up to an organization with a global footprint, with significant infrastructure sprawl, and you’ve got one very complex scenario on your hands. This brings us to this week’s guest, Janet Heins, iHeartMedia's Global CISO, who will help us navigate the philosophy of cybersecurity prevention on a global scale. Putting The Conversation Into Context With more than a decade behind her as a CISO, Heins’ experience stems from working with some massive brands. As a leader, she’s particularly passionate about translating business needs into technology processes or solutions, while at the same time bridging the language barriers that often stem between IT, cybersecurity, and the other adjacent areas. iHeartMedia has over 11,000 employees and a vast physical and digital footprint. With 860 radio stations across the US and 20,000 events annually, the company is part of the emergency broadcast system and has to be ready to respond to threats quickly. At a global level, Heins makes it clear that strong detection and response capabilities, as well as prevention measures, are critical elements of prevention. And while prevention can take many forms, in the context of today’s episode, we dig into security tools, hiring security professionals, and the basics, such as providing security awareness training to employees. One challenge of securing a large organization like iHeartMedia is consolidating the tech stack. iHeartMedia has a blended architecture of OT and IT, with legacy hardware and systems that need to be secured. Heins stresses the importance of communication and collaboration between the IT and OT teams, as well as being open to new tools and automation.…

Adopting Zero Trust

1
Adopting Zero Trust: Continuous Trust 29:49

לפני 2 years29:49

29:49

Over the past two years, we’ve explored the ins and outs of Zero Trust, ranging from the concept as a strategy down to the more technical components, such as how it impacts the physical world as found in IoT devices. However, what is often missed in these conversations, is at what point an organization can actually build trust. Not just crawling up from the baseline of zero but achieving continuous trust. The short answer? Defense in depth, building security in layers, and ensuring every 1 and 0 is secure at the offset while continuously monitored through automation. And this is where we get to introduce this week’s guests, who were kind enough to be pulled away from a busy conference. This is also a special episode for us, too, as it’s the first in-person interview we’ve done since launching this series. Live (June 22, 2023) from Drataverse, we have Daniel Marashlian, the co-founder and CTO of Drata, Ty Sbano, the CISO for Vercel and an angel investor at Silicon Valley CISO Investment Group (SVCI), and Matt Hilary, the Vice President of Security and CISO at Drata. You can read the show notes here .…

Adopting Zero Trust

1
Adopting Zero Trust: Nonfederated Apps 54:44

לפני 2 years54:44

54:44

Last episode, we brought to you a wild story of a victim who was SIM-swapped four times, and this week we’re back to basics with some fresh research and a closer look at a critical piece of Zero Trust: Non-federated applications. Cerby’s Chief Trust Officer, Matt Chiodi, was kind enough to add a bit of color to a research report they released at RSA that helps validate what they’ve been building the past 3 years. Before we get to that, it’s worthwhile to define what nonfederated applications are, as, like many cybersecurity concepts, it’s going through an identity crisis. Nonfederated applications are essentially the opposite of how organizations should be inventorying, tracking, and providing access to applications (SaaS platforms are a good example). To align with Zero Trust, or really any modern cybersecurity strategy, SSO, SAML, and other solutions designed to scale are necessary so IT and security teams can properly manage access. However, there are always outliers, which the business still needs access to, such as managing admin access to a social media profile. This brings us back to Matt and the Ponemon Institute, who produced the recent research report: The Hidden Cybersecurity Threat in Organizations: Nonfederated Applications .…

Adopting Zero Trust

1
Adopting Zero Trust: SIM Swapped 59:44

לפני 2 years59:44

59:44

Taking a break from our usual format, this week we chat with a victim-turned-CEO who was hit by SIM-swapping attacks. However, not all harsh starts have to end that way, and Haseeb Awan made the best of a bad situation. After being compromised not once… nor twice, but four times, Haseeb eventually took matters into his own hands and developed a new solution and company, Efani . Haseeb was kind enough to share his personal experience of being SIM swapped where he describes the fear and anxiety felt as a result of the attacks and explained how easy it is to compromise a phone number.…

Adopting Zero Trust

1
Adopting Zero Trust with Bloomberg: Implemented 51:49

לפני 2 years51:49

51:49

Season two, episode nine: Featuring Bloomberg’s Head of Information Security Architecture and the Information Security Program, Phil Vachon. Catch this episode on YouTube , Apple , Spotify , Amazon , or Google . You can read the show notes here . What does implementing a Zero Trust strategy actually look like in an organization? Nearly a year into our podcast’s journey covering how practitioners view, define, and apply zero trust, it’s time to look under the hood at how a notable organization put its strategy into motion. This week we chat with Bloomberg’s Head of Information Security Architecture and the Information Security Program, Phil Vachon , about how they transformed their security organization with Zero Trust. Most interestingly though, while many organizations are just now exploring how they will start their zero trust journey, Bloomberg was ahead of the curve even before covid thrust the concept into the limelight. “I will always say it is continuing to be a journey. It's not a destination,” said Vachon. Key Takeaways Zero Trust Principles Zero trust is not a new concept but has been repackaged and branded as a solid ideology. Zero trust involves three principles: trust but verify, assume compromise, and strong posture. Zero Trust Journey Zero trust is a continuing journey, not a destination. Zero trust requires a good mindset about how to implement controls and how to reason about security architecture. Zero trust is not just about securing the corporate IT estate but also about securing the data center estate and the communications between components. Challenges in Implementing Zero Trust Balancing security with usability is a challenge that must be addressed to enable a high-collaboration, low-friction workflow. Bloomberg leverages many SaaS services for collaboration, but they also have their own core services that are still on-premises. They focus heavily on their offerings on-premises and have a big drink-your-own champagne culture around them.…

Adopting Zero Trust

1
Adopting Zero Trust with Bitwarden: The Mighty Password 54:32

לפני 2 years54:32

54:32

There’s no avoiding it, the headlines have not been kind to the ways we access systems today. Users are still using 1234, password , and even their dog's name. Not just using these weak passwords but also reusing them across multiple platforms, making it incredibly easy to breach someone once they’ve been caught up in a previous breach. On the vendor side, well we all know what’s happened there in the past 12 months, and now more than ever, password management platforms have growing targets on their back as high-value assets. But we are not here to throw rocks in the glass house nor try to dissect what goes well or goes wrong in these situations; however, we should all focus on what we can take away from them and ensure they are not repeated. This concept aligns well with Zero Trust, where we should assume systems are already breached, that your users - be it intentionally to shitpost in a discord channel or accidentally fall for a phishing lure- and we should remove as much implicit, unchecked trust as possible. At least until Skynet takes us all out, but we have a few good years ahead. Jokes aside, we have a great episode for you and appreciate Bitwarden lending us two of their C-suite members who cover a range of topics, including how they navigate these challenges. This week we chat with Bitwarden’s CEO Michael Crandell and Chief Customer Officer Gary Orenstein. Bitwarden offers an integrated open-source password management solution for individuals, teams, and business organizations. It also offers a self-hosted solution, which appeals to those who want greater control over their secrets. Key Takeaways The use of a Zero Knowledge architecture means that the company, whether cloud-hosted or self-hosted, should not be able to access sensitive information without the user's permission. Open-sourced solutions offer additional layers of trust as there are more eyes are on the product and can vet it for security Passwordless authentication is the future…

Adopting Zero Trust

1
Adopting Zero Trust: Empathetic Leadership with Kyndryl’s Kris Lovejoy 57:45

לפני 2 years57:45

57:45

For many, cybersecurity is seen as a cost center that reduces risk to the business. This can be oversimplified to something akin to how HR reduces people-related risks but comes with layer on top of layer of complexities ranging from technology to physical buildings and, of course, people. Regardless of organizational size, cybersecurity leadership requires a top-down approach, leaving room for discussion at the board level and aligning it with business goals. This week on AZT, Neal and I chat with Kris Lovejoy , Kyndryl’s (IBM spinoff) Global Security and Resilience Leader, former CEO of Virginia-based BluVector, and a former IBM CISO prior to being made GM of their security division. Having danced the line between startups and mega-enterprise organizations, there are few others who could so adequately discuss the role of cybersecurity leadership within modern organizations and why having a competent person at the helm is critical to the business (not just to reduce risk). We also play a bit of RSA buzzword bingo.…

Adopting Zero Trust

1
Adopting Zero Trust: Cybersecurity Innovation with Stanford Fellow AJ Grotto 39:14

לפני 2 years39:14

39:14

For more than a decade, Zero Trust as a concept has moved from a philosophy and now into a practical architecture and strategy that organizations can adopt. While Zero Trust encapsulates much of what has gone well in cybersecurity for the past 30 years or so, does it truly offer an innovative approach or just iterative change? Is the concept positioned well so others can adapt it to their needs and prevent greater cyber-related risks? While we know it’s certainly not a silver bullet, and use cases are still reasonably immature, there is a firm argument for it helping to drive cybersecurity innovation forward. This week on AZT, Neal and I chat with Andrew “AJ” Grotto, current Stanford University Fellow and Director of Security at Turtle Rock Studios (makers of Back 4 Blood and other popular video games). Prior to his current roles, AJ was an advisor at NIST and was the Senior Director for Cybersecurity Policy for The White House National Security Council. As a practitioner and academic who danced the line between public and private sectors, AJ is well suited to help us navigate the question of what drives innovation around cybersecurity if the federal government is behind the curve or creates chain reactions, and where policy comes into play.…

Adopting Zero Trust

1
AZT: The National Cybersecurity Strategy 55:36

לפני 2 years55:36

55:36

This week on AZT, we chat about something timely and impactful to everyone in the cybersecurity and users impacted by related decisions: the new National Cybersecurity Strategy ( full strategy here ). Our guests this week are Tony Scott and Ilona Cohen, both industry powerhouses and experts well-equipped to navigate this complex document. Ilona Cohen is the former General Counsel at Office of Management and Budget (OMB), was an Associate White House Counsel and Special Assistant to the President during the Obama administration, and is currently the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne. Tony Scott is the former U.S. Federal CIO during the Obama administration, has worked for brands such as Disney and GM, and is currently the President and CEO of Intrusion. Together, they both experienced the Office of Personnel Management (OPM) breach of 2015, and have been involved with the ever-shifting threat landscape that impacts and leads to new initiatives like the latest National Cybersecurity Strategy. In particular, it resulted in the Cybersecurity National Action Plan , which resulted in the first bug bounty program.…

Adopting Zero Trust

1
Adopting Zero Trust: Open Source 58:46

לפני 2 years58:46

58:46

This week Neal and I continue with our exploration of new formats, and this time we go one-on-one with the Founder and CEO of Netfoundry, Galeal Zino . Prior to Netfoundry , Zino spent much of his career traversing R&D, and later moving into a key role for Tata Communications. Though Netfoundry’s bread and butter is a Zero Trust Network Access (ZTNA) solution that can be built into other technology via API and even supports IoT systems, and they also manage OpenZiti. OpenZiti is an open-source self-hosted solution of a similar nature with input and contributions from Zero Trust and developer communities. Rather than honing too deep into the technology aspect, Zino and Neal go down the rabbit hole of open source tools and communities and why they are so critical to much of today’s existing security infrastructure.…

Adopting Zero Trust

1
Adopting Zero Trust with Author George Finney: Approachable 50:43

לפני 2 years50:43

50:43

Zero Trust as a concept or strategy on the surface appears simple in nature. Heck, it’s only two words. However, when push comes to shove, and it’s time for organizational adoption, Zero Trust impacts every aspect of a business in the form of a digital transformation. Fortunately, for every complexity and question, there is an answer and solution, which is where our latest guest comes into play. This week on Adopting Zero Trust (AZT), we chat with infosec author, practitioner, and educator George Finney about ways to make ZT more approachable. Finney is the best-selling author of Project Zero Trust, which currently offers the most approachable way to understand John Kindervag's 5-Step methodology for implementing Zero Trust, the four Zero Trust design principles, and how to limit the impact of a breach.…

Adopting Zero Trust

1
Adopting Zero Trust: Zero Knowledge Authority 48:50

לפני 2 years48:50

48:50

This week we have a two-for-one special and feature our newest panel-style format. On the practitioner side, we have crowd favorite Andrew Abel, who currently works with a financial institution, but has worked across multiple other industries in the past. On the Zero Trust technology side, we have Michael Loewy, Co-Founder of Tide Foundation . Tide Foundation lives between authentication and micro-segmentation, or if we look at CISA’s Foundation of Zero Trust principles : identity, network/environment, and data. The solution also impacts devices and application workloads, which means they fully align with the philosophy behind Zero Trust. On today’s episode, we ground Zero Trust back to reality with how much implicit trust can truly be removed, dig into the concept of Zero-Knowledge Authority and how it chips away at ZT gaps of today, and follow up with Abel on how ZT has changed over the past 6 months.…

Adopting Zero Trust

1
Adopting Zero Trust With Ismael Valenzuela: Less Trust 48:47

לפני 2 years48:47

48:47

This week we chat with Ismael Valenzuela , VP of Threat Intel at Blackberry, a 13-year SANS instructor, and has balanced his time between educator and practitioner for decades. Before peppering Ismael with our usual questions and falling down the rabbit hole, we dug a bit deeper into his background and what drives him to split his time between educating peers and working for some of the biggest names in tech. On the docket for this week is Zero Trust as a philosophy, why Less Trust is a more applicable term, and the need for a threat model to narrow down your protect surface. As a side note, Ismael also just published a new post highlighting findings from BlackBerry’s new global threat intel report. The team will also discuss these findings today (Jan 26) on LinkedIn live .…

Adopting Zero Trust

1
Adopting Zero Trust: Season One is Wrapped 49:52

לפני 2 years49:52

49:52

Welcome to the last episode of season one, where Neal and I go on a rambling adventure and look back on some of the interesting and eye-opening conversations we’ve had over the past few months. To wrap things up, and what was supposed to be a 20-minute conversation, we felt it was time to better introduce ourselves to our listeners, discuss some plans for season two, highlight perhaps some aspirations of bringing AZT into the real world at a conference or two in 2023, and that we will finally open the doors to Zero Trust technology vendors. Since this is our season one wrap episode, and much of what we cover is a stream of consciousness, there are no key takeaways. Swing back around in January as we kick off the next season with another group of amazing guests. We have plenty of surprises in the works, too! We hope your year winds down well, and we will cross our fingers for no X-mas cyber incidents.…

Adopting Zero Trust

1
Adopting Zero Trust with Chase Cunningham: The Doctor is in 56:17

לפני 2 years56:17

56:17

This week we chat with Chase Cunningham , Doctor Zero Trust himself, about the decade-overnight success of Zero Trust, how he got involved with the concept, and methods for navigating vendors wanting to shape the concept. For those initiated into the world of Zero Trust, you are no doubt familiar with his podcast, regular LinkedIn musings, and history as a Forrester analyst. Beyond the podcast, Chase is the CSO for Ericom Software, has a long history in threat intel, and built a significant track record while at the NSA as a chief cryptologic technician.…

ברוכים הבאים אל Player FM!

Player FM סורק את האינטרנט עבור פודקאסטים באיכות גבוהה בשבילכם כדי שתהנו מהם כרגע. זה יישום הפודקאסט הטוב ביותר והוא עובד על אנדרואיד, iPhone ואינטרנט. הירשמו לסנכרון מנויים במכשירים שונים.

תקשיבו ל-500+ נושאים

דומה לAdopting Zero Trust

Apple AirPods Pro 2 Wireless Earbuds, Active Noise Cancellation, Hearing Aid Feature, Bluetooth Headphones, Transparency, Personalized Spatial Audio, High-Fidelity Sound, H2 Chip, USB-C Charging

Big Spot 'N Bop! The Giant Wobbly "Find It First" Game, A Fun, Active Race For Mind And Body, Run Around The Giant 4 Foot (122cm) Inflatable Bopper To Find And Match Images, For 2 Or More Players, 4+

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

פודקאסטים ששווה להאזין

Adopting Zero Trust « » AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

פודקאסטים ששווה להאזין

ברוכים הבאים אל Player FM!

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

Bounty Quick Size Paper Towels, White, 8 Family Rolls = 20 Regular Rolls (Packaging May Vary)

Amazon Basics Dog and Puppy Pee Pads with Leak-Proof Quick-Dry Design for Potty Training, Standard Absorbency, Regular Size, 22 x 22 Inches, Pack of 100, Blue & White

The Let Them Theory: A Life-Changing Tool That Millions of People Can't Stop Talking About

דומה לAdopting Zero Trust

מדריך עזר מהיר

Adopting Zero Trust « »
AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices