Adopting Zero Trust: Open Source

Season Two, Episode Four: Featuring Netfoundry CEO Galeal Zino

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google.

This week Neal and I continue with our exploration of new formats, and this time we go one-on-one with the Founder and CEO of Netfoundry, Galeal Zino. Prior to Netfoundry, Zino spent much of his career in R&D before moving into a key role at Tata Communications.

Netfoundry’s bread and butter is a Zero Trust Network Access (ZTNA) solution that can be built into other technology via API and even supports IoT systems, but the company also maintains OpenZiti, an open-source, self-hosted solution of a similar nature built with input and contributions from the Zero Trust and developer communities. Rather than digging too deep into the technology itself, Zino and Neal go down the rabbit hole of open source tools and communities and why they are so critical to much of today’s existing security infrastructure.

Editor’s Notes

The White House just released the newest National Cybersecurity Strategy, which of course encourages the implementation of a Zero Trust Network and architecture. Find the full strategy here and Brian Krebs’ highlights here.

Key Takeaways

  • Open source technology thrives when community has a shared interest

  • ZTN/ZTNA offers secure access without opening firewall ports (if not, don’t use it)

  • Shared responsibility model means everyone in the supply chain owns/contributes to security

  • Security communities drive innovation and offer a collective defense

Weekly Zero Trust Headlines and News

Most of the content about Zero Trust is opinion-based, but here are some impactful news stories from the past couple of weeks.

Episode Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: everyone and welcome to another episode of Adopting Zero Trust or AZT. I'm Elliot, your co-host, mostly producer. Uh, we have Neal, our mouth and voice of the, uh, podcast.

And today we are going to jump into one of our newer territories. Uh, and for that I'm gonna actually hand this off to Galeal, who is the co-founder and I believe CEO for Netfoundry. Um, your background lends itself to, uh, a significant amount of expertise. You have been in executive and entrepreneurial roles before, but um, maybe you can give us a little bit of background into what has led you to where you are today.

Galeal: Awesome, Elliot, Neal. Pleasure to be here. Yeah. For better or worse, 20 odd years trying to get packets from point A to point B with some security and reliability. And a few years ago realized, hey, that's a little too hard. Why don't we try to reinvent the playing field, uh, build security into, into networking.

And that led to the start of Netfoundry, which you mentioned. It also mentioned, it also led to the start of our open source open.

Elliot: Excellent. Uh, and before I kind of jump into it, I do want to give a shout out to, I believe it's Philip, who has been very diligent in connecting us together. Uh, I think he actually hunted me down on Reddit after I was annoying people about Zero Trust, which I'd like to jump on the soapbox, so, thank you for having such a wonderful and engaged team who's been really supportive of making this conversation happen.

Um, but yeah, sorry,

Galeal: it. They, they find us a lot of good conversations cuz they're enthusiastic for good reason.

Elliot: Yeah, absolutely agreed. Um, so really there's two focal points that we're gonna dive into today. And both of these are concepts that we have not had, um, you know, covered in past episodes. Um, so the primary one is we're gonna focus on open source as it relates to zero trust, which is right up your alley.

Um, but usually when people think zero trust, and we're looking specifically towards the technology side of the house, you know, open source isn't really, uh, the first thing that comes to mind. Usually you're looking at like SASE and very expensive things, whereas open source is more, you know, open in nature and doesn't necessarily come with a huge price tag, but requires some hardening and all that stuff.

Um, so I'd love just, uh, general, you know, what's your general take on, you know, why open source more than anything? Uh, what value does it bring and what is like the goal behind going open source instead of something proprietary?

Galeal: So the innovation enabled by open source as opposed to closed proprietary is reason number one. I'd say reason number two, especially when it comes to things like security networking, you, you don't always want to trust what the tin says, like you want to get your hands on it, get under the hood. Uh, play with it.

Number three, security. And I know this is controversial, but you know, go ask most folks what the most secure OS is and they're usually gonna come up with some Linux variant, and that's for good reason. Um, yes, there's pluses and minuses to being open source, um, but we can find plenty of examples out there, um, where you can get.

That magic that we like to say, those three ingredients, you enable the innovation, um, you enable people to tinker or play to see what's in the tin. Um, and a net result can be really, really secure. That's, that's, that's why we've made the efforts to kind of build the OpenZiti Zero Trust community.

Elliot: Excellent. Yeah, absolutely makes sense to me. Uh, and again, I think open source as it regards to cybersecurity is pretty impactful. People feel more involved, more empowered, they know it's under the hood. Uh, whereas proprietary systems, you know, uh, I, I don't wanna like stretch too far, but if you don't know what's under there and you don't know how it's functioning, it's a little bit harder to kind of wrap your head around that.

So that makes sense. I can certainly get that. And then Neal, uh, not only is he our resident threat intel guy, but uh, the community aspect is highly relevant to his space and what he does working with, um, threat intel sharing organizations and groups to that extent. So I'm sure he's much more equipped to be able to kind of chat through the open source concepts and you know why that's so impactful.

Neal: Yeah, I'll, I'll, I'll take a few stabs here for a moment, but, uh, for me, open source, anything. Open source is always better for a community, period. I, I think it's important to have both privatized iterations of whatever that standard may be or that construct may be, and have those industry verticals that are trying to do their own thing.

And if we think about just OSS as your reference point, Linux versus Apple, you know, OS X versus Microsoft, pick a flavor, versus Unix and structural things like that in the day. Um, I, I think when you get topics of conversation that come out of the privatized iterations of some type of product, you have a very fixed way of looking at the solution and it gets very constrained into what's gonna happen.

And now they get their interesting niche, they get what they do well and they, you know, to be fair to OS X versus Microsoft, they do what they do very, very well. Um, but what they don't do very, very well is the things that a lot of the open source standards tend to pick up and made better initially. And for me, looking back on this stuff, uh, we look at like Apache web servers and, and versus IIS and things like that.

When Microsoft first started trying to dabble in that world, you know, they sucked at it and they, point of perspective, they may or may not still depending on what you like, uh, so don't yell at me if you're a Microsoft fangirl for web service type stuff, but point being, they started something. Apache started something because they saw an opportunity to make things better as a community and actually listen to what people wanted to have done right.

And I think because of that metric, both products actually became better. You have a standardized, paid for product that you can get that you don't have to worry about doing a whole lot of things. That does do typically what it says it's gonna do, and that's about it. And you really have little say in where it's gonna go after that because it's a big beast.

Um, but then you have open source standards that help push the barrier forward. And then at some point in time, the other dogs in the room tend to come back and look at those larger open source and see how they can start to listen to a community that's already bought and paid for it with their own blood and sweat and bring it back in.

And then open source gets to go to the next echelon and keep moving forward. So for me, that's my perspective on open source and why they're important. They drive both the privatized iteration as much as they do the community involvement aspects around security and other things and development. And I think it's a win-win for both sides.

So it's kind of neat to see this perspective in particular.

Galeal: Ah, no, I love that definition, Neal. You know the community. I can tell you, I mean, listen, we have a lot of innovators at Netfoundry, but nothing compared to the community at large. And the reality is networking and security tend to be glue, right? Like not many people go build networks for fun of it. You build a secure network for a reason.

Um, so if you could take some open source, secure networking and use that as an open source ingredient into something cool that you're building, or innovating or iterating on, you know, then some magic happens. Uh, so like that community aspect, Neal, we feel is really relevant, especially to kind of glue type stuff, security, networking, OS, you know, things that you can build and innovate on top of.

Neal: Yeah, agreed. To Elliot's point, I work a lot with communities in general, both my nine to five and other stuff. And I know people who do actually listen to this podcast are probably getting sick, tired of hearing this. But I do a lot of stuff with ISACs and ISAOs, so, so you're aware, uh, I do a lot of community involvement type things, uh, both for the job as well as offline for my, my personal affairs.

Um, I've never seen anything on any industry vertical grow without some kind of community involvement. Uh, you know, if you've got an idea, if the community's not bought into it one way or another, then why the heck is it even there? But more importantly, you know, we have a, especially in a startup world, whether you're an open source project or a privatized project, wherever that may be.

You know, we got a finite amount of resources to go towards things, and I think open source efforts are amazing at being able to drive things faster and, and more timely to the actual resolutions of what's needed. And so I think we'll drill into this a little bit more about what that means from the security nature of this here in a few seconds.

But, uh, yeah, I, I think. Soapbox slightly over, but I'm a huge proponent of the open source format of pretty much everything. And anytime someone forces me to use something that's not open source, I tend to scream, kick, and scream a lot. Um, I am doing this podcast on a MacBook, but I'm doing this on a MacBook with a VM of Linux.

So let's, let's I, yeah. Different thing to think about, but it is what it is. So, uh, I try to squeeze it in wherever I can. So on that note, thinking about this a little bit more verbose, so I know like you mentioned, y'all are, y'all are the open source community as it stands right now for Zero Trust. Y'all have the projects that you have.

So can you kind of just give us a little bit more highlight around the actual platform that y'all have put together and then we, maybe we can kind of drill into what that means a little bit and then swing back into the security implications of an open source community in Zero.

Galeal: Absolutely. Uh, I will try to stay away from the zero trust words itself a little bit to, uh, to, uh, it's become cloudified, right?

Neal: We, we, we need a buzzer real quick. Sorry. We, we need a buzzer Elliot. Anytime someone's intelligent enough to say, buzzword sucks. This, we just need to get like an air horn bomb or something and just, you know,

Elliot: Yeah, I'll just edit that and we can make that happen.

Galeal: We talked about like the tip jar, right? Like every time you say those words, like you put some money into the kitty, um, that can fund something good, you know, like, uh, but I think words like, you know, micro segmentation and defense in depth and layers of security. Well, those are more interesting conversations.

So what does Ziti enable you to do? You know, forget about the features and all that crap for just, just a second. You have an application. You want that application to be delivered in a secure manner. You can take a Ziti SDK, you can compile your application on that SDK. No matter what set of edges or clouds or networks your application is then gonna pass over.

It's gonna do so in a secure overlay. And by security I'm talking about things like mTLS and encryption and least privileged access. Um, if I zoom out just a little bit, you could actually without things like you're just, you're gonna take like all your open inbound firewall ports like your ACLs, and you're just gonna go default deny all, like, you're never gonna allow anything inbound on your firewall.

Again, outbound, you're only gonna talk to a private overlay network. Um, same thing for your link listeners. You don't have to listen to the internet anymore, uh, from a, you know, just slightly different perspective. Again, this is basically creating a private overlay on the internet, you know, without the, the horrors, let's say, um, of things like VPNs, port forwarding, RFC 1918 overlap, uh, IP overlaps, that, that's the ideal.

Neal, make it really, really, um, simple and secure. We think they're both important, like if it's secure or not simple, forget about it. Uh, for application providers to, uh, control the network end to end.

Neal: No. Fair enough. So this is gonna open up a can of worms for me. Uh, we, we actually talked about this loosely on the last interview that we just did, last podcast, and we've hit on this loosely and some other things. Uh, but the flavor of the, of all last year, and courtesy of SolarWinds the year before, has always been supply chain risk management.

Right. And so you kind of hit on this a little bit around the implications of, of what Zero Trust, quote unquote, can bring to bear in this construct. And I think this is important. I mean, I, I imagine everybody should think this is important, but the implication of what you're producing and the validation checks that you're trying to build into this, around that, that layered structure, and mitigate hopefully the next SolarWinds piece, right?

I mean, I think that's kind of the implication here behind what you're providing is some kind of blatant strategy that's more than just email me and, uh, password encrypted with the password infected, right? It's crap like that. Uh,

Galeal: Spot on. I mean, listen, I mean, listen, SolarWinds, they just, they lost the lottery, right? I mean, it could have been anyone, but it was SolarWinds. Uh, and, and I'll use the example cuz Loop One is a SolarWinds partner. They're a public partner of ours as well, right? So what Loop One could now say, just to use your example, Neal, um, as an MSP or as an MSSP, folks without some type of secure solution are essentially conduits for the next problem, whether it's supply chain or a zero day or configuration issue, or you know, the MSP themselves got breached. Now they're a conduit into their customer's network. Unless they can say to all their customers, you know what? No inbound access. I don't need public IPs. I don't want any of your firewall ports to be open.

Period. You know, I want to be, I, I hate to say secure by default. Nothing's like totally secure. Um, but, but you get the idea, Neal, right? Like, like Loop One can now go to like their SolarWinds customers or big time SolarWinds distributor. They could go out to their customers and say, hey, we'll service you and no, you do not need to whitelist a bunch of IPs and no, you do not need to gimme public IP addresses. That's, that's how we try to make this thing a little bit more real to.

Neal: Yeah, so. I have a quick curiosity question around this, and I, I think it's really cool. Maybe we can come back and unpackage the, uh, SolarWinds loop one connectivity. I think that's really neat to see and, and maybe highlight lessons learned that they've obviously had and, and what that means from your perspective for them moving forward.

Uh, and hopefully some ideas around don't be too little, too late approach. Uh, but I, I just incidentally learned about something this past weekend that's supposed to be part of a supply chain mitigation strategy in, in Euro land. Um, and so I'm oddly curious, given what you're doing, if there's either tie-ins or if you're aware of the construct, and it's something called, uh, TISAX, um, and it's hosted by enx.com as another weird Euro thing, and, and I only bring this up only because I looked at this and it was initially fixated on the auto and some other weird things, so I, I just didn't know if there's, if you've heard of it or if you have thoughts on this and how that's working from a supply chain mutualism perspective.

Galeal: Heard of it. Don't have intelligent thoughts 'cause I haven't really looked into it. I'll say a little bit more generally, Neal. Supply chain problems themselves generally not gonna help with, um, we're essentially assuming that there are gonna be breaches and vulnerabilities along the supply chain.

There are gonna be zero days. I am gonna include some libraries that I don't really know all the dependencies for. Like there are gonna be problems, but what we can do is we can assume that those problems are gonna be there and we're gonna say, well, let's reduce the attack surface, like rather than you facing the internet with a, a set of whitelisted IPs or VPNs or whatever horrible stuff you're doing there.

Um, how about, how about we shut all that down? So even if you do have a vulnerability or, or better said, when you have a vulnerability, it can't be exploited from the outside. Like your pants aren't on fire while you go to address that vulnerability because it's not crushed from the internet. Um, so you still have to fix it, obviously.

Um, but you can do so knowing that while you do so, you know, the, you're not getting, you're not exposed to the internet. That's, that's kind of the tie in generally, Neal with those type of, uh, supply chain solutions, they work, they work together like peanut butter and jelly, let's say. I would say you need both.

Neal: No, that makes sense. So you kind of hit on a fun one. Uh, attack surface and, and some other neat things here. So, uh, with, with the approach in securing some of these aspects, can you kind of elaborate a little bit more around, uh, kind of y'all saw and approaches to that the attack surface or, or someone won, popped off a really good phrase yesterday.

Protect surface versus attack surface and other weird fun stuff. But, uh, you know, you kind of allude to the fact that I, I like to poke and pro is, it's not a matter of if, it's always a matter of when, and it's not a matter of, you know, being able to secure the human, you're never gonna secure the people in the loop.

So you should always make the implication that something somewhere is going to get compromised at some point in time, cuz people are people. Uh, so kind of drilling into that a little bit more and y'all's thoughts and approaches on, on that aspect of life and what y'all kind of consider for steps to doing things that are in that.

Galeal: Absolutely. I'll start with identity because we are taking advantage, of course, standing on the shoulders of giants, however you wanna look at it, of a lot of very nice solutions that have been developed. Sorry about that guys, on the, uh, if that phone is coming through. The identity instead of an IP address becoming really important.

So X.509 certificates, private/public key standard cryptography, like, like the standard stuff that most applications do, but putting that on the network. So basically saying like, hey Neal, if you're gonna let me talk to your server, you're not gonna do so because I have an IP address that you trust.

Nope. You are going to issue me basically an X.509 certificate, um, that says I'm Galeal and I have access to these microservices, this five tuple set of things, whatever it is on your server. Um, and that obviously has to be cryptographically authenticated and authorized. Um, what's sitting in the cloud in the middle, in, in my little simple example between let's say my laptop and your server, Neal, um, are, is a fabric of nodes, routers that we built in-house.

These are Ziti routers, open source like everything else. Um, and basically what's gonna happen, Neal, is your server is gonna open up, uh, outbound, of course an identified, authenticated, authorized socket. Um, and it's gonna listen on that private network. Let's just call it one router to keep it simple, but it could be however many routers you put in the Ziti network.

Um, and my laptop's gonna do the same thing and if the policy says, hey, yeah, that identity can talk to this identity given these conditions, and we can layer in MFA and all those good things and attribute based access, then great, we're gonna connect those two things. Um, and the obvious kind of result of that is now on both sides of the connection.

Like Neal, on your firewall, you know, your inbound firewall rules say, well, deny everything. Like I don't have to worry about Galeal trying to request access to my server, um, because I'm joining the sessions this way out. Uh, that's the, that's the main idea. Obviously there's a bunch of tech stuff in the middle.

We can go, we can dive into that stack if you want. Um, but the idea, um, is start with a secure identity. Validate it nine ways to Sunday at a least privileged access level and let nothing else in.

Neal: Yeah. So I think that fits fundamentally with some of the things we've discussed, uh, prior. So on, on that note, when we start thinking about, uh, authentication Pass, and I probably, this is my lack of understanding, more of what Net Foundry brings to bear and the platform as a whole. Um, but is there, are there blockchain implications for what y'all are working towards or utilization of the blockchain and that type of stuff for current or future iterations of the.

Galeal: No, think more CA, certificate authority, um, bootstrapped into the Ziti technology. Uh, that's the case both, Neal, with the OpenZiti, um, and the CloudZiti. So the CloudZiti is essentially managed hosted fabric. That fabric that I was just talking about, those fabric routers, uh, things like the CA are built right in.

Now, if you wanna use your own. You can do that too. Like we support RFC 7030. Fantastic. Um, and you can set up a, you know, a, a series of trust. That's up to you, right? There's no such thing. Obviously zero trust, right? Who, who do you trust? Um, but you don't want to get into the, uh, PKI business. You can just use what's already built into Ziti.

Neal: That makes sense. And so you just touched on another fun piece is the whole point is the are trusted, it's obviously not zero trust across the board. There's obviously at some point in this structure, there's some kind of implied trust that still is going to happen somewhere, somehow sometime. Uh, but what you do to secure, what happens after that is what's impactful, right?

So, you and I still need to be able to have a conversation because we know it's just you and me having a conversation. But what happens to the stuff that we're talking about afterwards, that I think is where people need to understand that back to the never really gonna secure the human, but you can probably find a way to really secure the stuff the humans are using and talking about.

So there's still some human in the loop implied trust, but at the end of the day, you can still lock what they're touching down in the right infrastructure to, to make sure we're not screwing it up.

Galeal: Completely agree. And you know, because these concepts are all software that I mentioned, uh, you can do this for APIs, you can do this server to server, you know, you can do this for, for any use case. Uh, you don't even need a human there to basically do the whole X.509 certificate, you know, identity authentication, authorization stuff that I just talked about.

Um, all the core fabric routers and controllers and policies, that's all programmable stuff, right? Use Terraform, use your, use your DevOps tools of choice, hit the APIs directly. Use our web console if you want to. Um, but essentially make the whole thing software instead of relying on kind of a series of human configurations.

Neal: Yeah, so I, I love this. So we will hit on the API piece as well, but when we start talking, Uh, automation and some of the other fun stuff that goes in there. Um, before we get down that rabbit hole, I have one last little question around the identity access management pieces that you're hitting on. Uh, this has been a personal curiosity of mine.

I've talked about this on prior podcasts out of morbid curiosity, but there's the whole biometric fingerprinting things, passwordless security, this password that. Right. Uh, and before I ask the actual question, I'll caveat this by saying I don't think there's a world. Passwordless goes completely there without your fingerprints being a little more exhaustive in the quote unquote zero trust mentality of what that brings to bear.

Um, but I do like the aspect of the whole biometrically enabled constructs that the passwordless piece gets. 'Cause at the end of the day, it's all ones and zeros, regardless of whether you're typing in a 500 character password or you're letting it scan your face and your fingerprints and, and looking at, you know, your pictures from 1999 on a BBS as a, all right, it's all ones and zeros regardless.

Uh, so my curiosity question then is passwordless security as a construct in this realm and being able to identify a user based off of what they're doing and applying that as part of these add. Stop gaps for what's there, at least as an additional metric. Do y'all see a future for that within some of this build out?

Galeal: We're not, we're not doing it, uh, directly, but we're doing it indirectly. So the only direct identity that, or fact, let's just call it an identity factor that we're adding, is that X.509 certificate that we've kind of bootstrapped into the service, really great. So if you have a server, IoT device or something like that, that doesn't have a human in front of it, you can use that X.509 certificate, it's gonna sign, its private key.

You're gonna be able to validate it. It's gonna validate the servers it talks to. You're gonna do all your mTLS stuff. Fantastic. If there is a human there, we support multifactor authentication, um, with whatever is there. So they have a YubiKey. Fantastic. Um, they're doing something more sophisticated with WebAuthn.

They're doing biometrics, they're doing fingerprints. They're doing, you know, retina identification. We're not doing that. Um, but our APIs are, are tying into it to say, to allow you, Neal, let's say, to say, hey, for my super secure application, I require six fingerprints from Galeal, two eyes, this, that, and the other thing.

Right? Like, we'll just tie into to, to all those other layers,

Neal: The three urine sample is all you know for no. Uh, no. So I think that's good. So that, that's, that's perfect. In line with what I was hoping for from an answer. So this, this kind of teases up a little bit where, back to the impact of open source, you know, we get into certain things, uh, where back to MFA as a construct, TOTP, you know, trivial one time password as a standard, that that's not, that's an industry standard now, right?

Obviously. So if you build some kind of MFA thing, you hopefully build it with TOTP in mind, but TOTP itself, I know someone's gonna correct me if I'm wrong, but I believe that was an open source construct that was industrialized, uh, or at least started off private and then became an open source construct for standard.

I, I'd have to go back and pulse check, but regardless, you know, being open source allows you to be more flexible in your approach to some of these security processes and grow a lot better. You know, if you get constrained at once again, back to the Microsoft/OS X paradigms, for both those companies it takes 'em a long time to shift certain things that aren't specific for them to a larger, broader technology.

They look at some of as simple as USB, right, thank you, people up here in Austin and, and Dell and the rest of the crew that originally invented USB, but Mac app whores, it still to this day, they try to fight tooth and nail for a long time to keep Lightning as their own data standard. So much so when they put USB-C on the box, they just relabeled Lightning USB-C Lightning for a while, and now it's no longer Lightning.

It's just USB-C. So we've had USB as a standard for a very long. But fighting tooth and nail to keep your own industry standards and, and applicability. Open source avoids all that. Hey, this is a great idea. Sure, we'll incorporate USB into this today. We'll also incorporate B, C, D, F, whatever it may be, um, until one wins out.

It's like old school Betamax versus VHS. They were both there for a while until a very illicit industry picked one up over the other and made it financially feasible for everyone. But, uh, more on that podcast later. But point B, I think that's the wonder, wonderful, powerful thing about open source tech.

You're not constrained because someone at the table's like, no, I only like this and I will only like this. You have a community that speaks, you have a community that breathes and lives for whatever it is they're working on. They, like USB-C, USB-C is gonna be there. If they don't, it's not gonna be there.

Um, things like that. So I think that's, that's a fun thing. Um,

Galeal: Yeah. And by the way, we, uh, so TOTP you mentioned, and that is exactly, um, how we do our MFA integrations, makes it really, real easy for us, right, Neal? We support any TOTP source. Um, have added on your side, right? We don't have to go support six different things. Uh, same thing. We've seen, you know, the Kubernetes world, a lot of open source there.

Um, so people have done a lot of integrations between Ziti and open source constructs on the Kubernetes side. Um, even things like SPIRE, SPIFFE on the identity side. I'm sorry 'cause I forget one of those is open source and one of them isn't, one of them's based on the open source, but either way, like SPIRE or SPIFFE on the identity side, um, OPA, open policy advisor, like there's so many cool open source things out there.

Um, and we like to give our community the opportunity to integrate with those things.

Neal: Yeah. Yeah, I mean, that's awesome. I think that's perfect. So on that note, kind of moving into API security and structure, uh, I had a wonderful conversation with an entity a few months back that basically said, you know, we need y'all to not be reliant on just API authentication. Right. Just the standard

pathways that everybody uses right now, cuz it's just like anything else, it's not exactly that great. Uh, so can you kind of elaborate a little bit more on the API piece? I know once get certificate authorities, things like that, but building a better, building a better API world, I think should be of everybody's interest.

Galeal: Yeah, I'd almost divide it into two parts. So, so layer four through seven. We have a lot of stuff today for APIs. Um, a lot of the authentication authorization stuff that you're mentioning. Um, a lot of really good work. Increasingly, I hate to use another buzzword, but increasingly there is some good ML stuff going in there.

Right. Um, that's all layer four through layer seven. That's, that's really, really important. It's necessary, but, but it's not sufficient. Why? Because at layer three, you still have a public API. So if you have a zero day, if you have a business logic problem, if you have a misconfig, if you have an authentication or authorization bug, and, and I know like, no, no, no, we'll never have any of that.

No, no, no. They'll always have those things, right? Um, that's kind of where we come into play, Neal, we say, you know what, just. We used to do things like private MPLS based networks because we didn't want things to face the internet. Um, even VPNs, although usually the implementations are pretty, sorry. The idea was let's take things off the internet.

Um, the only reason we really didn't do that with APIs is cuz well, they're APIs. Like there's thousands or tens of thousands or hundreds of thousands of clients. Um, you know, like good. Putting all that stuff on VPN or MPLS, like we have to face the internet. We have no choice. Um, and that used to be right, but, but we finally realized, you know, there's, there is one way that you can kind of scale with code and it's to be code.

Um, so basically what we do is we, we say, okay. The API provider, instead of saying, okay, here's your block of code that's gonna query my public facing API, um, we give them a couple extra lines of code in the form of these Ziti SDKs that I mentioned earlier. Um, and those just few lines of code added to your API server.

If you're querying my API now, Neal, um, we'll, we'll kind of reverse that client. Um, that we talked about earlier. Um, you know, you want to query my what used to be public API. I'm gonna say, Hey Neal, sorry, I don't really like facing the internet anymore. Um, good news for you. You don't need a VPN client or an MPLS circuit or any of that awfulness. I will give you instead a block of code you add to your existing API query.

Um, and what's gonna happen under the covers once you do. It's gonna do all that X.509 stuff I talked about. It's gonna use that private Ziti fabric I talked about. It's gonna do some optimized routing. It's gonna do all kinds of cool stuff. But from your perspective, your life is the same. Plus those couple lines of code, from my perspective as the API producer, the the person who's offering you that API.

Now on my API gateway or my WAF, or my load balancers, or my firewall or whatever, whatever my API edge is, I'm taking that thing off the internet. Right? Again, default denial. Instead, I'm going to open outbound connections to that private Ziti fabric. Cuz I know in order for Neal to get on that fabric, he's gonna have to do a lot of stuff to prove who he is, , um, and consume my, my API.

So that's, that's the general API story. It's almost like taking private APIs, um, and making them accessible over the internet. Without being exposed to the internet, like you're gonna use the internet, but you're not gonna use by the internet. That's the idea with the the API, the secure API story.

Neal: No, that makes sense. Uh, so I, I think what's really cool about this, there's a lot of, obviously emphasis on, uh, or decent amount of emphasis on, like, you started off with the identity access management as a route, which that's obviously a very clear thing. That's, you gotta start there, you gotta secure those aspects of it.

So that's kind of a unique way to think about how to do that. . You know, I, I know there's some people who talk about API as a construct in the sense of authentication, kind of going the way of the dodo at some point in time. Uh, I think this starts to do that from a core competency perspective. What, what it means to be API, cuz there's the authentication aspects of an API, but then there's the actual data layer, right?

That what's going on within that connectivity. The connectivity can still exist without API as a standard for authentication and I think that's important for people to understand and then you secure the oth, you secure everything else that goes along with it. And then now it literally is just a data layer standard at that point, which would be really cool to see.

Oh, so that, thank you. That's kind of a neat perspective on it and, and the handshakes that go into doing this. And I think the big implication here for people to understand is it's also not making it necessarily more complicated in the grand scheme of things. It's just securing the process more thoroughly.

And once you build out the process, and it's still the same thing at the end of the day to go and connect, really, it's just you've done the right steps to make sure it is a more secure and robust piece to keep other people from doing the same.

Galeal: You said it so well, Neal, because the reality is usually if you can simplify something, you've also made it more secure in many cases. Um, and we have a lot of cases, uh, I'll use IoT as an example. Um, Things like smart meters, smart lockers, uh, these type of things, these traditionally are just a pain in the ass because you have to manage them from the outside world.

Um, and let's just say I have a, a smart locker and it's, you know, sitting Neal, uh, let's say you're running Whole Foods. It's sitting like on your Whole Foods network. I'm Amazon with my Smart Locker, right? Um, you know, I don't, and I'm providing that Smart Locker. I don't want to go to you, Neal, as the firewall administrator for Whole Foods and say, Hey bud, um, I need some open firewall ports for RDP, SSH and my APIs.

Don't worry, it's cool. Um, , or I need some static IPs. Do not change 'em because we're gonna whitelist them, blah, blah, blah. And if you change 'em, everything breaks. Don't change these IPs. Um, or I need support for Dean and, and like all this crap. Like, it makes it really, really difficult for like almost every IoT device.

So like what happens? A lot of them end up either off. So now if I want to do an OTA update or manage 'em, I have to do a truck roll, um, to who knows where. Um, , uh, or I do something pretty awful, like I have open inbound ports into this thing. Uh, and I am doing static IPs and I am open to lots of attacks because of RDP and SSH and all that stuff.

Um, so with this type of solution, you simplify all. Neal, um, and you say, you know what, guess what? I, I get it. You need the APIs, you need RDP, you need SSH. You can have all that, but you don't need open inbound firewall ports and you don't need public addresses, and you don't need static addresses.

There's another, there's a new way, there's a new art of the possible to make this thing more simple for you.

Neal: No, it's awesome. I love it. I'm, I'm, I'm all for it on this note, so this is a good deal. Uh, let me, I just lost my scroll back on my notes, so gimme one second. I had one thing I. revisit real fast was, so we talk about, you know, APIs. Uh, I can't read my own handwriting there. Oh, there it is. . Sometimes that happens.

So I, I think once again, kind of iteration on this, uh, securing these, these common pathways until we can come up with a better, I, I would say, I mean, in a sense, if we start to provide this layer of capability, then what's really neat I think is security gets more. More standardized at a strategic level for the entire server systems and, and infrastructure that you're running.

Right. I, I think is probably kind of how I'm starting to see this with, from y'all's perspective where. , we talked a little bit about API as both a standard of how to interact, but it also brings within its own security layer, right? And, and what that means for it. RDP, all these other things have their own key exchanges and all this other security layers and BS that goes with it.

And so, you know, whether it's port, you know, open up a particular port for whatever, whether it's, uh, securing a particular protocol for that standard, whether it's having a, just a simple username and password, but still it's being handled under that protocol variant, whatever that may be. All those things.

Additional echelons of, uh, protocols that can be compromised individually and uniquely. So I think when you start talking about wrapping this up into a larger paradigm, then maybe the longer term implication is hopefully the security protocol once again, moves away from those paradigms and they do become data standards like they sh kind of already are, but focused on that and making that better.

And then the security standard is this larger wrapper that's already standard. At a bigger scale for those communications pieces, right?

Galeal: That's it. That's it. Neal, I, I mean, this, this isn't new per se. Like we've tried to do this with things like MPLS for years and years and years. The, the things with MPLS, it's like boxes and wires, like they can only go so far. Um, and they were fine when, you know, we were talking to branch office, talking to headquarters, talking to data center, like terrific boxes and wires.

Great, um, expensive boxes and wires, but go, just do it. Now what we said is turn it into software, um, and do it by design, like make the application the new edge, the app itself, like rather, Building this expensive network, trying to secure the network and then throwing the apps on top of it. Say, okay, let's, let's kind of reverse this whole thing and let's say if you want an application session, you need to, to kind of procure your own little secure overlay with software, um, before we're actually gonna allow said connection, um, and make every one of them ephemeral software identity based.

You know, we let, like we say, sometimes, Neal and Elliot we say the app is the new edge. That's kind of what we mean by that. Like forget about trying to secure the network. Like you're never gonna secure a network. But, um, if I give the power to the app and I give the power to the developer and I give the power to the DevOps team, the net ops team, whatever, we're gonna call these teams these days.

Okay. And I make it all software. Now I have a chance, , that's, that's the call.

Neal: that's kind of, yeah, I like that. Um, thinking about, uh, , you know what that means for you. You touched this loosely IoT as an example, but cloud another buzzword, right? Cloud is a buzzword has been for a while, but it is what it is there. There's been people putting stuff in other people's boxes on the network since we invented networking.

Uh, cloud is just another marketing fun way to say, Hey, look, I can do more storage than they can. Uh, That, that being the idea though, the, the construct of moving things off-prem, uh, I think has, funny enough, it ebbs and flows right. But I think the construct of finally putting very sensitive things in a service provider like AWS, Microsoft, whoever it is.

has kind of taken off over the last couple of years, not because of COVID. I think it just happens to go inside with COVID a little bit more. But the standards for cloud security and things like that have also been highlighted a lot more verbosely over the last few years. So with the mentality that y'all are approaching things, you know, a lot of questions people have.

Traditional security process is, and we had this defense in depth, we had this, uh, hierarchical structure in our firewalls and our gateways and DMZs, all these other fun things. But now almost everything, including your desktop VM is being launched out into something in AWS world, right? Different threat, vertical in and of itself that people are finally becoming more comfortable with.

So back to this paradigm, securing the apps, I think is more important than ever because. Probably in the next, who knows, five, 10 years max. Most enterprises won't have anything physically located in their own office space from a data perspective, except some very, very specific requirements. More than likely, everything will be app driven, almost exclusively.

Galeal: Yeah, and I think Neal, the, uh, kind of inconvenient truth, like if you look at the quote unquote like shared responsibility model, I, I think is what they call it. What does shared responsibility model really mean? It means you, Neal, you, Elliot, you, Galeal, you're responsible for the networking. Between the clouds or between your private data center and the cloud, or between your user or IoT devices or APIs in the cloud.

Like that's you, like we AWS, Azure, GCP, whatever, like. That's not us. That's you, that's your part of the responsibility. Well, guess what? That's the hard part. Um, and so that's why we see, like I was joking about MPLS kind of before, like it's so funny, like the cloud is, is completely tethered by MPLS. Like, okay, we call it ExpressRoute.

If it's Azure or we call it Direct Connect, if it's at AWS and I forget what the other one's called. FastConnect for Oracle. What is it? It's MPLS circuits, like VPN. Same thing like Kubernetes. Like I might have my Kubernetes in, in GCP and Oracle and Azure, the minute I need to go north, south. Guess what?

VPN, you know, like, so, so it's, it's like the, the kind of inconvenient truth that, that we've kind of punted on all this. Um, and I, I think. The consequences are very plain. Like you see, like, you know, a cyber attack every single day, um, . Um, but, but I'm not so sure that we've, we've kind of like put everything together and realized like, okay, well wait a minute.

There's like this networking thing between these clouds. You know, it's, it's pretty darn important. And, and maybe we just need to shift the playing field a little bit, um, and play by a different set of rules.

Neal: Yeah, definitely. I, I also see a world where the concept of VPN as a security mechanism, uh, indirectly, kind of starts to go away with the right procedurals because once, I mean in, in a high. not real, but kind of similarity. When you're doing these microcosms of security between the comms lines and, and doing this zero trust approach to things in a roundabout way, it's kind of setting up its own virtual, private thing, right?

Obviously there's the handshakes that go on, that's a unique handshake between the two entities doing their things validated, secured in multiple fashions. VPN in and of itself in its name is still a network. If you can get in through the front door, you're still in. There's still a lot of other stuff going back and forth, and when we start talking about server to server comms and things like that, you still compromise the gateway.

You're still in and at the end of the day to everything at that

Galeal: That's, that's it. That's it. You're, you're, I mean, you might be trusting a slash 24 or a subnet or everything on a certain host, and not only you're trusting it, you're exposing it if that thing gets, you know, so in some ways, like even what we do, um, you know, called an application specific VPN, you know, with identities instead of IP addresses and with, you know, fabric and all this stuff.

But that micro segmentation and isolation is pretty darn important. Um, because like I mentioned earlier, like, well, anything can be hacked. Well, you know, so can our stuff, right? But you somehow kind of hack, um, our application micro segmented stuff. Well, that's what you got. You know, you have access between like this five tuple and this five tuple, and you want to use it to like a attack later.

You don't have a connection, , it's, it's, it's not there. You don't have access to an entire slash 24 subnet or host or, or whatever. Um, you know, you wanna take those encryption keys that like you just got because you're running quantum in your basement, um, and you wanna apply them to another session. No, every session's keyed independently because everything's done on a session by session, application by application basis.

That, that's why I think that, that, that micro segmentation and isolation are pretty darn important.

Neal: Yeah. Yeah, I think that's, I think that's the fun part. You know, from a long-term security implication perspective as a whole, everything gets secured by proxy of needing, you know, it's a need to know. So working in the government side of the house, this, I think this is the one thing that kind of blows my mind a little bit out here.

When I first came out to the, uh, Uh, to the private side of the house, moving away from public sector, military stuff. You know, when we're talking about classified information, we've had the con, the, the fundamental ideology around, uh, proof of verification of, you know, who you are at some layer before you get access to a particular.

Data set and it's, it's session by session to some extent, right? So on, on our classified networks back in the day. What we're doing here in the real world now is very, very similar to just a basic layer of what we kind of applied things on the classified domain. I had my security clearance that went along with my identity.

I had to validate my actual self being me on recurring basis through various PKI and, and. physical card, you know, CAC and all this other junk, every time I wanted to do stuff and then random pops up all this other junk. Uh, I, I think what's really neat about all that, we were doing that for a very long time and the company's people taking part in this, they're in my age bracket that had to put up with that crap for the first time on the government side where that more automated need to know process was at play.

So it's kind of neat that this side of the fence is, is catching up to that. We're calling it zero trust, but the reality is we're going a lot more, we're going a lot further beyond what we did over there on the government side, thank goodness. But I love the implications for people like me who had to deal with something similar from identity access control to bringing that out here, and then all that to say my age bracket of people have an implied desire for that layer of action here.

Anyways, so the last piece of that being adoption. and kind of where you see adoption within your own community and growth as large. Cuz we see the idea of zero trust, the NIST standard, the rewrite, and all the other stuff that just recently came out. Government adoption as a term, formally last year, things like that.

So on the last nuggets, speaking of all the adoption, the growth, the bandwidth, and things like that, that you see within your community.

Galeal: Yeah, a few use cases. We mentioned a couple of them. Remote management. You brought up the SolarWinds, Kaseya type examples. Uh, you know, listen, if you're an MSP, an MSSP, if you're a provider and you have connections into customer environments and if you're successful, many customer environments like dozens or hundreds, safe to think of those connections, uh, as conduits for potential bad stuff now.

Breaches, bad actors, whatever. Um, that's why I think some of those folks are moving at the forefront. They have more exposure, right? They, they might have hundreds of customers, uh, and they saw what happened with SolarWinds and, and Kaseya and everything else. So folks who are managing software on other people's networks or who are managing other people's networks, that's like one category. We see IoT

as a whole nother category. Um, and, and again, this is literally everything from, from smart meters to smart lockers, uh, to surveillance cameras, you name it. Those things are, are really, really hard to secure. Again, there's not a human in front of them. Like even if you wanna do MFA, you couldn't do MFA.

Like, um, that's a, a, a second category. And the third category is probably the, the pretty obvious ones, and includes mil/gov and it includes FinTech and it includes your. Compliance, regulatory, security conscious verticals, throw in some geofencing in there, and those type of requirements, you know, so, so regional type stuff.

Uh, and you have kind of a third leg of, of this, this movement. Um, and again, Neal, I, we can use the zero trust term that that's fine. Um, but I think it's, it's more of a recognition that in today's like, hyper-connected world, when my assets. All over the place, . Um, I, I, I need a little different strategy, um, than essentially boxes and wires.

Um, you know, I, I need a layered approach. Um, I need an ecosystem. The atom, if you will, has to be the actual application. And I need to do this thing all as software. I need it to be simple to your earlier point.

Elliot: Yeah, so, uh, appreciate you running us through, uh, the technical aspects and, uh, open source and API. Uh, I hope you don't mind pivoting over towards sort of the business side of the world and perceptions around, you know, ZT, uh, ZTA, ZTNA, those kinda elements. Uh, so I personally love, uh, I don't need to center myself, uh, shit talking VPNs.

Um, no one likes 'em. Um, but I would love to get your input, you know, as an organization. Essentially replaces VPNs in many use cases. But, um, what is the general conversation like when you say, Hey, you have VPNs, they suck, your people, they don't like them. Um, you know, what does that conversation look like? And, uh, as a secondary piece to that, um, is it realistic to say it can be a full replacement or is it, you know, based more of a use case scenario where like large organizations probably still have some situations where VPNs apply and you do that, but, um, between the two, I'd love some input on what that looks like.

Galeal: Yeah, typical conversation. Take a SaaS provider or an ISV, uh, who is providing their services and software in a distributed manner, you know, to like lots of people or devices or both. For them, they're like amongst, like, you know, if there was a, uh, crowd of VPN haters, like they'd be at the front of that crowd.

Um, they're dealing with RFC 1918 space. I mis say that RFC 1918 space overlap. Uh, they're dealing with the need to ask their customers for things like public IPs and static IPs. They're nailing up these VPNs. Um, there's a cost to doing business like you, you mentioned the business side, right? Like every time, like if I'm a very successful ISV and, and these are usually the type that are selling to franchises, uh, distributed places, et cetera, where they today.

Need of VPNs, like my cost of business. Like, oh, great, I just closed a hundred new stores. Oh, not so great. I gotta go nail up a hundred more VPNs . Um, so like, like those guys, their, their business case is like, usually on the operations side. It's like, oh, if I take the Ziti SDK and I build it into my application, then my users or my devices, they just light up my app the same way they do. and I don't need to go have a conversation with their InfoSec team or their ops team about VPNs and static IPs and open firewall ports and like whitelisting and apples and like, that's just gone . It's like, like, like their business case. Ironically, it's not even always about security. Um, sometimes it's about good old operational efficiency and speed and automation.

Um, that said on the security side, and you know, Neal referenced the, the US government, you know, mandate earlier in this conversation, there's definitely more awareness that, oh, just because I have a VPN, it doesn't necessarily mean that I'm secure . Um, and so, so that, that, that drives some business as well.

I, I do think, ironically, with all like the zero trust hype, the fact that folks have replaced a lot of VPNs with zero trust. I actually think a lot of that was during COVID, when actually people just wanted something easier. Like it was like, oh, today I as an IT department, I manage 50 VPNs and it sucks.

Tomorrow all my people are gonna be at home, including my executives, including this, and I'm gonna manage VPNs for all those people like and deal with their trouble tickets like, Thanks, but no thanks. Is there a better answer? Oh, you have something simpler called zero trust. I'll take some of that. Like, like, you know, a lot of these people bought this zero trust from vendors they knew, and I'm not even gonna talk about whether it was really zero trust or not.

I don't even know what that really means. Right? But, but better what they really, what they're doing is they're buying a simpler VPN. Um, I really think that drove a lot of the adoption in the last couple years. I do think what drives adoption in the next few years starts to look more like the conversation we had in terms of, this is my need for.

This is what I mean by defense in depth. This is what I mean by least privileged access. This is what I mean by mitigating my risk exposure to me and my customers and my partners and my . Like, it actually, I think, will become more of a security conversation than it has been in the last couple years.

That's, that's my view of, of, of how we see anyway, the, the business side development.

Elliot: And I fully appreciate your take and calling out, um, some of those basically cloud VPN solutions or whatever. Uh, Frankenstein creations that they've created, uh, certain organization that has created like a Zero Trust certification, even though it's really more like a technology certification towards their thing that just.

Rubs everyone the wrong way, and it gives the whole concept of zero trust the wrong name. So that is the premise, the antithesis of why we've created this podcast is, you know, to have conversations and it's just great to be able to talk with people who are providing relevant technology to the space who are very open and transparent about.

You know, with the reality and what is, you know, consciously just not there. There's some implied, uh, implicit trust and it cannot be fully removed. There is no silver, silver bullet and all that kind of stuff, so, um, yeah.

Galeal: Yeah. Yeah. I mean, listen, the Zero Trust term was like 2010. , like, like it made sense back then. Like, don't trust the network. It, it's just like now you're like, well, yeah, of course I'm not gonna trust the network. You know, why don't we talk about what I do need to trust and why and how I'm gonna implement it.

It's just a different conversation than it was in 2010. Um, that's why it's, it's a little bit ironic that the term now, you know, has, has all of a sudden, you know, now it's like a product that could buy, no, it's not a product that could. Really, I'm gonna buy zero trust. What else can I buy from you? Can I buy DevOps from you?

Can I buy some ai, some clouds? I mean, it, it's just not something you can buy, right? It's a . Anyway, sorry, I, I don't wanna get on like, a soapbox at the end of our media, but, but yeah, Elliot I, I agree.

Neal: good. You're good.

Elliot: No, and that soapbox is exactly where we float. So , that works out.

so with that said, I will not go too far further past that rabbit hole, but, uh, where can folks learn a little bit more about what you have obviously put out in the world, uh, and then also get involved on sort of the open source side.

Galeal: Open source side, just Google OpenZiti. Um, what you'll find is our GitHubs, you'll find our Discourse, uh, because we're passionate about what we do. You're gonna see on those Discourse, you're, you're gonna see fantastic conversations, um, where everyone on the OpenZiti team, CloudZiti team are out there just working with our peers, working with other developers, um, to innovate on OpenZiti. far the easiest way. Uh, you want to try the SaaS first, which again is just the hosted. Of OpenZiti. Uh, again, that's CloudZiti. You can do that as well. Uh, we try to make that really simple as well. You can go do that for free self sign up. Um, it's free forever for up to 10 endpoints. Um, it's depending on what you're trying to do, you know, you want to kind of see it in action, uh, and you wanna do that easily and see if it's something you care about.

You know, go do CloudZiti, do the, uh, do the, the, like I said, free up to 10 endpoints if you like what you see. Um, if it's giving you some results and you, you want to get deeper. Go to the OpenZiti, um, and start innovating or vice versa. You know, you wanna, you wanna play with the code itself before you know you wanna play with the SaaS.

Absolutely. Start on the OpenZiti side. It's, it's dealer's choice, if you will.

Elliot: Excellent. So thank you so much for that information and sharing some of your insight and expertise. Um, you know, this is not an area again that we've been able to jump into, uh, in the past, but, um, open Source obviously has a strong future as it relates to Zero Trust in general. API is obviously a very big thing, and I won't smash into any headlines for recent breaches, which obviously API is very, very relevant.

Uh, we try to avoid that particular topic, but tha

Galeal: to name anybody.

Elliot: Yeah, exactly. Uh, so again, just thank you so much for, uh, you know, being our Guinea, one of our Guinea pigs for this kind of, uh, newer format, being able to chat through the technology side of the house.

Galeal: Yeah, good conversation. Uh, I appreciate the dialogue. Always good to talk to folks who are, uh, working on the same type of things we are. And again, quite frankly, it's exciting to me. I mean, just as an app developer, the fact that you can. You, I mean, forget about Ziti, right? You are going to be able to, with some type of technology, hopefully OpenZiti, uh, you're gonna be able to embed your trust network into your app, uh, get end-to-end security visibility, control compliance.

Pretty darn cool. Um, so looking forward to working with folks to continue making that happen.

Neal: Yeah, just, uh, what we already mentioned, get your butts involved in open source somewhere somehow. If, uh, obviously now you know where to go for zero trust. If you're, uh, if you're into the open source world and giving back, or at least being curious about what it looks like under the hood, more, here's your chance.

So look forward to seeing what it brings. And, and thank you again, Galeal, for jumping on with us today.

Galeal: Neal Dennis has the best beard I've ever seen and that's on Zero Trust.

Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.