Adopting Zero Trust
The Current and Future State of Zero Trust With Forrester’s David Holmes

Season 3, Episode 4: Forrester Principal Research Analyst on Zero Trust, David Holmes, shares his perspective on the current and future state of Zero Trust.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

Zero Trust is a concept, a strategy, a philosophy, and, for some poor souls, a solution you can buy (it’s not). Through our three seasons, we have heard about MVPs, learned from the godfather of Zero Trust, been aided by Dr Zero Trust, and even heard from current and former federal officials about their stance on the concept. However, we have yet to touch on the current and future state of Zero Trust, and for that, we look to Forrester Principal Research Analyst on Zero Trust, David Holmes.

Prior to joining Forrester, David spent a decade researching, writing, and speaking about cybersecurity topics for network and application security vendors. Before entering the cybersecurity space, he was a C/C++ software developer specializing in authentication and authorization, network protocols, and cryptography. So you could say he knows a thing or two about the subject at hand.

TL;DR

  • Holmes explains that Zero Trust's core principles remain unchanged: all networks are untrusted, least privilege access is enforced, and everything is inspected and monitored.

  • The COVID-19 pandemic has accelerated the adoption of Zero Trust as organizations were forced to work remotely and faced VPN overloads.

  • David shares his perspective on the current and future state of Zero Trust, as well as areas he would like to see the vendor market seek to solve.

  • The biggest example of successful Zero Trust implementation is Google. Since implementing Zero Trust, no major breaches have been reported.

  • In addition to Google, there is a smaller organization that successfully implemented Zero Trust using existing tools, indicating that Zero Trust can be achieved without significant financial investment.

  • However, achieving full Zero Trust is a journey rather than a destination, similar to cybersecurity itself. It's an ongoing process of adaptation and improvement.

Editor’s Note

Headed to RSA? So am I. I’ll be floating around with a camera or hanging out at the Drata booth (or antagonizing past guests). If you track me down, I have a few AZT hats to give out and some Zero Trust stickers. Also, Chase Cunningham has a charitable effort in motion for the conference, so let’s give the guy some love (it’ll be worth it).

Will I be doing interviews for the show? Maybe in a light format, but that is mostly because Neal was able to avoid going this year. Lastly, and we really don’t like sharing numbers because this series is about you and the stories being shared, we hit a new milestone. Across all channels, we now have 10K subscribers, which is frankly crazy. And no, we are still not going to offer paid subscriptions and limit information. This is still way cheaper than our ultra marathon and my Ironman habits.

As an aside, we can now confidently say after having chatted with three flavors of Forrester analysts on Zero Trust, that if there was a mapping of analyst organizations, they are the most chill group around. Meanwhile, a certain other group is still nearly impossible to get in front of a camera. And this comes from someone who has handled analyst relations in the past.

Current State of Zero Trust

The concept of Zero Trust has been around for more than a decade. During that time, it has passed through John Kindervag to Chase Cunningham, and found itself in the hands of federal agencies, non-profits, and countless vendors. When asked how David saw Zero Trust evolving in that time, he astutely mentioned that at its core it has not and won’t change. In fact, that is one of the beautiful parts of the concept because it is designed to be broad, flexible, and philosophical.

Those three core elements are:

  1. All networks are untrusted, and you should treat everything as untrusted.

  2. There should be no trusted part of the network, and least privilege access should be enforced.

  3. Inspect and monitor everything.

Holmes stated that these elements remain constant, but how organizations operationalize and implement them into different domains, like the network, access, controls, people, etc., has seen the most significant changes.

“One of the biggest developments was Covid and forcing everyone to go work remotely. So I mentioned I had a network security background, right? So who do you think was the analyst that every company in the world who's a Forrester client called when their VPN stopped working? That was me. All day for months, people would call and say, Hey, man, look, all of our VPNs land in the same zone, and there's an IPS there, and now it's totally overloaded. ‘Should we rezone or get more IPS or what?’ And so I would tell them, ‘No, no, no, no, no, no.’ The way out of this is not more VPN. The way out of this is Zero Trust. Zero trust is the way out.”

Looking Towards the Future of Zero Trust

Over the past few years, there has been a significant focus on solutions that help solve for two crucial aspects of a Zero Trust strategy: microsegmentation and access. However, according to Holmes, these two don’t play well together; the technology available is provided via disparate vendors/platforms and doesn’t have strong integration points.

“They're not the same vendors. They're different teams that deploy them. They come out of different budgets. There's very, very little working together. I think in the short term, I would like to see these two things become much more integrated because then it can actually start to build these, quote, microperimeters that Kindervag talked about earlier on,” said Holmes.

But here’s the sticking point: David has not seen evidence of these two elements moving closer together. While he would like to see a point of intersection, if a Forrester analyst hasn’t seen it, that doesn’t seem promising in the near term.

The next development David sees coming, and there is strong support behind it, is applying Zero Trust principles earlier in development cycles and in the networks that support them, namely through the move to CI/CD pipelines and a DevOps or DevSecOps mentality. Organizations that David supports have told him that DevOps templates with specific guardrails in place, built with solutions like Terraform, have been a successful approach, and he acknowledges that some vendors try to solve for this as well.

“Even if you architect everything perfectly and put out a good policy that's very zero trust, there will be changes to the network configuration over time that just always are. Let's say it's once a month. That's 12 opportunities in the year for something to go wrong and permissions to fall off,” said Holmes. “Now, if permissions got too tight, you would know because things would stop working. But if they get too loose, you won't know because everything will still keep working. You just won't know if the hacker could walk into the back. So I think there's a gap there where people will need to have something or have some kind of process or tool or whatever to go figure out, is my zero trust environment still zero trust.”
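One way to check for the silent "too loose" drift described above is to diff the live allow rules against an approved baseline. The sketch below is an added example, not something from the episode or from Forrester; the `Rule` schema, rule names and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule in a default-deny segmentation policy (hypothetical schema)."""
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: tuple        # inclusive (low, high) port range
    proto: str = "tcp"


def covered_by(rule: Rule, base: Rule) -> bool:
    """True if every flow `rule` allows is also allowed by `base`."""
    r_src, r_dst = ip_network(rule.src), ip_network(rule.dst)
    b_src, b_dst = ip_network(base.src), ip_network(base.dst)
    if r_src.version != b_src.version or r_dst.version != b_dst.version:
        return False    # an IPv4 rule never covers an IPv6 one, or vice versa
    return (
        rule.proto == base.proto
        and r_src.subnet_of(b_src)
        and r_dst.subnet_of(b_dst)
        and base.ports[0] <= rule.ports[0]
        and rule.ports[1] <= base.ports[1]
    )


def drift_report(baseline, current):
    """Classify drift between the approved baseline and the live policy.

    loosened:  live rules that allow something no single baseline rule allows.
               Nothing breaks when these appear, so they have to be looked for.
    tightened: baseline rules that no single live rule still covers.
               These usually announce themselves as outages.
    Comparing rule against rule is conservative: it can over-report
    loosening, but it never misses it.
    """
    loosened = [r for r in current
                if not any(covered_by(r, b) for b in baseline)]
    tightened = [b for b in baseline
                 if not any(covered_by(b, r) for r in current)]
    return {"loosened": loosened, "tightened": tightened}


# Constructed sample data: the policy as approved at design time ...
BASELINE = [
    Rule("web-to-app", "10.0.1.0/24", "10.0.2.0/24", (8443, 8443)),
    Rule("app-to-db", "10.0.2.0/24", "10.0.3.0/24", (5432, 5432)),
    Rule("admin-ssh", "10.0.9.0/28", "10.0.2.0/24", (22, 22)),
]

# ... and the same policy after a year of monthly changes.
CURRENT = [
    Rule("web-to-app", "10.0.1.0/24", "10.0.2.0/24", (8443, 8443)),   # unchanged
    Rule("app-to-db", "10.0.0.0/16", "10.0.3.0/24", (5432, 5432)),    # source widened
    Rule("admin-ssh", "10.0.9.4/32", "10.0.2.0/24", (22, 22)),        # narrowed to one host
    Rule("debug-temp", "10.0.1.0/24", "10.0.3.0/24", (1024, 65535)),  # never removed
]


if __name__ == "__main__":
    report = drift_report(BASELINE, CURRENT)
    for kind, rules in report.items():
        for r in rules:
            print(f"{kind}: {r.name} {r.src} -> {r.dst} "
                  f"{r.proto}/{r.ports[0]}-{r.ports[1]}")
```

Run on a schedule against an export of the live rules, the `loosened` list is the part no outage will ever surface.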

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello everyone. And welcome back to Adopting Zero Trust, or AZT. I am Elliot Volkman, your producer, alongside Neal Dennis, our host. And today we have a much into man person to be able to speak to a subject, which we have somehow not even got remotely close to, to date we are going to be talking about the current and future state of zero trust with the wonderful David Holmes of Forrester.

Even though I gave you a little bit of an intro, David, maybe you can give us a bit of a background on yourself and what you do and why Forrester is so impactful to Zero Trust in particular.

David Holmes: Hey, everybody. It's David of Forrester. Thanks guys for having me on. I'm, I'm an analyst of Forrester five years here. Now I'm the most, we have several zero trust analysts, but I'm the most senior on the team in terms of both gray hair and time served. I come from a network background myself and also a programmer.

Worked in those two fields for a long time, and then eventually became a Forrester analyst and found myself covering Zero Trust. That was just a little bit of my journey. I don't know, was there a follow on question? I already forgot, Elliot.

Elliot: Actually yes, a little bit. Which one is more stressful, being an analyst or working on the technical side?

David Holmes: Oh, my God. Oh, this is so easy. I miss programming every day. I was just telling somebody, I'm like, I miss it because computers are easy. They like, they like do the things you tell them largely. Have you ever worked with people? It's a nightmare.

Elliot: I not, I will not bring up the question that we asked you off the record, but, oh,

Neal Dennis: one, one, one quick question. Mr. Programmer, if you had a perfect world scenario and everything could be programmed in one language, what language would that be?

David Holmes: Oh, gosh, that's, that's that's not a fair question. That's not a fair question. Partially because my, my programming days are a little bit behind me. I hear good things about Rust. And so I, myself, I'm like a C, C plus plus programmer from way back. And so that's, that's like my baseline and that language, people say it's falling out of favor and didn't the government just come out and say.

Hey, we need to move away from C or whatever. I'm like,

Neal Dennis: to the kids

David Holmes: I don't like all the operating systems written in C. What, like how, how's that going to work? So maybe I'll, we leave that to the kids to figure out, but

Neal Dennis: yeah, I did

David Holmes: I would think the C plus plus, they are good things about Rust. And I, I spent my last five years or so programming in Python, which is a fun and clean language.

Oh, I know Ellie, you had asked me like, why is four, what's the deal with Forrester and zero trust? So

Elliot: Oh, yeah, I did ask

David Holmes: yeah, you did ask that, right?

So

So it was about 2009. So literally 15 years ago, the, the analyst, John Kindervag, who was on the team that I am on now that we never overlapped at Forrester released the initial zero trust papers.

And the first one was called No More Chewy Centers, the Zero Trust Model of Information Security, which is what set all of this in motion, right? This whole like your podcast, everything else, billions dollar industry, da da da da da. And, and as we've discussed already, I was a programmer at the time and somebody, somebody gave me a bootleg copy of the paper.

Neal Dennis: paper

Print

Elliot: Of

David Holmes: Printed out

Neal Dennis: wasn't a seat holder I was

David Holmes: because I wasn't a seat holder. I was just a lowly programmer at the time. And I remember reading the paper and at first I was like, what is this guy talking about? This is this crazy. But by the end, by the end, I was like, you know what? They're right. We have been doing everything. Not, I don't want to say wrong.

Our approaches have not been successful in keeping out the bad guys. Maybe we need to do something different. I can't say that about any other paper that I read in the last 10 years that had that impact on me. And it would have blown my mind if somebody, when they handed me the paper, they would say, someday you will have this guy's job talking about this thing.

Thank you On a podcast.

Neal Dennis: will

have

David Holmes: how about that?

Neal Dennis: job

Elliot: not just talking about it on a podcast. This is you're in and out every single day. You're helping shape everything that goes along with it. And of course, Chase Cunningham followed after John. Help productize it. And he is again, I terrorize him all the time. Whenever I get the chances, that is why it is everywhere or was everywhere at RSA.

Now it's probably AI this year. We'll see.

David Holmes: And so John, was we, we talk about him as if he was Moses coming down the tablets and one tablet says, everything's untrusted and the next one is inspect and monitor everything.

did

Chase, I talk about the fantastic work he did in the four years he was at Forrester and basically.

know, we would have these three core principles, right? So just to review, one of them is that all networks are untrusted and you should treat everything as untrusted. There should be no trusted part of the network. The second that least privilege access should be enforced. And then third, that you should inspect and monitor everything.

So those three principles, which all sound good, right? But people would come to us at Forrester and say, all right, I, I understand these principles, but how do I translate those into my organization? Like I have an identity team or I have a network team. How does this, how do we split up, split this up and make it so these people can do it?

And that's what Chase did was basically carry forward the work so that you would have a way to talk to your different teams and different technologies and different architectures to make that happen. Yeah, I just saw Chase about 2 weeks ago,

to ask me what's

Elliot: Very cool.

Neal Dennis: other than trying to, before we start talking about it, I would say B, not

David Holmes: right? Yes. So if you were to ask me what's my big contribution I made a decision, gosh, probably about 3 years ago that rather than me trying to figure out what's the big night. Big giant next thing. But I would say, Hey, the questions coming in are still how do I do this? What are the steps?

And I thought that's what I help people with on the phone every day. So I thought, let me just try to focus on that research. To help people get to some say, credible level of zero trust before we start talking about zero trust in space or whatever the next frontier is. I realize that's like a, it's maybe not as revolutionary in thinking, but it is, it's worthy work.

I

Elliot: being able to make it something practical and adoptable. I think that's a pretty important aspect of it. Obviously, philosophy is a starting point. It's a foundation. Being able to map it to certain functions, sure. But once it gets to the hands on technical practical elements, got to be able to carry that forward.

And it's only going to get matured and optimized as that happens.

David Holmes: yes, I agree. I agree with that. Elliot.

Elliot: All right. So we're going to start with the basic questions which I don't think I could ask you a more broad in scope question, some of that was already captured in that last statement, but In your mind, how has the concept of zero trust changed in the past decade? luck

David Holmes: Okay, so that's, so that's good. And following along what I just said. When I talk about those three core principles, I tell people, those are all still the same. Those all still apply, right? That, that part hasn't changed. And then as we talk about the, the work that's been done over the last, Decade or so where we're operationalizing it into different domains.

Here's a identity. Here's networks and people and users, et cetera, et cetera, such that one can then carve up the problem and keep and be able to talk about it in the different silos of the other organization. Those are the two main. Those are the two main things.

Probably one of the biggest developments was Covid. And forcing everyone to go work remotely, right? So I mentioned I had the network security background, right? So who do you think was the analyst that every company in the world who's a Forrester client called when their VPN stopped working? Huh? That was me. I, like, all day for months, people would call and say, Hey, man look, all of our VPNs land in the same zone and there's an IPS there and now it's totally overloaded.

Should we rezone or get more IPS or what? And so I would tell them, no, no, no, no, no, no. The way out of this is not more VPN. The way out of this is Zero Trust. Zero trust is the way out. And they

Neal Dennis: It was

David Holmes: early on, they did not want to hear that. It was like their hair was on fire and I'm describing the haircut of the future.

That's, that's how this message was initially received.

Neal Dennis: eventually

David Holmes: But eventually they would start to come around after three or four months of this, maybe, maybe after they got their VPNs expanded more licenses or whatever, then they're like, man, that forest again, maybe he was right. And so that's when we really, really started to see a lot of.

There's some vendor names out like the Zscalers and, and Palo Alto with their Prisma Access Cloudflare and others. They were just selling this stuff like hotcakes. And I look at that as actually a very, very positive thing because

Zero Trust prior to that had been very much a forced, let's go do this, right?

It might be a CISO or a CTO who caught the fire and wanted to like, not shove it down everyone's throats, but it was definitely a push.

Then to have the world's biggest business case for technology all of a sudden pulls zero trust into everything. I was like. This is just fantastic.

Good. All these, all these companies that who are getting a taste of zero trust. Now, is it full zero trust? Are they like way more protected? I would say their threat surface is reduced.

Are they full zero trust? No. Have they made progress in zero trust? Yes. Are things working? Are people happy? Yes. So that, that was probably the biggest and greatest externality to happen to Zero Trust, in I guess it was right around then the Biden executive order also hugely influential.

stay

the same

Elliot: So I, I feel bad. I almost wish I reversed that question of what stayed the same? Because that was such a perfect answer. Neal and I definitely bat around VPN as that when missing that, but we'll, we'll, we'll ignore that aspect, but that is super interesting that you're bringing that up because in our entire first season, a lot of the folks who have put into practice zero trust concepts, they actually were ahead of the curve.

The one in particular that comes to mind is Bloomberg. They were ahead and they were ready to go and they had a pretty large distributed team. So that was an interesting

So I do have one follow up question to that before I feel like Neal going to just go in on whichever direction you all go is you mentioned the almost layers of maturity of zero trust adoption. I feel like I know the answer, but is there an organization that you're aware of that has like fully aligned with zero trust? Have they a. It's not achievable. Let's be, let's that clear

but is there someone that is like in your mind achieved that status

David Holmes: That's a great question. And one I struggled with in coming to Forrester, I was looking for these cases, like, everyone wants to know Hey, is there some org that has done this, that we could then mirror, mirror what they did and before I throw out, I think one or two names

it's,

Many times when you're talking about zero trust, you could just replace the term zero trust with cyber security and, and if somebody said, have we finished the zero trust project or have we finished going zero trust, it's almost the same as saying, have we finished our cyber security?

And then when you say it that way, you realize that no, that's actually never done. It's never done. It's like a thing that just continues to go on and on and on and on and on partly because the, the attackers will always be there and things will always change and et cetera, et cetera. So the one example of.

A company that has done zero trust, like all the way through that I know of, and

Neal Dennis: I've

David Holmes: I'll use this, I'm not ever crazy about this example is of course, Google

Neal Dennis: course Google

And they

David Holmes: they did it in partially in response to being attacked by a nation state. I can't remember if it was the U S or a different one, but but anyway, after that, they said, Hey, we need to redo everything.

And to their credit, they, they went ahead and redid everything. And it's all zero trustee. And if you ever want any proof about it, this is a thought experiment. Think about what was the last time we heard about a big Google breach. And you're like, you know what? It's I can't think of one after that, that one, but also think of this.

They know they have the data for every affair that's happening on the planet. At any time. How come somebody hasn't hacked in there and just grabbed all that data, right? Two people spend the night in a hotel room. Pretty sure their phones are on Google knows they're both in that room. That data never ever leaks.

They have that somehow locked down and maybe, maybe it's through the magic of zero trust. So now I haven't seen them have a ton of success selling that into the enterprise. I don't run it to a lot of Forrester clients who are pretty much. Part of the ecosystem. And I think that is more around the clumsiness that a very, very engineering led organization like Google has.

Relating to business. And so very often there's the Google Way, which, might be the technically the right way, but the business has its own needs, and then somehow they fail to meet, meet in the middle.

Elliot: Neal, you had your hand up. I feel like you're you've

David Holmes: yeah.

Elliot: to burst And

then

Neal Dennis: no, I just have a comment on the why we don't see. People's Ashley Madison stuff anymore. No, I, I, I think it's fun to think about with Google. You're right. It's, it's neat to think about what we have or haven't seen data wise. And I think. We think about the scope of what Google is versus what a state sponsored threat would be like China or Russia.

Russia's goals are obviously different than China's goals for when access things. Russia has less desire to tie in their general day to day exploitation path to legit just espionage for corporate affairs. They need that, but they're less concerned about that. Whereas China has multi pronged efforts to do everything from how do we blow up the new U S tank to how do we make the U S tank ourselves? And

Other things, larger things like how do we become Google, they don't necessarily care about the info itself on Google. they

care about how Google is able to do that at scale, right? So I think from a fascinating perspective, I'm obviously hoping that Google isn't getting boned every day because I have a lot of stuff in there. but

I also think that if they're getting if they are legitimately having issues, which. Whether they're being breached or not with a zero with a Chinese based threat. Chances are, we will never see that type of data in the wild. Only because China doesn't China's default mode is not to blackmail China's default mode is to recreate that and make it their own and then, move forward.

Anyway, I think it's a fascinating thought flow though, because we like to hope Google's doing the right thing, but I honestly don't unless it was a hardcore breach, we'd ever really find out about it. But anyway, that being said, large scale company versus small scale company, though. So Google has bought resources like legitimate companies that bring to bear the capacity to be able to do zero trust or to mitigate and monitor threats, right?

mean, they are the king of buyouts and resale for that type of tech stack now. So I'm thinking from your perspective, I know this might be getting into some secret sauce stuff that you've published, but given some of your recent things on strategy posts and stuff like that over on the Forrester side of the house, I'm thinking about At scale, the lower end of the spectrum, someone who's, a 500 million or a billion dollar company, or maybe up in that slightly larger echelon, that 10 billion range, they're not a fortune 100, right?

It may even be a fortune 500. How do you have that discussion? What's another allegory, another story you could use to help get people to buy into that process? That's. Not Google and their trillions of

David Holmes: Yeah. Yeah. So on maybe on the other side, opposite end of the spectrum talking with, they're probably several hundred million dollar company, but they're not, hyperscaler big or anything. In fact, I don't even think they're that big. They're just really good at what they do. And they're A client that I talked to quite a bit.

I'll just say they're in images. Just put it that way. Which should be broad enough. And they have a really, really good team over there. Like they've, they've been Forrester clients forever. They've been drinking the Kool Aid. And they, they went and did the whole zero trust project, even before a lot of the tools we have available today, like zero trust access and SASE and all this stuff.

They, they built it all, with SSL VPNs and proper segmenting and, and et cetera. They, they basically built a zero trust environment. Now, two things that make them slightly different than that, your average organization, one is that team and the people on that team are really, really good. Not, that's not to say everyone's security team is terrible. There's just uneven levels of. of, commitment, et cetera, et cetera. So anyway, it's a really good team. And also their architecture is very, very static and the things that they provide from a data perspective, also very, very static. So they're not constantly having to deal with digital transformation and, network modernization, very much more static environment.

So I think that helps them. They're one of the ones that I think of, and it's such a great story because, because they didn't have to go out and spend a ton of money, right? They did zero trust with the tools that they had on hand, and it just shows that it is possible. Does that help, Neal? Or does that help

Neal Dennis: it does I, I think that's an applicable statement there. I think the end nugget there is you may already have the tools that you need to do the job. You just need to come up with the right idea. No, you have to come with the right idea. It's just the right plan of action. The right idea is already there.

David Holmes: Mm hmm.

Neal Dennis: Yeah. so do you see then in that scope and scale, so you talked this, not a very expensive by revenue perspective company but. Given your insights at Forrester, things low into that all the way up to things like Google perspectively. Are you seeing a larger adoption on the, of zero trust now from, from those lower end type entities, or are you still seeing a more of a heavier push for companies in that, that larger scale

David Holmes: No, I think it's actually, if you were to quantify it, where the small one counts as much as the big one, right? So we're not weighting these, then actually seeing more activity on the lower end. For example, a lot of like cities, city in Arizona, once they're doing a micro segmentation project, or a city in Canada, and those are really interested because you might think, oh, what kind of data does the city have anyway?

They actually have a bunch of really, really valuable data. I remember I was doing one an assessment with one of them and they said, oh yeah, yeah. Our lottery division we have, we have the algorithm for the selection of the numbers and we really try to protect that.

I'm like thank you. Cause that has been hacked

Neal Dennis: a fun one.

David Holmes: It's hilarious when that happens. And they said, oh yeah, and we also have all the bank accounts for all the gas stations. It's I'm like, what? They're like if, if if somebody wins like 10 million, the gas station does not have that on hand.

So we have to wire them. We have to send them to 10 million. I said, are you telling me you have the bank accounts for every gas station In your area. And they said, yes, we do. I said we need to, we need to get all over that. Let's let's protect that like right away. Cause what, how awful would that be if that got out?

So anyway, answering your question, Neal. There's a lot of activity from, the smaller ones and people ask me, why are they doing it? And the answers vary. It's maybe 30, 40 percent like, Hey, we've, we've wanted to do this for years and now we have to go ahead. We have the tailwind from, the Biden executive order.

It doesn't apply to us because we're a state agency. But we think someday it might, and no one's going to argue with us if we just say we want to get ahead of this. So that's maybe 30, 40 percent of those. And that's great, to see people being proactive about it. Maybe another 20 percent are like, Oh, we got hit with ransomware and now we're trying to make sure it doesn't happen again.

And I feel, I feel for those people and good for them for trying to get to zero trust to reduce that kind of thing. And then others, might be doing it because of COVID. Hey, this, this project got started in COVID. We're really pleased how it's working now. We just want to carry it through.

Neal Dennis: Yeah, I think that's interesting to think positively that a lot of the responders are people, a small percentage versus the majority are ones who've had an event and know the transition needs to happen. So that's, that's neat insights. Also like the fact nobody does think about local government, municipalities, individual university networks.

Everybody does think like my original statement, company corporate versus dollar versus not. But you're right, there's a whole world of, of these fun networks that are not considered as use case examples that are really cool to call out. The one thing that you mentioned the last little nugget, the COVID piece.

So moving through COVID,

Elliot: of

Neal Dennis: Intel analyst and as a technologist, I, I address in certain other aspects of my life a little bit. But. On that note, I'm curious about how many of those are related to, we just bought all the things, whether it was all the VPNs and the VPCs and all the other fun V this V that's and telling that's an SSH and all that junk to get through it and how much of it's, that effort around consolidating versus like you mentioned a minute ago, we started the path, couldn't move forward.

And now we're growing. So I'm curious how much of it's consolidation of efforts versus just a continuation of efforts or a consolidation of tech and then continuation of tech path.

David Holmes: Gosh, I'm not sure. I have enough data to say, know,

Neal Dennis: See that a lot at any metric where people are trying to wrap all that junk up that they bought?

Elliot: Okay

David Holmes: to move towards zero trust, right? It's a reaction. And 40 percent of the time, it's them being mindful and say, we're proactive. We're doing this.

Neal Dennis: that's cool. That's still good insight. So I appreciate it.

David Holmes: Yeah.

Neal Dennis: I might, sorry. My Intel analyst brain sometimes likes net metrics and numbers. Oh, it's always the actual logistics guy. I'm just the guy who likes to consume things. So I like more data like Johnny number five need input. The more I can get, the better off my brain works some days.

Gatorade But

that kind of thinking about this, then bringing it back a little bit more on. The strategic mindset. So when we talk about where people are in their journey, at least when they get started, we talk about pieces and elements of what's important there. So I know once again, back to some of your publications, you've written a decent amount on buy in and discussing that buy in.

So is there any advice you could give someone to be able to go try to get that buy-in before the event actually happens, right? To

David Holmes: Oh, yeah

Neal Dennis: into that perspective, cost savings, benefits, whatever they are

David Holmes: used to write about it a lot because we had to, right? Because we're trying to support the CISO or the CTO who's trying to push zero trust into the org, right? And we talk about all these things like engage with the stakeholders and da, da, da, da, da, da, da, da. But then everything changed when that Biden executive order came out.

I remember I was doing a project with one of our armed forces and I started to go into this, the spiel, like, all right, so when it comes time to convince everybody, they said, oh, no, no, no, no, no, we can skip this part because we've already been told we're doing this and so we have to spend a lot less time.

On those kinds of conversations now, which I am ultimately glad about because, trying to sell, it's like trying to sell a religion, right? It's good for you for doing that. I'm like, I love those guys in the, the young guys in the suits are peddling around town, like knocking on people's doors.

I'm like, wow. I don't necessarily want to talk to him, but can you imagine the guts that takes to do that for two years? The. But we were trying, we were creating a lot of content to help somebody like that in their organization spread, spread the word enough to make sure that the project got projects at least got going.

And, um, one of the tips that we had that I think is perhaps the easiest one to understand and maybe the easiest one to do is the project will go a lot better if you can get like the highest ranking officer. Like the CEO or COO to send out an email saying, Hey, this is what we're doing

David Holmes: you will run into somebody who is going to fight you on this.

And if you have that email,

that's, that will help you a lot.

but we, like I said, we don't have to have those conversations so much anymore. The most common conversation we have with people now, probably for the last year and a half is. We used to, they would used to be able, they used to come to us and say how do I get started?

And we tell them MFA. It's easy. Everyone's going to see you do it. So it's high visibility. It's not too hard. High risk, high risks high probability of success. Go do that one. You'll reduce huge threat surface. So they all went away and did that. Then they came back and they're like, okay, what's the next step?

And as a matter of fact, what's the step after that? And I'm like, oh man, we need a roadmap for these people. So we, All of our conversations now are about roadmap, not all, but a lot of them are about roadmap. And so we spent about 18 months, several of us handles putting together. What would be a credible, what would be a roadmap to get you to a credible level of say, intermediate level zero trust.

And we published that, I want to say last spring. So maybe about a year ago. And everyone I've shown it to has been like, Oh, thanks. This is exactly what I was looking for. And it's 39 steps split into the different domains that Chase had outlined in his research. And one of the things we did that I don't think anybody else has done is, so we took all these tasks and they were like, they were like ADM, right?

So we split them out into this, we'll call this pile intermediate and this pile advanced.

David Holmes: And then, okay. So of this pile, which of these have dependencies on each other?

David Holmes: And we resolved all those. So we built a, we built like a giant spreadsheet, put in like everything got an ID and then we put in all the dependencies and then we're trying to figure out how do we represent it?

I couldn't figure out. So you know what I did? I went and I wrote some code in Python.

David Holmes: That's who I was, right? To resolve all the dependencies and then print out the tree and then we were able to present it. And I tried to initially tried to drop the road map with the dependency shown, but it just looked like a bunch of spaghetti.

I just tell people, Hey, if you follow this road map, all the dependencies are resolved. So you, you should not run into a case where you're starting a sub project and you're like, Oh, it turns out we needed to have this other one done. We didn't know it. If you follow our road map, all those dependencies are resolved.

So those are much more of the common conversations we have. Now we're working on the advanced one, but that won't publish till later this year.

Neal Dennis: No, I love it. I think that's awesome. That's good news as a whole. People are trying to stop it or if they don't have to ask you how to go get buy-in anymore as much, then, then that's obviously really

David Holmes: it is. It's a great time to be a Zero Trust Analyst.

Neal Dennis: got a good job ahead of you. You ain't going nowhere.

David Holmes: Gotta ask about AI at some point.

That's

Neal Dennis: Podcast

I was, okay, we'll, we'll do that, but let's, let's, let's do this. So I was going to make a comment here. I had a curiosity question about AI, since we're going to go there. LLM models, all this other stuff. We see a lot, especially on Elliot's side of the fence, people trying to make these models for, GRC related things.

Do you what, what is your personal take on, on not just, The zero. There is no zero trust in LLM. Let's be up front that you're sitting here, even if it's packaged, encrypted and mutated, it's still going somewhere else that you don't control. But unless you're Microsoft, then you can build your own data lake.

So my question to you, do you see a route there where you could leverage it at least to help you get started into the zero trust world? Do you see language models? I can help you at least maybe even identify pieces where you need to go back and look at things. That as part of the future here in the next. whatever

David Holmes: That's an interesting angle that no one's asked me yet, Neal. So

Neal Dennis: Yeah, that's

David Holmes: let me let me just back up and level set on and I'll just admit right out. I do not have a data science background, right? I'm network security and programming and zero trust. I've, I, when all of the ChatGPT stuff came out of, I was like, I need to understand this at least to understand, am I close enough to the end of my career where I can go, this is something else somebody else understands.

And I think that's what I arrived at, but I got to the point where I was reading a paper that said, all right, here's how it tokenizes everything. And it turns everything into numbers. I was like, Oh, whoa, whoa, whoa.

David Holmes: So it does not understand what it is saying. It's a bunch of numbers to it. And so I, I fired up ChatGPT and I asked it a question.

It was something simple. David's father has two sons. One is named Bill. What's the name of the other son? And it was like, I have no idea. How could I possibly know that? It could be anything, right? Obviously David is the name, the other, it's you have to understand the meaning of father and the meaning of son in order to understand that.

So it just happens to be really good at words and how they all fit together, but it doesn't really understand any of them. And that's why it's, it's, it's, it can't really do math either. Cause it turns the numbers into the wrong numbers.

So I was like, okay, that's really, really interesting. And probably the biggest trap we'll fall into is because we are, we recognize good writing as a, as intelligence. Like that's, that's half my job, guys, trying to look intelligent on paper.

And so one of the biggest things we'll fall into is giving the thing more credit than it probably deserves.

Does that make sense? And so I have heard of really, really, Time saving and brain saving applications of this where people like, like a whole job of a person was to read through some medical notes and then summarize it for the doctor who's on call. Those jobs are gone now. That's just done by AI.

And I'm like, that's unfortunate that that job's gone, but I could totally see where something didn't necessarily need to understand all of it, but just be able to write a summary real quick. Maybe that's fine. Now in cybersecurity and zero trust. My position on this as it relates to generative AI is if your organization is going to use generative AI as a differentiator, right?

To set yourself apart from your competition, then you are going to want to train it on your data. For example, if your customer is going to use the thing, then it should know a lot about your data, your processes and all this stuff.

But I think once you put your data into it, it's going to be very, very hard to control how that data is.

As soon as you put your data into it, you're basically saying, okay, all of that data can be regurgitated to anybody in the world. And you're okay with that.

Make sure you're okay with that. And so I, I submitted, I submitted a paper about this to that really, really difficult cybersecurity conference where nobody gets their papers accepted every year.

I think we don't have to say their names, but I'm like, okay, if it gets rejected, it'll just be like the 10th time they rejected a paper of mine.

So anyway, the, the, what I'm trying to tell people is I don't, you, I don't think you can. You can use Zero Trust. So I don't think there's a place for Zero Trust in the sort of the middle of this.

Generative AI stuff to figure out who gets access to what data because it doesn't even,

it's almost like a weird black box. We throw stuff into and hallucinates people hallucinate too, but whatever. So if you're going to use zero trust, it will be much more about being careful about the data that you put into it.

And I know what I know about people in human nature. Almost no one's going to pay attention to that part. They're just going to dump all their data in there. People are just going to figure out how to pull it out. I remember right after all this started, I had this epiphany like, Oh, yeah.

Okay. Everyone's going to dump their data in there. And then somebody is going to show that you can basically go and ask it for all the sensitive data.

then people are going to go, Oh no, we need to put some kind of firewall on this thing. And it sits there and it like tries to filter the data, going in and out and filters the request coming in.

And I'm like, it'll be like the worst web application, firewall thing ever. And like within a month, somebody had announced that they were making that. I'm like, that's just.

Elliot: Yeah, The fact that you can basically trick it with emotional reactions and with prompt engineering or prompt injection to trick it to give you that information is wild how available that technology All right,

Neal Dennis: I it write ransomware all the time. Call it ransomware. Maybe not. Okay. Not all the time, twice, be clear. And it's never been used. But I had a thought experiment in there and you're right. It's just anybody can get whatever they want and how they want it. And then at some point time, the data model is going to be such, so yeah, protect your data, figure out if you want to play in that and understand that at the moment you click the button, it's no longer your data anymore.

Yeah, I'm, I'm curious to see what comes out of it and I'm curious to see, how much longer Elliot has a job as a GRC marketing

Elliot: Who's to say I'm not already using the technology to do half my job

Neal Dennis: Oh, I'm,

Elliot: That's why I'm doing this in the middle of the day. I'm,

just kidding you work me I'm totally not recording

David Holmes: all right now.

Neal Dennis: and yes, for the record, Cyware, we do this starting at 6 PM Eastern. Monday through

Elliot: totally correct.

David Holmes: Yep. So hey guys, I know you wanted to ask me what, what I thought about the future of zero trust and and I don't, I don't know if you explicitly asked it yet, but, but,

Elliot: We have not, but we would definitely love your

Neal Dennis: Thank you for bringing us back on topic, David.

David Holmes: sure,

Someone needs to

In the short and let me get just a little bit like acronym technical for a second. There's, there's basically two marquee zero trust technologies at work right now, at least in the vendor marketplace, right? One is micro segmentation, which is. Basically applying zero trust into a network to say which computer should actually be allowed to talk to each other and let's just make that so like explicitly say, okay, host C can talk to host a, but never to host B.

It's right. Which is a lot harder than it sounds. So there's that micro segmentation. And then there's the other thing that happened during COVID, which was Hey, let's give people access only to the applications that they need access to and not anything else, right? That's the access part and that was like the big sexy part of zero trust for about two years Because it solved a business problem, right?

The business problem was people cannot work because the VPNs are overloaded Let's bring productivity back and in some cases accelerate it with zero trust stuff, right? It's the ultimate business problem So that got really hot. Now, the dirt with the dirty secret of zero trust right now is these two systems do not work together at all.

They're not the same vendors. They're different teams that deploy them. They come out of different budgets. There's very, very little working together. I think in the short term, I would like to see these two things become much more integrated because then it can actually start to build these quote micro perimeters that Kindervag talked about earlier on.

So I'm, I'm, I haven't seen a whole lot of evidence that that is going to happen, but I would like to see it happen. So that's, that's my, That's, that's the short term. I think another short term thing is with a lot of things moving to a CICD pipeline, DevOps, et cetera, et cetera how does Zero Trust work in that fashion?

So some of our more technical and forward thinking, forward looking clients who have a DevOps staff. When I talk to them, they're like, we're, we're thinking to go into their trust. And we're just going to try to do it all with. DevOps templates. Like when the app gets deployed, it already has the language in there.

This is, these are the hosts that can talk to these ones. And I'm like, that's probably how I would do it too. Now that's not what a lot of the vendors want to hear,

wasn't

They would like to sell a thing that just does the thing. But the developers know

do this I could set all that stuff explicitly.

In code, like that's the most explicit possible thing. So that, that world seems to be going in that direction, right? And I talked, I talked to clients who are building systems using Terraform and they're like, yep, we were all very zero trusty. I think there's some holes there where they're, they're, they're setting it out, but is it working like they think it's working or what if somebody makes a change and then the access becomes much more permissive, so a gap that exists right now is.

Even if you architect everything perfectly and put out a good policy that's very zero trust, there will be changes to the network configuration over time that just always are. Let's say it's once a month. That's 12 opportunities in the year for something to go wrong and permissions to fall off.

Now, if permissions got too tight, you would know because things would stop working. But if they get too loose, you won't know because Thing, everything will still keep working. You just won't know is the hacker could walk into the back. So I think there's a gap there where people will need to have something or have some kind of process or tool or whatever to go figure out is what I, is what is my zero trust environment still zero trust.

So again, I haven't seen a lot of evidence of that. But I'm hopeful.

Neal Dennis: makes sense. I like it. I like it. Future state stuff. So when are we going to expect that for us to report on the future state of zero trust?

David Holmes: Oh

Neal Dennis: that bought

David Holmes: there's, there's,

David Holmes: so it could anytime not in the next month but it be Q2 It might be Q3 think that sometimes people ask me what's the the far distant future of Zero Trust And

David Holmes: look like.

And you know how, like

Elliot: you

David Holmes: is is phishing attacks. I don't know how many, it's some crazy percent of attacks start that way. And there's actually a reason for that, right? It's actually, we got somewhat good at locking down our perimeters as they are right.

Firewall's not letting people through. And. And so then attackers figured out, Oh, I need access to that resource. So I need to appear like a person who has access to that resource, right? So zero, so elements of zero trust and zero trust principles were already being embedded into our cybersecurity architectures and the fact that phishing is such a popular threat vector now.

It's just simply proof that we used zero trust to, to cover up all of this other stuff that needed protection. And now they are having to drive through in these other realms, right? So they have to

David Holmes: pretend to be somebody, and then they have to beat the MFA and then

David Holmes: then they can get access to the thing.

So I think further out, we're going to see, unfortunately, a more need for systems to be a little bit smarter about what is this looks like David, and he passed the MFA test,

David Holmes: but we still need to inspect what he's doing because it might actually be a compromised credential, and I think that problem is a lot harder to solve and Zero Trust will probably have to come back around and figure out what is the right set of principles to guide that.

Elliot: is

Neal Dennis: we had a talk early on about, your, your keyboard identity, right? The people who are doing passwordless security, quote unquote type stuff and what that could look like. And at the end of the day, know, for the, the fundamental threat actors trying to get in, that, that keyboard or that passwordless environment does play a role.

Help mitigate that.

initially, but like everything else, at some point in time, it's still a database. So if you do zero trust around the database, that's making those key checks, you're probably pretty decent on, but it's still a fingerprint, a digital fingerprint that someone probably will learn to replay.

I'm excited for that. To be fair. I'm excited for passwordless security. There's banks that are already using this to some The Google reCAPTCHA systems are actually technically a form of passwordless security in the sense because. You go, is this a human? Are you human? You click the checkbox. That checkbox isn't trying to track.

It tracks how long it takes get there. It tracks where you go to get there on the trackpad and everything else. But it's also using the breadth of everything you do, including your affairs on Google to figure out if it's actually you on that box, right?

David Holmes: can't be David. He's having affair right now.

Neal Dennis: David's got his, yeah,

David Holmes: can't Neal. He's having an affair right now. No,

Neal Dennis: but, that, that's exactly it, you're right.

Is, Google has the breadth of info. Google's little, am I human? Click button does all that passwordless security, the light mentality. But at the end of the day. Adoption is key, but once people adopt it, everybody finds a new way around it. MFA was the big thing, but like you mentioned, there's ways to escape that.

They're hard most times, there's ways to get around it. So anyway, I think that's cool. I like that, that idea and the human is always the most susceptible chain in the link to breaking. And the more we can do to constrain the human and turn him into an AI, maybe the better off we are. I don't know.

David Holmes: I don't know. Every year I think cyber security and the digital world can't get weirder and then it just keeps getting weirder. That's

Neal Dennis: Yeah.

David Holmes: where it's going to be in five years.

Neal Dennis: So I'll throw it back over to Elliot to wrap up and see if he's got anything else that he wanted to bring up.

Elliot: right. Yeah. So you already alluded to it. The question is AI adjacent. So you've seen it. Obviously organizations are somewhat quick to jump on the bandwagon. If they see a really hot industry buzzword zero trust was like enemy 1 for multiple years. AI is now becoming that organizations are either.

Using some sort of wrapper with ChatGPT and APIs, or some of them that are taking a little bit more time or building their own private models and starting to integrate that. Now, now, in relation to zero trust, I just would love your perspective to see if you feel like any organizations are marrying the two concepts of zero trust and AI and are trying to say, we now have this amalgamation of zero trust AI, God knows what it does.

But is there any organization that you see is not just like attaching the buzzword, but is actually trying to do something with this, groundswell of been around

David Holmes: Short answer is no, I have not seen somebody properly merging these two. And, and it's still way early days on the AI stuff. I did talk to somebody recently who has a startup and it's, I believe they're like, we're zero trust for AI

David Holmes: and, um, in further discussion with this person, great guy.

He so I keep tabs on the startup environment and right. It's really bad out there right now. Like purse strings are closed for everybody, unless you're in AI and then they can't give you money fast enough. And so while this person didn't say, Hey, This is what I had to do to keep my business going.

That's the impression I got. And I don't, I don't necessarily blame him for that. So his, what he, what his company was basically doing was applying zero trust to the underlying mechanics of the Kubernetes systems that most of these AI apps run on, make sense?

Neal Dennis: hmm.

David Holmes: I was like so in reality, it's doing zero trust for Kubernetes, not necessarily for AI.

Neal Dennis: something you

Neal Dennis: a great example it's a

David Holmes: so anyway, that's a sort of a bad example of somebody who's not a bad

Elliot: It's a great example.

David Holmes: counter example of somebody who's having to tie these two things keep their business going and, good good for him, and more power to him, but I haven't seen anybody yet.

It's probably the job of the next Forrester analyst to come up with the Oh my God, it will be like the I, Robot rules for artificial intelligence. Yeah. The ones like

Neal Dennis: like oh Yeah.

thou shalt

harm him. There's three. And I only remember the one which is, you shall not harm humans. I don't remember what the other two are. I think one, this is a Google view. Can I

David Holmes: But it'll be something like that, but around zero trust. . I don't know if going to be,

Elliot: because

they're out now, right? keep seeing the clips of all the, AI driven robots that are out. And I, I feel like I saw one just this past week or two where the audio responses from the AI driven robot are now awkwardly, terribly human. There's like a stutter and pause the creepiest thing I have ever seen. I that came out of that.

Uh no

Neal Dennis: Your, your rules were, that's funny because I got to tie into that with the rules. There are three rules of robotics. Robot may not injure a human being or through inaction, allow a human being to become, come to harm. Robot must obey orders given to it by humans, except where such orders conflict with the first law, a robot must protect its own existence.

As long as such protection does not conflict with the first and second law. So we think about the hilarity there about the voice activated or the voice AIs and stuff. I see there's, I get adverts for these things. To say, Hey, let's upscale your sales up. And at a, at an e-comm website. And Elliot, I don't know if I told you about this.

I don't remember who I was talking with this about a few weeks ago. I got an advert. The whole advert is based on, let's say somebody comes to your website and they click on, on a pair of sunglasses that are 500 bucks or whatever it may be. Whatever the thing is, they put it in their cart. And then they leave.

You've probably already captured some of their user stuff, potentially, especially if they're a return customer or if they're coming through a larger shopping center, like Shopify and stuff like that. So an AI calls them up and says, Hey, Tom saw that you looked at those glasses. Can you just tell me why you decided not to go through that purchase?

It sounds. Like this, this formatting is, is clean and it sounded creepy. It sounded like a conversation you and I would have to upsell someone on a product, right? In general. And the guy responds, Oh yeah. The cost is this, that, and then, Oh did you happen to find a competitor that you liked that was better?

And that's why he decided not to go with us because of that cost. Oh yeah. I found a pair of Oakley's that claimed to do the same thing for only 300 bucks. And then the AI, if it's this, this chat bot. If your site supports things like credit, like payments, as opposed to just a flat payment, this one went into it.

It's Oh what if I told you one, I could discount the price by 10%. And two, we just started a new payment option program. Do you still think it's worth buying this product if you can get it for 50 bucks less and make four monthly payments? And the guy goes, Yep, like this is a live interaction with a customer that they recorded and the dude goes, yeah I think I didn't know about that.

I would rather have your product. I like your brand So yeah, please let me know how to make it more affordable and then the bot responds like awesome I'm gonna send you a link to a website with the payment program Let me just make sure I still have your email address correctly closes the deal sends him the email sale done And it is that that and there's maybe one or two moments in there where I thought it was It's blatantly automated, right?

That is the creepy stuff with this voice stuff and how it's going. So we think about zero trust and access and things of this nature. I can already go out and program emails to do all that stuff, right? We all see those things. But now that I've got these voice bots where I can just plug in a basic script, train it up against a response model for an IT support team.

And then I'm off to the races getting access to gosh only knows what.

David Holmes: I don't know how I feel about that now. It's Hey, it helped the guy out, saved him some money, pushed him over the little hump that he needed to get over, the win win. But on the other hand, I'm like, every time I have to talk to a computer, I'm like, is degrading what this thing's not even going to remember this converse and

Elliot: Hard pass.

Neal Dennis: Benefit, it doesn't have to get a commission check.

David Holmes: Yeah, I think part of the, part of my issue is what if everything you did. Like you had an AI call you immediately after trying to close the deal. I was just looking, my friend wants a scarf. I thought I'd look at scarves. I know. know, it's too early. I don't know.

Neal Dennis: It's a weird world.

Elliot: would be that's everything would become like, a car sales process, which is literally my nightmare. I not 0

Neal Dennis: Tell you what, if I could program out, cause I use things like Google voice and other, other VoIP based services. If I can program them out to answer. So if the caller ID shows that it's a sales. Company of some sort of product. I can program my own Autobot response to haggle with for a good 20, 30 minutes

David Holmes: Yeah.

Now

Neal Dennis: then prompts me on my phone says, Hey, I haggled this like the, I don't remember those apps that go out and haggle your bills for you.

But if I can go in and show interest in a product that I really like, and then let the two AI bots haggle back and forth with each other for an hour, I get a little prompt on my phone that says, would you like to go forth with this purchase at this dollar? And I'm like, yeah, sounds great. And then it goes out and buys it.

That'd be a cool world. I'd love that. And then you don't even have to talk to the car salesman to go buy your truck. You can let the bots do it. Nobody knows.

David Holmes: bots, duke it

Elliot: just made humanity redundant.

Neal Dennis: I made sales redundant is what we just did

Elliot: with that.

Neal Dennis: that way people like David can back actually do legitimate work and, and not worry about the sales reps

Yeah. I'll say David, thank you for the fun chats. I don't know if Elliot's got any more left in him, but

Elliot: No, no, no, we're good. David, thank you so much for being here. We really appreciate it

David Holmes: really like

Elliot: dealing with our casual nature.

David Holmes: Of course, I love it. I love it.

Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.