Host: Hi, this is your host, and welcome to another episode of Let's Talk. Today we have with us once again Zack Butcher, founding engineer at Tetrate. Zack, it's great to have you on the show.

Zack: Hey, thanks. Thanks for having me back.

Host: Yeah, and today we are going to talk about a lot of things, including one of the conferences that you folks will be hosting with NIST and the Department of Commerce in May, which will be in my home turf, which is DC. Before we talk about the conference and all those things, I want to talk a bit about zero trust, because first of all, we have been talking about security culture as a whole; we have been talking about zero trust networks, zero trust architecture. But these terms evolve as the industry also evolves. So talk a bit about when we talk about zero trust today, what does it mean?

Zack: In fact, actually, coinciding with this event, we just published NIST SP 800-207A. Very excited about that. The 207 series is what governs zero trust. So 800-207 is Zero Trust Architecture, so I was very excited to be able to write the next installment in that zero trust series. And that paper, which we released for public comment about two weeks ago, will be kind of one of the focal points of that conference in DC later this month. In that paper, I really tried very hard to do a couple of things: one, introduce nothing new, but to give us a real practical, hands-on definition for what zero trust is at runtime. So I want to be clear: there's more than just runtime when it comes to zero trust, but there's a lot of noise around technology and tools and things, and I want to help give us some definitions to cut through them. So first off, in a broad, you know, categorization, what is zero trust? It is the people, process and, you know, technology and business process in place to be able to mitigate an attacker being inside the network. So that's the mental model, right? So traditionally we thought about security from the perimeter: how do I stop the attacker from getting in? Zero trust acknowledges the attacker, a motivated attacker, can get in the perimeter. What do we do to mitigate what that attacker can do once they're inside? So that's the mindset, right? They're inside; the perimeter is not sufficient. So I need to take steps at every hop, at every service, at every instance, to make sure that that attacker is limited in the data that they can egress, in the systems that they could try to compromise, and the other systems that they could pivot to. We want to bound an attack in space and in time. So philosophically, that's what we want to do. At runtime, how do we do this? In 207A, the new paper, we introduce what we call identity-based segmentation, and that is five policy checks at runtime that we want to have happen on every single hop. So we don't want to apply these just at the front door, you know, maybe in our API gateway, but we want to do this for every single hop in our infrastructure. And those five things are: encryption in transit; service identity and service authentication; service authorization; end user authentication; and end user authorization. So those are the five policy checks. So why do we need or want those? Encryption in transit is really for two properties. One, we want eavesdropping protection: we don't want other people who, you know, maybe are looking at the bits on the wire to be able to see what we're sending, because the data is sensitive. And two, we want message authenticity: we want to make sure that the message you received is the message I sent. So we need encryption to provide both of those. Then we want to know what applications are communicating, and we want policy that governs that. So we want to say the front-end can call the back-end and the back-end can call the database, but the front-end can't call the database directly. And then we want to know who's the user in session. So, you know, we want to know that it's Zack that is logged in to the front-end, and that in this current session, you know, Zack has a read scope, therefore we're allowed to get the data from the database via the back-end. So all of that together gives us, you know, this protection on the wire, and it helps us bound an attack in space; service authorization policy helps us do that. And bound an attack in time, right? The credential expiry and those pieces help us do that. So overall this gives us a pretty concrete definition: hey, if you do those five checks at runtime, you're in a good spot and you're achieving what we call identity-based segmentation, which we argue is zero trust at runtime. You can do more, but you need to do at least those.

Host: As you're talking about it, it's a lot about culture, a lot about practices as well. But we look at it as a mix of tools and proper practices to get the best out of those tools as well; without each other it's not going to work in practice. Actually, practice does help a lot, but we need the right tools also. You folks have a platform that does provide zero trust application connectivity and security through service mesh, and service mesh plays a very big role when it comes to security. So talk a bit about, when we look at service mesh and look at Tetrate, what role is service mesh playing in transforming security and compliance, and how, once again, service mesh, you know... there are a lot of projects around, you know, that you can look at, Istio, Linkerd, whatever you want, but how Tetrate is kind of helping users take advantage of these tools and technologies.

Zack: So a couple of different pieces there. So first, why service mesh to help with this aspect of security? This is actually something that my other line of NIST papers talks about quite a bit. So 207A is the fourth NIST paper that I've helped author. The other series is the 800-204 series, and this is really all about microservice security and multi-cloud. That's really where I started working with this, and in those papers we argue that the service mesh is the most effective archi... no, the most effective set of technologies in the microservice architecture to be able to provide security guarantees. And in those papers we argue that the service mesh kind of forms the security kernel for a modern distributed system, in the same way you think about the kernel providing security features for processes and applications that we're running together, and we can trust that because of the small, audited set of code that is being reused to provide security for many different applications. The service mesh provides that same primitive in the distributed system. So that's why we focus on the service mesh as a technology to help implement a bunch of different controls. So certainly those five things for identity-based segmentation the service mesh can help you implement. And we provide Tetrate Service Bridge, which is an enterprise offering that really brings the management capabilities that you're used to in something like AWS, for managing the AWS services, for being able to manage the service mesh on-prem. So that user login, the user access permissioning, who can do what where, and what are the safe configurations that the service mesh can take, are all the capabilities that we bring, and we do that across your entire infrastructure and not just one mesh deployment. And so that then lets you build controls and guidelines, using the mesh as the technology to implement those controls, and then let your developers go. Because you have kind of the bounding box of safe configuration there, your development teams can iterate within that bounding box as fast as they want; you know, they're going to be safe.

Host: Irrespective of tools or specific technologies, what advice do you have for users in today's world so that they can have a very good security posture, to ensure that their workloads, application environments are secure? What is your advice?

Zack: Yeah. So there's a basic process that we want to follow regardless of the technologies that we're using. So first we want to inventory what we have; we need to know what our real estate is, right. We then need to be able to monitor that, ideally in real time. Right, so we want to know what's there, ideally we want to know who owns it in the organization, we want to know what it's doing at runtime, and then we can start to build more sophisticated capabilities on top to do things like continuously monitor so we can react, so that we can reduce our time to identification. Then we want to build tools for remediation. So we need to be able to identify, you know, what's there, know what normal is, identify when things are not normal, and then be able to take action to return the system to normal. And so that's the core set of capabilities that we need to develop, regardless of the technology that you use to achieve those capabilities. And, you know, that gives us then a blueprint for where do we start. You know, I guarantee you, as an organization, you probably don't know what you actually have in terms of the physical infrastructure and the software and where that software is coming from. So that's the place to start, from a security perspective, as an organization that's trying to mitigate, minimize risk: inventory what we have, figure out what's there, and then we can build a plan of attack from that. Otherwise, you're taking stabs in the dark.

Host: How much of this are you seeing organizations actually doing in practice? Or do you feel that they are still behind and we need a lot of education? Or are you like, no, they're all moving in the right direction, they're all doing the right things?

Zack: Yeah, I wish. You know, in general, I think as an industry we're trending in the right way, but, you know, equally, we're also building more complex applications in more complex environments, so the challenge gets harder as well. Really what I see is... I view one of the other big purposes of the NIST papers is really to help educate, and it's both to help educate, you know, security decision makers, but it's equally to help educate the auditors and regulators that are evaluating systems. And so a lot of what we talk about in 207A... there are kind of three big ideas. I talked about identity-based segmentation. We additionally talk about how we want to layer new identity-based policies on top of existing network policies, not replace them, and in doing so we can relax the network policies and get some agility, for example. So, you know, our purpose in these papers is not to break new ground, but it's to talk about how we can do the right thing that we've been doing in the modern context, and in that way educate and move the ball. So my goal... you know, what we see is that there are a lot of folks that are doing this. There are a lot of folks that are starting to overlay identity-based policy on top of their traditional network-based policy. You know, we even help customers that do this gain agility while they do it, because we can relax network-oriented controls in favor of identity. The canonical example I give is the firewall rules between on-premise and cloud, right? And in a bunch of folks that we work with, you know, that's a six-week process: I file a ticket to get the firewall rules updated and I get the subnets and all that, and, you know, the firewall team goes to the spreadsheet that's the source of truth and maps the CIDRs back to services, back to teams, to figure out, do I allow this or not? One of the patterns that we talk about in 207A, and that we implement, is putting identity-aware proxies on either side of the firewall. So that way we have one firewall rule that says, hey, the identity-aware proxies can communicate, and then we can use identity-based policy to decide who can go over that connection. And that's an example case study that we talk about in 207A, in that paper. So to answer your question, you know, in general as an industry, we're moving in the right direction. There are definitely some people that are far ahead of others, and we are, and some of the folks that we work with are those, and what we're trying to do is kind of pull and drag the rest of the industry into this better world, and using things like these SPs helps give the weight to make that okay from the perspective of auditors and regulators.

Host: Let's talk about the conference that you folks are co-hosting with NIST and the Department of Commerce in a couple of weeks, and once again in my home turf, DC. Talk about that.

Zack: We're super excited. This will be the fourth annual conference that we get to exclusively co-host with NIST. You know, we have a deep relationship there in the form of a collaborative research agreement, in addition to the writing that we do together, and we leverage that to help bring these ideas, these techniques and these technologies to industry. And so that's the whole point of this conference, which will be in person in downtown DC on the 25th of this month, and there will be some workshops on the 24th. And for folks that care about continuous compliance and the authority to operate, there's another paired sister conference that will be happening on the 23rd. So all of that is great. So come for continuous compliance, hands-on workshops around using the mesh and around continuous compliance, and our conference on the 25th that will be covering zero trust and multi-cloud specifically. The goal here is really for both decision makers and practitioners to be able to come and learn about what some of the other large organizations in both the public and private sector are doing, how they're approaching zero trust, some of the cultural change, some of the technology change, some of the tools and technologies for achieving it. So, you know, we would love to have folks attend if you're in the area. It's also going to be streamed online, and I believe it will be available for free. Certainly everything will be recorded and will be available after the fact as well. And all the previous years' conferences are available too, so if you want an idea of what it's going to be like, if you just search, you know, on your preferred browser, go search for "NIST zero trust conference", you'll see multiple years of it, from 2019 till this year's, with all the program there that you can go kind of see and get a flavor for what the conference is like.

Host: Zack, thank you so much for taking time out today to discuss this topic, of course the standard and the upcoming conference. As usual, I would love to have you back on the show. Thank you.

Zack: Thank you for having me. I appreciate it, and again, yeah, look forward to seeing folks at the conference at the end of this month, May 25th. Thanks, everybody.