Conference Talks

FutureCon Dallas

Driving Zero Trust at Two Different Companies: Lessons Learned

As we settle into life with COVID, the topic of zero trust security and a remote workforce is top of mind for all enterprise security teams. During this session you’ll hear from security practitioners who were responsible for the zero trust strategy and implementation at two Fortune 500 global enterprises – Adobe & Cisco. They will share their experiences and tips for rolling out zero trust methodologies at scale.

The audience will gain understanding in how to get started:

1. Selling the strategy, people, process and technology
2. How to make real progress in months, not years
3. Demonstrating continued business value
4. Real world examples, highlighting improvements to user experience and security posture
5. Tips and tricks, lessons learned and what to avoid


Den Jones:

Hey everyone. So I’m Den Jones, Chief Security Officer at Banyan Security.

Carlos Martinez:

And Carlos Martinez, Director of Solutions Architecture at Banyan Security.

Den Jones:

So first of all, just to get everyone warmed up a little bit: do you want to raise your hand if you’ve heard Zero Trust mentioned just one time too many? So I think it’s the overused marketing hype the industry wants to put in there with digital transformation and all the other terms like XDR and stuff. So we are going to try and not talk about Zero Trust, and then we are not going to really talk about the products that Banyan makes, right? So what we will talk about is really the methodologies that we’ve delivered in two large companies before we joined Banyan, and really some of our tips and tricks on that journey and the adventure, and then we are really available as resources. So let’s talk a little bit about who we are. So we joined Banyan, but we started off… I was at Adobe leading the Enterprise Security Organization there, where Zero Trust was a part of our strategy. And then I joined Cisco reporting to the CIO, I was the Senior Director of Enterprise Security there and again we led the Zero Trust initiative across all of Cisco. And Carlos?

Carlos Martinez:

Yeah. So it feels like we’ve probably been joined at the hip here, but as part of the Enterprise Security Organization at both Adobe and Cisco, we were, as mentioned, responsible for delivering on that internal Zero Trust initiative. Specifically, in 2018 at Adobe, we kicked off and delivered on an internal project we called Zero Trust Enterprise Network, or Project Zen, where we secured access to over 1300 applications, SaaS and on-prem. At Cisco, as part of our Zero Trust for the workforce initiative, we enabled secure remote access for over 100,000 employees in a span of five months. So fast forward to today, we joined Banyan in early December and we were offered roles basically doing something we’re passionate about, and that was working with other practitioners, helping, as Den pointed out, just being able to help any other folks out there that are getting started with their Zero Trust journey.

Den Jones:

Awesome. So why do we need this new security model, or what is Zero Trust, right? So I actually would rather think of it as more outcomes, and really the outcomes for us are improving the user experience and increasing security. So you think, why do we need that? Well, for the last 20 years of our industry, the authentication… So the very first bubble on the left here, the authentication really focused on the user’s identity, but it ignored the device. That meant I could log into any app and service, regardless of whether my device met security posture or not. So that became something that was alarming to us, especially in 2018 when we did our Zero Trust project. But what happened was we didn’t know about COVID, we didn’t really think of the work from home. We just had an evolving workforce in Adobe, where more and more people were traveling, more and more were remote workers and they weren’t always in the building.

Den Jones:

So back then we considered that part of our evolution anyway, and also the way we were being attacked. We could tell through these attacks over time that they’re evolving. How they’re attacking us, it was just more and more phishing. So it didn’t matter if you were inside our corporate network, which was mistakenly always thought of as being somewhere you’re safe, because really that perimeter, that security boundary, no longer mattered, right? What was happening was they were phishing, you were clicking a link, they are already inside. So that network perimeter, that VPN, that firewall: while you don’t want to necessarily get rid of them, they are just not playing the same role that they played the last 10, 20 years.

Den Jones:

So if you could imagine, if I said, “Look, we can deliver something like this.” And this was a conversation I had with our executives, our CSO and our CIO in Adobe, like so: imagine a day where your users never have to enter their username and password during an authentication. Imagine they don’t need to change their passwords every 90 days, and then imagine if there is a problem with their device, because we want them to meet a minimum bar, that they can self-remediate without having to call IT and get help. So if they don’t have the right stuff, then they can fix this themselves without calling us. And then VPN was no longer something that they would use. And I said to my boss, I was like, “Imagine that day, and then imagine you can do it before you retire, before you leave your job, because it’s not a never-ending project. We can deliver this in months.”

Den Jones:

And as part of this session, we’ll explain a little bit about how we got there. So really, at the end of it, there are very few times in your career where you’ll get to say, “Hey, we can improve the employee experience while we increase security.” And we took what was originally 20 bullet points of my architect team’s wins that we were going to get and we got it down to just a few in each case that we thought were really, really important. So let’s jump in. Carlos, can you explain the architecture, please?

Carlos Martinez:

Yeah, sure. And I’ll briefly cover the components that we deployed or enabled to provide that seamless, secure access that Den just mentioned. So we’ll start with the policy engine component. So from a Zero Trust perspective, it’s all about ensuring that the right users and secure devices are able to access those services or resources that you explicitly allow. And in terms of defining the specific endpoints and the users, you want to build out that inventory, and that inventory will consist of data or attributes that you collect from other sources. So in our case, that was our device management solution: we wanted to make sure our devices were actively enrolled, are they compliant. Also other sources like EDR, to be able to detect that compromised status, or UEBA, to be able to determine if there was some sort of anomalous behavior from a user-to-device standpoint.

Carlos Martinez:

So the next sort of bubble there on the left side is all about establishing that trust of the endpoint and that user. And from an endpoint perspective, what we did was we deployed a lightweight app or agent that allowed us to, number one, establish that identity of the device. So again, going back to that inventory from a policy engine perspective, ensure we know who it’s assigned to and that it is actively registered. Number two is to be able to invoke that lightweight app and determine, at the time of application access, whether or not that endpoint meets certain security requirements. So is the device jailbroken or rooted, is it running a minimum OS or has some patches applied? All of these sorts of checks can be performed at the time of access. And then the last piece is being able to surface some of the compliance of that device to the end user and being able to kind of show, “Hey, you are not compliant.”

Carlos Martinez:

Your trust does not meet the minimum requirements, and by the way, these are the steps you have to take to remediate and gain access to those resources or services. The next part I’ll just briefly touch on is establishing that trust of the user. So from a user perspective, we deployed to all of our fleet of managed devices a certificate that was tied to a user, which helped us enable that user identity, to reduce the number of times we prompted a user for their username and password. That, along with prompting for MFA, allowed us to establish that trust of the user. The last piece I’ll cover is really that enforcement point or, in our case, deploying the infrastructure to allow access to those on-prem resources, and that was through the access proxy. The access proxy allows you to ensure that you establish a secure connection and, as mentioned earlier, you’re able to establish that user and device trust before allowing access to that downstream application or service.

Carlos Martinez:

And by the way, once you have done that with one service, you’re doing that for every additional session or service that you’re accessing. The last piece I will cover is really the connection between the proxy and the policy engine: once you’ve established that session, the reality is the state of the endpoint or the posture can change at any time. And so you want to make sure that continuous authorization is there, so that, “Hey, if your device has now been detected as compromised or there’s an urgent termination,” whatever the case may be, you’re able to take immediate action and terminate sessions, step up authentication, et cetera.

Den Jones:

Awesome. So one thing… So when Carlos explains that architecture, we found in the early days there was no vendor that could do it, right? So if you ever hear these vendors say, “Oh yeah, buy our stuff. We can do all of it end to end,” that really wasn’t the case. And then the other thing, the bigger problem, was we already had existing investments. So like all of you, you already have an authentication platform, you’ve already got some networking stuff in your environment and some access control, you’ve got a logging solution. So as we went through these things, it’s like, “Well, we already have investments.” We don’t want to rip out our Okta stuff, or we don’t want to get rid of our Carbon Black or whichever tools you’re using. You don’t want to get rid of those things. And then the other thing is there’s a team already in place to support all of this stuff.

Den Jones:

So in Adobe, when we did our Zero Trust deployment the very first time, our version one, I increased the staff by one. That’s the one though, right? So you might want to get yourself one like this. And then we spent $240,000 of OPEX. So we didn’t spend a lot of money to get off the ground, up and running. And that’s what we used to cover the 40,000 workers with the 50,000 devices, the 1300 apps, and we were lucky because we were already quite an ingrained customer with Okta. So we already had a really good program around our identity provider and our multifactor authentication. So that made it a really good starting point for us. The big thing for us is, with the existing talent that you’ve got, it’s not moving mountains to use that team to get your journey started.

Den Jones:

So on the getting started piece, I’ll share my meager role in this. A lot of it was selling the vision. So I had to go to the executives and I had to tell them, “Hey, we want to do this thing. These are all the right reasons.” And when you start talking to the CIO, the one thing that they want to hear is, how do I save money? So I could turn around and say, “Well, would you like to reduce the number of service desk tickets related to passwords? Because this will enable that.” And then, as an example, talking to the chief security officer was like, “Would you like to eliminate lateral movement during a compromise? Because if you get one laptop compromised, your network or your existing VPN solution usually allows wide open access across the network to thousands of devices.” I was like, “Well, why don’t we turn that into a guest network scenario?” So you can see your peers and you can get to the internet and then you can access apps and services that way. So do you want to share some of [crosstalk 00:12:11].

Carlos Martinez:

Yeah, so a couple of other things or areas. Really, start with a small core group of folks. I mean, the reality is you’re going to need subject matter expertise across identity, endpoint, et cetera, et cetera. And so for us, one of the things that enabled us to be agile was building that small core team where you define objectives, you then identify some of the key areas that you need to go and implement or deploy. And then every sort of core member will go out to the respective teams and work on some of these problems and come back together. So that’s one big thing that, again, enabled us to move quickly and not be paralyzed with all this consensus across a large group of folks. The next thing is finding that concrete use case that will help catapult your initiative. At Adobe in 2018, we were really struggling to find which applications and which users to kick off our initiative with.

Carlos Martinez:

And then around the fall of 2018, there was a large acquisition that was announced and the teams were scrambling to do what we typically do, which is connect these two networks, allow broad access to enable continuity. And from our perspective, leadership, I’m now pointing to him, said, “Why not use this infrastructure we are working on, this architecture?” And it turned out that it was a wild success. I think it really legitimized what we were doing, and really, I think a month or two after, we ended up rolling out to the rest of the company. The last piece I’ll cover is around just making sure you’re crisp in your communication plan to your users.

Carlos Martinez:

As you introduce this new method of access, you want to make sure that you generate some buzz with your users, enable them to go out and become champions with sales or marketing. We went out and said, “Hey, you guys can help us identify certain applications that you guys want to externalize as part of this rollout.” And so for us, it was all about sharing and soliciting feedback with our users. Den, I know you’re very passionate about the last one.

Den Jones:

Yeah. So we used to run the identity stack both in Adobe and Cisco, and you’ve never… Have you ever said to yourself, “I would love to log in more”? So raise your hands. Okay. What about logging in less? So yeah, love to log in less. Now, because you ran, or we ran, the identity stack, I didn’t ever have to go out to the company and say, “Hey, would you like to log in less, would you like me to improve this experience you’re having?” So we did not have to ask anyone, but what we had is the team connecting our posture checking and our Zen platform into the identity stack. So at the time of authentication, we rode on that traffic. So when people say, “Where did you start?” It’s like, “We started there.”

Den Jones:

Because we did not need to ask permission, we could do it in our dev environment, we could POC it really fast and that got us up and running. And then you could show our executives this new experience of logging in, and actually there is nothing to show them, because you’re not being prompted now and you’re not going to be prompted for VPN. That for us was just a brilliant place to get moving.

Carlos Martinez:

All right. Well, I’ll briefly cover this slide. It may be hard to read, but I mean, this looks like any project you’ve ever deployed at your organization. I mean, it’s basically identifying the key milestones. In our case, no different: we started by identifying what was our objective? What were we going to start with? So we identified a few key applications, as I mentioned earlier, and committed to that. We weren’t trying to boil the ocean, we wanted to define what was our initial goal as part of go-live. Next, we engaged all the app teams for those applications that we identified, made sure they tested the ability to access this end to end. Some of the things that you’ll notice are, as you provide this explicit access, you need to factor in other dependencies that you need to enable.

Carlos Martinez:

And so being able to have a staging environment is key for this. Again, this is a new method of access. The last piece is making sure you involve all of your security organization from the beginning. So that includes a pen test of your environment, ensuring that you have the same, if not better, logging and visibility into access, and you can triage this device associated to this user. All of that, you want to make sure that you get the sign-off from both IT and security on. And then for us, as we were starting to get close to rolling out, it was all about getting that feedback. So deploying the configurations, feeling good that we are not seeing the cert pop up or users do not have to go and reinstall something. We start tightening things down from an experience perspective and start piloting it. And then the last piece is again, as we touched on earlier, just as you go live, making sure you start generating that buzz to your users on, “Hey, there’s a new method of access. Come try it out. You don’t have to VPN, et cetera.”

Den Jones:

Now, that announcement, as you guys know, when you communicate to 40,000 people, not everyone reads that communication. So we’d do that intranet thing, and what was really fun about it is we were doing this project and we had someone contact our security team, they had found this gem. They had realized that you didn’t need to VPN in. They thought that there was a whole no network, a whole no security, and they are like, “I can now access all these applications, I have tested it from three different machines and I did not even have to VPN in.” And they are like, “Holy crap, we’ve broken something without risk.” And then the [SOC 00:18:18] sent that over to me and they are like, “Den, is this your stuff?” And we are like, “Oh yeah, let us check.” So we looked at this user, he had all the good stuff on his devices.

Den Jones:

So he had this certificate, he had this endpoint security software and all this stuff. And lo and behold, the guy was just using our platform and he didn’t even know it. So the great thing about the communication is you do not need to communicate to 40,000 people that they don’t need to do something. It’s really good from a project perspective when the best thing you’re doing is going, “Yeah, that’s our stuff in action and we didn’t really have to tell you.” So for us, that was really great validation. And look, we do actually have a build slide here, and it’s funny, none of the other builds worked up until this point, I guess. So one of the things: executive support is really essential. So getting this moving forward, that was a huge thing for us. And then no vendor could do it all.

Den Jones:

So we’ve just got to realize that all of the vendors you ever meet and see, they’ll try and sell you their Kool-Aid, and ultimately there’s not one that can do it all. You’re going to have to look at your existing investments and figure out from your architecture how and where pieces will fit in the puzzle. And then Zero Trust principles to the organization. When we deployed this in 2018, we didn’t tell anybody about Zero Trust, all they knew was this thing called Zen. And even then they didn’t care about the acronym, right? 40,000 people don’t give a crap. So we tried to avoid this term and really what we wanted to focus on was the benefits. So as I said earlier, we’re improving the user experience, we’re eliminating passwords, we’re improving security. One of the things I didn’t mention was we actually formed a security intelligence team.

Den Jones:

So I had four interns that had recently graduated and we created this thing called security intelligence. They used some open source stuff in Cisco, our good friends Exabeam, we partnered with them. So that was a cool thing to see. But really what you’re doing is some UEBA, you’re funneling that information in and I’m determining the likelihood of your first factor being compromised based on what we’re seeing from that data coming back. So that kind of stuff was brilliant. So sharing this information with our leadership team, we got to turn around within the first month and say, “Look, here are some executives.” Where they’re actually logging in as a first factor, but they’re not paying attention, because the bad actor was logging in as them on the first factor, because their password was compromised, and they’re hitting the okay button on their second factor without even knowing where the prompt’s coming from.

Den Jones:

So then we started this education campaign to make sure we’re reaching out. And then we’re resetting their passwords, because we know that account is compromised. Rather than waiting every 90 days to just randomly change it anyway. So we stopped that 90-day password change because we had the intelligence to know when the account was compromised, and if you’ve been in the identity game long enough, you’ll know that 90-day thing. In the late 90s, early 2000s, somebody came up with that thinking that’s a good compromise of business still moving fast, but people being safe. Roll on 20 years later, we have a better way to do that.

Carlos Martinez:

Yeah, and again we touched on this piece, which is being able to actively communicate, again, not just to your user base, but also to leadership. So using that channel to be able to say, “Hey, we’re running into issues deploying or enabling certain applications,” whatever the case may be, use that channel again to your user base, but also to leadership. All right, now we’re getting towards the end here. But again, just to summarize, here are a few things that you can expect from a Zero Trust implementation, at least from our experience. Number one is you’re reducing the need for an employee to think about, “Hey, do I need to initiate my VPN connection to access this resource?”

Carlos Martinez:

You’re really blurring the experience, allowing users to go onto their browser and access internal.company.com and it just automagically works for them, right? But under the hood, you are getting that additional visibility as to the device, the posture, whether or not the device has the latest operating system version. And in our case at Cisco, what we were seeing as part of this rollout: I think at the very beginning we were seeing about 2.5 million device checks per month and we were seeing about 50,000 devices being remediated by the user. And so that’s employees taking action, right? It’s no longer us having to communicate to them and say, “Hey, please patch your device. Please do this. Please do that.” We’re now in line to say, “Hey, do the right thing and you’ll gain access to this resource.”

Den Jones:

And if you’ve ever tried leading a project like this in a company where they actually make VPN solutions and you’re trying to tell them, “It’s not the end of VPN, we promise.” That was very dicey when it comes to the political landscape. So this is the Shameless Commerce Slide. The marketing team, I think, said we had to have one or we don’t get paid. The one thing I want to really show you guys on the bottom right here is we actually have a team edition. So it’s a… Don’t worry about calling the sales guy, don’t get harassed, that usual stuff. You can sign up and you can actually get this running yourself. So if you want to get an engineering team or a sales team to use applications and services without VPNing in and without the password and all this stuff, it’s really quick, it’s really easy and it’s free.

Den Jones:

I think the word free is meant to be in there, but it’s free. So this is Shameless. So also you can contact us. So as we said earlier, we are practitioners, or we were before we joined Banyan, I guess. So we were practitioners, we have a wealth of experience on how we led this. So we are actually available, we make ourselves available. That’s part of what they pay us to do, and we’re not the sales team. So the good news is I actually don’t really know much about the company’s products. I’m trying to keep it that way, so that I can really focus on the experience, the industry and how we move forward together. And then I do have one other Shameless Slide, then we’ll open up for Q&A. But I’m going to leave you with: we are going to start a podcast next month.

Den Jones:

We’ve got some amazing guests lined up. So John Kindervag, one of the godfathers of Zero Trust, I think he’s going to be on the show. We’ve got the ex-CIO from the White House, Theresa Payton, she will be on the show. So we’ve got a lot of great guests. One of my friends from the FBI is going to join us. So keep your eyes out for that, because it’ll be a fun event every month. Any questions, anyone? Yes.

Speaker 3:

The certificate that’s used to identify the posture of the endpoint and the person. Could you explain a little bit how that improves the login experience, the security posture?

Den Jones:

Yeah, so let me repeat the question. So the certificate that we used to authenticate the user and the device, how does that improve the security posture?

Carlos Martinez:

So to answer the question: we leveraged our device management solution to deploy both a user and a device certificate. So as part of the deployment, we issued that to the TPM for Windows, making sure that there was some policy so that if someone tries to lift that cert, we have the proper logging and policy to prevent that, right? So from the user perspective, that user certificate that’s deployed or issued is, at the time of authentication to, let’s say, a web application, there’s a challenge for that certificate, and that certificate, through different configurations that we’ve deployed, would automatically be selected.

Carlos Martinez:

And so that is done as the first factor for that user, and once we inspect the certificate… So in the case of Adobe, we inspected the cert for the user information, we then validated the user in terms of is he active, is he part of the right role, et cetera. Now in some cases the certificate may not be there, there may be issues. But we do offer a fallback mechanism so that if there is an issue or that cert’s revoked, we do prompt the user for their credentials.

Den Jones:

Any other questions? We’ve got about two minutes left before we wrap up. So the good news is, or the bad news I guess, is we’ll be around for the rest of the evening. So any questions you want to catch up on, our contact details were back here, and then we’ll also be back there where the bar is after the sessions. Thanks everyone.

Carlos Martinez:

Thank you.
