FutureCon Los Angeles

“Driving Zero Trust at Two Different Companies: Lessons Learned

As we settle into life with COVID, the topic of zero trust security and a remote workforce is top of mind for all enterprise security teams. During this session you’ll hear from security practitioners who were responsible for the zero trust strategy and implementation at two Fortune 500 global enterprises – Adobe & Cisco. They will share their experiences and tips for rolling out zero trust methodologies at scale.

The audience will gain understanding in:
How to get started:
1. Selling the strategy, people, process and technology
2. How to make real progress in months, not years.
3. Demonstrating continued business value
4. Real world examples. Highlighting improvements to user experience and security posture.
5. Tips and tricks, lessons learned and what to avoid”

Den Jones:

Hope everyone had a nice lunch, welcome back. And so a little exercise because it’s after lunch. So raise your left hand if you’ve heard too much about Zero Trust already. Okay. Raise your right hand if you can read. That’s awesome because I don’t want to read all this stuff to you because I’m sure you’ll get the slides and you can read it when you’re not busy.

Den Jones:

So an easy agenda today, what is Zero Trust? Why do we care? We’ll talk a little bit about architecture and then I want to talk to you about getting started in your journey, right? So for me, I don’t care about the buzzword, I care about the outcomes. So I’ll share a little bit on the lessons learned. So before Banyan, I was working at Cisco, I led enterprise security there. Had a team of 300 people in my organization. We served 110,000 people at Cisco, also by 200,000 plus devices. So as you can imagine, it’s a big complex organization.

Den Jones:

My life at Banyan I’ll tell you is not nearly as complex as this, so I’m pleased with that. And before then, I was in Adobe and I was the director of enterprise security there. And during that time, we delivered Project Zen which was one of many initiatives, but it was the year 2018, before COVID this whole work from home business. And one of my architects beat into me that we should really screw up how we do authentication, we should also add posture check and also not use VPN. And it took him three months to get this into my head because I’m a bit of a slow learner. So roll on.

Den Jones:

So we delivered this in seven months, so we got a really good win there and I’ll share a little bit about that journey. And then I left there, I got a bit bored after a while. I’d been there for 15 plus years, and then I went to Cisco. And at Cisco I reported to the CIO there and we were running a Zero Trust initiative there because Cisco has a big view of Zero Trust. They have it for the workforce, the workplace and the workload. So you may hear these terms branded around and we can even talk offline on what those all mean and my view of that.

Den Jones:

But now I’ve joined Banyan, I run security in IT. I’ll say my part time job because it’s really small as a company, but my big job is really getting out as an evangelist while I can still pretend I’m a practitioner and have that conversation with all of you folks and recollect and reminisce on my experiences. So the real thing here, I’d like to talk about outcomes, right?

Den Jones:

So think of it like this, we needed a new security model because the whole time we’ve been doing identity and access management, we’re only looking at the user ID. But the problem is it’s not just a user ID. If that laptop got breached, we would whack the user ID and that person would be dead in the water. As far as we were saying as well let’s think of a new way. Let’s look at the user and the device together and say, “If that device is compromised, I whack the user on that device, but not the user’s other devices or the user ID.” So let’s recognize there is a better way we could handle that.

Den Jones:

So the other thing was the workforce. As far as I was concerned in 2018, Adobe had went towards this cloud force model, so we were evolving with the business and then the bad actors, they’re just sending you a phishing link. You can click the link, and then as far as we’re concerned, you’re compromised. So whether you’re on LinkedIn and you want that low rate mortgage, or whether you’re on Facebook or whatever else, and you’re just clicking links on your device, that’s all different now. They’re not brute forcing your username and password because they can buy that in a dark web already. So why brute force it?

Den Jones:

And I heard this tons, “Hey, but I’m already in the network, we’re safe.” No, you’re not. Your home network is probably safer than your company’s network because on your home network, you’ve only got four people clicking silly links. In your corporate network, you’ve got 50,000 people clicking crap. So you’re not safe. So as we went forward, it’s almost like that work perimeter is no longer useful. It’s not a boundary you should be hanging your hat on. So what I wanted to do and here’s the marketing team’s best effort of me trying to say this was good. We’re still talking about that.

Den Jones:

So I used to go in there and say, “Hey look, you don’t want to change your passwords every 90 days. In fact, never use your username and password again during authentication. We’ll swap that out with a certificate. And we’re also going to do some machine learning in the background for UEBA, so we’ll know if your username’s password is compromised, as opposed to the let’s change it every 90 days, because we’re not sure.” And if you go back to the late ’90s, early 2000s, Sarbanes-Oxley, you’ll remember they all said, “Oh, you’ve got to change it every 90 days.” And we’re all like, “Why? Why not 45? Why 180?”

Den Jones:

So some idiot came up with 90 and it wasn’t me, so then self remediation. When you’re trying to access stuff and you’re saying, “Hey look my device.” If I’m going to do a posture check in a device and my device doesn’t meet the posture check we don’t want them to call IT because that’s useless. Not saying your IT teams are useless, I’m just saying calling IT could be useless. So get some self service in there. And then the other thing was get rid of VPN. So I don’t like VPN.

Den Jones:

All VPNs do is first of all, you have to increase your operational costs because you’re doing command line ACLs to access IP addresses, that’s how old VPN systems work. And to make your life easier, your full-time employees usually get full access to the whole network. So they’ll VPN into your office network and then they’re in. Now, you might have segmentation. So you might get them to go through some bastion host in your data center. Well, that’s wonderful. But if they’re in your network and your network’s fairly large, that bad actor is in your fairly large network and they can launch the attack to all the other devices on that same office network. So I would rather say, “Don’t let them in your network, have them access applications directly that you make internet accessible via some method that some people will call Zero Trust.”

Den Jones:

The other thing was, raise your hands because you may be getting tired now. Raise your hands if you’d like to finish a project before you leave your job. Okay. Yeah. So what we were finding was a lot of people do these jobs. And if some CISOs are only in their job for two years, sometimes they’re not seeing the end of the thing they started. So you would like to see the end. So when we were in Adobe, we done the first run of this in seven months. When I went to Cisco, we had some Cisco Duo technology. We done that next run in five months.

Den Jones:

When we done it in Adobe in seven months, we hodgepodged together different technologies. And we worked with the vendors like Okta and VMware for them to do an integration that didn’t even exist. So while it took us seven months, that’s working with people to build stuff that wasn’t in existence. So benefits, I think of this like there’s two conversations you’re going to have. You have one with the CIO and you want to talk about reducing operational cost and improving user experience. If you do this right, you get to not change passwords every 90 days. And if you look at your service desk tickets, in the top 10 of your tickets is password change related tickets.

Den Jones:

We reduce those by 60 to 80%. So that number for 40,000 people, every 90 days, not calculating that they do a change and then for 15 minutes, they’re trying to recover, right? And they’ve maybe got four devices so they have to go and update all of them. So the reality is just something like that, selling that to your board is a huge change. Selling to your board that I don’t need to do operations twice, I add you to the user directory group to access on the app, why do I need to then add you to a VPN ACL to get access to the infrastructure that that app is served on. And not to mention, it’s probably just some IP address it’s hitting a load balancer that goes to some app. So that visibility is really hard when you’re looking at it from a VPN lens.

Den Jones:

Now, security. Enforcement of device posture during your login is really cool. I like to think it’s cool because I’d like the stuff that accesses our HR system to at least be a recent OS, be patched, maybe have some malware protection if you don’t mind, that’d be kind of nice. So the other thing, and this is something that Adobe has only begun to do years after I left. And this is where your kind of culture and politics comes in. It’s really flipping the switch to say, “If you don’t have it, you can’t get it.” So if you don’t meet our minimum bar, you’re not getting it. And in some cultures that’s hard and some cultures that’s easy.

Den Jones:

And then the last thing for me is security intelligence. I created a team in Adobe called security intelligence. Why? Because we’ve got all these logs of all this stuff that’s happening and we’re doing nothing with it until a breach occurs, then you start looking at that stuff. It’s like, “Well, why don’t we look at it beforehand and we can determine the behavior of the users and we can know what normal looks like, and therefore we can gain some trust about the user and what they’re doing in that device. And then anomalous events start to raise a flag. That’s how I know your account may be compromised. And that’s why I don’t need to change your password every 90 days. So there’s a huge upside on this for both security.

Den Jones:

Now, the other thing I would say is M&As. We done two M&As around the same time in Adobe we were doing the Zero Trust stuff. One of the networks was in a high risk country. We didn’t want to join that company’s network to ours. It was like 500 users, we just wanted them to access the apps for day one. And we lit that up in minutes. All we had to do was get them to install some of our agents on their endpoints and they were done. So I don’t need to build out infrastructure. I don’t need to join networks. I don’t need to worry about the risk of that network. And that for me was a huge win for us.

Den Jones:

In a shameless plug, I will have a blog post going out next week I think just on that M&A topic where I go into great detail on why you want to do that and why it’s good. But it really legitimized our efforts there. There are some common components to this, I’ll build this slide out. So there are some common components. There’s the endpoints. There’s the access proxy. So if you want to come into your network, because a VPN is really a reverse proxy, right?

Den Jones:

So instead of that, if you’re going to give it a VPN-less experience, you’re now using your reverse proxy equivalent. We hosted ours in AWS and had a VPC tunnel back, so that was pretty easy. And then the policy engine is really in any implementation where you’re doing workforce to application access, you want to say, “Look, I need to know the risk in the device posture.” So you give the device a risk score, the user has a risk score, the app has a risk score. This policy engine in the middle just really enables you to determine what you’re going to allow to occur.

Den Jones:

So you get to choose whether that you want that device to access that application based on its risk or its posture. But you might also say, “Well, wait a minute, it’s just a website. I don’t care if that application has the same malware protection software that we have internally.” So a good example is if you’ve got vendors or contractors and you can’t put your device management software on their devices, then you can actually use this method to give them access to certain applications and services, but without exposing your whole network and without exposing other systems.

Den Jones:

One of the biggest things is you’ve all already spent a shit-ton of money on all your stuff. So every vendor you ever speak to will try and sell you on, “Buy my stuff and you can get rid of all of that stuff.” Well, my experience told me was that’s crazy. I’ve got a five year contract here, a three year contract here, I can’t do that. So the really important thing for me in this architecture was finding partners that could come in and integrate with what we had rather than tell me to replace what we have.

Den Jones:

So when we done this in Adobe, we spent $240,000 in the first year and increased our head count by one. That’s because we leveraged the existing investments and we leveraged the existing teams. The people that done the directory were involved, the people that done the endpoint were involved. So you don’t need to, if you really want to make progress, you don’t have to build an army. In fact, when I got to Cisco, they had 75 people working on this thing for two years before I turned up and they’d done lots of pilots and lots of POCs and a shit-lot of documents. And I saw 125 page document, and I’m like, “The title’s wrong. I’m not reading it.” And I just threw it to the side.

Den Jones:

I’ve got everybody off the team. We built a core team of six people, one to represent each of the areas we required. The other 69 people, they were welcome to sit to the side and not get involved because the more people, the more ideas, the more distractions and the slower we moved. So you got to be really careful on who you invite but you don’t need to have a big army.

Den Jones:

So the biggest thing for us to get started is sell the vision and don’t sell the vision saying, “I’m going to do some Zero Trust.” Nobody gives a crap. Sell on outcomes, the business value, and for me, it was all about the user experience. I’m going to improve the user experience. I’m going to reduce operational costs and I’m going to improve security at the same time. Very rarely in your career do you get to sell that vision.

Den Jones:

We had that small cross-functional core team, and then we found a concrete use case. So while we had done a POC in a pilot to demonstrate we could do it, our best use case was during that M&A situation where we really had to make a choice. Do you want to join your network to a company that you’ve acquired that’s in a high risk country or do you want to do it this way? And clearly the this way bit seems a bit easier. It was lower from a cost perspective, it was quicker, but also enabled us to not join our network to the high risk country environment. So run a focused communication campaign.

Den Jones:

Here’s the interesting thing. It’s not a campaign to your users. If you’ve ever had to ask your users will they like it to be easier to log in, then you’re doing something wrong. So I just turned around and said, “I don’t need to ask permission to improve the log in experience. I’ll just do that in the background.” The communication campaign was actually internally with the people working the project, the leaders, the C-suite so that they all knew what we were doing and when we were doing it. And I put a big line in the sand, “By this date we’ll be done.” And that weekly report that went out had a ticker counting down the days to being done.

Den Jones:

When I was at Cisco, our timeline was by next year’s RSA we’ll be on stage talking about how we done it. So everyone knew that’s the day, and nobody wanted to be the one that got involved or got in the way of us missing a date. So it was important. I’ll share this story, right? So in Adobe, we got a call one day from our security team and they’re like, “Hey, we think we’ve got a security incident. One of the engineers has reported this issue.” He is able to log in to these internal services without using VPN. And we’re like, “Holy shit, really? Let’s look into this.” And it turned out he was using our platform.

Den Jones:

He didn’t know he was using our platform. His device met the criteria to get in, his authentication, his device management, all the stuff that we wanted in the posture check was there. But this genius, because he thought he was a genius. He thought he found a vulnerability. And really what he found was he was using our platform, not VPNing in and he didn’t even know because we didn’t tell anyone. We didn’t communicate to 40,000 people you don’t have to do anything. That’s a dumb communication.

Den Jones:

And then the technical starting point is integrate with your existing identity platform. So we were an Okta shop, it was very easy. You do the authentication, it does a redirect to your device posture. And we actually wrote a white paper on that, so that’s also available. And then I’m going to go through this quick, because this is really, it’s not useless, but if you’ve run a project before, start small, get moving, blah blah, blah, blah, blah, blah. And that’s how it looks, I’m sure because you can all read.

Den Jones:

So what not to do? Oh no, you do want to do this. You do want their support. You also want to know how to manage up. You’re not telling them everything, but you’re telling them the key points. Like, “Don’t worry, we’ll get it done.” That’s usually about as far as I got. And then no vendor can do it all. I don’t care. You can talk to our sales team. I don’t like talking to sales people, I’ve done this job for too long. So I tell our own sales people, I hate talking to sales people. You guys suck.

Den Jones:

But leveraging what you have is important and then finding out your gaps. You need your use cases. You need outcomes, but let’s start off with introducing principles to an organization. Well, we didn’t have to introduce Zero Trust principles because who cares. The problem though is the execs are hearing this term every single day. And if you look at surveys, like 85% of them have that in their goals, they don’t know what it means. You can’t go around this room and get the same definition from any one of us. So the reality is how do they know what that goal means?

Den Jones:

So the thing for us was talk to them in ways of outcomes or results, business value. And then you can measure that, but you can’t measure I deployed some Zero Trust because I don’t trust that. So avoid the term Zero Trust, doesn’t mean crap. Share the benefits to your users and your leadership team. It’s very easy to say, “By the way, you’re not VPNing in any longer,” they get that. And then active communications. I said it’s really inward with your team and your stakeholders rather than the user base. In our user base, we’ve done an intranet news article.

Den Jones:

I love this countdown business because my problem with everybody I work with is they try and skirt around the fact that there is a line in the sand and then they’ll give you reasons to push it out. And then the PM will make it green again because they’ll just adjust the dates. And all of a sudden you’ve been green 18 months later, I hate that shit so I try to avoid it. At the end of this, no VPN, an improved user experience and some better security. If you’ve not got that in this talk by now, you’re sleeping I guess.

Den Jones:

And then this is a shameless commerce slide. I work for a company called Banyan. We do have a website because we’re real, but we actually do have a bottom right Team’s Edition. It’s free for 25 users and you can set it up, again without calling those pesky salespeople. If you want to do something with it, contact us.

Den Jones:

Carlos isn’t here today. He was meant to be here, but he’s lazy so he didn’t want to come. We’re both available though. Carlos worked with me at Adobe and at Cisco and joined me at Banyan, so if you ever want to figure out how to have someone shamelessly follow you, whatever you go, ask him and you can book office hours. I’ve got a calendly link in here (https://calendly.com/denjones). So when you get the slides, this will all be available. I’ll also be at the booth out there after the talk. And now we’ve got some time for questions, unless I’ve done such a good job that you’ve none.

Speaker 2:

Well, yeah. There are a lot of vendors that throw Zero Trust into their marketing pitch, right? We have Zero Trust network, we have Zero Trust firewall, Zero Trust what have you. So I’m just curious from your perspective, what does Zero Trust mean to you?

Den Jones:

Awesome. So the question is what does Zero Trust mean to me? Because everyone throws that term out. I’ll tell you what it’s not, then I’ll tell you what I think it is. It’s not I’ve got ACLs, right? It’s not I’m doing fine grained authorization and it’s not I’m a twisted VPN player. That’s cool and all, but that’s just identity and access management really. So I look at it like is it architectural principles? And then if you go back to NIST and some of the other stuff like John Kindervag, and then BeyondCorp, everyone’s gone from, “I just want to know the network I’m on,” to there’s a varying level of trust. Generally untrusted and the device and the user has a level of trust, and the application you’re going to has a level of trust.

Den Jones:

For me when I joined Cisco, they had three ways to describe it. They were like Zero Trust for the workforce, for the workplace and the workload. And I think that might be entitled to the great companies they bought over the years, right? They were trying to pitch themselves in this way. But the reality is user to applications is one thing, then services to services is another thing. And then when you’re on the network, your office network, people think of NAC and they’ll say that’s a Zero Trust.

Den Jones:

For me, at the end of the day, I think it’s the ability for us to gain better trust on the people and the things that are accessing the stuff. And if you go back to what our job is, our job is to protect the data. No one gives a crap about any of the other stuff. Your workstations could all be compromised for all we care, provided the data is safe. So it’s all about data theft and your ability to run your business. So at the end of it for me, I just look at this really as a better evolution of identity and access management, more than anything else. And recognizing we shouldn’t trust the networks we’re on, the networks are no longer important. And you can ask 10 other people, including John Kindervag, and I’ll tell you you’ll get 10 different answers. Any other questions? Yes.

Speaker 3:

Are there any guidelines that will indicate how much effort one needs to put based on the size of organization, expected threat actors and similar factors?

Den Jones:

So the question is-

Speaker 3:

[crosstalk 00:24:42] set for all the organization or the size will matter?

Den Jones:

So the question is about is there any guidelines on the amount of effort required depending on the size of the organization, your environment, threat actors and other external entities, workloads, yet? I don’t know of any guidelines, I know that NIST published Zero Trust architecture, and within there, they put some other information about how to go about a deployment. I think the reality is I looked at this like a cookie cutter approach.

Den Jones:

So I want to get to a position where I can publish one application to a group of users. And then after that, all you’re doing is adding more users to the group and you’re publishing more applications. And for us, and depending on how you do this, we didn’t have to work with the application teams, so we could scale to 2,000 apps in Adobe really quick because we already had 2,000 apps enabled via Okta. So it was a really quick transition for us. And the amount of effort that team today, the core team, Adobe is still only four people. It’s not an army because they’re really just doing a twisted version of the same job they’ve done before. I’m an Okta admin, I’m an endpoint guy, it’s the same stuff. I don’t know of any guidance really that gets to that level of detail. And I think that’s because there’s not enough people that agree on what Zero Trust means and what it would mean to you in your environment. Yeah.

Speaker 4:

To your example when you were talking about, I think it was either Adobe or at Cisco, about the user who thought he found that vulnerability, circumventing VPN but going through your system, did you keep the VPN eventually or did you get rid of it?

Den Jones:

Yeah. And then I think this will be the last question. So basically the user that found or thought they found a vulnerability because they weren’t using VPN. We still kept the VPN in place. What we found though, was users weren’t using the VPN. We still had other use cases like B2B and other things where the VPN was still required. They still have their VPN today, but it scaled down a lot more than it was. And the day that everybody got sent home because of COVID, their VPN environment didn’t have to be touched because most other companies were having to scale theirs up.

Den Jones:

Well, we already had their Zero Trust thing in play and it was auto scaling. So it didn’t matter, right? So I think the reality is don’t use getting rid of VPN as a financial justification to make this investment. I think certainly we can reduce and eliminate it over time, but I never went down that path and I’ve been asked this question a lot, “Did you use getting rid of VPN as the financial savings to invest here?” And I was like, “No, never.” Some companies might. Sorry.

Speaker 4:

It’s good to be [inaudible 00:27:47] as well in case something goes wrong.

Den Jones:

Exactly. By the way, if you have another project where you had this fall back so easy like, “Hey, if that does work, I don’t care, use that.”

Speaker 4:

Yeah.

Den Jones:

It’s cool. And we done that and that worked really well. Everyone, thank you very much. I’ll be outside if you want to speak later. Thanks.

Book Office Hours with Den Jones

If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.

Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.