In this Digital CxO Leadership Insights series video, Charlene O’Hanlon speaks with PJ Kirner, CTO and cofounder of Illumio, about zero trust.
Charlene O’Hanlon: Hi, everyone. And welcome to another Digital CXO Leadership Insights video. I’m Charlene O’Hanlon, and I am here with PJ Kirner who is the CTO and cofounder of Illumio. We are going to discuss zero trust. It’s such an important topic for organizations to keep in mind. PJ, thank you very much for taking the time and getting on video with me. I do appreciate it.
PJ Kirner: Oh, thanks for having me. Glad to be here.
Charlene O’Hanlon: Great, great. So let’s talk zero trust. I wonder if, first of all, if you might be able to tell us a little bit about your company and then we can kind of dive into the greater topic of zero trust architectures and zero trust in cybersecurity.
PJ Kirner: Yeah. Thank you. So Illumio’s mission really is to prevent breaches from becoming cyber disasters. Our platform helps customers stop ransomware. And like the one metaphor I like to use is if you think about how people build a submarine, they build it with compartments so that when there is a breach in a submarine they can close that compartment off and you have resiliency.
And so what CSOs need is cyber resiliency, so segmentation and that compartmentalization, zero trust augmentation is what achieves those cyber resiliency goals.
Charlene O’Hanlon: Yeah, zero trust has been a very hot topic in the cybersecurity space for a couple of years now, and I feel as though we are getting to almost critical mass as far as awareness of zero trust strategies. But to me it doesn’t seem as though as many companies are actually achieving zero trust or have really adopted zero trust. So I’m interested in talking to you about ways in which organizations can maybe not even go in full-fledged zero trust, but maybe start to adopt zero trust in kind of maybe some of the quick hits, if you will, in ways that they can approach zero trust without obviously breaking the bank. So what have you seen among the organizations these days as it pertains to zero trust?
PJ Kirner: So you’re absolutely right. Zero trust is a strategy, and often strategies are multi-year strategies, and I think the first question – and so therefore they could take a long time or they feel like they could take a long time and be expensive. I think the first question that needs to get asked is how do I start? What is the first milestone where I could actually get real risk reduction on the road to that much longer journey to achieve those ultimate outcomes? So that’s what can we do quickly, what can we do cheaply, what can we do – and actually report back up to the board or the CEO asking those things, that we actually did something to reduce risk for the organization.
Charlene O’Hanlon: Yeah. That’s a very important conversation obviously, and it really does speak to the heart of really from a business perspective the importance of having zero trust as a cybersecurity strategy. But to your point, it is a strategy, and obviously it’s going to be approached differently by any organization. So do you think that there’s a complexity issue regarding zero trust or is it more about just getting buy-in from everybody who’s involved in developing and implementing the strategy?
PJ Kirner: I have a lot of thoughts on that, and we’ve done a number of things with customers, but I’ll tell you one way people have started quickly – and if you have this in your organization you should jump on it. So I always talk about security being a team sport, right? You have to have the security team and the application owners and the business owners who are running these applications, because we really focus on protecting data and applications. So we’ve had a few cases with customers where the application owner, the business owners were saying to the security teams, like please find me a way to secure my applications.
And one example is a pharmaceutical company we worked with a little while ago. They really wanted to have the application infrastructure that ran the manufacturing machines because it talked to the public cloud. They wanted to have that secured. So they knew how their applications worked and they said, security team, please find us a solution. And when you have alignment – you don’t always – but when you do have alignment between the business and a security goal, jump on that, because that is an opportunity. And we were able to get them up to a zero trust goal quickly in under a week.
Charlene O’Hanlon: Wow.
PJ Kirner: So when that does happen, like the security team should keep their ears open, and those could be quick wins. Now not everybody has those, but pick those up if they do occur in your organization.
Charlene O’Hanlon: That’s great. That’s great. So what other quick wins that you guys have seen in the past maybe that might help organizations at least kind of wrap their brains a little bit more about zero trust and ways that they can implement it?
PJ Kirner: So if you are taking a risk-based strategy to things, you might be looking at where are my critical assets and where are my most important applications and where are my high-value applications, right? And you should follow that strategy and do it that way. But you might end up coming to a thought process where, oh, this is the most critical application, most critical to the business. Let’s start with zero trust there. That might be the ultimate value, but that might be one of the hard things to do.
So one thing we’ve worked with people on is sometimes in their network they do have protocols, especially around management protocols, because those are actually used by ransomware to spread. And where can we just sort of shut them down where they’re unused, right? So you look for places – because the network allows them to happen, and if the network is open, malware and ransomware can take advantage of them. So just shut down attack surface on management protocols that are unnecessary. The challenge with that though, to be able to do that, because how can you just shut things down?
Maybe somebody does use that, maybe they’ll use it later. You certainly have to have kind of visibility first, right? So you have to put visibility out there, sort of collect that information. And then from like a visibility system you can say, oh, nobody is using these things, or here’s the approved places where I’m allowing these things to happen and where they’re allowed to happen from. And then you just prevent everything else. We even find – like Telnet, for example – there are unencrypted protocols.
Telnet is one of those things that people have used in the past. Sometimes there’s a random Telnet port open. But just block all that stuff, right? So there’s places where you can remove attack surface in terms of protocols relatively easily, might be unused, and get some quick wins there.
Charlene O’Hanlon: Alright. Great. So where do you see zero trust moving from here? Do you think we’re eventually going to get to widespread adoption of zero trust mindsets, architectures, applications, everything? Or do you think we’re still kind of closer to the beginning than we are to the end of zero trust adoption?
PJ Kirner: I think from an adoption point of view, everybody’s trying to get on the path. So as you sort of mentioned earlier, there’s broad adoption there. Where they are on their journey, yeah, people say they want to do it, the board has said we’re going to do it. They don’t even have the strategy yet. We’re very much at the beginning phases of those things.
And that’s why small steps along that journey and being able to report true risk reductions, right? Maybe like, yes, you’re trying to get to that high-value, critical business application and the high-value asset. You’ll get there, right? But demonstrate successes along the way and then people will build trust in the program, they’ll build trust in the tools. The organization will learn how to do this, and then things can go faster as they do that.
So I think in that sense, people are early on that journey. But that’s why it’s all about quick wins and proving small successes. I think that can keep the momentum going and deliver security goals.
Charlene O’Hanlon: And it’s also important to point out that zero trust as a strategy, it’s an ongoing thing. It’s like digital transformation. It never really has an end. So it’s something that organizations, when they are considering zero trust, they do need to look at it from that lens. It’s not like a project one-and-done-type thing and then you move on, you’re secure and that’s that. It’s definitely something that should be a regular part of their security mindset moving forward.
PJ Kirner: Yeah. And actually, you bring up a good thought. We have to talk to people about when they put new infrastructure in play. What can I do for the new infrastructure, right? And so you can sort of say, well, I’m going to put a line in the sand, like all new things will have these principles applied. That is a way people have done it in that environment.
But you can’t ignore – you know, everybody wants to ignore the brown field, and brown fields live for much, much longer than anybody wants. You do have to have a holistic solution, but finding the way to not have any more technical debt being created also is an important kind of element of the strategy. And then what you’re doing is you’re having a sandwich and you’re sort of closing from both angles to achieve success.
Charlene O’Hanlon: Oh, that’s an interesting way of thinking about it there. Interesting. Alright. Well, PJ, thank you very much for having the conversation with me about zero trust and ways in which organizations can achieve through these little iterative quick hits, if you will. So very, very much appreciated and thanks for sharing your expertise and your time.
PJ Kirner: Yeah, appreciate it. Thank you.
Charlene O’Hanlon: Alright. I’m Charlene O’Hanlon for Digital CXO Leadership Insights. Thanks for joining me.