Zero Trust with Estefania Fernandez and Neil Lovering

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Today, let's see, Andres, June 26th. Welcome everybody to the Security in 45 show.

(00:06):
Andres, summer has started. Kids home from school. It's super hot here in North Carolina.
I know that's going to make you laugh a little bit there. I know my North Carolina temperatures
are like winter for you Florida people. But I hope everyone's having a terrific week.
And today we're going to have a great conversation on Zero Trust.
Zero Trust, a topic everybody certainly needs even if they don't realize it.

(00:34):
Exactly. Yeah. And it's interesting because we hear a lot about Zero Trust every day. We hear,
you know, what is Zero Trust? What does it do? Is it a framework? Is it a deployment? Is it
something that we say, for example, a lot of components, things that, you know,
we have already in an environment and the reality is that Zero Trust is not a product.

(00:58):
And we'll talk about that today. I know Mike, we were talking about it earlier. We're super excited
to have two super rock stars guests in our show today. And let me introduce you to them. We have
Stephanie and then we also have Neil. And I would like to give them some time just to make sure

(01:18):
they introduce themselves and we get to know them a lot more. I'll give it to you, Stephanie.
Thank you. Well, I'm Steph. I am a TSS security engineer specializing in security. I work in Cisco.
Not as many years as all these guys over here, but I've been here my fair share of years.

(01:38):
I'm based in Mexico City and I'm happy to help answer any questions that you may have.
My name is Neil Lovering. I've been with Cisco for a little more than 20 years.
I've been doing this networking thing for probably three decades or so since I
got out of the military. I had a CCIE for almost all of that 30 years out there and

(02:03):
just happy to be here and have fun. Thanks. That's awesome. Steph and Neil, I'm really
looking forward to this conversation with you. Neil, you've got such a wealth of experience
and you're a constant learner. I think it says a lot when we were talking earlier and I pointed
out your CCIE number 1772 and you still continue to get certified. And I made a joke about, hey,

(02:30):
are you using your grandfathered in at that point? You said, no, I would call that quitting. I remain
certified. So I think that says a lot. And Steph, you've got a really interesting background in
software engineering. We're real similar with that. I know that's how you got into Cisco
originally. So both of you just have great perspectives for today's topic on zero trust.

(02:53):
Let's just jump right into it. Zero trust is probably something that a lot of people have
heard of and some people are on that zero trust journey. Neil, for you to start off the first
question, I'll throw it your way. Where does the zero trust terminology come from? Why was this
term even invented? Why was it invented? It's hard to do why questions. I've tried to avoid those for

(03:18):
most of my life out there. But really the concept of zero trust came out a little bit more than 20
years ago, actually. They kind of started that kind of as a way of trying to define a better or
closer concept of security, kind of saying that individual users or devices or users with their
devices should only have access to the applications or the resources that they need to. And everything

(03:43):
else is kind of a deny all policy. And we've, you know, security folks have tried to build
worlds like that where you only have permit lists. And of course, those are usually met with catastrophic
failures because you have no idea what the world is going to offer up or where you need to go in
today's world out there. So those definitions have evolved and merged and grown over the years too.

(04:05):
And we point that out with lots of different sessions at Cisco Live and stuff if you have
ever a chance to go. But it's important to understand that vendors themselves should never
be the ones who dictate to anyone out there, this is what zero trust is. Vendors are their participants.
They bring the products, the capabilities, the engineering aspects to helping you achieve those
zero trust goals. But zero trust is an industry concept out there. It's really important to

(04:29):
remember, I think. That's so true. I think that's something people forget is that it's not one
vendor that created it. It is an industry and each company is going to approach it in a different manner there.
Yeah. And the other thing is that you see a lot of, and I love this show already because

(04:52):
we're not just biased over one technology or one vendor, things like that. This is like a general
thing, right? We have many different things. We have many different definitions of zero trust,
many companies already have their own version of that. And just the main idea is just to try to get

(05:12):
into a common place where we can say, hey, this is a good starting point. So this is already
really good. So I was just going to say, and it's named correctly, like of all the confusing
terminology we use, this is something that's actually named correctly. I'm giving you zero
trust until you can prove otherwise to get onto the network. Which itself is kind of a challenge

(05:38):
if you think about it. Mike, if you and I have absolutely zero trust and there's nothing we can
do to ever become friends or to get at least a little bit of knowledge or insight or the ability
to grow a friendship. So there has to be a little bit of give or take when you start that process of
introduction to then take that relationship and flourish it. And that's exactly what zero trust is.
Maybe there's a growth of over time you get better and more access because what we know about you

(06:05):
and your device is actually improving. Or that could change in a heartbeat too. Very good point.
Very good point. Yeah. And in terms of changing in a heartbeat, yeah, we talk about zero trust being
like you can have a retrospective alert or something like that where you could maybe have
your trust revoked or diminished in a way as well. So you're a call out. Yeah. Yeah. Yeah. So many

(06:30):
different ways of ramifications in the zero trust. So I'm excited about this. And Steph, I do have
the next question for you. Just if you don't mind, just name like an everyday example, zero trust and
what is not, what it is and anything that you can tell us about it. Yeah. Well, everyone enforces a

(06:53):
certain level of zero trust in their day to day life. Even if we don't notice it, we are doing it.
For example, almost everyone here surely has some sort of social media. So when you go online and
you configure your social media accounts, when you accept a friend, you are giving them access to the

(07:15):
things you post, the things you think. So you can start giving them access. But even in your social
media, you can start configuring. So only your closer friends can have access to very specific
posts that you make or very specific things that you say. So you can start giving these granular
access to different levels of yourself that you have posted in social media. Now, we talked before

(07:40):
that all of you here are parents, all of you are dads. So another good example here is the parental
controls that you can have in your devices at home. You don't want your kids to access every single
site online because not everything is age appropriate. So you have these controls so your kids are safe
online. And you can even say, okay, you are allowed to go to these videos on YouTube, you're allowed

(08:04):
to go to these games, and that's it. Because not everything online is safe. So you can give this
different level of access and different level of controls to your kids.
That's a really good analogy. I actually have a lot of fun blocking stuff here at my house with my kids.

(08:25):
I don't know, you guys... It's funny too that the example that Steph gave, it's little things like
that in life that we might already be doing and not really thinking about applying to something
as geeky as like a zero trust. And then when you actually go to work and you start doing zero trust,
you can't figure out where to start or what to do. You're already kind of doing that. It's just a
mentality or a focus point or an individual concept. And that's exactly what Steph was

(08:47):
talking about there with friends and family. It's like a fundamental thing, like getting to know
somebody, sharing some information about, in this case with the social media example,
it's absolutely true. I never thought about this. Yeah, we are all doing it in some way or another

(09:09):
with maybe just as part of common sense throughout our daily lives. So that was a great example. I
like that one because it kind of relates Steph to everyday things that we're all doing. Neil, what
about... Same question for you, an example of zero trust, but this time being related to the nerdy

(09:33):
aspect of it in our industry and kind of the security networking industry. Any common examples
or use cases of zero trust that we may find out there in the industry? We kind of see it happening
a lot in today's world if you think about it. You might actually trip across it just when you access

(09:53):
your bank account information. As annoying as it might sound, you get some multi-factor or your
phone goes off or you have to check an email and type in a code or something like that. So that's
kind of a concept of, if not an absolute application of zero trust. So again, it's you and your device
or maybe specifically more you and you happen to have a device accessing one particular application.

(10:18):
Obviously it doesn't give you access to the entire banking industry. It doesn't give you access to
online shopping lists. It doesn't give you access to free movies or downloads. It's the banking
activity, that one thing. So I think that's a really interesting example. And there's multiples
of those in today's world out there. In your networking environment, folks might set up an
example of when I want to log into a server or something, there's only a defined list of people

(10:41):
who are allowed access to this. That's kind of zero trusty in a way that Mike and Neil can get
there, but Andres can't. But Andres has access to the super awesome server out there that no one
else can get into. So is that zero trust? Maybe, maybe not. It just depends on how you look at the
definitions of that. But again, if you're providing individual control or access methods to something

(11:06):
that exists out there, that's kind of zero trust by all of the basic definitions out there. Some
vendors, again, might not have a solution unless they don't consider it that. But remember, vendors
are not making the definitions here. That idea, and it's important for the segmentation because
yeah, with that example between Andres and I with access to different, Andres has an example to

(11:29):
maybe one part of a server that I don't. If my part does get compromised, it's not going to
essentially, or it might not affect his part as much. And it certainly is a good way to
separate the roles. I can still log in just enough to do my job. I don't really need access to

(11:49):
Andres part of the server to do my job. And that's really limiting a lot of risk right there.
Yeah. And that's another thing that I believe it helps a lot with understanding
what the whole zero trust idea is. I know from the industry here, things, let's say for example,

(12:15):
zero trust network access or application access or other things that they mention. And
it just makes, that segmentation is also part of it. And I think it takes us to a really good place
or that common place that I was talking about earlier on the zero trust. So pretty cool.

(12:36):
You bring out some interesting points there too, Andres, the concept of zero trust network access
or zero trust application access. I think some people don't have enough time on their hands or
too much time on their hands. They keep coming with more and more acronyms for our lives out
there, but it's kind of also showing us that the concept of zero trust can be applied to various
things and zero trust can have controls at multiple places out there. It's not just the user

(13:00):
and the endpoint and the iPhone in your hand and the application in the cloud. If you have access
to and your environment has a network, then use the network that can give you controls and visibility
and segmentation if you want. So there's all kinds of things that can help you reach those targets of
what zero trust is in your definition or the protection profiles that you really want.

(13:23):
Imagine the larger a company grows and the larger the threat landscape gets,
the more important zero trust essentially becomes because you've got all these different
avenues of potential attack there. I will be curious.
Sorry, Mike. You see that now with our customers moving to Amazon Web Services and they need to

(13:43):
extend their policies there as well. It's a growing beast.
Yeah, I will be. And I do have a question that I'll ask one of you later about best way to maybe
get started on something like that. I mean, that seems like a massive undertaking. So I will be
curious your thoughts. Maybe if we have some time for that, I'll be curious where you would start
on a huge project like that. Yeah, we'll get to that one for sure. And actually, I do have the

(14:11):
next question for you, Steph. And this one is more oriented to the technology, the way that we
implemented things that you know, for example, what are the tools that we can leverage to start
implementing something like Zero Trust today? You will hear this a lot today, but Zero Trust is

(14:34):
it's a journey. So starting to adopt technologies and tools. Well, it could be challenging at the
beginning, but we need to start somewhere. I've seen with my clients that what they need the most
at the beginning, it's an MFA. We cannot rely only on users and password anymore. This is very risky

(14:59):
nowadays. We have malware actors that have so many techniques to be able to break a password
that relying only on them. Well, it's just not the best route anymore. And well, our users don't
help either. We have users that leave their password in post-its that they just save it in
the notes of their phones. This is just not very safe. And nowadays, it's very common that we have

(15:24):
password administrators that last pass and they have their own level of risk themselves. So we
cannot just rely on this to be able to give them access to our sensitive information. We need more.
We need more layers. So with this extra layer with an MFA, we can be at least more certain that this

(15:44):
user is who they say they are. Another basic step that we can take on this journey is a basic one,
is having endpoint protection. Your security products may fail. Your firewall may not look at
that malicious file. And well, having this last line of defense is always great for having
protection on your endpoints. And well, again, a very essential pillar in your security journey.

(16:12):
And as you said, as you guys said, the segmentation is essential. We need to start
limiting access to all of our resources, to all of our users. Maybe if you ask your questions to
yourself, like, am I going to allow these random users to access these finance documents that have

(16:33):
very sensitive information from their personal iPad? Maybe not. Maybe they don't need access to
that. Maybe if they are accessing from a corporate device that has the antivirus in place, that has
the adequate operating system that has less vulnerabilities, maybe then if I implement my

(16:54):
DLP engine and I know if this user is trying to send this sensitive finance document through their
personal Gmail account, maybe with those layers and layers of protection, maybe then I can give
them access to these very sensitive documents. But yeah, it's beyond checking if my user is saying

(17:15):
who they say they are, is checking credentials, is checking if they are using the correct device
and if they actually have access to that very specific resource.
You actually bring a really good point on the segmentation and the category. For example,
this finance file or server or anything. I think it's something that gets overlooked

(17:41):
most of the cases is just make sure that you categorize your data, sensitive data,
what's critical, what's not and things like that. So I think that brings up a really good point on
that. It's great Steph too, you pointed out there's layers of security here. That concept's been
around for a while. DoD in the US had defense in depth forever out there. Jokingly, UGERS

(18:06):
are filled with layers, so said Shrek out there, but the multiple concepts of overlapping
technologies and capabilities is what really is going to drive our security solutions today.
Yeah, without a doubt. Steph, I like the aspect you mentioned, which was the device itself,
because I don't know, do you guys feel like a lot of times that gets overlooked? I see

(18:30):
a lot of emphasis on doing, they'll get that MFA check in place and yeah, you are the correct user,
but then we forget some of the basics about the device you're on. Yeah, great. You are absolutely
the trusted user that we want to have on the network, but you're on an infected BYOD device,
for example. So I think that's a huge component. All right, so this was a big one for me, this next

(18:57):
question, Neil, because where do you start and kind of, you know, what's the best way to start
and is there a recommended approach? If I'm listening in on this conversation we're having
right now and, you know, hey, this is something I need to get a grip on and my manager wants me to
start designing a zero trust implementation for our company, any recommended advice you have based on

(19:24):
what you've seen out there in terms of where to start? That's a great question because it's a
difficult process to say that there's a one size fits all here. Steph threw out some great examples
of some of the technologies that are almost necessary or seem to be represented in parallel
with zero trust and multi-factor authentication, for example. That might be a quick win. It's not

(19:45):
too difficult to get that up and running. Cisco had it rolled out across their entire global network
in a matter of weeks for the most part. So, you know, maybe it's because Cisco is full of a bunch
of smart people too, but that concept is something that could be actually adopted and consumed quite
well. Using that other thing out there, maybe from your perspective as someone who needs to roll out

(20:07):
zero trust or get an understanding of it, do you have any pain points right now? Do you have any
problems? You know, look at that as a place to implement some tools or have some conversations
around. Oftentimes, too, zero trust is probably going to involve just more than you, the security
person. It might involve the switching folks, the wireless folks, the AD folks, the cloud folks.
Do you have conversations with these guys? If not, why? Why not? You know, have a cup of coffee,

(20:32):
get some conversations going because when you start implementing these corporate-wide, these
campus-wide, these customer-wide security enablement technologies out there, it's going to
touch a lot of folks, not just your desk or your security team out there. So, I think the biggest
thing out there, again, if you want some quick wins, you can easily do that. Find where it hurts

(20:54):
right now or what's being pushed down upon you and do that. But in the longer run out there,
you know, build some friendships, get some coordinations going, and you could be the jack
of all trades, figure out what you're going to do today as far as taking small little bite-sized
pieces off that elephant. That's a really good point. Yeah, because if you're designing something
on that larger scope, that's a great point about communicating and making those friendships with

(21:18):
other people in your organization because they might be seeing, you mentioned pain points, they
might be having pain points that maybe I have not had. So, what are those pain points? And maybe
that would be a great way to start the journey. It's just, hey, let's get back a bunch of time
savings because this one particular event keeps happening and maybe some basic segmentation is
where to start. I like that. I think it will vary from client to client. If we talk to a small

(21:44):
company, there is one guy who is a network guy, a security guy, an AD guy. So, he's having
conversations with himself. So, yeah, I don't think there's a blueprint for every single customer we
have, but yeah, start somewhere and start making a plan for your security journey, of course.

(22:05):
That's a good point, Steph, is do something. Don't sit around waiting until you have the complete
plan because if you take that approach, you're never going to start. You're never going to have
the full plan and there's always things that are going to change out there. Do something.
You're flying an airplane. You can't go from here. I'm in Herndon, Virginia, to Los Angeles on a
straight line. The plane is going to duck and dodge and go up and down all over the place because
that's just what it does. It's making your life easy as a passenger out there. Do something.

(22:30):
Start somewhere. Never stop.
Yeah, and another thing that I'm thinking of that also applies on where to get started is,
again, identifying what are the things that we're securing. That is, I think, one of the
biggest starting points for Zero Trust. Where do we start applying those security controls?

(22:56):
And that makes a lot of sense, I guess. Kind of identifying the important assets
and getting the inventory part of it. Yeah, the visibility, right? That
and I heard this one a lot over the time. You cannot secure what you cannot see. I don't know
if you guys have heard that one and it's on point now that I see where can everybody can get started.

(23:20):
That's good. All right, all right. So you guys are making this too easy.
You know what's funny? We've only on this topic, we've only mentioned where we work with Cisco
like two times. So that shows you that this is and then a vendor agnostic concept, as Neil mentioned

(23:44):
on the very first question. So pretty cool. Yeah, yeah. It makes a lot of sense like this.
I want to and Steph, I think the next question is going to be for you. And let me see my notes here.
Hopefully I don't lose this one. Yes. So we have heard like I know I've delivered for a lot of my

(24:10):
customers Zero Trust workshops inside here in the US. And I've heard that there's a lot of
for a lot of my customers Zero Trust workshops inside here in Cisco. One of the things that
we talk about is frustrate the attackers, not the users. So if you don't mind talking a little bit
about that high productivity versus the strong security paradigm, that'll be good to hear.

(24:37):
Yeah, well, I think we need balance, balance between security and usability. For example,
if we talk again about the MFA, when we are implementing the second factor,
we recommend of course, choosing a method that it doesn't have like a big learning
cure for our users, maybe choose something they already know how to use. It could be for example,

(25:02):
biometrics, they already know how to use the fingerprints for accessing their phone,
maybe their laptops. If you choose that method that they already know how to use,
it won't be as annoying as find your hardware token and use it. Or let's send a code through
your mask to your phone and you type the message and now you can access. So if we can make this

(25:26):
easier for our users, this can help them a lot with these new tasks that they now have to do
every day. We can also implement technology that is hidden. They don't really know we are there
checking their posture because this is a hidden agent that we have, but we are checking it. We
know you're using that you have the antivirus running. We know you don't know that we know,

(25:49):
but we know. We can implement, for example, an RBI with our executives. Executives are known for
not wanting, for wanting to be able to access every single site that they want. They don't want
to be blocked. They are executives and they want to access everything. So with this technology,

(26:10):
we are able to say, OK, go wherever you want, but in a safe way because they are not. They are going
to the site for them is the same experience, but it's not really the same site. This is rendered
image of the site. So this kind of technology is very user friendly for them is the same experience
as before, but now you can sleep at night knowing that they are protected. And well, another thing

(26:35):
I can think about is consistency. If we can provide these consistency, whether they are in
the office or at home and they don't have to guess if they can access the application using the VPN
or not or from their personal device or not, this can help a lot our users to have these same
experience every single time. That use case that you mentioned about the executives wanting to

(27:02):
bypass the security so spot on. I'm pretty sure that it's resonating with a lot of the people
that it's on this call just because it is so true. Like, I don't know how many times when I used to
be in operations some time ago, I remember hearing this like, yeah, you guys are implementing security

(27:23):
and things like this, but you know, I cannot access my X1C website. So yeah.
I like the consistency part is nice. Like having a consistent way is the user where when I log in,
it's the same way every time. And we think about like single sign on, for example, when I authenticate
into the network, I do it one time and it's always the same. And I don't need to remember, I need to

(27:48):
authenticate in this particular way for this particular application. I like the hidden part
of that stuff because yeah, it's great. If I can have my, we were talking about scanning the device
earlier, if I can do all that, I don't need to manually worry about any of that or even be aware
it's coming on. I heard this analogy, it was here from someone in Cisco about, you know, you

(28:12):
shouldn't have to understand like the piping to get to where you want to go in the network.
You know, there's all these pipes connecting everything. And I, as the user, shouldn't really
have to know or understand that or be aware of that. But through like proper segmentation,
it's really nice to frustrate an attacker who would have to figure that out or have to start

(28:36):
thinking about, oh, they have this company has really good segmented role-based access. And
I have compromised an account and I'm in a small little area, the small little segment, but they've
made it very difficult for me to get outside of the segment. So very difficult for the attacker,
but very easy for the user who's just wanting to do their job there.

(29:01):
Segmentation is an interesting term that Mike do because it's not the packets that you have to
worry about as the people who originate those packets and the targets that they're eventually
trying to get to. So if the network or the access is setting up those channels or those swim lanes,
then you're destined to not be able to get to where you need to go or not execute the protocol

(29:22):
of the port when you eventually hit that destination that you are allowed to at least reach.
You can knock on the door, but you can't go through the door, so to speak, or have an analogy from
that perspective. So all that falls into that concept of segregation or separation or segmentation,
whatever term you prefer across there. And that would certainly help that concept of thwarting

(29:44):
or frustrating those attackers. They get into the network, but they can always,
they're only allowed to go left. They can never get to the right-hand side of things.
Absolutely. And basic MFA, yeah, that's a frustrating way for an attacker. Great, I've compromised the
username and password, but Steph, you mentioned MFA being a nice way to start if you're not sure

(30:04):
where to start on the journey of zero trust. And that's pretty frustrating to do an attacker,
not being able to log in when you have the username and password. Neil, what do you see where people
mess up zero trust? I've got my plan and I'm doing my plan and it's just not working. Do you see

(30:25):
any common, hey, this is the reason why individuals are kind of messing up their attempt at zero trust?
That's funny you say that. I just thought of one. So this was not part of any of our previous
discussions out there, but when you bring up the concept of MFA, it's absolutely necessary. And
Steph had some great examples or reasons for that. But when you look at zero trust, you have

(30:48):
different pain points, as I suggested before, different topics that you need to address
immediately, but they're not a one and done. You have to think about at what level do I need to do
that? Is it simply because I'm trying to impress somebody or someone said you must do that, check
the box and I'm done, or I need to get it done, I'll do something else and I'll come back, I'll
make it even better. And we're people, we're humans, we like to always make things better out

(31:11):
there. How much better do you need to make it? Do you have to climb to the absolute top of the
mountain, make it the best, most bulletproof system ever? Maybe not, but maybe a little bit
better than ordinary. So the MFA example in this case might be if I have a yes no button on my
phone, okay, I did it, I'm going to click yes. But there's a zillion documented cases out there of

(31:31):
MFA fatigue. People's phones would go off and they'd just click yes. They had no idea where it came
from, but I was told to click yes when it went off, so I just kept clicking yes. And a number of
networks that were compromised because of that are uncountable out there. So now in today's world,
it's not MFA proof, but it's a little bit more unlikely to be tampered with. There's a code that

(31:54):
shows up on the screen and then your phone says here's the code. Well, if you're not the one who
asked for it, you might ask yourself why is my phone telling me to type in a code? And then
there's the, if you're not the one who has the screen in front of you, where would I even type
in this code? So the two will never connect. So at least that's one example. So there's MFA and then
we're climbing the rope a little bit or climbing the stairway to get better MFA. And that's one

(32:17):
tool of how many might exist across here. So that might be an example, Mike, of how one could not so
much mess it up, but you could be better than. It's not just a checkbox for the sake of doing
something. It's making sure you get it right. So Neil, to that point is zero trust something that
we want to continuously examine as time goes by, like our own zero trust policy or is it a set it

(32:41):
and forget it? Sounds like I'd suggest that people hate to hear the concept, but any type of security
solution, whether you want to use the term zero trust with it, or are you just applying an ACL to
a router or a firewall out there? It's something you want to revisit over time because I look
beyond the screen here and I see the outside world that's constantly changing out there. So there's

(33:02):
always new approaches, new vectors, there's new vulnerabilities that happen on the gear that we
use all the time. So you need to adjust for that. And if you're not willing to circle back and think
about that or adjust your security policy or patch the operating systems, upgrade things, buy new
devices, that's all part of that refresh, that circle back aspect of things. Then you're making

(33:23):
yourself more open to attack by not doing that and zero trust kind of calls that out. But that's that
concept's been around forever out there. Yeah, that's a really good point. I mean, you were just
bringing me back to like my tack days when we were having conversations about moving off of like
triple-des into AES for example. It's like if you weren't revisiting that, you'd still be on an

(33:48):
older algorithm that's going to get hacked. So yeah. Even triple-des is getting to that point
of being on the edge and should consider moving forward and elliptical curve or quantum and all
that stuff is coming in today's world, right? So yeah, it doesn't stop. To your point, Neil,

(34:09):
I have heard too many times from customers, especially with email security, if I just set
it up, I can forget about it. No, you cannot just forget about your email security. You have to
continuously feed these products. So yeah, I've heard that a lot. It's called zero trust, not zero
work. I wish for the latter, of course, but yeah, no, it is so true. There's always that constant

(34:41):
improvement and you hear also out there, the attackers are just getting better and the only
need to be right once. And it is a constant battle between defenders and the attackers and making
sure that we get it right. And I know, Neil, I'm going to go over a little bit of what you just

(35:04):
mentioned about just checking those boxes. Yes, I see it happening a lot with financial institutions
that, hey, we need to have network controls, right? Network access control. We need to make
sure that we know and they just buy the solution and don't implement it. So that is maybe another

(35:26):
example of what we see there. Or to your point, Andres, someone buys a firewall because someone
said they need to insecure and then they put a permit any any statement at the bottom. I would
call that a router. I don't care what little sticker on the outside the boxes. Yes, so true.
Very expensive paper. What is it called? Later three gateways what it turns into at that point.

(35:49):
Yes. Oh, boy, I've seen those a lot. Yeah. Awesome. I know we're getting close to,
and I think this is the final question we have. And this one's for you, Steph.
We hear a lot of the technologies. We hear a lot of about zero trust. But and even though

(36:17):
we talked about how to get started, where to get started. But what about, and this one's more
specific to Cisco use cases. What are our customers say, for example, get started, they need help,
they want to see what how we can help them where where we would take them to.

(36:38):
Well, as it said too many times today, security is a journey. It's a never ending process where
when you think you are fully projected, there's a new kind of a title is released into the wild
and you have nothing in place. But if you feel you can be in a better place in regards to your
zero trust journey in your company, a good way to start is reaching us. We can help you develop a

(37:03):
plan. We can help build the correct strategy for you. And if you already have some pieces of the
puzzle already in place, of course, you can contact your accounting and we can help you find some
areas of improvements that you may have. I know one thing that comes to mind is,
yeah, the zero trust workshops, that's a kind of a fun way to learn zero trust.

(37:30):
And then the Cisco blueprints, I think that's kind of a cool way to see little details about areas
that maybe I want to get started in a particular area, a particular pain point or something like
that. So, so I guess that's a question too. Also, Mike, to your point is you can have these
very generic conversations that happen to be and produce these nifty little documents at the end,

(37:56):
or you have a lab environment that maybe you explore something you've never seen before.
And that might open a door that you never even thought about before. You didn't think about
the need for this product or this capability. You never had this picture come back that had a couple
of red dots on it. You thought your life was full of green environments. Everything was great.
So being honest and having these type of conversations can now lead to a more secure

(38:20):
environment. Absolutely. You just have to be willing to have those conversations.
Kind of like the MFA thing that you brought up, Neil, like you might have, people might not be
aware until they see it in a lab that, hey, you can do like a verified push with the codes on the
screen. Like, wow, I didn't know that was an option. So, yes, spurring that conversation and learning.

(38:40):
And I was going to mention some of that too. We, I think, and we'll make sure we put it on
the community posts that we do after the episode, but I'm sure we do have those Zero Trust workshops
and there's a lot more information. There's one that it's very hands-on gear or the software,

(39:02):
and the other one is more like on the planning and the strategy behind it. So that'll be a good
thing to bring up. So we've got a whole lot of people on the call and everyone's dying to hear
like a good dad joke. So now you go, Mike, and that'll burn up our last minute. So,

(39:23):
if we go a little bit over, that'll be okay. I really want to hear what you've got to say,
Neil and Steph on your, tell you what, do you want me to go first? I do want you to go first.
Okay. Well, I was having trouble thinking of a good Zero Trust dad joke, but it did occur to me
that I kind of had something funny happen when I was talking with my two sons who are seven and

(39:47):
eight. And they were like, Hey dad, what's the security 45, you know, about? And I said,
well, we're going to be talking about this thing called Zero Trust. They were like, dad, what is
that? What is Zero Trust? And I said, well, it's kind of like, you know, how dad has, you know,
how dad has the truck and I have to have a driver's license that allows me to drive a vehicle,

(40:10):
but I have to have a key that makes it so I can just drive that specific truck. And they said,
okay, I think I got it. I think I got it. And I said, and you know, if I were to do something
bad, I could get like my ability to drive the truck taken away. And they said, oh, like a
speeding ticket. And I said, yeah, like a speeding ticket. And they go, well, dad, I don't have any

(40:33):
speeding tickets. Can I drive the truck? And I said, well, you guys, you don't have the license
or like the key to get to the truck. So the next morning I woke up and they had like a debt. They
woke me up. They had a key that they made out of cardboard and a little driver's license with a
little picture that they had, you know, created on their own. And they're like, dad, we're good

(40:54):
to go. I don't have any tickets. I got this license. I got this key. And I said, well, guys,
it's got to be from a trusted source, like a DMV. And then I said, you know what, let's just go,
you can sit on my lap and we'll just drive around the block one time.
So I love that way that that actually encompasses everything.

(41:19):
Real real life examples, you know, of zero trust. Steph, why don't you go next? What do you got for
us? Well, of course I can go. It just can go better from here. It's a very bad joke, but you know,
I found it online. Why don't the zero trust policies make friends easily?

(41:42):
Zero trust policies make friends easily. Because they don't trust anyone, not even for a bite.
That's what we were talking about. There's got to at least be a little trust to get
to get somewhere. OK, I like it. I'll admit I'll fail on the joke part. I'm not a big joke person.
I haven't had kids like you do, Mike. You're still lucky to have kids at home. Mine are grown.

(42:07):
My youngest is twenty seven. So I haven't thought of dad jokes for quite some time out there.
So I try to have fun all the time and make jokes about everything in life. But to carry a joke on
is a hard thing for me to do. Understood. It is. Yes, it is. That's why I couldn't even think of
one. And I was just like, you know, yours is more of a live example, which is exactly it actually.

(42:29):
So I liked it. Exactly. Yeah, there's no topping off that one. I do have a very silly one in this
way. All of them are terrible. But but yeah, this one is good, I think.
How does zero trust order coffee? You guys know?
Oh, it's like with like creamer that has like zero percent fat or something.

(42:57):
No, it is here. I don't trust anyone. I'll bro myself.
Very nice. Very nice. So I must be a zero trust coffee person then. So there you go. There you go.
Well, this has been so much fun. I would love to hear, Neal and Steph, if you have any closing

(43:18):
thoughts about today's conversation. Steph, I'll kick it over to you first.
Yeah, just keep in mind that security, as we've said, is it's a journey. Step by step. Don't rush.
Don't don't just buy or see the first thing you see. Oh, OK, I need this. I will implement this now.
See your options, see what the thing that fits the best to your company. Of course, we're Cisco,

(43:42):
but if there's something out there that makes more sense to you, go for it. The idea here is that you
are well protected and step by step. Don't rush. I think that will be the best way to start. It's
easy. Don't rush.
To follow on what Steph was saying, that you do have to be very careful.

(44:03):
To follow on what Steph was saying, that you're doing something. You're not sitting around
thinking about doing something or continually in the planning process. You're always doing
something and the plan's going to change. The plan's going to get better. The plan's going to
adjust. You might find something that doesn't work, but you're doing something. You're always

(44:24):
taking a step forward or two steps forward and half a step back. There's always forward momentum.
I'm sorry. Great. My takeaways, we started off, Neil, you're talking about zero trust being an
industry topic, not something that was created by a vendor. I really liked, Steph, that you pointed

(44:45):
out that we have zero trust in our everyday lives. You gave that social media account. I'm like,
that's resonating with me with kids watching YouTube and stuff, for example. Then, Neil,
you got into zero trust in the industry. Yeah, something that every company does need.

(45:07):
Some specific use cases of zero trust in the environment. Then, of course, we talked about
implementing it using the technology and the tools. Steph, you thought a good one might be
doing some MFA with verification of the user and the device. Then, Neil, you touched a little bit
on the segmentation and the concept of it's not just zero work, as Andre said, but we're going to

(45:35):
analyze it as we go, not just forget about it, but stay on top of the game and make sure that we're
at least more secure than maybe the competitors right around us. We do not want to be that easy
target. Great stuff. That's great stuff. For my takeaways, what I really like and always like

(45:58):
about zero trust in the conversation is the strategy, just making sure that you identify
those things that you want to make sure are secure. You want to make sure that you have
a roadmap of what you want to do. Keys into zero trust, making sure that high productivity versus

(46:20):
strong security is well thought of. Remember, we're not trying to frustrate anything that wants to
come and attack us. We don't want to frustrate our users. So, just eliminating that friction.
Just what are the things that takes to get to zero trust right? We had some examples, Neil,

(46:41):
you gave really good examples about what do we see there. The last thing is just make sure that
you know there's help out there from, you know, we're biased on where we work at. But
if you want to learn more about zero trust strategy, where to get help, feel free to reach out and we'll do our best to make sure that will help out.

(47:07):
Andres, I'll add that we're biased, of course, we're all working for Cisco and we sell security stuff.
But there's no vendor on the planet who can solve every zero trust question and every zero trust
challenge you might have out there. So, it's going to be a multi-facility challenge. So,
it's going to be a multi-vendor approach. I only say that because if you turn the coin over and

(47:30):
there's a vendor that says we got this, just buy our stuff and you're totally covered, then that's
the first person you walk out the door. And that's certainly not anyone on this call. Yeah, great points.
Great, great points. Well, Neil and Steph, it has been an absolute pleasure. I do want to personally
thank you guys for all the good you do in the world with zero trust. You're helping a lot of people

(47:52):
through this call and through the work you do every day. So, much appreciation for you guys taking
the time to join Andres and myself today. Happy to be here. Next call, July 24th. Andres, I believe
that's our AI conversation. That one's going to be cool because it's not about AI, it's about

(48:15):
the security of AI because AI is great until it gets hacked. So, we had a great conversation
today on zero trust. Neil, Steph, thank you again. Andres, I will see you on the next one. Stay secure,
everybody. And we'll see you on the next show. Thank you. Have a good one. Bye, guys. Take care.

All Episodes

Episode Transcript

Popular Podcasts

Are You A Charlotte?

On Purpose with Jay Shetty

Dateline NBC

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Zero Trust with Estefania Fernandez and Neil Lovering

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Are You A Charlotte?

On Purpose with Jay Shetty

Dateline NBC

All Episodes

Zero Trust with Estefania Fernandez and Neil Lovering

Are You A Charlotte?