Has your organization managed to implement zero trust access?
Zero Trust is a tool, but it's almost like we have to start looking at it the way we've looked at SDLC. Because it's that directory. It starts with those HR processes, pulling them together with automation and getting that Zero Trust, because if that directory has any form of corruption, that's it. That means your life cycle of that identity is flawed. You could do all the periodic reviews and audits you like, but it could have an account that could live there for years and be legitimate. That is the threat.
We're getting ready to pilot a startup company with some tech from a Zero Trust perspective—it's the identity issue, especially with a heavy cloud presence. For me, there’s a bit of frustration because when I talk about Zero Trust and our identity access strategy, it's always about the human factor. But that's not my problem right now.
My problem is I've got these multi-structured relationships—new digital capabilities—that are leveraging the cloud, as they should. My new port problem is my API and trying to be able to watch workloads as they execute to make sure it's authorized. These are identity issues around non-human space. We're doing a pilot in that space because I think Zero Trust is deeper than what we originally categorized it as.
Cloud native companies generally consume a lot of cloud services and continuously learn from the market innovations. Zero Trust access is still a challenge. There's a lot of buzz around it and people might be claiming they’ve implemented it, but I don't think anybody can really say that they fully achieved it. Yes, there are tools in some of the services, but are they really covering everything?
I have so many thoughts on Zero Trust's overall model. This is a little cynical, but the cyber industry just feeds to perpetuate itself in a meaningful way. Google and Uber pioneered a lot of the discussion around the Zero Trust network, but there are probably 90 different definitions of what Zero Trust means. We're 25 years into this and we still haven't solved identity and access. Either coarse-grained, or fine-grained, however you look at it, we're still having the conversations.
My favorite example is that every year we, as an industry, publish the 100 worst passwords and have a good chuckle. The question I've asked every year is, "Why do we not hold software vendors to account and actually prohibit those passwords at a hash level, from ever being used in software?" It would be easy to do and we would immediately take care of stupid admin issues. The reason is the software vendors have no incentive to do that, even though it would probably be less than a few hours of coding.
We have enterprises that won't push them to do it either. Instead, we have a self-perpetuating system: "We are going to create some new technology instead. We'll get it funded, take it to IPO, and then make a bunch of money. Then we're going to create another piece of technology that's slightly different, with a new shade of purple, but still doesn’t solve any problems." The biggest opportunity is to solve the innovation buyer-seller cycle, and that needs to happen in a profound way. Until we solve that, we're just going to be in this world we're in today.
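The hash-level blocklist check the post above asks vendors for, as an added example that is not part of the original discussion and not any vendor's code. The blocklist entries are constructed samples, and the 5/35 prefix split is assumed to mirror the k-anonymity range queries of Have I Been Pwned's Pwned Passwords service, so a client never sends a full password hash to the lookup service.

```python
import hashlib

# Constructed sample of "worst passwords" (not a real breach corpus); a real
# deployment would ship only the digests, never the plaintexts.
SAMPLE_WORST_PASSWORDS = ["123456", "password", "qwerty", "admin", "letmein"]


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest of the UTF-8 password (HIBP's convention)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index digests by 5-hex-char prefix -> set of 35-char suffixes.

    Assumption: the 5/35 split mirrors the k-anonymity range queries of
    Have I Been Pwned's Pwned Passwords service.
    """
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BLOCKLIST_INDEX = build_range_index(SAMPLE_WORST_PASSWORDS)


def range_lookup(prefix: str):
    """Server side: answer a prefix query with every matching suffix.

    The caller never reveals the full hash, so the server learns at most
    which 1-in-16^5 bucket the candidate falls into.
    """
    return BLOCKLIST_INDEX.get(prefix.upper(), set())


def is_blocked(password: str) -> bool:
    """Client side: send only the prefix, finish the comparison locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def validate_new_password(password: str, min_length: int = 12):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_blocked(password):
        problems.append("appears on the blocked-password list")
    return problems
```

The comparison is exact-match on the digest, so it catches the published list verbatim; pairing it with a length floor, as `validate_new_password` does, is what NIST SP 800-63B recommends instead of composition rules.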