Redefining CyberSecurity

Embracing Zero Trust: A Conversation with Object First and Numberline Security | A Brand Story Conversation From RSA Conference 2024 | An Object First Story with Anthony Cusimano and Jason Garbis | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

Exploring the significance of Zero Trust in today’s cybersecurity through a conversation with Object First and Numberline Security experts.

Episode Notes

Across the cybersecurity landscape, one term that continues to shape organizations' security strategies is Zero Trust. At RSA Conference 2024, Sean Martin sat down with Anthony Cusimano from Object First and Jason Garbis from Numberline Security to talk about Zero Trust and its implications for data security and resilience.

Understanding Zero Trust

Zero Trust is more than just a buzzword; it represents a fundamental shift in how organizations approach security. Anthony and Jason emphasized that Zero Trust is not a one-size-fits-all solution but a strategy that requires a shift in mindset and collaboration across various teams within an organization.

The Role of Data Security in Zero Trust

Data security and resilience play a crucial role in the Zero Trust framework. Jason highlighted the importance of applying Zero Trust principles to backup and recovery, because backups are where all the data is and are the first thing attackers go after: they try to encrypt the backups, destroy them, or use them as the source for exfiltrating everything of value. Protecting and keeping that data available matters most in the face of ransomware.

The Intersection of IT and Security

As organizations navigate the implementation of Zero Trust, the conversation touched on how the boundaries between IT and security are becoming increasingly blurred. The shared responsibility model extends beyond technical aspects to involve finance, operations, and every individual within the organization.

Empowering Organizations with Zero Trust

Both Object First and Numberline Security help organizations navigate their Zero Trust journey. Object First's Ootbi product (the name stands for out-of-the-box immutability) is an appliance that ingests backup data from Veeam and holds it for the configured immutability window, with no root, backend, or operating-system access for users or for the vendor itself. Numberline Security provides Zero Trust strategy and guidance services, starting with a readiness assessment based on the CISA Zero Trust Maturity Model.

Taking the First Steps Towards Zero Trust

Starting the Zero Trust journey does not require perfection from the get-go. Jason stressed getting the basics in place first, such as disabling the accounts of employees who have left and enforcing MFA for administrators, before moving into more sophisticated aspects of Zero Trust. From there, he recommends an incremental approach: take a slice across the pillars, one or two systems and a few dozen users whose identities, devices, networks, and access needs are well understood, and build Zero Trust policies there. Backup and recovery systems are a good first project because the storage, the data sources, and the admins who need access are all known.
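The basics Jason names in the conversation (disable accounts of people who have left, MFA for admins) and the seven-day immutability window Anthony mentions as an emerging insurer expectation can be turned into a pre-flight check before a Zero Trust program starts. The script below is an added example, not code from the podcast, Object First, or Numberline Security; the record fields, the sample accounts and repositories, and the seven-day minimum are assumptions chosen for illustration.

```python
"""Baseline hygiene checks to run before starting a Zero Trust program.

Added example, not code from the podcast or the companies discussed.
Checks implemented:
  1. accounts still enabled after the person's termination date
  2. enabled admin accounts without MFA enforced
  3. backup repositories whose immutability window is shorter than a minimum
The record layouts and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    is_admin: bool
    mfa_enforced: bool
    terminated_on: Optional[date]  # None for current staff


@dataclass(frozen=True)
class BackupRepo:
    name: str
    immutable: bool
    immutability_days: int


# Seven days is the figure mentioned in the conversation; treat it as a policy input.
MIN_IMMUTABILITY_DAYS = 7


def stale_accounts(accounts: List[Account], today: date) -> List[str]:
    """Usernames that are still enabled on or after their termination date."""
    return sorted(
        a.username
        for a in accounts
        if a.enabled and a.terminated_on is not None and a.terminated_on <= today
    )


def admins_without_mfa(accounts: List[Account]) -> List[str]:
    """Enabled administrator accounts that are not protected by MFA."""
    return sorted(a.username for a in accounts if a.enabled and a.is_admin and not a.mfa_enforced)


def weak_backup_repos(repos: List[BackupRepo], minimum_days: int = MIN_IMMUTABILITY_DAYS) -> List[str]:
    """Repositories that are mutable or whose lock window is below the minimum."""
    return sorted(r.name for r in repos if not r.immutable or r.immutability_days < minimum_days)


def readiness_report(accounts: List[Account], repos: List[BackupRepo], today: date) -> Dict[str, object]:
    """Collect all findings; 'ready' is True only when every check is clean."""
    findings: Dict[str, object] = {
        "stale_accounts": stale_accounts(accounts, today),
        "admins_without_mfa": admins_without_mfa(accounts),
        "weak_backup_repos": weak_backup_repos(repos),
    }
    ready = not any(findings.values())  # evaluate before adding the summary key
    findings["ready"] = ready
    return findings


# Constructed sample data (hypothetical identities and repositories).
AS_OF = date(2024, 5, 6)
SAMPLE_ACCOUNTS = [
    Account("alice", enabled=True, is_admin=True, mfa_enforced=True, terminated_on=None),
    Account("bob", enabled=True, is_admin=False, mfa_enforced=False, terminated_on=date(2024, 4, 15)),
    Account("carol", enabled=True, is_admin=True, mfa_enforced=False, terminated_on=None),
    Account("dave", enabled=False, is_admin=True, mfa_enforced=False, terminated_on=date(2024, 3, 1)),
    Account("erin", enabled=True, is_admin=False, mfa_enforced=False, terminated_on=date(2024, 5, 10)),
]
SAMPLE_REPOS = [
    BackupRepo("backup-appliance-primary", immutable=True, immutability_days=14),
    BackupRepo("nas-scratch", immutable=False, immutability_days=0),
    BackupRepo("cloud-bucket", immutable=True, immutability_days=3),
]

if __name__ == "__main__":
    for key, value in readiness_report(SAMPLE_ACCOUNTS, SAMPLE_REPOS, AS_OF).items():
        print(f"{key}: {value}")
```

Feeding the script a real identity export and a backup-repository inventory is a matter of replacing the constructed sample lists; the point is that each finding maps directly to one of the basics named in the conversation, so a non-empty list is a concrete blocker to fix before the first Zero Trust slice.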

Final Thoughts

Embracing Zero Trust is not just about adopting a new security paradigm but about fostering a culture of continuous improvement and security resilience across all facets of an organization. As Anthony and Jason aptly put it, leadership can emerge from any part of the organization, driving the transformation towards a Zero Trust mindset.

In conclusion, the conversation with Object First and Numberline Security sheds light on the multifaceted nature of Zero Trust and underscores the importance of collaboration, resilience, and proactive security measures in today's threat landscape. Embracing Zero Trust is not a choice; it's a necessity in safeguarding the most valuable asset organizations possess—their data.

Stay tuned for more insights and resources from Object First and Numberline Security as they continue to pave the way for organizations embarking on their Zero Trust journey.

Learn more about Object First: https://itspm.ag/object-first-2gjl

Note: This story contains promotional content.

Guests: 

Anthony Cusimano, Director of Technical Marketing, Object First [@object_first]

On LinkedIn | https://www.linkedin.com/in/anthonycusimano89/

Jason Garbis, Founder and CEO, Numberline Security 

On LinkedIn | https://www.linkedin.com/in/jasongarbis/

Resources

Learn more and catch more stories from Object First: https://www.itspmagazine.com/directory/object-first

View all of our RSA Conference Coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Embracing Zero Trust: A Conversation with Object First and Numberline Security | A Brand Story Conversation From RSA Conference 2024 | An Object First Story with Anthony Cusimano and Jason Garbis | On Location Coverage with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And here we are. This is Sean Martin. You're very welcome to a new On Location from RSA Conference. And as you know, I get to talk to lots of cool people about some cool and interesting things. And I think there are a lot of, it's always fun to think of buzzwords when you think of conferences. Because I think Zero Trust is still, I don't want to say it's a buzzword, but it's certainly a topic that still persists in conversations. 
 

It's a relevant piece and an important part of organizations security programs and mindset probably as well. And that doesn't mean it's easy. It doesn't mean we've solved the problem yet. And it's a big problem, right? It touches a lot of things. And so I'm thrilled to have Anthony and Jason on with me. 
 

We're going to talk a little bit about Zero Trust and Perhaps the role of data security and, uh, in the role of data, in data trust as well. So, uh, a few words from each of you, uh, about what you're up to. Anthony, let's start with you first.  
 

[00:00:59] Anthony Cusimano: You know, it's funny. I actually wrote a blog. Did you? Uh, I want to say last year it was called, uh, Zero Trust, from buzzword to big deal. 
 

Okay. And I, I made the point that once you started seeing it in White House reports, it's no longer a buzzword, now it's like a matter of general security risk. Right. So, that's, and for me, you know, I do a lot of marketing work, and whenever I saw Zero Trust in the past, I'm like, oh, they're just trying to sell me some new security principle and concept. 
 

But truly, NIST, CISA, and now, you know, what we're going to talk about today. Zero Trust has become a mandate. And something that is very important for everyone to at least understand the principle and practice and make use of in their security. Perfect. Jason? 
 

[00:01:41] Jason Garbis: And, uh, it's, I think, to some degree, I'm relieved that the buzzword of the day is AI. 
 

So that we can actually get away from the, oh, Zero Trust is just a buzzword nonsense. And focus on getting the work done. And we're really seeing that. Obviously, in the federal government we have a mandate, but in the private sector as well. Enterprises really are taking this seriously and moving forward. 
 

And I think this is the time for here at RSA Conference, as well as in general, for enterprises to say, Okay, how do I actually do this? And what is the scope of Zero Trust? Where do I get started? And how can it help me?  
 

[00:02:16] Sean Martin: So what, do you find that most organizations understand what it really means? To a point where they can say, OK, this is how I have to change my, the way I think about my program, the way I build my program, the way I staff my program, the way I report about it and measure it. 
 

It touches on all those things, right?  
 

[00:02:38] Jason Garbis: It does, it does. I spend a lot of time talking to different security leaders and enterprises, and in general, they do understand that Zero Trust is a strategy. And they understand I can't just go to Vendor A and buy Zero Trust and then a week later be done. But the things that the enterprises struggle with are some of the things that you just mentioned. 
 

How do I set up the program? Where do I start? How do I do it so that I can start to get value in two months? Or three months, and not 18 months. How do I make sure that I'm actually delivering not just security value, but value to the business overall?  
 

[00:03:10] Anthony Cusimano: And, and I'll add to that, and simply, I think Zero Trust has gone from something that you know, your, your DevSecOps and your, your, your CISOs have had to know about and probably implement to something that's much wider in the IT space. 
 

Now your infrastructure admins, your storage admins, your backup admins, They all need to know what Zero Trust is and they need to know whether or not their applications, their infrastructure is up to spec when it comes to it. So,  
 

[00:03:35] Sean Martin: yeah, the crossover, I've heard actually a lot of conversations around the tighter collaboration, perhaps even the, not necessarily the merging, but the tighter proximity of the CISO and the CIO working together. 
 

[00:03:51] Anthony Cusimano: Right.  
 

[00:03:52] Sean Martin: And I think that's probably driven a lot by this Zero Trust program. So how You mentioned the infrastructure. So there's the IT infrastructure, there's security that supports that, there's the business workflows, and then you drop in a threat of ransomware that shakes all that stuff up. How do organizations kind of map Zero Trust across that environment to say that this is what we're trying to build, this is how we're trying to secure it, and here's how we're monitoring and responding to that from an infrastructure and a Zero Trust perspective. 
 

[00:04:27] Jason Garbis: The, um, the approach is really about, um, so first I want to touch on, you talked about that term crossover, around the, I think it's an increase in recognition that the data security, in particular the data backup and recovery infrastructure needs to be, I won't say part of security, but part of security's overall responsibility and because it's where all the data is. 
 

It's the first thing the malware or the ransomware, um, malicious actors try to go to is, Oh, I want to encrypt the backups. I want to destroy the backups. Or I want to use the backups as my source to exfiltrate everything that's important. And, um, it's, I think there's a recognition that security's domain or scope needs to include that. 
 

Now, certainly IT and operations, you know, will continue to have those roles. But I think it really needs to be much more of a collaboration between security and the infrastructure teams to say, okay. Let's make sure we're using best practices. What is best practices? That's what Zero Trust brings us nowadays in those areas. 
 

[00:05:27] Sean Martin: And for I'm thinking about Lots of thoughts are in my head, so let me focus. I've heard a lot of this week at RSA and even leading up to the event. A lot of focus on the data, again. Which is interesting. And also A lot of talk about resilience, right? So it's not just protecting data for privacy's sake, it's protecting it to ensure that business continues to function. 
 

Um, So, what are your views on that? I don't know if you're hearing that. Yeah,  
 

[00:06:05] Anthony Cusimano: it's, it's such a math equation of a problem. Because if, you can have protected data, but if you can't recover it, then what's the point, right? Like, you either encrypted it and lost the key, or you've not done your due diligence when it comes to actually managing and storing and being able to locate these things. 
 

You can also protect the data and be able to recover it, and if it takes six months, it's still useless, right? So, it's, it's truly a matter of understanding. In data protection we always talk about the RPO, the recovery point objective, and the RTO, your recovery time objective. And now we're working in almost like, I'm sure there's a third acronym that we'll figure out soon, which is like your security to recovery point time objective. 
 

Which is to say, it's secure data that you can actually use post ransomware recovery, and you can get it up in this amount of time. And I'm sure it makes a nice little parabola when you map it all out. But, it's all to say that it's, it's so much more complicated than it used to be because of the threat of the attack happening to the data. 
 

It used to, we used to just back things up because, you know, someone deleted an email and I want to recover it and it takes five minutes, let's put in a ticket and have it done. Now, they, they go after the backup data first because they know that's the first place that everyone goes when they've been hit. 
 

Everything's locked down, we can probably, we can recover from a backup. It doesn't work anymore because now the backups are locked down as well.  
 

[00:07:22] Sean Martin: Right. And, and, or, compromised and, and, uh, yeah, twiddled with and all kinds of... 
 

[00:07:30] Jason Garbis: I think that the threat model, so to speak, for backup and recovery has definitely changed from someone deleted a virtual machine. 
 

Or, you know, a very infrequent data center got flooded too. Something where you have malicious attackers, you have adversaries, actively trying to get into your organization. And you see in the news, that every week practically, there's some sort of major ransomware attack among peer companies. So, you know it's going to happen to you. 
 

So, this I think is one of the drivers for this urgency to, Really improve the way that organizations are doing their data resilience around specifically the backup and recovery processes and systems and infrastructure.  
 

[00:08:07] Anthony Cusimano: And it is funny, you know, we see some really major attacks that have happened in the past where they have backups, they're in the process of recovery, and they end up paying the ransom anyway in hopes that it's faster. 
 

So there's a performance evaluation that happens there too.  
 

[00:08:21] Sean Martin: So it's interesting. Um, this may be an off the wall question, but do... Cyber insurance is a big thing, right? For, in many, in some cases where it's allowed to kind of pay for ransom. Um, are you seeing any, any, I don't know, any of the brokers, I don't know if you have these conversations or not, but are you seeing the brokers or providers, insurance providers, saying you have to have proper security on your disaster recovery stuff or we're not going to provide the coverage you need. 
 

[00:09:00] Anthony Cusimano: Absolutely, yeah. Underwriters, uh, they're starting to write new policy. Because, you know, I work in the immutability business. We sell immutable storage and we're kind of looking at underwriters specifically because it's up to them to determine whether or not a business or an individual can even qualify for cyber insurance. 
 

At the end of the day, insurance is a business, right? They're out to make money, too. Absolutely. If they're always paying out and they're never making anything for themselves, then it's not a very good policy. So, we, we fully expect them to start, and have you even heard that they're leaning towards saying that immutability must be mandated, that you must encrypt your backup data, that you have to have, you know, Exit portion has to be backed up and proven that it's production. 
 

It needs to be in a backup repository for seven plus days of immutability. Like we're going to start seeing a lot tighter policies because they don't want to lose money and have to pay out because of sloppy security on the I. T. side. So  
 

[00:09:56] Sean Martin: we're looking at order that you both talk to a lot of companies, I'm sure, and speak to a lot of teams that have a lot of competing priorities, right? 
 

Not enough budget to do certain things. Uh, How does this fit into the big picture and maybe tie it back to Zero Trust? Is Zero Trust a driver that might help them achieve some of these things that they're not able to before Zero Trust? Or is that a distraction that takes them away from actually getting to the data security? 
 

What's that story?  
 

[00:10:29] Jason Garbis: Um, I mean, Zero Trust, the Zero Trust Initiative and the Zero Trust Architecture can, in some circumstances, save enterprises money. There's no doubt about that. You're retiring all the infrastructure, you're perhaps getting rid of very expensive wide area networks and moving to more standardized or commodity. 
 

In many cases, um, it is going to be an expense of additional time and resources and people's priorities. And sometimes there's additional software that needs to be procured and deployed. But If, if it's done properly, a Zero Trust program will deliver value to the business and can show that, Hey, we're doing, uh, you know, we're an acquisitive company. 
 

We do M&A every six months. We can actually accelerate the integration and save a lot of money there or deliver more business value there. Oh, we can reinvent this business process that used to take 28 days to onboard a new employee and bring it down to two days. Through a combination of securely enabling new types of connectivity as well as adapting the business process around it. 
 

So, I mean, Zero Trust really is a strategy that combines security best practices and yes, it requires prioritization and budget, but when you look at what it can deliver, in many cases it's going to have a positive ROI for the business.  
 

[00:11:49] Sean Martin: And who's the, clearly it's a security focused thing. But it sounds like, especially when you start talking about swapping business processes, building new things, looking to IT to change out tech stack, right? 
 

Move their data to a different place and put new controls and things around it. Some of that like, switches between IT and security. So who, who has the best chance of making something meaningful happen? Is it still security is the leader there or do you see IT saying there's value in zero trust? 
 

Especially when we're looking at building out a resilient business that's more efficient and has less stack that we have to maintain, whatever. Are they a driver? I don't know, what do you see?  
 

[00:12:39] Anthony Cusimano: For me, it really feels like it's an expanded shared responsibility model. Because it doesn't just stop at IT and security. 
 

I'd say it falls out to, you know, the finance people. If you really want to kind of Like blow up the concept of zero trust. There is a, you know, I'll never trust. Always verify. If an email comes by that looks like it might be suspicious, we need to train the entire company to become a little more skeptical to do their due diligence when it comes to verification of, you know, identity process. 
 

You know, is this application the same when I log into every day, why does it look different today? There, I think there's zero trust is a, it's just as much a mindset as it is a security practice in principle. And. And yes, obviously the security team plays a huge hand in setting up the technical and the sort of application side of things. 
 

We're seeing IT now get rolled into this process as they take their networks, their storage, their applications and work it into the framework. But I would say this expands well beyond just the technical. And it's really a mindset that everyone has to adopt to protect the business at large.  
 

[00:13:45] Jason Garbis: Yeah, and I think it clearly is going to depend on the organization for sure. 
 

And I think one of the things that Anthony and I talk about is this concept of Zero Trust Data Resilience. And it's really applying Zero Trust principles to the architecture and the program around backup and recovery. And I think it's a great example of where leadership can come from any part of the organization. 
 

And one of the things we talk about in our white paper and our blog post is, That the backup storage and recovery team can absolutely look at this architecture and these principles that we put together and then go to the security team and say, Hey, you know, I am concerned that we're not applying security best practices to our backup system. 
 

We're not properly segmented. We're not properly deploying these things across maybe multiple different resilience zones. I want to make sure that we have the right level of authentication for admins so that if, Something gets compromised, it doesn't extend, and the blast radius doesn't go to our backup systems. 
 

So I think that what we're trying to do is, you know, do a little bit of evangelism here, but an understanding that inside of organizations, the push towards zero trust can really come from anywhere.  
 

[00:14:53] Sean Martin: Interesting. So, tell me more about what, uh, what Object First does. Maybe a bigger picture. And how, how this is helping, specifically around the, the, uh, Zero Trust. 
 

How you're specifically helping organizations embrace that. Um, as we noted a few times here, it's not just about a new piece of technology, right? Right. Or moving the data in a different way, or applying some new technology. It's all of that, plus the mindset, plus the operations, plus it has to fit into the business and the rest of the security. 
 

So how does Object First and then your team helps with that as well?  
 

[00:15:32] Anthony Cusimano: So, it's just like Jason said, you know, leadership can come from anywhere. And we saw that at Object First when we started building our product, which is called Ootbi. It's a fun name to say, but it stands for Out of the Box Immutability. 
 

So, you know, there's a meaning behind the fun word. And the idea that we had when creating this box was companies, and specifically businesses that have, you know, overstretched IT teams, if they're a backup admin and their job has always been to be a backup admin, chances are they're not the most well versed in security. 
 

And they're just trying to tread water like the rest of us and keeping up. You know? It's now fallen to them. They need to make sure that the backup stays secure and they might not have all the tools they need to do that. So we focused on building a solution, a box that is specifically for ingesting backup data from Veeam. 
 

We only target one backup vendor today. And when that data lands on our box, there is no person or process that can get it off immutability window. It's interesting to me because, you know, earlier you asked, you know, is there a little bit of resistance with teams when it comes to adopting Zero Trust? 
 

Some of the resistance we even run into with our own product is it's zero access, which means there's no root, there's no backend, there's no operating system that our users can get into, and that's the same for us. Once the data lands there, it's, it's there. You set seven days, it will stay there for seven days, and then you can remove it after that, but that's, that's the point and purpose of it, is that we don't trust ourselves or our users to not be compromised. 
 

And it's important from a, you know, everyone at RSA is talking about AI, that's the new... Jason already said it's the buzzword, so we have to mention it on this. Uh, you know, we saw a bank hack that happened in China, I think it was a month ago, where the CEO and CFO got on Zoom, talked to the finance guy, and wired 20 million dollars outside of the bank. 
 

And CFO were just deepfaked AI impersonators. So, like, there is levels of subversion that are happening now, where we can't trust people we see on calls. Right, right, like, there's just Your admin days of having root credentials and privileges, like, those days are gone. You are now the problem. And we saw that when we built our box. 
 

We knew we had to make something that was more secure than anything else that's on the market. And not just from a, well, we put all the, you know, security testing and processes on there. It's like we limit things from the end user because they can be a danger to themselves.  
 

[00:17:57] Sean Martin: And at Numberline Security, what are you guys up to? 
 

[00:18:01] Jason Garbis: So we, uh, provide Zero Trust strategy and guidance services for enterprises. Um, so we work with them on helping understand and define where are they in their Zero Trust journey. Um, we do, uh, kind of an upfront Zero Trust readiness assessment that uses the CISA Zero Trust maturity model. We evaluate kind of their organizational level of commitment to Zero Trust because that's going to then drive their success. 
 

What does the Zero Trust Program look like? Do they have a mandate? Great. Have they already made a strategic decision to move into Zero Trust? Or are they just trying to learn about it and will have to focus a little bit more on building business value and justifying things. So those, those kind of upfront things will definitely shape the Zero Trust Program and how they're approaching us. 
 

I also spend a lot of time helping enterprises figure out actually how to get started with their program. And a lot of the challenges that organizations have is they are trying to solve big, hairy problems up front and before they start. Oh, we can't do this because our CMDB or our five CMDBs are a mess. 
 

Or we have three identity systems and they're all terrible and we really don't know who needs access to what. Those are definitely problems that have to be solved and they are going to take a long time to solve. But what we say is you really need to get started incrementally with a slice across the different pillars. 
 

Take one system or two systems for 25 or 50 or 100 users. And understand who are those identities, what devices are they using, what networks are they using, and what is it they're trying to access. There's always going to be, in every organization, some small number of systems where they have a very clear picture of that. 
 

And that's a great way to get started, to start to learn Zero Trust, to build momentum in your organization, um, and to develop and start to deploy these Zero Trust policies on a Zero Trust architecture. And The data backup and recovery systems could be a great first project for an organization because you know exactly where your backup system and storage is. 
 

You know exactly where the data needs to come from and you know exactly which admins need access to control this. So it could be a really good candidate without a lot of variability in it to get started with your Zero Trust Program.  
 

[00:20:08] Sean Martin: Presumably a well-known process as well, that you can kinda... That's right. 
 

You know how that's gonna turn out.  
 

[00:20:15] Jason Garbis: We certainly hope so, and, you know, we're kinda joking, but, um, when, when, when I talk to organizations about getting started with Zero Trust, one of the things we emphasize is, hey, you don't have to have a perfect identity system. You don't have to have a perfect CMDB, or a perfect anything, but, There is a baseline level. 
 

If you're not doing the basics. If you're, you know, don't offboard employees after they leave and their accounts stay active forever. If you don't have MFA for admins, get those in place first. Before you start to do something a little bit more sophisticated. 
 

[00:20:47] Sean Martin: Got it. Perfect. Well, Anthony, Jason, it's been fantastic chatting with you. 
 

Learning more, more about Zero Trust and data and disaster recovery and bundling all that together. Protect what really matters, right? That data. And, uh, I encourage everybody to connect with Anthony and Jason and the Object First team and the Numberline Security team. And, uh, if you're here out and about at RSA Conference, uh, catch the session. 
 

Catch the chat. And, uh, get a demo. And I know there's a blog and a report, or a white paper, I should say, that you put together. So we'll point folks to that as well so they can follow along. Do a little reading before they connect at the end and, uh, come armed with questions on how to take some of those first steps. 
 

So thanks guys. Appreciate it.  
 

[00:21:33] Anthony Cusimano: Thank you.  
 

[00:21:34] Sean Martin: Thank you.