Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

**Breaking Cybersecurity News Raw & Unfiltered** What is a "Zero-Trust" Framework, and is it Right for Your Business?

May 09, 2022 Petronella Cybersecurity

***In order to get the breaking cyber news to you guys FAST we are posting these right after the live broadcast! If you prefer your news more filtered, keep an eye out for the edited posting tomorrow!***

With the rash of cyber scams and a huge portion of the workforce going remote, there has been a lot of talk about implementing a "Zero-Trust Framework." But what is it exactly? Are there any drawbacks, and is it something that will work for your company?

Find out as the PTG team discusses all this and more!

Hosts: Craig, Blake, and Erin

Support the show: call 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Craig:

Hi, everybody. Welcome to a new podcast episode. Got Blake and Erin today. We're going to talk about how to transition to a zero trust framework.

Blake:

Yeah, we promised this one last week. So I think a good thing to start off with is: Craig, why don't you tell us what exactly the zero trust framework is?

Craig:

Yeah. So zero trust is kind of a buzzword, but basically what it means is you're not trusting the vendor or the provider. For example, something like Signal is probably considered zero trust, a verifiable zero trust for secure end-to-end encrypted messaging. And the reason it probably falls under zero trust is because the code is open source for everyone, security researchers, professionals, et cetera, to scrutinize. Basically, zero trust means you are not trusting proprietary code or the vendor in particular. So if you embrace a zero trust framework, remember we talked about different kinds of vendors and their risk profiles. Well, as we move towards a zero trust model, it's really better for everyone and it increases security as a whole.

Blake:

Yeah, I looked it up, and it says: requiring all users, whether they're inside or outside of the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access, or keeping access, to any users, applications or data.

Erin:

Okay.

Craig:

That's a mouthful,

Blake:

I guess this is the future of cybersecurity, and every business should be transitioning into this business model. Is that right? I'm assuming.

Craig:

Yeah. I mean, they talk a lot about it in some of the new regulations. I think the Biden executive order also talked about embracing zero trust frameworks. I think there's also crossover with things like NIST 800-171 and popular frameworks around that. I think the bottom line is that it goes back to what I was saying in previous episodes: it's a risk thing, right? If you are embracing zero trust principles and frameworks, it's constantly vetted and tested. So like you said, Blake, it's continuously validated. Whereas if you're trusting a single company that has proprietary code, and they don't share and they're not open with their code and configuration, well, that's not zero trust, because it's not continuously vetted. You're trusting the company to vet it and then probably do a pen test or a third-party audit, but you're still kind of tied to that proprietary ecosystem. Right.

Blake:

Is it fair to say that, essentially, the organization is acting as if their employees are babies and they can't do anything on their own? Is that a fair way to say it?

Craig:

I don't know, that's a little harsh. I think it's more about the foundational principles and technologies that are embraced and working together as an ecosystem. Like I said, if you're redesigning or reinventing your company and you're embracing zero trust technologies in various layers of your company, as a whole you're making your company stronger by having each of those layers continuously tested and vetted.

Blake:

Yeah, fair enough. The article I have pulled up here talks about user identity and credentials, human or programmatic; credential privileges on each device; network connections; behavioral patterns. These are things to look out for, or that you should be monitoring: endpoint hardware and function, geolocation, firmware, authentication and risk, operating systems and patches, application installs. I know we stay on top of that if you're a managed service customer. And also security and incident detections, suspicious activity, attack recognition and patterns, and odd things of that nature.

Craig:

So, NIST, the National Institute of Standards and Technology, came out with a framework for zero trust: NIST SP 800-207. If you go to the NIST website, they have a publication around the abstract definition of what we're talking about here. What comes to mind as an easy analogy for people to grasp is that certain aspects of technology today are static and not dynamic, right? So it's almost like making your company more dynamic and flexible by embracing zero trust principles around these different layers we're talking about. But it's assuming that there's no implicit trust granted to any kind of asset, user account or vendor. So it's building redundancies into your framework.

Blake:

Other than people who are trying to pursue NIST or CMMC or any of those special compliance requirements, are there any other businesses, or industries, that you'd recommend adopt a zero trust framework?

Craig:

Yeah, this is not specific. When I said NIST, I wasn't referring to a specific vertical like government or something like that. I was saying NIST has a publication around zero trust architecture. As far as types of companies, I would say really it's recommended for any business, especially nowadays with the current threat landscape. I'm reading this here. It says zero trust is a response to enterprise network trends that include remote users, bring your own device or BYOD, and cloud-based assets that are not located within an enterprise-owned network boundary. It focuses on protecting resources (assets, services, workflows, network accounts, et cetera), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource. So to translate that a little bit: 10 or 20 years ago, a lot of people would drive to work, and you would build an IT stack and enterprise infrastructure. You'd typically have a server or servers, you'd have a network, and your users would connect to the corporate network. Well, fast forward to present day, post-COVID. A lot of people are still working from home, and that's their permanent role now. We're more of a global kind of workforce that's no longer all required to go punch the time clock in a single location. So hopefully that helps define it a little bit better, but it's principles and workflows to adapt to that methodology and way of working.

Blake:

So it just sounds like it got a lot harder with everybody transitioning to work from home.

Craig:

There are a lot of gaps, right? With people working from home, unless the company is regulated and more mature, some people are not connecting to the corporate VPN. Maybe they don't have a corporate VPN, for example; maybe they're just using their home internet service. So my point is that we've got software-as-a-service, or SaaS, applications like Microsoft Teams, for example, that allow for a mobile and remote workforce. But something like Teams I don't consider zero trust. It may help with the connection, but I don't consider it zero trust, because it's still closed source, proprietary, not continuously vetted. So it gets a little confusing, but I think the whole architecture is centering around: how do we bring together a workforce that is not in a single corporate location?

Erin:

That makes sense. And just out of curiosity, do you think there's a way for any business to become completely zero trust?

Craig:

It's the same as HIPAA compliance or a lot of these regulations. I don't think it's a yes or no question, is my point. You try really hard to be as compliant as you can, and you hope that you have the evidence of all the layers of things you could do, but it's always going to be a constantly evolving effort. I think a smaller business in particular can more easily adapt and embrace zero trust architectures and technologies, as opposed to a bigger company that has more cogwheels, more things to change. So yeah, I do think it's possible to eventually get there, but I think there may be some challenges with siloed information or older legacy systems that maybe there's no substitute for. For example, data and email is probably the first step that most businesses would take to embrace zero trust, and then moving out from there into the applications that the company would use and the different hardware or network layers. There are just different puzzle pieces.

Erin:

Yeah. I mean, that makes sense. That completely goes along with the 22-layer onion approach

Craig:

That's right.

Erin:

to cybersecurity. That makes sense. And what do you think would be the easiest thing for people to implement, to start becoming zero trust?

Craig:

The easiest thing would be the data and email. They can certainly call or reach out to us, and we can help evaluate their situation and then create an assessment process to see exactly what would be the low-hanging fruit to convert them over to a zero trust architecture. It's obviously going to be different for various types of companies or the regulations they're subject to. But most often it's going to fall into what I said earlier: the data and email components are usually the easiest to move into some type of zero trust model. But a proper evaluation, discovery and assessment process has to be followed, because if you just go sign up for something, it may not work and be compatible with your workflows and how you operate. Maybe you have certain applications or custom workflows. So we've got to make sure that things don't break and cause more havoc or problems.

Blake:

So I was looking into the 800-207 that you were talking about

Craig:

Yeah.

Blake:

and it talks about the core principles of zero trust, which are continuous verification (obviously we've already talked about that), limit the blast radius, as they say, and automate context collection and response. Can you talk briefly about those? Like limit the blast radius: how do you minimize the impact if a breach occurs? That's one way, obviously.

Craig:

Yeah, it would be enclaves or segmentation, compartmentalizing things, leveraging technologies like end-to-end encryption, for example. Also trying to embrace passwordless technologies. So those are some ways to mitigate risks, because if you embrace technology that doesn't rely on passwords, for example, well, now you're raising the bar in regards to providing better protections against phishing and business email compromise. So it goes back to our layered model, is what I'm getting at.

Blake:

And then as far as automate context collection and response?

Craig:

Yeah. So that falls into what we were talking about: XDR, extended detection and response, and artificial intelligence automations. You can put in almost like scripting and logic and automations to help, depending on the layer it falls into. So if we talk about XDR, for example, XDR relies on artificial intelligence and patterns and data and analysis, and it's continuously improving, and it's also continuously getting vetted and tested, right? So as all the immense logs come into different places, it helps aggregate that data and helps make sense of it before it bubbles up to the human level.

Blake:

Awesome. Yeah. This article I'm talking about also talks about three different stages to rolling it out. Step one: understand all the resources and access points, and visualize the risks involved with those access points and those devices. The second stage would be to detect, obviously to detect and stop threats, or mitigate the impact of a breach. We already talked about that, compartmentalizing, and in case of a breach, obviously a threat that cannot be stopped, to figure out how you would minimize the impact to the ecosystem, the environment. And then the third stage would be extended protection. We talked about XDR, and open that up to every aspect of the IT infrastructure: all the resources, all the locations, all the endpoints and all the employees. That would be the three steps to rolling this out,

Craig:

Yeah.

Blake:

in my understanding.

Craig:

Now, one of the things that just kind of stuck out at me: it says zero trust was created based on the realization that traditional security models operate on the outdated assumption that everything inside an organization's network should be implicitly trusted. This implicit trust means that once on the network, users, including threat actors and malicious insiders, are free to move laterally and access or exfiltrate sensitive data due to a lack of granular security controls. The reason why that sticks out to me is, back ages ago, 20 years ago or so when I took the Cisco certifications, there was always this implicit allow function, meaning your firewall was at your corporate location and anything inside the network was implicitly trusted. That's what they're saying here. They're saying we're in a world now where we're not all working out of a corporate network, we're not all in one place, we're not all working out of the same network, the same location, and going through the same firewall, for example. And we can't all be implicitly trusted anymore. So we need something better, and that's what zero trust brings to the table. It's no longer assuming anything. It's always verify, never trust.

Blake:

Well, this is the future, because in one of our previous podcasts we talked about breach statistics, and a huge percentage of the breaches actually come from internal employees, people who let them in the back door accidentally. Obviously intentionally is another thing we're talking about, sabotage, espionage. But accidentally letting them through the back door, you know? Because a lot of times, from the stats, that's the easiest place for hackers to start, to come through the back door and see if there's entry there versus kicking through your front door. So internally, I mean, we've talked about this before in some of our podcasts.

Craig:

Yeah. I've talked about that analogy with the alarms and cameras and dogs and different security layers. And I think that's a good point. If you look at it through that lens and that perspective, a zero trust model is more secure because each of those layers is independently verified. Nothing's ever trusted. It's always verified at each individual layer and endpoint. And you can take this as far as you can. For example, when we at PTG adopt a zero trust principle like end-to-end encryption, we're leveraging and trusting encryption standards that are global and continuously verified and tested for security. We're not trusting a single entity or company or person with a particular security layer. So there's a little bit of crossover with blockchain, for example. Blockchain is a technology that's secure by default, but it's open, and it's append-only. So nobody in the world can make any changes to it. Right, as long as the blockchain... So we've got two different kinds of blockchains: public blockchains and private blockchains. We're specifically talking about a public blockchain. For example, with Bitcoin: Bitcoin is the first use case of a public blockchain, and it's also the most secure because it's the longest chain, the longest chain that has all of the blocks continuously verified by all the different nodes on the blockchain that participate in the process. That's why it's the most trusted, and trust me, hackers are always trying to break and steal Bitcoin. My point is that could be some type of crossover point, but like Blake said, it goes into all these different layers of software and hardware and different pieces.
That's why it's so important to follow our assessment process, to make sure we're looking at everything in your company and the right solutions mesh well together.

Erin:

Well, and I think too, I feel like I come back to this a lot, but if you think about the SolarWinds hack, right, that was because there was not a zero trust framework set up. Would you say that's the case?

Craig:

Well, SolarWinds was interesting, because, okay, this is where it gets a little complicated. SolarWinds is a software company. In this case they were providing software to help their customers with remote monitoring and management, patch management, et cetera. So the companies that were customers of SolarWinds were trusting SolarWinds to provide vetted and tested security updates and patches. Well, what happened in their workflow was SolarWinds was breached, and hackers used them as a jump-off point to infect all of their customers. So it's not really the same; there are some parallels. It goes back to what I was saying earlier: you've got to really trust your vendors. But let's go back to the SolarWinds thing. Even if you asked SolarWinds prior to this event, show me your supporting proof of your third-party pen tests, and let's say they showed you all that stuff, there's only so much the customer can do. You have to trust them at some level, right? But maybe there is a better way to incorporate zero trust methodology into how vendors deliver. For example, let's say I'm a customer of SolarWinds. Instead of trusting SolarWinds to provide me with a patch or an update, maybe there's some intermediary that then verifies that the patch is valid and is what it says it is. Like Microsoft would use hashing to make sure that what Microsoft's giving you is coming from Microsoft. Now hashing on its own won't help in this situation, because again, you're still trusting Microsoft to give you the patch. The hashing just tells you that nobody manipulated it and it is what it is. But what I'm saying is maybe there's a way to have a third-party layer that tests and verifies: hey, look, this really is an update from SolarWinds, or no, this is malware, we're going to deny that. You know what I mean?
Maybe in the future there's some kind of open standard that helps these companies verify that they're doing what they say they're doing. For example, on the blockchain, you can't manipulate and alter the Bitcoin blockchain. Everyone on the network would say, no, that's not real, and they're going to deny it. So that's what I'm saying. Maybe there's a way to decentralize and add a component to some of the trusted-circle vendors that a lot of businesses use. I'll give you another example: QuickBooks. Tons and tons of small businesses use QuickBooks, or tons of businesses use PayPal or Square. But how do we, as companies, know that what we get from those tunnels is safe? How do we prevent another SolarWinds? There's only so much we can do. I mean, we could say no, we're not going to use your technology, and then, for example, not take credit cards. Maybe that's the answer for the payment layer: don't take a credit card, take crypto. Again, I'm not advocating for one direction or the other; my point is that in that specific layered example, that would be a decentralized effort. So that's what I'm saying. There are so many different pieces to a business and so many different software packages. I guess the bottom line is, after the thorough assessment process and methodology that we do, we'll be able to find all of those issues and gaps. But you may be at risk, and a lot of companies may be at risk, for another potential SolarWinds-type breach.

Erin:

Right. Yeah, probably a lot of them, I would imagine. And that was the cool thing. What was it that happened that weekend? We had just installed the XDR on somebody's computer the weekend of the SolarWinds.

Craig:

That's

Erin:

And they were able to, they shut it down, right? So nothing would infiltrate it.

Craig:

Oh, I think you're confusing them. I think that wasn't SolarWinds. That was Log4j.

Erin:

Oh, that was Log4j, yes, it

Craig:

That's okay.

Erin:

yeah,

Craig:

The point is businesses need to embrace zero trust technologies everywhere possible, and look at not just technology but every vendor. Look at Target: Target was breached through an HVAC vendor, right? So the HVAC vendor was the trusted, implicit allow inside their network, and that's how the keylogger got in there, and it was an easy way for the hackers to manipulate them. So what I'm saying is that when we evaluate a business, we don't just evaluate their technology. We don't just evaluate their cybersecurity layers. We're looking at the business as a whole: what vendors is that business using? Who's in that trusted circle? Is there more than one group or more than one employee authorized for spending, for example? What if you get a phishing email and somebody like the controller is persuaded to send money packs or Bitcoin or gift cards to somebody? Is there somebody that checks on that to make sure it's legit? You know what I mean? That's an example of a central point of failure at the human level. So maybe there are checks and balances for that. But this spiders out into so much, is my point. It's not an easy thing. It's a good direction to go, but it's not an easy answer for a lot of companies.

Erin:

Right, right. Yeah, that makes sense. And talking about redundancy also makes sense. I think redundancy can feel a little tedious at times, but if you think about what it keeps you from having to do, you know what I mean? If it can stop an attack from happening, then it's definitely worth it.

Craig:

Another example is with Apple. A lot of us buy Apple devices, like an iPhone, for example. When we buy the iPhone, Apple controls the hardware and the software, and we know as consumers we're buying into Apple's methodology. That's why we buy the device, and it's our freedom and choice to pick and choose what device we buy, sometimes, unless your company dictates it. But my point is, with the example I'm painting the picture around, everyone with an iPhone is trusting Apple to provide that update. Right? What if, and I'm not saying this would happen, but it could, what if something got breached in Apple's vetting system and the hackers then controlled every single Apple device through something like a security update? So there's got to be some testing around that, and I guess also more transparency from companies to show their users: hey, look, this is how we are going to deal with an issue like that, this is how we're protecting you, and these are the extra safeguards we have in place to prevent something like that from happening. The same thing with Microsoft. Microsoft is huge. We all trust Microsoft to provide updates and patches on Patch Tuesday and other days of the week. Same for Intel and AMD. So my point is that all these big companies, I feel, really need to pave the road and lead the path forward on adoption around zero trust. And then it's easier for the smaller companies to follow.

Erin:

What would you say about the big companies right now? If you had to grade them on how good, overall, you see the big companies being on implementing zero trust, what grade do you think you'd give them?

Craig:

Well, I think it's kind of hard to answer that question. I think Apple has really done a great job. I think Microsoft has done a great job too. I think Apple's job, from a threat landscape perspective, may be a little bit, quote unquote, easier, because Apple only works on Apple devices. They control the hardware and the software. So it's always been, in my opinion, easier for Apple to engineer the perfect marriage of hardware and software. Whereas Microsoft has to adapt their software to all these different channel manufacturers that adhere to what we call standards, and a lot of these manufacturers don't do everything perfectly. They may be really close to the standard on something or off the standard on something else. So my point is you've got these nuances that Microsoft has to support. There are a bazillion different hardware configurations they have to make Windows compatible with and not crash or bluescreen, for example. So I think that's another challenge. But as far as zero trust, I don't really feel like those big companies, Microsoft or Apple in this example, are providing enough example around zero trust. I think there's a lot more work to be done there. I still think that since they are the big companies and they have the resources, they should be the ones to lead the pack.

Blake:

One thing that comes to mind when you mention Apple is, I remember, I can't remember exactly, I think it was maybe five or ten years ago, but you weren't able to download apps outside of the App Store. They prompt you and warn you, and you have to go into your computer to unlock it, to allow an external app outside of their App Store to even be installed on a machine. I was thinking about that as soon as you started talking about zero trust and Apple. I think Apple does a pretty decent job at keeping their ecosystem, their software and their hardware and their security, all kind of buttoned down for the most part, in my opinion.

Craig:

Yeah, I agree with that. It's our opinion, of course, but my point is that I think for Apple it's easier, because again, for the example I just gave, they engineer the hardware to match the software perfectly. I still think there could be more work done to embrace zero trust. I think Apple has really started to lead the way in privacy protections at the consumer level. They have new technology now where the user doesn't have to give up their email address, for example, and they can mask their IP address. There are different privacy levels that I feel are overall a good thing that Apple is kind of pushing. But I still think there's more work that can be done to embrace zero trust. For example, and maybe I'm wrong, but I don't see an easy way to verify certain layers of Apple's ecosystem. I think that's held close to heart for them.

Blake:

What do you mean by that?

Craig:

We trust that Apple and Microsoft have not been breached, but there's no public layer that can attest to that. You check an iPhone and you check for updates, and we trust that when we check for updates, that update comes from Apple or Microsoft. But how do we really know? We're just trusting that. Okay, they said there are no updates. How do we know that? There's no zero trust layer that's vetted.

Blake:

Yeah, you're talking about the kind of trust-but-verify thing, right?

Craig:

Exactly. But that's kind of the whole principle of zero trust, right?

Blake:

Yeah. I mean, it was kind of hard to comprehend and to process everything, because it's relatively new, from my understanding. I guess it's not a new strategy, but it's like a new buzzword, right?

Craig:

Yeah, well, it is kind of a new proposed architecture, so it is kind of a new strategy, especially if it comes from NIST, right? They're trying to define it, and they're trying to say, look, this could be a good thing as a whole. And I do think it's a good thing as a whole, in my opinion. It's just that I feel there need to be more examples set forth by common companies, and more transparency. I think Apple's starting to do that with some of these enhancements they're making. But again, we're moving away from this corporate, everybody-in-one-place, implicitly allow everyone inside to do whatever they want. As we add in and incorporate zero trust, I just think it needs to be done so that it's not a big bog-down for people as well.

Erin:

So when you say bogged down, you just mean bogged down by all the layers, all the stuff that they have to do?

Craig:

Yeah. One thing that comes to mind for Apple is their Face ID. For example, if I use Microsoft Outlook on my mobile device, I can set Face ID so that after so many seconds it re-verifies that I'm who I am, that somebody else isn't looking at my mail or whatever. That's a zero trust methodology around that function or feature. That's an example. I'm saying there could be more of that, things that are not necessarily difficult for people to adopt. I guess what I'm saying is that I don't want companies to create more hassle and more frustration for people. I want them to work on easier-to-adopt improvements of workflow at the same time. For example, passwords. Everybody hates passwords. Every day it's like, oh, your password needs to be this long and this long and this long. We've talked about password managers, and we've talked about technology like GateKeeper hardware tokens and different things like that, which we fully support. But my point is, if we can focus more on embracing a standard. I saw something, I haven't studied it yet, but there was some push for getting rid of passwords. So if we can get Google and Microsoft and Apple to all get rid of passwords, and still heighten the security of the device and the account we're trying to protect without a password, and embrace some type of zero trust architecture where it's using encryption or whatever to protect that seed, that could be a good thing, is my point. I mean, gosh, could you imagine? Or maybe a zero trust technology that's built on the blockchain, where we have a seed or a token, and that token is kind of like Google Authenticator, it's private and individualized but always changing every so many seconds. Maybe there could be a way
to embrace a technology like that at the identity level, and then it uses that same zero trust methodology for every place we visit. So it's kind of like single sign-on. Then you don't have a password for anything, and it's all vetted and tested.

Erin:

That would be awesome.

Craig:

Right, exactly. My point is that obviously we're cybersecurity professionals, so we want it to be secure, but my point is, we shouldn't have to trust a person or a company to say that it's secure, we should be able to trust no one and trust the technology and the world to vet and test it with supplying evidence of it, much like the blockchain with Bitcoin, for example, you know. There's no manipulation of it. It's constantly getting tested every day, every second, you know? So maybe some way to leverage a technology like that, but in the everyday lives of, of us all, so that we don't have to deal with... I mean, could you imagine how much time is lost from people forgetting passwords to whatever?

Erin:

Oh, so much time, so much time. It's crazy.

Craig:

Yeah. So that's what I'm saying. Like, as we improve and work to improve a more secure Zero-Trust movement, big companies help to make it more and easier as well, at the same time.

Erin:

Okay. Great.

Blake:

I was getting ready to talk, to pull up some of the 800-207 documents here. That might be one for another podcast though.

Craig:

We could probably do a whole series on zero trust.

Erin:

I mean zero trust is really just another word for what PTG and Craig have been telling people for a long time.

Craig:

Yeah. Like, one of the things, like with the CMMC and the different regulations that we're working for, is they say, you know, your IT guy or your IT company shouldn't do your cyber. Right? Checks-and-balance approach: the cyber validates the stuff, meaning hardware, software, methodology that the IT provider is doing. And if there's an issue, there's a checks-and-balance approach of, okay, fix this and here's a gap for this. So it's, it's constantly tested. Right? I think that's a good thing for really any company, not just a regulated company, to follow, because what it does is, you know, a lot of small businesses that are not, like a construction company, for example, they may have an IT guy or an IT company or a managed service provider. But they don't really, most of them probably do not have a cyber company. They probably assume that the IT guy or the managed service provider is doing that work, which is a poor assumption because that's not true a lot. Now, a lot of those companies will do, or will say, hey, we do cybersecurity too, but that's not... That's where, I think, my opinion is that a conflict of interest happens. Now, it's okay for a managed service provider to do the two functions if, and only if, they're supporting evidence and a clear line in the sand of differentiation, meaning they've partnered with a company to do that cyber function or, you know, something like that, but the same team and the same company... you've got one IT guy and his name's Bob, Bob should not be doing IT setup and configuration and IT security or cybersecurity. Does that make sense?
Like Bob should, if, if Bob has Joe on the team and Joe doesn't interact with that, they have clearly divided divisions of the company and they're technically two separate companies, then that's okay because it's a checks and balance, but it could create a conflict of interest if you've got the same IT guy or the same managed service provider, and they're doing both sides and there's no clear line in the sand of validation. That's where companies could get in big trouble, especially if they're regulated; they won't really get in so much trouble from like an authority if they're not regulated, unless there's a state or a federal law in their state. But the other negative impact could be some type of breach where, oh, Mr. Business Owner thought the IT guy put in protection for ransomware, for example.

Blake:

Something that comes to mind immediately is like Bob would be like your single point of failure.

Craig:

That's right.

Blake:

Something that came to mind immediately is I was watching that documentary on like the Boeing airplanes that went down and stuff, and it was like they had this one pitch sensor or something that only had a single point of failure. And whatever, I guess whenever the angle of attack was, I don't know, that thing was, it was essentially, it was failing. And then what it would do is it would just steer the plane down, you know, like turn the nose down, 'cause it thought that it was stalling. Right. Everything that, you know, the reason why I'm bringing this up is everything for security and safety relies on, you know, having multiple resources and not a single point of failure. So in that instance, for example, the more resources that you have and the more that they're divided and compartmentalized, the, the less likely you are to have something happen, in maybe safety or security or anything of that sort, you know.

Craig:

Yeah, so this, so that's a good point. And then what comes to mind also is that a lot of small businesses, especially if they're outsourcing to like an individual freelancer, that's a risk point. So you need as an organization to have backup or some type of redundancy there. The same for a company managed service provider. There needs to be participation on both sides, on the company side or the consumer side, as well as the provider side, on helping to build this stuff, because otherwise there's risks and there's, there's gaps there. Even if you're a company that has your own IT staff, you know, you still need to look ahead and think about, well, what happens if they get hit by a bus? Like what, what do I do? You know, like you have to have different scenarios. You know, we talked about tabletop and exercises. This is the perfect exercise that a lot of companies can do. You know, think about like, you know, what do I do if, if Bob gets hit by a bus, you know, like how does my company go out of business? Like, you know, what, what can I do to reduce that risk? And it's not an easy problem to solve, but business owners that are listening can think about it and try to put into place redundancy, or consider working with companies that have redundancies in place, or even better yet, choosing more than one company: one is IT, one you'd want to do cyber, and following some of these frameworks, even if you're not required to follow the specific framework. Like, for example, you know, we talked about CMMC version two. It is still the most modern framework and it is a good framework to follow. Even if you might not be a defense industrial base contractor, it still would give good maturity and improved security to the business.

Erin:

Absolutely. That makes sense.

Blake:

Yeah. I was looking at the 800-207 document here, and I'm just... this, a lot of different levels, just super complex. And they talk about also here, we talked about implementing before, but they talk about steps that you can use to implement, or include CDM systems, continuous diagnostics and mitigation systems, essentially gathering information about the assets and the state of the assets within your ecosystem; industry compliance systems, essentially making sure, you know, whatever data or information that you're sharing falls within, if it's FISMA or healthcare or whatever regulations you have, in the policies and rules. Of course they talk about like a threat intelligence feed, which we've kind of talked about with XDR. And of course the same thing here with network and system activity logs; it seems like XDR checks a lot of the boxes, you know, data access policies. And yeah, there's a lot of stuff. A lot of stuff here, a lot of complexity, a lot of layers.

Craig:

Yep. That's what I was saying. That it's, it's just not something that's an easy button, right? I mean, it's, it takes effort from the business for adoption. First of all, they need to figure out what, what's the focus on first? You know, we have good methodology around our four pillars to determine that. But it's work. You gotta work at it, eating the elephant one spoonful at a time.

Erin:

Yeah, absolutely. If you want to consume that elephant, you got to start somewhere.

Craig:

That's right. Like I said before, I mean, we can make a whole series out of this. Typically the first steps would be data and email, to embrace zero trust around those frameworks. And we have solutions for that; we can customize that for any business and give them exclusive pricing on it.

Blake:

It seems like XDR checks at least two or three of the boxes as well, too.

Craig:

Right. But it's at a different layer.

Blake:

Right, right, right.

Craig:

What I'm saying is that if we focus on data and email first and we implement those technologies, we're effectively creating a secure bunker or an enclave to put their data in and their emails in, on top of their unsecure stuff that's already running, right? So then it's a matter of how do we, if they have more than one person in the company, how do you then adapt to workflows and collaboration? And you mentioned XDR. So if they're a company that has several employees, multiple locations, for example, now your problems are exponentially more complex because you've got multiple people involved, different hierarchies involved. So you have just different complexities. Where XDR comes into play is that's going to detect that lateral movement and continuously, you know, test and verify, at the network layer though. So that's what I'm saying. So like, if you're a one person working out of their house, you know, you could have XDR on your network, your home network, and that will detect to make sure that... anybody who has one device these days, right? I mean, everything is connected to the internet, even doorbells and thermostats. So wherever you are, my point is that there's more than one device. And at that network layer, that's where XDR comes into play. But if we start with protecting data and email, we can put that in a bunkered, secure area. And then you see, you know, it just kind of expands upon and builds upon from there.

Erin:

I think we talked about this before, but I think we should do, maybe next week we could do a podcast on enclaves and explaining what that is, because that seems to kind of go across not only zero trust, but also NIST. You know, and it's just a great way to save money so that you don't have to implement everything enclave, but you know, if you have data that you store that is extremely sensitive, you know, maybe you can start there kind of deal. 'Cause it, it does seem to kind of run with it, I would say.

Craig:

Yeah, I think this is probably a good closing point for this one, but I think the starting point should be to, you know, just reach out to us and we'll help you. No cost or obligation to have that first phone call, just discuss it with you. And then obviously, if there's a fit to provide professional services and, you know, go through with something like a four pillars assessment, you know, there's certainly a fee involved with that because it's a lot of work, but the output will be a blueprint on how, how to get started and how, you know, what, what to do with that. Obviously, we want you to do that with us, if possible, because we have already vetted and tested and we've got the 22-layer patented cyber safety stack, but you could also take that deliverable to any company and still have, you know, a good deliverable there that's tangible, that could be used.

Blake:

We have one of our podcasts lined up too, like what, what to look for in a managed services provider and in IT and cybersecurity. So I've got that one in our back pocket that we can break out in the future here. 'Cause I think that'd be good. Obviously we're here to help. We hope that you feel comfortable reaching out to us, but you know, we're here if you need us.

Craig:

Exactly. Awesome.

Erin:

Absolutely. What a great way to end the podcast.

Blake:

Yep. I think so.

Craig:

Thanks guys.

Erin:

Nice job. Well, yeah, you guys have a great week and we'll see you here soon.

Blake:

Bye.