Adopting Zero Trust Adopting Zero Trust

Season two, episode nine: Featuring Bloomberg’s Head of Information Security Architecture and the Information Security Program, Phil Vachon.
 
Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.
 
What does implementing a Zero Trust strategy actually look like in an organization? Nearly a year into our podcast’s journey covering how practitioners view, define, and apply zero trust, it’s time to look under the hood at how a notable organization put its strategy into motion. This week we chat with Bloomberg’s Head of Information Security Architecture and the Information Security Program, Phil Vachon, about how they transformed their security organization with Zero Trust.
 
Most interestingly though, while many organizations are just now exploring how they will start their zero trust journey, Bloomberg was ahead of the curve even before covid thrust the concept into the limelight.
“I will always say it is continuing to be a journey. It's not a destination,” said Vachon.
Key Takeaways
Zero Trust Principles
Zero trust is not a new concept but has been repackaged and branded as a solid ideology.
Zero trust involves three principles: trust but verify, assume compromise, and strong posture.
Zero Trust Journey
Zero trust is a continuing journey, not a destination.
Zero trust requires a good mindset about how to implement controls and how to reason about security architecture.
Zero trust is not just about securing the corporate IT estate but also about securing the data center estate and the communications between components.
Challenges in Implementing Zero Trust
Balancing security with usability is a challenge that must be addressed to enable a high-collaboration, low-friction workflow.
Bloomberg leverages many SaaS services for collaboration, but they also have their own core services that are still on-premises. They focus heavily on their offerings on-premises and have a big drink-your-own champagne culture around them.

There’s no avoiding it, the headlines have not been kind to the ways we access systems today. Users are still using 1234, password, and even their dog's name. Not just using these weak passwords but also reusing them across multiple platforms, making it incredibly easy to breach someone once they’ve been caught up in a previous breach. On the vendor side, well we all know what’s happened there in the past 12 months, and now more than ever, password management platforms have growing targets on their back as high-value assets.
 
But we are not here to throw rocks in the glass house nor try to dissect what goes well or goes wrong in these situations; however, we should all focus on what we can take away from them and ensure they are not repeated. This concept aligns well with Zero Trust, where we should assume systems are already breached, that your users - be it intentionally to shitpost in a discord channel or accidentally fall for a phishing lure- and we should remove as much implicit, unchecked trust as possible. At least until Skynet takes us all out, but we have a few good years ahead. 
 
Jokes aside, we have a great episode for you and appreciate Bitwarden lending us two of their C-suite members who cover a range of topics, including how they navigate these challenges. This week we chat with Bitwarden’s CEO Michael Crandell and Chief Customer Officer Gary Orenstein. Bitwarden offers an integrated open-source password management solution for individuals, teams, and business organizations. It also offers a self-hosted solution, which appeals to those who want greater control over their secrets.
Key Takeaways
The use of a Zero Knowledge architecture means that the company, whether cloud-hosted or self-hosted, should not be able to access sensitive information without the user's permission.
Open-sourced solutions offer additional layers of trust as there are more eyes are on the product and can vet it for security
Passwordless authentication is the future

For many, cybersecurity is seen as a cost center that reduces risk to the business. This can be oversimplified to something akin to how HR reduces people-related risks but comes with layer on top of layer of complexities ranging from technology to physical buildings and, of course, people. Regardless of organizational size, cybersecurity leadership requires a top-down approach, leaving room for discussion at the board level and aligning it with business goals.
This week on AZT, Neal and I chat with Kris Lovejoy, Kyndryl’s (IBM spinoff) Global Security and Resilience Leader, former CEO of Virginia-based BluVector, and a former IBM CISO prior to being made GM of their security division. Having danced the line between startups and mega-enterprise organizations, there are few others who could so adequately discuss the role of cybersecurity leadership within modern organizations and why having a competent person at the helm is critical to the business (not just to reduce risk). We also play a bit of RSA buzzword bingo.

For more than a decade, Zero Trust as a concept has moved from a philosophy and now into a practical architecture and strategy that organizations can adopt. While Zero Trust encapsulates much of what has gone well in cybersecurity for the past 30 years or so, does it truly offer an innovative approach or just iterative change? Is the concept positioned well so others can adapt it to their needs and prevent greater cyber-related risks? While we know it’s certainly not a silver bullet, and use cases are still reasonably immature, there is a firm argument for it helping to drive cybersecurity innovation forward.
This week on AZT, Neal and I chat with Andrew “AJ” Grotto, current Stanford University Fellow and Director of Security at Turtle Rock Studios (makers of Back 4 Blood and other popular video games). Prior to his current roles, AJ was an advisor at NIST and was the Senior Director for Cybersecurity Policy for The White House National Security Council. As a practitioner and academic who danced the line between public and private sectors, AJ is well suited to help us navigate the question of what drives innovation around cybersecurity if the federal government is behind the curve or creates chain reactions, and where policy comes into play.

This week on AZT, we chat about something timely and impactful to everyone in the cybersecurity and users impacted by related decisions: the new National Cybersecurity Strategy (full strategy here). Our guests this week are Tony Scott and Ilona Cohen, both industry powerhouses and experts well-equipped to navigate this complex document.
 
Ilona Cohen is the former General Counsel at Office of Management and Budget (OMB), was an Associate White House Counsel and Special Assistant to the President during the Obama administration, and is currently the Chief Legal Officer, Chief Policy Officer, and Corporate Secretary at HackerOne.
 
Tony Scott is the former U.S. Federal CIO during the Obama administration, has worked for brands such as Disney and GM, and is currently the President and CEO of Intrusion.
Together, they both experienced the Office of Personnel Management (OPM) breach of 2015, and have been involved with the ever-shifting threat landscape that impacts and leads to new initiatives like the latest National Cybersecurity Strategy. In particular, it resulted in the Cybersecurity National Action Plan, which resulted in the first bug bounty program.

This week Neal and I continue with our exploration of new formats, and this time we go one-on-one with the Founder and CEO of Netfoundry, Galeal Zino. Prior to Netfoundry, Zino spent much of his career traversing R&D, and later moving into a key role for Tata Communications. 
Though Netfoundry’s bread and butter is a Zero Trust Network Access (ZTNA) solution that can be built into other technology via API and even supports IoT systems, and they also manage OpenZiti. OpenZiti is an open-source self-hosted solution of a similar nature with input and contributions from Zero Trust and developer communities. Rather than honing too deep into the technology aspect, Zino and Neal go down the rabbit hole of open source tools and communities and why they are so critical to much of today’s existing security infrastructure.