1
00:00:00,000 --> 00:00:09,700
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,700 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,600
Hey everybody, welcome to episode 86.

4
00:00:17,600 --> 00:00:19,360
This week is another one of those special episodes.

5
00:00:19,360 --> 00:00:21,880
It's just myself, Michael and Mark.

6
00:00:21,880 --> 00:00:26,640
But Mark is not only a co-host, he's actually also a guest this week because he and his

7
00:00:26,640 --> 00:00:30,640
partner in crime, Nikhil Kumar, are here to talk about a book that they have co-authored,

8
00:00:30,640 --> 00:00:34,760
which is going to be one of a series of books called the Zero Trust Playbook.

9
00:00:34,760 --> 00:00:38,920
And the first book is called the Zero Trust Overview and Playbook Introduction.

10
00:00:38,920 --> 00:00:41,560
So because it's a special episode, we won't have any news.

11
00:00:41,560 --> 00:00:44,880
We're just going to get straight into it and talk to our guests this week.

12
00:00:44,880 --> 00:00:47,600
So Nikhil and Mark, thank you so much for joining us this week.

13
00:00:47,600 --> 00:00:51,960
Nikhil, why don't you give us an overview of what you do and let our listeners learn

14
00:00:51,960 --> 00:00:52,960
a little bit more about you.

15
00:00:52,960 --> 00:00:53,960
Yeah.

16
00:00:53,960 --> 00:00:59,960
So what I do, I am a biologist, computer scientist and engineer, and I do enterprise and security

17
00:00:59,960 --> 00:01:01,760
architecture most of the time.

18
00:01:01,760 --> 00:01:03,720
This journey started long ago.

19
00:01:03,720 --> 00:01:11,280
It started basically building real-time operating systems and sensitive defense systems almost

20
00:01:11,280 --> 00:01:13,360
37 years ago.

21
00:01:13,360 --> 00:01:16,300
And you started worrying about the original side channel attacks.

22
00:01:16,300 --> 00:01:23,040
And then it evolved through a variety of different sectors, from the OT sector and manufacturing,

23
00:01:23,040 --> 00:01:28,040
through life sciences, through healthcare, through fintech.

24
00:01:28,040 --> 00:01:35,240
And eventually you learned the lessons through like, you know, hard knocks to figure out

25
00:01:35,240 --> 00:01:38,880
what is right and what is practical and what really works.

26
00:01:38,880 --> 00:01:42,480
And that was the foundation for Zero Trust in general.

27
00:01:42,480 --> 00:01:48,920
And one day at a conference in Scottsdale, I'm sitting down with the MVP for the cybersecurity

28
00:01:48,920 --> 00:01:52,560
forum in the Open Group, Jemma Hytala.

29
00:01:52,560 --> 00:01:56,480
And I think it was over a glass of whiskey that we came to, or maybe a cup of coffee.

30
00:01:56,480 --> 00:01:57,480
I think it was the whiskey.

31
00:01:57,480 --> 00:02:00,960
We decided, hey, you know, let's do this thing about Zero Trust.

32
00:02:00,960 --> 00:02:03,600
And that's how the Zero Trust initiative started.

33
00:02:03,600 --> 00:02:06,640
And then a little later, Mark joined us.

34
00:02:06,640 --> 00:02:09,400
And that's how the world changed.

35
00:02:09,400 --> 00:02:10,400
Thanks, Nikhil.

36
00:02:10,400 --> 00:02:11,400
Yeah.

37
00:02:11,400 --> 00:02:15,460
So for me, like the Zero Trust thing, I sort of came at an odd angle to security, right?

38
00:02:15,460 --> 00:02:20,680
So I didn't come up through the standard firewall, IDS, IPS, you know, sort of technology

39
00:02:20,680 --> 00:02:21,680
stack.

40
00:02:21,680 --> 00:02:25,320
I actually started at Microsoft in about 2000.

41
00:02:25,320 --> 00:02:29,200
And so I got to see the big security stand down, the focus on SDL.

42
00:02:29,200 --> 00:02:34,240
I worked with customers that were trying to get their Windows baselines configured and

43
00:02:34,240 --> 00:02:38,080
help set the DoD standard, US DoD standard, et cetera.

44
00:02:38,080 --> 00:02:42,520
And so I always sort of had like an infrastructure eye view of security, but I also had the blessing

45
00:02:42,520 --> 00:02:47,260
of looking at it through the work of Michael and others, like through that sort of holistic

46
00:02:47,260 --> 00:02:49,580
Microsoft lens early on.

47
00:02:49,580 --> 00:02:53,080
And I also started at Microsoft in the Active Directory group supporting it.

48
00:02:53,080 --> 00:02:56,960
And so I got to understand the identity side long before I got into the sort of network

49
00:02:56,960 --> 00:03:00,680
side and the sort of classic security view.

50
00:03:00,680 --> 00:03:03,920
I never looked at security like the security industry did, right?

51
00:03:03,920 --> 00:03:07,360
And then along comes Pass the Hash, and I helped with the Pass the Hash white paper,

52
00:03:07,360 --> 00:03:11,420
co-authored that one, version one and version two, and then built some of our privileged

53
00:03:11,420 --> 00:03:13,460
access guidance and all that.

54
00:03:13,460 --> 00:03:15,880
And then I sort of had to back learn the networking stuff.

55
00:03:15,880 --> 00:03:18,200
And I was like, why aren't you all caught up, right?

56
00:03:18,200 --> 00:03:23,200
Because I just started in that unusual spot, which when the identity-based attacks came

57
00:03:23,200 --> 00:03:27,200
along, I was just uniquely prepared because I know way too much about how the internals

58
00:03:27,200 --> 00:03:29,080
of AD worked.

59
00:03:29,080 --> 00:03:35,080
And I got connected up with the Open Group through Sean John out of the UK, who's like

60
00:03:35,080 --> 00:03:38,560
an MBE, I think, or something like that, for her work in cybersecurity.

61
00:03:38,560 --> 00:03:41,880
And she was like, you need to work with some of these Open Standards groups.

62
00:03:41,880 --> 00:03:43,720
And I was like, okay.

63
00:03:43,720 --> 00:03:48,720
And I met Nikhil and just started to really work together really well, and we're working

64
00:03:48,720 --> 00:03:49,720
on the Zero Trust standard.

65
00:03:49,720 --> 00:03:50,720
We're like, you know what?

66
00:03:50,720 --> 00:03:52,840
This is really going to need an implementation guide.

67
00:03:52,840 --> 00:03:58,760
This is going to need a playbook on a role-by-role thing, because security is really complex

68
00:03:58,760 --> 00:04:02,920
and everybody's role is changing, maybe a little, maybe a lot.

69
00:04:02,920 --> 00:04:07,600
And so yeah, for me, the Zero Trust thing was extremely natural, because I was always

70
00:04:07,600 --> 00:04:10,800
looking at security in sort of that different light, the traditional networking one.

71
00:04:10,800 --> 00:04:16,440
It's like, okay, how do we help the world sort of see a better way of doing security?

72
00:04:16,440 --> 00:04:20,680
It's interesting as you bring up the holistic view of things, because you dropped my name

73
00:04:20,680 --> 00:04:25,560
in there for reasons I don't understand.

74
00:04:25,560 --> 00:04:31,560
But the reason I say that, my focus is almost exclusively on software development, right?

75
00:04:31,560 --> 00:04:35,880
So looking at security design, secure coding, tooling, libraries, static analysis, dynamic

76
00:04:35,880 --> 00:04:37,600
analysis, and all that sort of good stuff.

77
00:04:37,600 --> 00:04:44,120
But like you, even though I had my area that I just love and enjoy, being at Microsoft,

78
00:04:44,120 --> 00:04:48,920
in fact, just being in industry in general, I guess, you sort of do get to learn a lot

79
00:04:48,920 --> 00:04:50,480
through osmosis, right?

80
00:04:50,480 --> 00:04:53,720
Just by being around people who are dealing with specific areas.

81
00:04:53,720 --> 00:04:54,720
So you might not be-

82
00:04:54,720 --> 00:04:57,520
You're meeting smart people that are working on something else, yeah.

83
00:04:57,520 --> 00:04:58,520
Yeah, exactly, exactly.

84
00:04:58,520 --> 00:05:02,200
All right, so that's a good way of sort of kicking this thing off.

85
00:05:02,200 --> 00:05:06,200
Well, actually, Michael, I would like to add a couple of words in that, right?

86
00:05:06,200 --> 00:05:10,360
So when I was dealing with the Open Group, there was a guy called Steve Whitlock.

87
00:05:10,360 --> 00:05:16,960
He was the CSA for Boeing, and I run my own small little company, but I was dealing with

88
00:05:16,960 --> 00:05:22,560
Steve and they had a thing called the Jericho Forum, and actually, Mark knows Steve too.

89
00:05:22,560 --> 00:05:26,560
And Steve and I, I mean, I talked to him and Carl Bungee, I think, who was also either

90
00:05:26,560 --> 00:05:29,960
the CSA or whatever it was for Boeing in those days.

91
00:05:29,960 --> 00:05:33,400
And there was a small community of people running the Jericho Forum.

92
00:05:33,400 --> 00:05:38,160
And they came out with the Jericho Commandments, and they were really practical.

93
00:05:38,160 --> 00:05:43,680
They were very valid, very practical for somebody who was really trying to implement security

94
00:05:43,680 --> 00:05:46,600
in a mid to large sized enterprise at that time.

95
00:05:46,600 --> 00:05:51,640
And I was like, well, here is something that I can, you know, I'm polite, I like things

96
00:05:51,640 --> 00:05:52,640
that work.

97
00:05:52,640 --> 00:05:55,120
So here is something that resonates for me.

98
00:05:55,120 --> 00:05:58,680
And so that was a large part of the foundation for our vision of Zero Trust.

99
00:05:58,680 --> 00:06:01,640
And you know, Mark and I have talked about it a lot in the past.

100
00:06:01,640 --> 00:06:06,760
And it was something which just was, I think, Mark, you had a session with Steve Olson,

101
00:06:06,760 --> 00:06:07,760
this topic.

102
00:06:07,760 --> 00:06:12,200
Yeah, we co-authored a blog, actually, talking about the Zero Trust versus the Commandments

103
00:06:12,200 --> 00:06:13,760
and how it sort of evolved those.

104
00:06:13,760 --> 00:06:14,760
Yeah.

105
00:06:14,760 --> 00:06:17,560
The thing that was kind of interesting is like when someone first pointed me at the

106
00:06:17,560 --> 00:06:21,200
Commandments, I looked at them and said, well, that just makes sense, right?

107
00:06:21,200 --> 00:06:23,520
And I didn't really think anything of it.

108
00:06:23,520 --> 00:06:29,600
Because I didn't really appreciate, again, that network-centric view of how much the

109
00:06:29,600 --> 00:06:34,240
industry outside of Microsoft at the time was focused on networking and how important

110
00:06:34,240 --> 00:06:36,560
it was to sort of break that perception.

111
00:06:36,560 --> 00:06:40,840
And so later on, like years later, as I sort of started working with the Open Group more

112
00:06:40,840 --> 00:06:44,240
and connected with some of the folks in it and then looked at the Jericho Forum, so that

113
00:06:44,240 --> 00:06:49,640
lens I was like, oh, these are like the first formal roots of Zero Trust, right?

114
00:06:49,640 --> 00:06:53,320
Like this is the first sort of written down, this needs to do it.

115
00:06:53,320 --> 00:06:58,040
We've always had that sort of, I can't remember who made the quote of the crunchy outside

116
00:06:58,040 --> 00:07:00,240
in the soft chewy center of the firewalls.

117
00:07:00,240 --> 00:07:02,240
Bill Cheswick, I think.

118
00:07:02,240 --> 00:07:03,240
Yep, yep.

119
00:07:03,240 --> 00:07:04,240
Thank you.

120
00:07:04,240 --> 00:07:06,240
And when you look at like, okay, where did Zero Trust come from?

121
00:07:06,240 --> 00:07:12,880
I mean, there's a huge surge thanks to John Kindervag, got a head nod over to that good

122
00:07:12,880 --> 00:07:15,400
work that he did there at Forrester.

123
00:07:15,400 --> 00:07:19,560
But when you look at like the overall like where did Zero Trust come from, I mean, you

124
00:07:19,560 --> 00:07:23,680
can date this back to not just the Jericho Forum, sort of applying to cybersecurity,

125
00:07:23,680 --> 00:07:27,580
but like you can look at the early days of computer security and the least privilege

126
00:07:27,580 --> 00:07:30,280
in the first documentation of that.

127
00:07:30,280 --> 00:07:35,860
And then you can even trace this easily into the physical world of security and any kind

128
00:07:35,860 --> 00:07:38,620
of game theory and any types of conflict situation.

129
00:07:38,620 --> 00:07:42,220
Like Zero Trust is basically like saying, okay, now that we've ripped out the whole

130
00:07:42,220 --> 00:07:46,560
firewall makes a safe idea, what do we do?

131
00:07:46,560 --> 00:07:50,640
And we're able to draw from like sort of like everything human conflict.

132
00:07:50,640 --> 00:07:53,560
And so that's the thing that I really enjoy about it.

133
00:07:53,560 --> 00:07:54,840
And I'll add some color.

134
00:07:54,840 --> 00:08:01,400
In today's world, Zero Trust is not just about, you know, a small localized thing about a

135
00:08:01,400 --> 00:08:03,000
network or something like that.

136
00:08:03,000 --> 00:08:05,200
It's really a more holistic thing.

137
00:08:05,200 --> 00:08:10,240
It's the cybersecurity for the digital era, which is a big shift in the traditional way

138
00:08:10,240 --> 00:08:11,240
of thinking.

139
00:08:11,240 --> 00:08:15,280
When I think about what the cybersecurity industry has gone to is like, hey, it used

140
00:08:15,280 --> 00:08:19,920
to be here's a group of tech geeks in the basement with the IT folks, right?

141
00:08:19,920 --> 00:08:23,520
You know, the organizational basement, you know, kind of not literally, you know, all

142
00:08:23,520 --> 00:08:26,120
of a sudden it's now a board level issue, right?

143
00:08:26,120 --> 00:08:30,440
And boards look at risk in a very different way than security people do because they have

144
00:08:30,440 --> 00:08:33,320
to take risks to succeed and excel in their business.

145
00:08:33,320 --> 00:08:37,560
You know, so they have to calculate and take calculated risks and they're always accepting

146
00:08:37,560 --> 00:08:40,160
that something could go wrong.

147
00:08:40,160 --> 00:08:44,400
And so, you know, that's the thing that's been sort of interesting is seeing just the

148
00:08:44,400 --> 00:08:48,560
language and the culture collision as security became a board level issue and a business

149
00:08:48,560 --> 00:08:53,280
leader level issue, you know, and having to connect and translate between those.

150
00:08:53,280 --> 00:08:55,320
So that's like a big part of why we wrote the book.

151
00:08:55,320 --> 00:09:00,280
In fact, there's like a couple of pages in there dedicated to here's a word that is used

152
00:09:00,280 --> 00:09:03,880
very differently depending on who you are as a reader, like operations or what have

153
00:09:03,880 --> 00:09:04,880
you.

154
00:09:04,880 --> 00:09:06,800
And so that's been one of the things that's also interesting.

155
00:09:06,800 --> 00:09:09,680
So I always raise a couple of questions.

156
00:09:09,680 --> 00:09:17,120
First one is if you had to explain Zero Trust in an elevator and you only got 15 floors,

157
00:09:17,120 --> 00:09:19,520
so don't be there all day.

158
00:09:19,520 --> 00:09:21,280
How do you explain Zero Trust to somebody?

159
00:09:21,280 --> 00:09:25,160
Which is technical, but not necessarily an expert in security maybe.

160
00:09:25,160 --> 00:09:27,160
And then there's the second question.

161
00:09:27,160 --> 00:09:31,560
So I look at Microsoft's documentation around Zero Trust and it talks about, you know, authenticate

162
00:09:31,560 --> 00:09:36,920
and authorize explicitly, perform actions at least privilege and assume breach, which

163
00:09:36,920 --> 00:09:37,920
by the way is my favorite.

164
00:09:37,920 --> 00:09:41,920
And then you go to look at NIST documentation and they talk about different things as well.

165
00:09:41,920 --> 00:09:45,960
So does that mean people have a different perspective on Zero Trust or is it kind of

166
00:09:45,960 --> 00:09:49,440
the same stuff just through different lenses?

167
00:09:49,440 --> 00:09:54,360
So on the first one, which sort of gets into your second question a little bit, it really

168
00:09:54,360 --> 00:09:56,440
depends on who I'm talking to.

169
00:09:56,440 --> 00:09:59,960
And I'm not saying that in a deceitful, like I tell a different story to different people.

170
00:09:59,960 --> 00:10:04,040
But like when you talk to a board member about security in general, because Zero Trust is

171
00:10:04,040 --> 00:10:09,080
just a modern version of security, they're going to have a very different view and level

172
00:10:09,080 --> 00:10:16,640
of caring and level of exposure to terminology than would, you know, a CEO, a CFO, a CIO,

173
00:10:16,640 --> 00:10:23,080
a CISO, a security analyst, someone that's in the security team, you know, working as

174
00:10:23,080 --> 00:10:28,800
like a SOC analyst or an engineer, an architect all the time versus an IT person where it's

175
00:10:28,800 --> 00:10:30,240
like 10% of their job.

176
00:10:30,240 --> 00:10:34,700
So the answer is always kind of dependent on who I'm talking to.

177
00:10:34,700 --> 00:10:39,080
So if it's just a general IT person, you know, I'd be explaining, listen, this is a new way

178
00:10:39,080 --> 00:10:40,980
of doing security.

179
00:10:40,980 --> 00:10:44,520
And you know, it uses some of the old stuff, but ultimately we're just, we can't count

180
00:10:44,520 --> 00:10:49,360
on the firewall anymore because there's attackers in our network and our stuff is off the network.

181
00:10:49,360 --> 00:10:52,760
And so we're just trying to figure out how to protect those assets and those things that

182
00:10:52,760 --> 00:10:56,440
really matter to the business, you know, as if everything's on an open network.

183
00:10:56,440 --> 00:11:00,240
We're not getting rid of the firewalls today, but we're definitely, you know, trying to

184
00:11:00,240 --> 00:11:05,200
protect in a way that's realistic to today's threats and the world we're in and the systems

185
00:11:05,200 --> 00:11:06,200
you deploy.

186
00:11:06,200 --> 00:11:09,720
So is that the big driver then, the fact that internet firewalls, I'm not saying they're

187
00:11:09,720 --> 00:11:15,520
useless because they're not, but their value and their requirement as a hard boundary that

188
00:11:15,520 --> 00:11:20,400
has kind of disappeared because of things like mobile devices, remote work, all that

189
00:11:20,400 --> 00:11:22,900
sort of stuff has just changed the security landscape.

190
00:11:22,900 --> 00:11:25,320
Is that why Zero Trust is so important?

191
00:11:25,320 --> 00:11:30,800
In my mind, yes, because we've had a dependency on that and we've had an assumption that that

192
00:11:30,800 --> 00:11:33,220
was more effective than it is.

193
00:11:33,220 --> 00:11:37,040
That's why I cite the firewalls because that's what classic security thinks of it.

194
00:11:37,040 --> 00:11:39,040
But Nikhil, what's your thoughts on that?

195
00:11:39,040 --> 00:11:43,640
Well, you know, I mean, having done this and actually sat on the board in times, I've sat

196
00:11:43,640 --> 00:11:45,960
in multiple organizations, right, and startups.

197
00:11:45,960 --> 00:11:50,520
I was an MIT mentor for a bit and different kinds of roles, right.

198
00:11:50,520 --> 00:11:52,680
And I've sat in large organizations in the board.

199
00:11:52,680 --> 00:11:57,280
And what happens is when you talk security, people's eyes glaze over.

200
00:11:57,280 --> 00:12:01,960
They're like, oh, you're coming here, you're going to come up with a compliance requirement

201
00:12:01,960 --> 00:12:04,880
and ask for a dollar bill, right?

202
00:12:04,880 --> 00:12:07,600
And that doesn't work consistently, right?

203
00:12:07,600 --> 00:12:11,080
You need to think about the risk tolerance of the organization.

204
00:12:11,080 --> 00:12:15,840
And one of the things about Zero Trust is you're operating in a world where you cannot

205
00:12:15,840 --> 00:12:19,120
spend two years taking a decision or three years.

206
00:12:19,120 --> 00:12:21,200
The world doesn't wait for you.

207
00:12:21,200 --> 00:12:24,400
So you need to be able to kind of dance, right?

208
00:12:24,400 --> 00:12:29,520
And so whatever paradigm that would have to come from what I hate putting it, but it's

209
00:12:29,520 --> 00:12:36,700
the ossified past, has really got to be a paradigm where you can be quick and agile

210
00:12:36,700 --> 00:12:38,400
on your feet.

211
00:12:38,400 --> 00:12:42,400
And so, and you have to be able to realize that your threat vectors are going to be.

212
00:12:42,400 --> 00:12:46,800
Who would have thought about AI being such a big driver one year ago, right?

213
00:12:46,800 --> 00:12:48,400
So things change.

214
00:12:48,400 --> 00:12:49,800
And who thought about COVID, right?

215
00:12:49,800 --> 00:12:53,640
Well, COVID came in and it was like days, weeks, right?

216
00:12:53,640 --> 00:13:00,600
So being able to adapt that fast has changed the playing field significantly.

217
00:13:00,600 --> 00:13:05,080
A business has to be able to enter a new domain very quickly.

218
00:13:05,080 --> 00:13:07,920
They can't wait two years, three years, five years.

219
00:13:07,920 --> 00:13:10,040
That's not an option anymore.

220
00:13:10,040 --> 00:13:16,040
So you need to have a cybersecurity paradigm, which is agile and allows you to operate with

221
00:13:16,040 --> 00:13:17,640
a level of uncertainty.

222
00:13:17,640 --> 00:13:21,440
And that's one of the drivers behind like assumed breach.

223
00:13:21,440 --> 00:13:24,360
That's your level of uncertainty in your conversation.

224
00:13:24,360 --> 00:13:28,660
And so that's one of the drivers behind Zero Trust from the leadership perspective.

225
00:13:28,660 --> 00:13:31,880
When you go down the ladder, you go to the enterprise architects, you go to the security

226
00:13:31,880 --> 00:13:35,800
architects and then you go down to the delivery folks, the drivers are different.

227
00:13:35,800 --> 00:13:40,000
And that's exactly why Mark and I actually wrote the book, because the drivers are different

228
00:13:40,000 --> 00:13:44,640
and you want to be able to address it from different people's point of view.

229
00:13:44,640 --> 00:13:48,280
But if you were to think about it, that's why I said Zero Trust is the cybersecurity

230
00:13:48,280 --> 00:13:49,280
for the digital era.

231
00:13:49,280 --> 00:13:50,920
It addresses agility.

232
00:13:50,920 --> 00:13:55,360
It addresses the ability to move quickly and provide acceptable security.

233
00:13:55,360 --> 00:13:59,520
Those are, I think, the main things which kind of start defining it differently, right?

234
00:13:59,520 --> 00:14:04,520
Yeah, and I was going to say, for a business leader, I would love to, it's very simple.

235
00:14:04,120 --> 00:14:09,120
It's like, listen, this is an agile approach to security that protects your stuff in a

236
00:14:08,800 --> 00:14:13,800
dynamically changing way and aligns to your priorities.

237
00:14:11,960 --> 00:14:16,960
There's a little bit of work for you.

238
00:14:13,240 --> 00:14:18,240
I always try to tie in and give an obligation there that you've got to help us figure out,

239
00:14:17,600 --> 00:14:22,600
if I was on that security team, what's important to you?

240
00:14:20,800 --> 00:14:25,800
So they're given a take and they sort of get that.

241
00:14:23,400 --> 00:14:28,400
But that would not work with a technologist.

242
00:14:28,400 --> 00:14:33,400
It would not work with an architect, depending on maturity and other factors.

243
00:14:31,400 --> 00:14:36,400
And so it's really, really important to understand the collision of languages.

244
00:14:35,400 --> 00:14:40,400
Kind of agree with that completely, right?

245
00:14:37,400 --> 00:14:42,400
Because different people, different ways of looking at things, and like I said,

246
00:14:40,720 --> 00:14:45,720
that's why we were writing a playbook series, not a playbook.

247
00:14:43,920 --> 00:14:48,920
We tried to write a playbook and then we discovered it would be a 1,500-page playbook.

248
00:14:48,320 --> 00:14:53,320
And then we said, oh, this is going to work.

249
00:14:49,880 --> 00:14:54,880
Let's split it up.

250
00:14:50,960 --> 00:14:55,960
Yeah, we had to break it up.

251
00:14:52,400 --> 00:14:57,400
So let's talk about why we're really here, which is to talk about the starts of the book series

252
00:14:57,400 --> 00:15:02,400
that you two are working on.

253
00:14:58,880 --> 00:15:03,880
So why don't we kick things off with, Nikhil, why don't you give us a background

254
00:15:02,880 --> 00:15:07,880
as to why you started with this book, how you sort of arrived at,

255
00:15:06,920 --> 00:15:11,920
hey, this is going to be a series of books and not one book.

256
00:15:09,640 --> 00:15:14,640
And then let's cover the main goals of the book series.

257
00:15:13,680 --> 00:15:18,680
So why we arrived at this book really is Zero Trust was a new topic.

258
00:15:18,680 --> 00:15:23,680
We came out with a thing called the core principles and that really resonated with the industry.

259
00:15:23,680 --> 00:15:28,680
And this incorporated it in there and were participants in some of the feedback we got.

260
00:15:29,240 --> 00:15:34,240
And it got incorporated in the president's cybersecurity directive.

261
00:15:33,000 --> 00:15:38,000
That was the Open Group core principles.

262
00:15:34,840 --> 00:15:39,840
Yeah, the Open Group core principles.

263
00:15:36,400 --> 00:15:41,400
And at that point of time, we looked at it and we said,

264
00:15:39,320 --> 00:15:44,320
how can we get this message out there meaningfully to people?

265
00:15:43,080 --> 00:15:48,080
And how do we define it?

266
00:15:45,280 --> 00:15:50,280
Because there's a lot of confusion about what Zero Trust means.

267
00:15:50,280 --> 00:15:55,280
And the book, for example, defines it in their own context, right?

268
00:15:53,280 --> 00:15:58,280
And then people who have always had these, what I would say, as a prior assumption,

269
00:16:01,120 --> 00:16:06,120
which we need to revisit all about the network and network centricity, etc.,

270
00:16:07,360 --> 00:16:12,360
and 100% guaranteed security, which never exists, by the way,

271
00:16:10,360 --> 00:16:15,360
because you have a daily breach.

272
00:16:12,080 --> 00:16:17,080
But people are always kind of thinking that way and they're locked in into that.

273
00:16:17,080 --> 00:16:22,080
So we thought about, well, we need a book to start helping to clear the air

274
00:16:20,600 --> 00:16:25,600
and set up clear direction along with those standards

275
00:16:24,520 --> 00:16:29,520
that we were rolling out of the Open Group.

276
00:16:26,920 --> 00:16:31,920
And so that was the start of it.

277
00:16:28,440 --> 00:16:33,440
And then we said, well, how are we going to do it?

278
00:16:30,240 --> 00:16:35,240
It can't be for an individual.

279
00:16:32,040 --> 00:16:37,040
It has to be role-based.

280
00:16:33,080 --> 00:16:38,080
So when we wrote up the list of the table of contents

281
00:16:38,240 --> 00:16:43,240
or the outline of the book that the publisher asked for,

282
00:16:41,440 --> 00:16:46,440
we had that thing about what is Zero Trust?

283
00:16:46,440 --> 00:16:51,440
And what are the stakeholders?

284
00:16:47,760 --> 00:16:52,760
And Nikhil was the one that came up with the concept of the playbook

285
00:16:50,080 --> 00:16:55,080
and proposed it to me.

286
00:16:51,640 --> 00:16:56,640
And I agreed with it, hey, we need this.

287
00:16:55,800 --> 00:17:00,800
And then as we got deeper and deeper into writing with it,

288
00:16:58,440 --> 00:17:03,440
I started to appreciate more and more.

289
00:17:00,840 --> 00:17:05,840
As you look at it through the different roles,

290
00:17:02,640 --> 00:17:07,640
it's such a different view of things.

291
00:17:05,360 --> 00:17:10,360
And the things that you would do as a chief legal officer,

292
00:17:09,000 --> 00:17:14,000
a CEO, a SOC analyst, an enterprise architect,

293
00:17:14,000 --> 00:17:19,000
a cloud security or a cloud engineer,

294
00:17:17,080 --> 00:17:22,080
versus identity operations person.

295
00:17:21,080 --> 00:17:26,080
It was just so radically different.

296
00:17:22,720 --> 00:17:27,720
And all of them had an important part to play.

297
00:17:25,040 --> 00:17:30,040
The playbook format ended up being just this amazing way

298
00:17:29,760 --> 00:17:34,760
to look at things and get some clarity.

299
00:17:32,440 --> 00:17:37,440
It was really hard to get in security in general,

300
00:17:35,960 --> 00:17:40,960
let alone the modernization transformation changes

301
00:17:38,680 --> 00:17:43,680
with Zero Trust.

302
00:17:43,680 --> 00:17:48,680
As we went through and did it.

303
00:17:45,560 --> 00:17:50,560
And to be honest with you,

304
00:17:46,360 --> 00:17:51,360
it was some of the hardest writing I've ever done,

305
00:17:47,840 --> 00:17:52,840
especially this first book.

306
00:17:49,200 --> 00:17:54,200
Because it's like, how do you actually communicate effectively

307
00:17:52,960 --> 00:17:57,960
to a member of a board of directors with limited experience

308
00:17:56,200 --> 00:18:01,200
and security at the same time as a SOC analyst?

309
00:17:58,960 --> 00:18:03,960
And so we had to go deep into what is the human experience?

310
00:18:02,960 --> 00:18:07,960
What is computer security, information security,

311
00:18:05,120 --> 00:18:10,120
cybersecurity, all the same thing.

312
00:18:07,280 --> 00:18:12,280
But what is that that actually existed in the real world

313
00:18:12,280 --> 00:18:17,280
before it showed up on computers?

314
00:18:15,040 --> 00:18:20,040
Because at the end of the day,

315
00:18:16,280 --> 00:18:21,280
cybersecurity is conflict on computers.

316
00:18:18,200 --> 00:18:23,200
And so each of the angles of it, like extortion,

317
00:18:20,640 --> 00:18:25,640
well, there's been extortion forever.

318
00:18:22,000 --> 00:18:27,000
Like your protection rackets from the mafia

319
00:18:23,880 --> 00:18:28,880
and all that kind of stuff.

320
00:18:25,080 --> 00:18:30,080
Extortion has been around forever and it's now ransomware.

321
00:18:28,240 --> 00:18:33,240
That's the way that people make criminal money on that.

322
00:18:32,440 --> 00:18:37,440
And so we had to go and find that sort of normal human origin

323
00:18:37,440 --> 00:18:42,440
for all of these important topics

324
00:18:39,520 --> 00:18:44,520
that are hitting cybersecurity.

325
00:18:41,560 --> 00:18:46,560
And so it was a challenge, but it was definitely worth it

326
00:18:44,320 --> 00:18:49,320
because the clarity that came out of that

327
00:18:45,680 --> 00:18:50,680
was pretty awesome.

328
00:18:47,680 --> 00:18:52,680
And the reality is there isn't anything like that, right?

329
00:18:51,080 --> 00:18:56,080
Because of two things, right?

330
00:18:52,360 --> 00:18:57,360
Firstly, it's a fundamental change in cybersecurity

331
00:18:55,600 --> 00:19:00,600
impacting pretty much the entire organization.

332
00:18:58,960 --> 00:19:03,960
So somewhat like digital transformation,

333
00:19:03,960 --> 00:19:08,960
the journey of Zero Trust delivery process is roadmap.

334
00:19:08,720 --> 00:19:13,720
And it reflects essentially the ability

335
00:19:12,720 --> 00:19:17,720
to transform an organization.

336
00:19:14,960 --> 00:19:19,960
There are different ways we do things.

337
00:19:17,320 --> 00:19:22,320
There's a different level of agility to be thought about.

338
00:19:20,320 --> 00:19:25,320
Different stakeholders have to be engaged.

339
00:19:22,440 --> 00:19:27,440
And I don't think we really have that otherwise right now

340
00:19:25,760 --> 00:19:30,760
in the industry, in the cybersecurity industry.

341
00:19:28,200 --> 00:19:33,200
We have siloed, sometimes arcane assets,

342
00:19:33,200 --> 00:19:38,200
but not something which goes end to end

343
00:19:35,360 --> 00:19:40,360
and takes people down that journey.

344
00:19:37,440 --> 00:19:42,440
And we saw the need for it and we said,

345
00:19:39,640 --> 00:19:44,640
okay, well, you know what?

346
00:19:41,120 --> 00:19:46,120
With the agility that we need

347
00:19:42,360 --> 00:19:47,360
to provide something to the industry,

348
00:19:44,400 --> 00:19:49,400
the Playbook series made a lot of sense.

349
00:19:45,960 --> 00:19:50,960
And we were literally giving people a Playbook.

350
00:19:48,560 --> 00:19:53,560
So if you're a senior leader,

351
00:19:51,000 --> 00:19:56,000
if you're a small business, mid-sized,

352
00:19:52,840 --> 00:19:57,840
large business in different domains,

353
00:19:54,880 --> 00:19:59,880
what does it mean to you?

354
00:19:56,320 --> 00:20:01,320
What does it mean to you in the context of a day in the life?

355
00:20:01,320 --> 00:20:06,320
What does it mean to you in the context of a day in the life?

356
00:20:04,320 --> 00:20:09,320
And also, what capabilities do you need?

357
00:20:06,320 --> 00:20:11,320
How do we stitch them together?

358
00:20:08,320 --> 00:20:13,320
Those are all things which are really important.

359
00:20:11,320 --> 00:20:16,320
And as I said, I haven't seen anything like that

360
00:20:14,320 --> 00:20:19,320
in the industry.

361
00:20:15,320 --> 00:20:20,320
What about you, Michael?

362
00:20:16,320 --> 00:20:21,320
Do you think we've seen something like that?

363
00:20:18,320 --> 00:20:23,320
Or Mark?

364
00:20:19,320 --> 00:20:24,320
I haven't.

365
00:20:20,320 --> 00:20:25,320
I have looked at some of the table of contents for the books.

366
00:20:23,320 --> 00:20:28,320
I've got an idea of what's in there.

367
00:20:28,320 --> 00:20:33,320
I don't know of anything.

368
00:20:29,320 --> 00:20:34,320
But that being said, it may be worthwhile,

369
00:20:31,320 --> 00:20:36,320
actually talking about what is in the first book.

370
00:20:33,320 --> 00:20:38,320
What sort of topics do you want to cover in the first book?

371
00:20:36,320 --> 00:20:41,320
And then how does it sort of fit

372
00:20:38,320 --> 00:20:43,320
in terms of the rest of the series?

373
00:20:40,320 --> 00:20:45,320
And then at the end of it,

374
00:20:41,320 --> 00:20:46,320
I think we've got to ask the hard question,

375
00:20:43,320 --> 00:20:48,320
when are you guys shipping this thing?

376
00:20:45,320 --> 00:20:50,320
So yeah, so we just start off at the very beginning,

377
00:20:47,320 --> 00:20:52,320
which is basically, hey,

378
00:20:50,320 --> 00:20:55,320
this is what we're going to cover in the book,

379
00:20:52,320 --> 00:20:57,320
the first of many,

380
00:20:57,320 --> 00:21:02,320
the following books,

381
00:21:00,320 --> 00:21:05,320
and then yeah, we can have a date.

382
00:21:01,320 --> 00:21:06,320
The title of the first book is longer

383
00:21:03,320 --> 00:21:08,320
than I would prefer it to be,

384
00:21:04,320 --> 00:21:09,320
but it was actually kind of necessary

385
00:21:05,320 --> 00:21:10,320
because the first book in the series

386
00:21:07,320 --> 00:21:12,320
really does two different things.

387
00:21:09,320 --> 00:21:14,320
It does introduce zero trust

388
00:21:11,320 --> 00:21:16,320
and put it in that simple, plain, straightforward language

389
00:21:14,320 --> 00:21:19,320
that everyone can understand

390
00:21:15,320 --> 00:21:20,320
and addresses some of the myths and misconceptions

391
00:21:19,320 --> 00:21:24,320
right up front.

392
00:21:20,320 --> 00:21:25,320
So that's sort of like the first part,

393
00:21:25,320 --> 00:21:30,320
the second group,

394
00:21:28,320 --> 00:21:33,320
and a bunch of standards as well,

395
00:21:30,320 --> 00:21:35,320
the zero trust commandments and the like,

396
00:21:32,320 --> 00:21:37,320
that help define zero trust and clarify,

397
00:21:34,320 --> 00:21:39,320
okay, this is what it is.

398
00:21:35,320 --> 00:21:40,320
And that's sort of like the big theme

399
00:21:37,320 --> 00:21:42,320
for the first half of the book.

400
00:21:39,320 --> 00:21:44,320
And then the second half gets into,

401
00:21:41,320 --> 00:21:46,320
okay, this is the introduction to the series,

402
00:21:43,320 --> 00:21:48,320
and so this is how to read it,

403
00:21:46,320 --> 00:21:51,320
how to look at it,

404
00:21:47,320 --> 00:21:52,320
what stuff you're going to find

405
00:21:49,320 --> 00:21:54,320
for each and every role,

406
00:21:54,320 --> 00:21:59,320
and so that's really sort of the second half of the book.

407
00:21:58,320 --> 00:22:03,320
First part, zero trust, this is the way,

408
00:22:00,320 --> 00:22:05,320
it's a very short chapter, straight up,

409
00:22:02,320 --> 00:22:07,320
here's the summary of this is why zero trust

410
00:22:05,320 --> 00:22:10,320
is important, what it is.

411
00:22:07,320 --> 00:22:12,320
Second one is like, okay, how do you read the series?

412
00:22:10,320 --> 00:22:15,320
That's chapter two,

413
00:22:11,320 --> 00:22:16,320
and you can either try and read the whole thing,

414
00:22:13,320 --> 00:22:18,320
which may or may not be appropriate,

415
00:22:16,320 --> 00:22:21,320
or if you want to skip ahead and skip to your role,

416
00:22:18,320 --> 00:22:23,320
here's the stuff that you need for context

417
00:22:23,320 --> 00:22:28,320
as an investigation threat hunting analyst,

418
00:22:25,320 --> 00:22:30,320
as an enterprise architect,

419
00:22:27,320 --> 00:22:32,320
as a business leader, what have you.

420
00:22:29,320 --> 00:22:34,320
Here's the stuff you need to read

421
00:22:30,320 --> 00:22:35,320
before you jump straight there.

422
00:22:32,320 --> 00:22:37,320
That's what chapter two is about.

423
00:22:35,320 --> 00:22:40,320
And then three, kind of explaining,

424
00:22:37,320 --> 00:22:42,320
hey, zero trust is security for today's world,

425
00:22:40,320 --> 00:22:45,320
and kind of answering those,

426
00:22:43,320 --> 00:22:48,320
kind of the myth-busting thing of,

427
00:22:45,320 --> 00:22:50,320
can't we just do this, can't we do this,

428
00:22:46,320 --> 00:22:51,320
all the sort of standard shortcut questions

429
00:22:51,320 --> 00:22:56,320
and myth-busting in that one.

430
00:22:53,320 --> 00:22:58,320
Standard zero trust capabilities,

431
00:22:54,320 --> 00:22:59,320
this is sort of the capability-oriented approach

432
00:22:57,320 --> 00:23:02,320
of The Open Group.

433
00:22:58,320 --> 00:23:03,320
We just released the zero trust reference model

434
00:23:00,320 --> 00:23:05,320
actually the day we were recording this.

435
00:23:02,320 --> 00:23:07,320
And so that's been very popular.

436
00:23:05,320 --> 00:23:10,320
Lots of LinkedIn reactions and reshares

437
00:23:08,320 --> 00:23:13,320
and whatnot on that.

438
00:23:10,320 --> 00:23:15,320
And so we based it on those capabilities,

439
00:23:13,320 --> 00:23:18,320
because we need a consistent way

440
00:23:14,320 --> 00:23:19,320
of describing security, right?

441
00:23:15,320 --> 00:23:20,320
And that's what The Open Group reference model did.

442
00:23:20,320 --> 00:23:25,320
It's AI, because today's world,

443
00:23:23,320 --> 00:23:28,320
you've got AI just changing so much stuff

444
00:23:25,320 --> 00:23:30,320
and changing so many assumptions.

445
00:23:27,320 --> 00:23:32,320
And so we wanted to cover,

446
00:23:29,320 --> 00:23:34,320
what does that actually mean to security?

447
00:23:30,320 --> 00:23:35,320
What does it mean to zero trust?

448
00:23:31,320 --> 00:23:36,320
How do you manage it with zero trust?

449
00:23:33,320 --> 00:23:38,320
And so that was sort of chapter five.

450
00:23:35,320 --> 00:23:40,320
Getting into six is scoping, sizing, starting.

451
00:23:38,320 --> 00:23:43,320
Because that's a big question.

452
00:23:40,320 --> 00:23:45,320
It's like, okay, this is all fine and good,

453
00:23:42,320 --> 00:23:47,320
but I don't know where to start

454
00:23:43,320 --> 00:23:48,320
and I don't know how big to go.

455
00:23:48,320 --> 00:23:53,320
Success is set six and success criteria is seven.

456
00:23:51,320 --> 00:23:56,320
The three pillar model,

457
00:23:53,320 --> 00:23:58,320
which I want to let Nikhil cover that one

458
00:23:55,320 --> 00:24:00,320
because he's got a great way of explaining that.

459
00:23:58,320 --> 00:24:03,320
And then we turn that three pillar model

460
00:24:00,320 --> 00:24:05,320
into a six stage plan, which is chapter nine.

461
00:24:02,320 --> 00:24:07,320
And then chapter 10 is like,

462
00:24:04,320 --> 00:24:09,320
hey, here's the role by role

463
00:24:05,320 --> 00:24:10,320
what we're going to tell you for every role.

464
00:24:07,320 --> 00:24:12,320
That answers this question.

465
00:24:09,320 --> 00:24:14,320
What is the success criteria?

466
00:24:11,320 --> 00:24:16,320
What are the success metrics?

467
00:24:12,320 --> 00:24:17,320
What are the processes and methods you need to do?

468
00:24:17,320 --> 00:24:22,320
How does zero trust change your existing job?

469
00:24:20,320 --> 00:24:25,320
All those kinds of questions.

470
00:24:22,320 --> 00:24:27,320
Where does this particular role come from?

471
00:24:25,320 --> 00:24:30,320
Like if I'm in a smaller organization,

472
00:24:27,320 --> 00:24:32,320
who does this job if I don't have a dedicated person

473
00:24:31,320 --> 00:24:36,320
for doing threat hunting or whatever?

474
00:24:33,320 --> 00:24:38,320
Who would do that?

475
00:24:34,320 --> 00:24:39,320
Who would do investigation or triaging of it

476
00:24:37,320 --> 00:24:42,320
if there isn't dedicated people for it?

477
00:24:39,320 --> 00:24:44,320
So we cover all those kinds of things

478
00:24:41,320 --> 00:24:46,320
to help people adjust the playbook stuff

479
00:24:46,320 --> 00:24:51,320
to a large Fortune 500 sort of organizations,

480
00:24:50,320 --> 00:24:55,320
but also to smaller organizations as well.

481
00:24:53,320 --> 00:24:58,320
So people can say, oh, okay,

482
00:24:54,320 --> 00:24:59,320
that would go to Joe or Mary or Nikhil

483
00:24:58,320 --> 00:25:03,320
or what have you to do their thing.

484
00:25:00,320 --> 00:25:05,320
And that's the first book.

485
00:25:01,320 --> 00:25:06,320
So Nikhil, I'll let you.

486
00:25:02,320 --> 00:25:07,320
All right.

487
00:25:03,320 --> 00:25:08,320
So to add some color,

488
00:25:04,320 --> 00:25:09,320
I mean, the first thing that everybody that I've seen asks

489
00:25:07,320 --> 00:25:12,320
is why do zero trust?

490
00:25:09,320 --> 00:25:14,320
And I think what that first book does

491
00:25:14,320 --> 00:25:19,320
is that Mark was talking about

492
00:25:16,320 --> 00:25:21,320
is about that why, the WIIFM of it,

493
00:25:18,320 --> 00:25:23,320
right, what's in it for me as a reader.

494
00:25:21,320 --> 00:25:26,320
And again, because this is such a broad space

495
00:25:25,320 --> 00:25:30,320
and has such overarching impact.

496
00:25:28,320 --> 00:25:33,320
One of the things I always tell business leaders

497
00:25:30,320 --> 00:25:35,320
and IT leaders is when you do zero trust,

498
00:25:33,320 --> 00:25:38,320
it's not just for protecting what you got,

499
00:25:36,320 --> 00:25:41,320
but for enabling you to play in different areas faster

500
00:25:41,320 --> 00:25:46,320
and becoming a competitive advantage for the business.

501
00:25:43,320 --> 00:25:48,320
That's something I just always like to tell people

502
00:25:45,320 --> 00:25:50,320
because that's not how it's perceived.

503
00:25:47,320 --> 00:25:52,320
Security has not been perceived that way forever.

504
00:25:50,320 --> 00:25:55,320
And then the other thing is we have those three pillars.

505
00:25:54,320 --> 00:25:59,320
Why are they there?

506
00:25:55,320 --> 00:26:00,320
You know, the three pillars started with some work

507
00:25:57,320 --> 00:26:02,320
I'd done on the SOFR BT

508
00:25:59,320 --> 00:26:04,320
and sort of our methodology for the company I run.

509
00:26:01,320 --> 00:26:06,320
So that's how it started.

510
00:26:02,320 --> 00:26:07,320
But they came about, again, to hard knocks, right,

511
00:26:07,320 --> 00:26:12,320
and what we did was we said,

512
00:26:09,320 --> 00:26:14,320
okay, the first pillar is about kind of defining your strategy,

513
00:26:13,320 --> 00:26:18,320
identifying your mission and your vision and goals,

514
00:26:15,320 --> 00:26:20,320
defining capabilities, technical capabilities

515
00:26:18,320 --> 00:26:23,320
so you're not locked into a particular solution

516
00:26:20,320 --> 00:26:25,320
because things keep changing every six months.

517
00:26:22,320 --> 00:26:27,320
And by the way, procurement takes more than six months

518
00:26:24,320 --> 00:26:29,320
in many organizations.

519
00:26:26,320 --> 00:26:31,320
So that journey, that just is an example, right,

520
00:26:30,320 --> 00:26:35,320
procurement is just an example.

521
00:26:31,320 --> 00:26:36,320
How to make it agile and fit into an agile delivery methodology,

522
00:26:36,320 --> 00:26:41,320
for every, you know, whatever methodology you use.

523
00:26:39,320 --> 00:26:44,320
And then how do I translate it?

524
00:26:41,320 --> 00:26:46,320
How do I kind of make sure it fits my organization's business models?

525
00:26:45,320 --> 00:26:50,320
Because far too often people,

526
00:26:48,320 --> 00:26:53,320
you know, especially technical people,

527
00:26:50,320 --> 00:26:55,320
think about what's the best way to do it,

528
00:26:54,320 --> 00:26:59,320
forgetting what the organization is focused on

529
00:26:56,320 --> 00:27:01,320
from a fiscal and a cultural perspective

530
00:27:00,320 --> 00:27:05,320
because that's not what they're trained in,

531
00:27:05,320 --> 00:27:10,320
that's not what they're going to go implement,

532
00:27:09,320 --> 00:27:14,320
that there's basically an impedance and you can't execute

533
00:27:11,320 --> 00:27:16,320
and millions, sometimes hundreds of millions,

534
00:27:14,320 --> 00:27:19,320
are spent before that lesson is learned,

535
00:27:17,320 --> 00:27:22,320
many times with failed projects,

536
00:27:19,320 --> 00:27:24,320
especially transformational projects.

537
00:27:21,320 --> 00:27:26,320
And so we have, in the third pillar,

538
00:27:23,320 --> 00:27:28,320
we call it the operating model pillar.

539
00:27:25,320 --> 00:27:30,320
So we have that operating model

540
00:27:27,320 --> 00:27:32,320
which allows you to look at your organization

541
00:27:32,320 --> 00:27:38,320
and decide where to focus.

542
00:27:35,320 --> 00:27:40,320
And that really is a force multiplier.

543
00:27:37,320 --> 00:27:42,320
It helps you become successful.

544
00:27:39,320 --> 00:27:44,320
And if I can jump in for a second,

545
00:27:40,320 --> 00:27:45,320
like the thing, it took me a little bit, honestly,

546
00:27:42,320 --> 00:27:47,320
to get my head around the three pillar model.

547
00:27:44,320 --> 00:27:49,320
And Nikhil remembers, like, you know,

548
00:27:45,320 --> 00:27:50,320
taking these times and sessions to explain it to me

549
00:27:47,320 --> 00:27:52,320
as we were writing the book.

550
00:27:48,320 --> 00:27:53,320
But once I sort of got my head around it,

551
00:27:50,320 --> 00:27:55,320
I was like, because I was taking that very technical view of it,

552
00:27:53,320 --> 00:27:58,320
and I'm like, oh, this is where we translate

553
00:27:56,320 --> 00:28:01,320
all of that technical goodness

554
00:28:01,320 --> 00:28:06,320
into business terms and into business processes

555
00:28:04,320 --> 00:28:09,320
and into pillars that the business can recognize

556
00:28:06,320 --> 00:28:11,320
so that they can say, oh, okay, now I can track it,

557
00:28:09,320 --> 00:28:14,320
I can govern it, I can manage it.

558
00:28:10,320 --> 00:28:15,320
And that was sort of like that,

559
00:28:12,320 --> 00:28:17,320
that was like a big epiphany for me,

560
00:28:14,320 --> 00:28:19,320
was just like realizing that this is a good method

561
00:28:17,320 --> 00:28:22,320
for connecting that business strategy element

562
00:28:20,320 --> 00:28:25,320
to the technical reality that's often missing

563
00:28:23,320 --> 00:28:28,320
in a lot of organizations.

564
00:28:28,320 --> 00:28:34,320
And that's for this first book.

565
00:28:30,320 --> 00:28:35,320
Everyone.

566
00:28:31,320 --> 00:28:36,320
I think Mark hit it.

567
00:28:32,320 --> 00:28:37,320
It's literally for everyone.

568
00:28:34,320 --> 00:28:39,320
We are point-of-recommended for business,

569
00:28:37,320 --> 00:28:42,320
technical, regulatory, compliance folks,

570
00:28:40,320 --> 00:28:45,320
for IT folks, as well as for, you know,

571
00:28:44,320 --> 00:28:49,320
and we keep talking about business leaders,

572
00:28:46,320 --> 00:28:51,320
but I dealt with a mortgage company.

573
00:28:48,320 --> 00:28:53,320
And guess what?

574
00:28:49,320 --> 00:28:54,320
The people on the ground,

575
00:28:50,320 --> 00:28:55,320
they're the people who are really implementing Zero Trust

576
00:28:52,320 --> 00:28:57,320
and who are feeling the impact of it, right?

577
00:28:57,320 --> 00:29:02,320
There is an impact.

578
00:28:59,320 --> 00:29:04,320
You can't have the full credit card number

579
00:29:01,320 --> 00:29:06,320
in front of you anymore.

580
00:29:02,320 --> 00:29:07,320
So there are these impacts for the people

581
00:29:05,320 --> 00:29:10,320
who are on the ground doing the work.

582
00:29:07,320 --> 00:29:12,320
And it makes sense for them to understand why.

583
00:29:10,320 --> 00:29:15,320
If they don't, it becomes hard to execute.

584
00:29:13,320 --> 00:29:18,320
So we recommend that you read it, whoever you are,

585
00:29:17,320 --> 00:29:22,320
especially, you know, I mean, tell me which industry today

586
00:29:20,320 --> 00:29:25,320
does not deal with the digital world.

587
00:29:25,320 --> 00:29:30,320
So I don't know of any area

588
00:29:27,320 --> 00:29:32,320
that you would not get impacted.

589
00:29:29,320 --> 00:29:34,320
So I think this is intended for the general audience,

590
00:29:33,320 --> 00:29:38,320
and then the books that follow are for your specific roles,

591
00:29:37,320 --> 00:29:42,320
and that's where you go into and you look at,

592
00:29:41,320 --> 00:29:46,320
hey, I'm starting this journey, I want to build a strategy.

593
00:29:45,320 --> 00:29:50,320
Okay, here are some, we call them the ACME examples,

594
00:29:48,320 --> 00:29:53,320
which will kind of illustrate what it means

595
00:29:53,320 --> 00:29:58,320
to be in my SOC, what are the implications,

596
00:29:56,320 --> 00:30:01,320
what's my day in the life like?

597
00:29:58,320 --> 00:30:03,320
And so we take that playbook

598
00:30:00,320 --> 00:30:05,320
and just take you down that journey in the following books.

599
00:30:04,320 --> 00:30:09,320
You know, that's kind of what we're trying to do,

600
00:30:06,320 --> 00:30:11,320
to give people that shared context

601
00:30:10,320 --> 00:30:15,320
and then be able to dive into specific things.

602
00:30:13,320 --> 00:30:18,320
Yeah, I mean, it's exactly that.

603
00:30:14,320 --> 00:30:19,320
So the intent is the first book is for everyone,

604
00:30:17,320 --> 00:30:22,320
and everyone's on the same page,

605
00:30:22,320 --> 00:30:27,320
and then if I'm a SOC analyst,

606
00:30:24,320 --> 00:30:29,320
I would move on to the security operations playbook.

607
00:30:26,320 --> 00:30:31,320
If I'm an architect, I would go to that one.

608
00:30:29,320 --> 00:30:34,320
Now, architects have to work broadly,

609
00:30:30,320 --> 00:30:35,320
so they may end up reading some of the other ones as well.

610
00:30:33,320 --> 00:30:38,320
If I'm just an IT operations, IT engineer,

611
00:30:35,320 --> 00:30:40,320
or identity operations, identity engineer,

612
00:30:38,320 --> 00:30:43,320
I would read the operations engineering playbook

613
00:30:41,320 --> 00:30:46,320
as well as the intro.

614
00:30:43,320 --> 00:30:48,320
So this is really meant to get everybody on the same page

615
00:30:45,320 --> 00:30:50,320
and start the journey for everyone,

616
00:30:50,320 --> 00:30:55,320
people that want a career change,

617
00:30:51,320 --> 00:30:56,320
people that want to learn what life is like

618
00:30:53,320 --> 00:30:58,320
in other jobs that they aspire to.

619
00:30:56,320 --> 00:31:01,320
So we tried to make it clear for those paths as well

620
00:31:00,320 --> 00:31:05,320
because of how much we have a shortage of talent

621
00:31:03,320 --> 00:31:08,320
in our industry right now.

622
00:31:04,320 --> 00:31:09,320
So let's ask, well, what about the hard question then?

623
00:31:06,320 --> 00:31:11,320
So when's this thing going to be available?

624
00:31:08,320 --> 00:31:13,320
The first book anyway?

625
00:31:10,320 --> 00:31:15,320
So it will be available very shortly after the broadcast

626
00:31:13,320 --> 00:31:18,320
of this podcast.

627
00:31:14,320 --> 00:31:19,320
It's actually already up on Amazon,

628
00:31:19,320 --> 00:31:24,320
it's a great online website.

629
00:31:21,320 --> 00:31:26,320
We'll put the links in there in the show notes.

630
00:31:25,320 --> 00:31:30,320
Zerotrustplaybook.com should forward you to

631
00:31:28,320 --> 00:31:33,320
one of those places where you can get it.

632
00:31:31,320 --> 00:31:36,320
It's in pre-order status right now,

633
00:31:33,320 --> 00:31:38,320
but sometime in the first week or two of November, I think,

634
00:31:37,320 --> 00:31:42,320
is when it will be actually shipping and e-booking

635
00:31:40,320 --> 00:31:45,320
and all that kind of stuff.

636
00:31:41,320 --> 00:31:46,320
But it's available right now for order.

637
00:31:46,320 --> 00:31:51,320
I've never seen getting a book done.

638
00:31:47,320 --> 00:31:52,320
It's always very exciting.

639
00:31:48,320 --> 00:31:53,320
Well, it's my first time, so I'm not quite as seasoned

640
00:31:49,320 --> 00:31:54,320
as you, Michael.

641
00:31:52,320 --> 00:31:57,320
I remember when I first came on our Microsoft

642
00:31:54,320 --> 00:31:59,320
cybersecurity team, and so Michael came on and he was like,

643
00:31:57,320 --> 00:32:02,320
so what books have you all written?

644
00:31:58,320 --> 00:32:03,320
I'm like, none.

645
00:32:03,320 --> 00:32:08,320
It's all good.

646
00:32:05,320 --> 00:32:10,320
So let's just wrap this thing up.

647
00:32:07,320 --> 00:32:12,320
It's really exciting, again, with a new book.

648
00:32:10,320 --> 00:32:15,320
I've looked at the table of contents,

649
00:32:15,320 --> 00:32:20,320
and I've been doing a playbook format.

650
00:32:17,320 --> 00:32:22,320
In other words, it's not just theory.

651
00:32:18,320 --> 00:32:23,320
It's just stuff that you need to really consider doing

652
00:32:20,320 --> 00:32:25,320
and here's how to do them, how to measure them,

653
00:32:22,320 --> 00:32:27,320
and that sort of stuff.

654
00:32:23,320 --> 00:32:28,320
I think that's just really, really awesome.

655
00:32:25,320 --> 00:32:30,320
So to wrap things up, and Nikhil, you may not be aware of this,

656
00:32:28,320 --> 00:32:33,320
Mark definitely is.

657
00:32:30,320 --> 00:32:35,320
So one question we always ask our guests is,

658
00:32:32,320 --> 00:32:37,320
if you had just one thought to leave our listeners with,

659
00:32:35,320 --> 00:32:40,320
what would it be?

660
00:32:36,320 --> 00:32:41,320
So, Mark, why don't you kick things off?

661
00:32:38,320 --> 00:32:43,320
In the context of this one,

662
00:32:43,320 --> 00:32:48,320
what would it be?

663
00:32:46,320 --> 00:32:51,320
Anything that you want to see in the following books

664
00:32:48,320 --> 00:32:53,320
because those are still being typed?

665
00:32:50,320 --> 00:32:55,320
Nikhil, do you have any final thoughts?

666
00:32:52,320 --> 00:32:57,320
Put two things in there.

667
00:32:54,320 --> 00:32:59,320
One, I'll echo what Mark said,

668
00:32:56,320 --> 00:33:01,320
and two else, I'll let people remember

669
00:32:59,320 --> 00:33:04,320
that Zero Trust is not just about protecting a network

670
00:33:01,320 --> 00:33:06,320
or protecting an individual asset alone.

671
00:33:04,320 --> 00:33:09,320
It's a holistic conversation covering literally

672
00:33:09,320 --> 00:33:14,320
all of the networks.

673
00:33:10,320 --> 00:33:15,320
It's a lot more.

674
00:33:11,320 --> 00:33:16,320
And so with that in context,

675
00:33:13,320 --> 00:33:18,320
we have to think about why we have written this series.

676
00:33:16,320 --> 00:33:21,320
Go read it.

677
00:33:17,320 --> 00:33:22,320
Yeah, it's about Zero Trust, not Zero Trust Networks.

678
00:33:20,320 --> 00:33:25,320
It's about the whole impact to security.

679
00:33:22,320 --> 00:33:27,320
Big, that's an awesome point, Nikhil.

680
00:33:24,320 --> 00:33:29,320
Yeah, actually, Nikhil and I,

681
00:33:25,320 --> 00:33:30,320
before you joined, we were discussing that,

682
00:33:27,320 --> 00:33:32,320
and when he said that,

683
00:33:28,320 --> 00:33:33,320
oh my God, a penny just dropped.

684
00:33:30,320 --> 00:33:35,320
This isn't Zero Trust Networks.

685
00:33:32,320 --> 00:33:37,320
This is way, way, way bigger than that.

686
00:33:37,320 --> 00:33:42,320
It's just a common,

687
00:33:39,320 --> 00:33:44,320
so yeah, it made a lot more sense.

688
00:33:40,320 --> 00:33:45,320
All right, so with that,

689
00:33:42,320 --> 00:33:47,320
let's bring this episode to an end.

690
00:33:44,320 --> 00:33:49,320
Gentlemen, thank you so much for joining us this week.

691
00:33:46,320 --> 00:33:51,320
And to all our listeners out there,

692
00:33:48,320 --> 00:33:53,320
we hope you found this podcast episode useful.

693
00:33:51,320 --> 00:33:56,320
Stay safe, and we'll see you next time.

694
00:33:53,320 --> 00:33:58,320
Thanks for listening to the Azure Security Podcast.

695
00:33:56,320 --> 00:34:01,320
You can find show notes and other resources

696
00:33:59,320 --> 00:34:04,320
at our website, azsecuritypodcast.net.

697
00:34:04,320 --> 00:34:09,320
For more information on the podcast,

698
00:34:05,320 --> 00:34:10,320
please find us on Twitter at AzureSecPod.

699
00:34:08,320 --> 00:34:13,320
Background music is from ccmixter.com

700
00:34:13,320 --> 00:34:40,320
Background music plays

