CyberWire-X 5.15.22
Ep 31 | 5.15.22

The current state of zero trust.

Transcript

Rick Howard: Hey, everyone. Welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire. And today's episode is titled "The Current State of Zero Trust." A program note - each CyberWire-X special features two segments. In the first part, we'll hear from an industry expert on the topic at hand, and in the second part, we'll hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, NetFoundry.

Rick Howard: I'm joined by Amanda Fennell, the CIO and CSO of Relativity and host of her own podcast, "The Security Sandbox," that is part of the CyberWire network of podcasts. Amanda, thanks for coming on the show. 

Amanda Fennell: Thanks for having me. Let's do it. 

Rick Howard: Welcome back. Today, we're talking about zero trust. And it occurs to me that most of the security vendors have glommed onto that phrase as a way to sell their product, so much so that it's kind of lost its meaning. But just because the vendors have taken control of the narrative doesn't mean that zero trust isn't a good idea. So where do you fall on this? Is this a purely marketing phrase that has no meaning, or is it essential to your own internal security program? 

Amanda Fennell: Oh, man. This is a moment I wish you could see. I'm smiling at this one. It does come up so often. I use the same, like, kind of relationship here with the term, like, world peace. It's still a great idea. 

Rick Howard: It's a - yeah, we should do that. 

Amanda Fennell: It's still important. We should do that. Don't deny that just because people use it all the time. And it's like saying, I love you to my husband, right? I don't love you less 'cause I say it all the time, which I don't. But - so it's - you're right. It's been overutilized. But I do fall in the same place as you do. Adopting a zero-trust mindset is critical. It's the hybrid working model that we use at Relativity. It's an important component to keep this new digital fortress secure. We no longer have that moat situation that we can easily defend. So it does really help us to provide users with just that bare minimum. And for all our CISSP heads out there, that rule of least privilege and things like that - it does allow us to do that, to accomplish the mission they need to and to contain any potential compromise. Who's going to argue that, right? This is a... 

Rick Howard: Yeah. 

Amanda Fennell: ...Different perimeter these days. It's not traditional. We can't let it be lost. Just like - what was it? Five years ago or so, 10 years? - disruption. Oh. 

Rick Howard: Oh, yeah. 

Amanda Fennell: Oh, that was the word, right? 

Rick Howard: Another word that we overused. 

Amanda Fennell: Another word. Another word. 

Rick Howard: A main theme of the original John Kindervag zero trust whitepaper - you know, geez, it's over 10 years ago - is that we should assume that our networks are already compromised then try to design them to limit the damage if it turns out to be so. And I get a lot of pushback on that. Is that a realistic design scenario, or is there something else we should be trying to do here? 

Amanda Fennell: Yeah. I mean, you know, this is where it's hard. Us security people get a bad rap, that we're always assuming the worst, right? Assume you've already been breached - you know, this whole dynamic. Yeah. You know why? It really helps you start to build things from a good perspective if you just assume the worst and then hope for the best. And I think with the zero-trust mindset, the design scenario is applicable. You do need to assume that everything could have the potential to be hostile until you verify it. And that's why we say things like the trust but verify saying that, you know, in security we love to say that. But I think it is still the right perspective, and it is still the right design scenario. That doesn't mean you have to come across with a lot of negativity. You know, we're not having to be the active bouncers at a nightclub situation. It's just having the tech do that for us. 

Rick Howard: Well, I mean, in context, you know, he wrote the paper, like I said, over a decade ago. Back then, we were doing perimeter defense. We thought we could keep everything out. We build this electronic fence around everything important, and then everybody would stay out. But John, when he wrote the paper, was saying we need to reverse that thinking. I think he anticipated our networks would be scattered in, you know, just a few short years. And if you assume that it was going to be bad, then you would design it completely differently than if you were trying to put that electric fence out there. Is that what you think it is, too? 

Amanda Fennell: Yeah. And I think, you know, you mentioned how long ago he used the white paper, that this came out. Look, you know, Lockheed Martin - you know, kill chain - 2008, I think, is that original time frame. So we're looking at 14-plus years ago whenever this concept still came out. Guess what? Still applicable. So I think that you have every once in a while these great thinkers in the industry who come up with a concept like this that really is one of those pillars that should stay there, and it should be the way we do it. So for Relativity, that means that we operate under that assumption that no user, no link, no application should inherently be trusted until we do verify it using our own systems and processes... 

Rick Howard: Right. 

Amanda Fennell: ...Which is super useful because it goes back to the pillars of, you know, tools, process, people. And if you've created your whole program with that zero trust really well, it folds right in there. It's about making sure your people are educated on what it is, that the processes are reflected and the tools are in place and the tech is in place to help you enable that. So I think you just got to use the security fundamentals to keep it going and keep it strong. 

Rick Howard: So let's talk about that 'cause before we can get to any kind of robust zero-trust program, we need another kind of robust program, an identity and access management program. Do you guys build that yourself with no commercial help, or do you use commercial tools or some hybrid? How do you guys think about that? 

Amanda Fennell: Yeah, this is, like, my favorite topic these days. I - that is my favorite topic. So the "Spider-Man" reference - right? - with great privilege, with great responsibility, great strength, all those things. So we know that... 

Rick Howard: I'm - wait. Wait. I am so glad that you brought Spider-Man up - OK - that's... 

Amanda Fennell: Of course... 

Rick Howard: ...Right in my wheelhouse. So go for it (laughter). 

Amanda Fennell: ...How do we not? You know, it's so important. I think the CIA got it from Spider-Man, from the comic books originally, Stan Lee. We know we have access to a lot of really important data - for ourselves, for our customers, for our partners. This is really important. We take it very seriously. And it's also an honor and an obligation to really have this opportunity to protect this stuff. So making sure that the right people access it at the right time for just the amount of time that they should is absolutely where we get our IAM programs. You asked a couple questions that were pretty tactical. Yes, our IAM team is built into our larger Calder7 security team. It was created in-house. It started a couple years ago when we first moved to the cloud. It was a guy who really liked cloud stuff... 

(LAUGHTER) 

Amanda Fennell: ...And... 

Rick Howard: The one guy, yeah. 

Amanda Fennell: The one - that one guy - right? - he really enjoyed it. And we were like, you know, we think this could be something, we can make this a role for you, right? So he builds a cloud security team, then he starts to build out that we need an IAM team, then he starts to build up a, you know, security development team with it and it all goes together because you got to develop new tooling at all times to really make it fit what you're trying to do in-house. So some of those tools we do create ourselves, some we leverage external. I don't think it's a big surprise. We have huge Azure involvement, and Azure actually does a pretty good job with helping us to build some of our own tooling on top of what they do for a lot of the IAM stuff. 

Amanda Fennell: So yes, it's a little bit of everything. I feel like I'm in the kitchen. I'm throwing a little bit of salt and pepper in here. I got a couple other ingredients that are coming in. I like to leverage what's already in place. I like to create things that are detailed and created for our particular needs. And what we found most useful for doing all of that is that you just can't do 100% any one of those things. It is slivers of the pie that come together. 

Amanda Fennell: And one of those things I just can't walk away without mentioning, since you brought up my favorite topic, is people love to throw automation at IAM. And if I could give any caution to people out there to learn from the things that we had to learn over and over again and fail faster and fail better at, is just because you automated it doesn't mean that you also automated going back to check for those stale permissions and to check that the automated permissions are being taken away on time. So we had... 

Rick Howard: Yeah, you're... 

Amanda Fennell: ...To really work on that tooling. 

Rick Howard: You're right, because we, you know, we spend so much time trying to convince everybody to automate these infrastructure as code processes. And it was such a hard job to get people to start, that we never really went back to them and said, well, let's get everything in there. Now that you're doing it, let's do some of the right things. Is that what you're saying? Make... 

Amanda Fennell: Yeah. 

Rick Howard: ...Sure we do all those back-end processes that make it... 

Amanda Fennell: Well, you know... 

Rick Howard: ...All so clear. 

Amanda Fennell: ...I think that's the biggest thing that we always try to do with our team is that we know that we're really good and we're very proud of a lot of things we've put together. But if anything, we wish that we could help teach people some of the things that we had problems with so that they could avoid it. And that was one thing that we put in all this great automation but we had to go back and then say, wait, whoa, whoa, whoa, whoa, we also have to activate some automation to go behind the automators. Who watches the watchers? But yeah. 

Rick Howard: So there's really kind of two architectures for identity and access management programs. One is you - the user goes right to the workload and says, hey, I'm who I am, let me in. But the other one that most people don't have but I think is a better architecture, is something called - it's horribly named, by the way - it's called software defined perimeter. But instead of going to the workload, you go to some other thing, log in there, and then that thing does the negotiations to get you to the workload and only that workload. Do you see more and more people using it and are you guys using a software defined perimeter approach? 

Amanda Fennell: Some are not. So I think that it's where there's no - I hate to say, like, it depends. So sometimes... 

Rick Howard: No... 

Amanda Fennell: ...We do, yeah. 

Rick Howard: ...Comes up every time, yeah. 

Amanda Fennell: Every time. So this is where you got me into a corner in the conversation - right? - like you got me through all this the way but now it's at the point where I don't want to show all my cards. This is a... 

Rick Howard: Right. 

Amanda Fennell: ...How-to then. But I will say that, yes, when applicable, I think it's the right thing to use. I completely can acknowledge that one. It is not 100% in any direction for the way that we've deployed things. And so because I think that in some cases that works and it is the most available solid security and mitigation in the way to approach this, and then there are other times that it's just going to slow things down in that particular way and that median time to a resolution of things is just - it's too important. So comes down to the real question of when people use one model versus another, it has to start with - and I - oh, man, I hate to simplify this - what are you solving for, right? Are you... 

Rick Howard: Right. 

Amanda Fennell: ...Solving for speed to access, or are you solving for security first? Sure. You're all going to say security first but the business is going to say something different, right? And what I would like to say is that whichever model it is that you decide to deploy, our job in the security realm is to let the business do the thing, and to have them accomplish the thing and whatever they're solving for, comma, securely. 

(LAUGHTER) 

Amanda Fennell: That's it. 

Rick Howard: I like the way... 

Amanda Fennell: That's it. 

Rick Howard: ...You say that... 

Amanda Fennell: Yeah. 

Rick Howard: ...Comma, securely. I like that. 

Amanda Fennell: Comma, securely. 

Rick Howard: Well, one of the future architectures that are - is on the horizon for us is something called SASE - Secure Access Service Edge - and I know both you and I are big fans of this. So does SASE make this identity and access management idea easier, or will it make it harder for us in the future? 

Amanda Fennell: I think - oh, man, I really - it's so cliche. Both. 

(LAUGHTER) 

Amanda Fennell: Here you go again. And the reason why is because I think that the way that it's currently deploying, and the way that people are using this for the Secure Access Service Edge, it's wonderful the way that this captures network and security coming together but I think that in order to do this the way that people really want to do it effectively, you have to have all of the ingredients, right... 

Rick Howard: Yeah. 

Amanda Fennell: ...And not everyone's environments lend themself to that. For example, like... 

Rick Howard: Yeah. 

Amanda Fennell: CASB's a great example. CASB may not be the way that we are set up. If you're in a Palo Alto environment, that's not the way that they do that kind of security and perimeter and so on. So I think that it's in the middle of becoming more mature right now. It came out, made a lot of sense. It's very smart to deploy and to use this. But the problem is, if you don't have your dance card filled with all of the different boxes you need here, we're having to learn how to do it differently. So it's the right concept, I think it's the right thing to do but we are having to augment it and mature differently. 

Rick Howard: Well, it's like many things in our security space. You're doing a river crossing. You know, you're moving to a new thing but you still got to maintain all the old things before you get there - right? - now you made it more complex, even though you're moving to a thing that's going to make everything less complex somewhere in the future. So that's the problem we all have, right? 

Amanda Fennell: I think so. And I think there's also always the thing that whenever we decide a strategy or buy a tool, there's always this feeling of, like, OK, well, how long until I get value from that? What's the time frame for me to get some value? And that's the struggle some people are having right now. I think with SASE it's just that - well, it's SASE. It's not so simple that way. You can't just say, cool, we're going to do this. This is the new strategy, we're running in this direction. You're going to have to - just like IAM - tailor it to your own needs and what you have and what you don't have. And that's where people are doing the work right now. And I think we're going to see some great stuff come out with people who are going to publish some more white papers on this and some of the struggles they themselves have gone through with it. I know that's one thing that we're working on, too. 

Rick Howard: So it's like you build a SASE environment and start to move things towards it but you still maintain what you're doing, and pick the most obvious things that make it easy and get some wins there, and then figure out how to do it in the future. 

Amanda Fennell: I think because people approach a lot of these things differently. What are they doing about DNS and the way that they're doing - yes, you keep those things - look, people, I told you as a joke earlier, my sound, I had to be careful about it because there's people doing work outside - right? - on my house. But in order for them to replace the column with this new column I need - right? - they had to put two braces up on each side of it. 

Rick Howard: Oh, yeah. 

Amanda Fennell: You can't just put this new column in, you have to brace what you have in there, you got to make sure that it's working and it's still going to hold everything together until you're ready for that new one to take over, and then you'll take away the two braces that are fixing it. So it's a process, and I think I see the same thing with the SASE stuff. Like you said, keep the old till you're ready to move on to the new but you're going to have some duplicative things that are going on for a little while. 

Rick Howard: Well, Amanda, as usual, really good stuff. But unfortunately, we're going to have to leave it there. That's Amanda Fennell, the CIO and CSO of Relativity, and host of her own podcast, the "Security Sandbox" podcast. And you can find her show on the CyberWire webpage. Amanda, thanks for coming on the show and sharing your wisdom. 

Amanda Fennell: Oh, thanks for having me. I love it. It's my - this is, like, my second zero trust podcast episode I've been doing lately, so I'm excited about it. 

Rick Howard: It's on your mind, I get it. 

Amanda Fennell: Thank you. 

Rick Howard: Next up is my conversation with Galeal Zino, the CEO of NetFoundry. 

Rick Howard: Galeal, thanks for being on the show. 

Galeal Zino: Rick, pleasure to be here. 

Rick Howard: So no one can doubt that the state of the current infosec environment is one of steady improvement. I mean, you know, we've come a long way from the perimeter defense and defense in depth models of the 1990s. And yet it seems that the number of successful cyberattacks keeps growing. You and I are of the same mind about this. If we as a community are to reduce the volume of successful cyberattacks, we all have to get back to first principles. So I know what I mean by that, so can you tell me what you mean by getting back to first principles? 

Galeal Zino: Yeah, Rick. First of all, great, we've made a lot of progress. But then again, talking about first principles, the surface area for attacks is massive compared to... 

Rick Howard: Oh. 

Galeal Zino: ...A year ago, let alone five or 10 years ago. The blast radius, Rick, for these attacks, the severity and consequences of these attacks - right? - from a first principles perspective, that's where we focus on how can we, for our customers, our users - and by the way, our users are developers, they're operators, DevOps, NetOps, they're security teams - how can we enable them to reduce the surface area of the tech? How can we enable them to reduce the blast radius? How can we enable them to mitigate? We're not going to win this Whac-A-Mole game completely, but how can we do better, as you said, Rick? 

Rick Howard: I really like the way you call it the blast radius because, you know, when I started doing this back in the, you know, dinosaur days, we only had one perimeter and that's where all the data was. And like you said, today, data is all over the place. I call them data islands. We still have endpoints and data centers that a lot of us run but we also have mobile phones now and we have cloud services, we have SaaS applications. I was just doing the security assessment of CyberWire today. We have, you know, over 100 SaaS applications that we're running. So data is everywhere, and it's... 

Galeal Zino: Yeah. 

Rick Howard: ...Become so complex, right? 

Galeal Zino: Yeah, I agree, Rick. I mean, listen. When the app is the new edge and it's, like, massively distributed, then how do you better secure both the attack - the surface area and the blast radius, and do so in a way that, like, you're not compromising your business - right? - like business velocity, automation, portability, extensibility, scalability, like, just as or more important today than ever before? So I kind of see it like it's this kind of dual issue, Rick - right? - like security plus business velocity. 

Rick Howard: So talk to me about this business velocity thing. I think many security practitioners don't really have a hand around that or understand what that means. So what do you mean by that? 

Galeal Zino: Yeah. I think, Rick, there's this perceived tug of war - if we want to use a quick metaphor - where on one side of the rope is a security team. And OK, maybe it's just one woman in an organization, maybe it's a full department, maybe the folks are distributed. But either way, you have some folks in an organization. They're kind of tugging on the security side of the rope. And on the other side, we have developers, product folks, architects, DevOps, you know, automate everything. You have these forces on the other side of the rope that - of course they want security, but they need business philosophy. Like, if they are going to serve their customers with excellence, deliver an awesome experience to their customers, continually innovate, they can't compromise automation, agility, velocity. And so we have this perception of this tug of war, Rick, although, interestingly, I think it's a little bit of a false perception because we do believe that there's some enemies, so to speak, that are common to both the need for security and the need for business velocity. 

Rick Howard: Yeah, I agree that the perception is definitely there. The business decides to invest resources into fully throwing down on DevOps and DevSecOps. They don't want the security team to slow that down. You know, all the benefits you would reap from 10 deploys a day and all that stuff - if you're going to not get that because the security team doesn't respond to that or doesn't let you go fast like that, then why do it? But you're right, I think that's false. I don't think that's really happening out there. It's just - it's a perception thing. Is that what you're saying? 

Galeal Zino: Yeah, it's a perception thing. And I think there are common enemies - we usually circle three, actually - common enemies of both security and velocity, if I kind of go from granular to less granular. IP addresses - enemy of both security and velocity. Firewalls - enemy of both security and velocity. And the network - specifically in private LAN construct network architecture - also an enemy of velocity and security. So if we can eliminate those three things, we help both, right? We help you simultaneously get better business velocity and stronger security. 

Rick Howard: So they're enemies to both those things because you have to slow down to configure them. You have to decide what a good IP address is and what a bad IP address is. You got to configure the firewalls. You know, you've got to do all those things. You're trying to figure out a way to get that done more quickly? 

Galeal Zino: Yeah, exactly. So as I mentioned, we serve three types of users - developers, operators and security folks. And for security folks, it's really obvious we're going to do secure by design. We're going to make things more secure. For, like, an application developer, though, if they never have to worry about symmetric NAT, asymmetric NAT, firewalls, hole punching, TURN servers, bastion hosts, VPN... 

Rick Howard: Right. 

Galeal Zino: ...MPLS - if the developer never needs to worry about that again, they're very, very happy, right? So we enable them to kind of get those network constructs out of their vocabulary, so to speak, or at least so that they're not dominating their work. And then same thing on, like, the DevOps folks - like, our DevOps folks, they're - they say all the time, like, we need to automate everything. And, like, one of the things they can't automate - it's, like, what you described, Rick. It's, like, firewall rules and ACLs and certificate management on bastions and VPNs and MPLS. So they're enormously happy if we can do things like get rid of IP addresses, firewalls and LAN constructs. So yeah, that's where I see the merger, if you will, Rick. 

Rick Howard: So in a DevOps world or a DevSecOps world, that infrastructure as code is handled for the developers. They don't have to worry about it. They could just write their code, and they don't have to worry about screwing anything up. It just kind of happens for them. That's what we're trying to get to. That would be Nirvana. 

Galeal Zino: That's it, right? That's - I think, Rick, that's the definition of NEOS Secured by Design, right? It's - like, it's secure without you or me having to worry about it. The security is put in there, so to speak. And obviously, it needs to be auditable and traceable. We need instrumentation and visibility and controls. But as you said, Rick, it's not what you and I are doing. You and I, as the developer or the DevOps person or a security person - we're just working to deliver the best experience to our customers. 

Rick Howard: So we're going to get this by automating a prominent strategy these days called zero trust. So let's talk about that. That idea got started in the early 2000s when the U.S. Department of Defense Jericho Project tried to make something happen. Nothing really materialized from that research. But in 2010, two things happened. John Kindervag wrote the - his seminal white paper on zero trust, and Google got hit by a Chinese cyber espionage attack that caused them to redesign their network from the ground up using zero-trust principles. You know, you and I have been talking about this. Here we are over a decade later. Most security practitioners that I talk to are nowhere close to running a mature zero-trust program, and they're pretty tired of security vendors claiming that they have a zero-trust solution to buy off the shelf. It seems to be the buzzword of the last five years or so. And I got to tell you, just this week, I followed a Twitter conversation with a gaggle of CISOs that I admire. And at least half of them were saying that zero trust is just too hard to do, that the amount of effort it takes to establish a zero-trust program is not worth the security benefit. I don't agree with any of that, but that was the gist of the conversation. So if I was going to put zero trust on the famous Gartner Hype Cycle, I would say that Kindervag's paper was the technology trigger, and the idea traveled through the peak of inflated expectations sometime around 2015 or so. But it's been spiraling down through the trough of disillusionment ever since. So you're a zero-trust company. What do you say to your potential customers about that? Have we hit the bottom of the trough? They're now just moving up the slope of enlightenment? 

Galeal Zino: Yeah, there's a lot in there, Rick. 

Rick Howard: (Laughter) There certainly is. 

Galeal Zino: I mean, listen. I mean, you know that game, Rick, where if I say something, then something good or bad happens depending on what I say? You know, we try to play a version of that game where we try not to say the blank-trust word because it's become... 

Rick Howard: (Laughter). 

Galeal Zino: ...Marketing fluff. 

Rick Howard: We're immediately turned off by somebody saying that now, you know? 

Galeal Zino: Yeah. 

Rick Howard: So... 

Galeal Zino: The journey is difficult. Of course it is. But the - like, the marketing journey is - I don't know. There's really great marketers out there, and they've commandeered the word. And now we're zero-trust-washing like we Cloud-washed or AIML-washed. It's become a bit ridiculous. But, Rick, if we take it back to first principles, if you look at the Kindervag paper you referenced, if you look at the Google BeyondCorp architecture, which I believe... 

Rick Howard: Yeah. 

Galeal Zino: ...You're alluding to, if you look at software-defined perimeter, which in some ways... 

Rick Howard: Yup. 

Galeal Zino: ...Was the word given to this before zero trust was commandeered by the marketeers - the first principles there are identity, authentication, authorization, least-privileged access, right? It comes back to our start of the conversation in terms of, by design, reducing the attack surface, reducing the blast radius. I think if we can throw all the marketing stuff out and just look at, like, use cases and look, as you said, at the journey and what we need to do - because the North Star is great. Like, we all agree on the North Star, right? 

Rick Howard: Right. Right. 

Galeal Zino: How do I get to the North Star? That's maybe a more interesting question. 

Rick Howard: I know. And that's what my peers are struggling with. You know, what's the path to get there? In that CISO Twitter conversation, the naysayers weren't wrong in that implementing a robust zero-trust program is hard, mostly because you have to be able to do DevOps and DevSecOps and the automation of security orchestration. This is a muscle that security practitioners don't necessarily have. You know, we really haven't been tasked to do that job. But your company is involved in an open-source project designed to improve that situation. In fact, your commercial products are built on top of that open-source code. It's called OpenZiti? Is that what - is it spelled Z-I-T-I? What is that? 

Galeal Zino: OpenZiti - it is, Rick. 

Rick Howard: OpenZiti, like the spaghetti. 

Galeal Zino: Yeah. Yeah. It tastes good. Don't Google ziti 'cause you'll find all - you'll get hungry if you haven't just eaten. But yeah, Google OpenZiti if you want to - well, we say build in - or maybe bake in if we want to stay with the pasta analogies - you know, bake in security. Build in security by design. We take that open-source-based platform approach because - and I know platform's overused, too, but platform in the sense that we enable builders, makers, operators. We enable them to build things on that OpenZiti platform that are secure by design. So you have a proxy, and you want to make it secure by design. You can use OpenZiti. You can insert some code into your proxy. You can make it secure by design. You have an IoT application. You have a web browser. You have a back-end database, right? With our OpenZiti platform, whatever you have - and I think this is really important for the journey because you can start anywhere, right? So you have a new edge cloud IoT project? Start there. You have a new greenfield application? Start there. It gives you that type of flexibility, Rick. And at the end of the day, we believe that the paradigm shift here is if you're just trying to bolt on, quote-unquote, "zero trust," if you're just trying to, like, make your network more secure - something that's inherently not secure, right? Networks are made to deliver packages. If you're just trying to make that thing more secure by bolting stuff on top, well, good luck to you. That's going to be a long journey. 

Rick Howard: Yeah. And of all the times I've tried to do that, I can tell you that has never worked, OK? So, yeah, I'm with you on this. Go ahead. 

Galeal Zino: Yeah. It's tough, right? I mean, listen, we have a lot of clever engineering and good technology, etc. Don't get me wrong. It's just you're starting from something that's inherently not secure, and that's really difficult. So what we kind of say is, well, what if you could build it in? What if you could build it in to your application? What if you could build it into your service, your use case, your remote management tools, your actual use cases? And what if you could build it in a way that's not going to cause you to, like, forklift everything else? Like, you know, I don't want to necessarily touch the underlay networks. I don't necessarily want to touch an adjacent use case. I might not want to touch another user group or another cloud or another edge. You know, what if I can take a more modular approach to this, kind of build zero trust in, in a way that matches my business partners? Well, that's cool. And that's the idea of both OpenZiti, which is the open source, and then NetFoundry is essentially the hosted version of that, the SASE version, the easy button version. Either are great depending on what you need to do, what you need to accomplish. 

Rick Howard: So it sounds to me that we may have hit the bottom of the trough of disillusionment and are starting up that slope of enlightenment. Is that the main takeaway today? 

Galeal Zino: I hope so, Rick. We're standing on the shoulders of some giants, like you... 

Rick Howard: Yes, we are. 

Galeal Zino: ...Mentioned earlier, so we can hope. And, you know, I said the other way, are we really going to be successful in kind of a hyperconnected, like, massively distributed world? Like, that whole kind of digitally transformed world - it's all built on this kind of assumption of secure networking. So we... 

Rick Howard: Yeah. 

Galeal Zino: ...Really do need to get it right. And I believe we're making progress to do so. 

Rick Howard: Well, that's all good stuff, Galeal. But we're going to have to leave it there. That's Galeal Zino, the CEO of NetFoundry. And thanks for coming on the show. 

Galeal Zino: Rick, my pleasure. Thank you very much. 

Rick Howard: That was Galeal Zino, the CEO of NetFoundry. And we'd like to thank Galeal and Amanda Fennell, the CIO and CSO for Relativity, for helping us gain a bit more clarity on how to think about zero trust. And finally, a special thanks to NetFoundry for sponsoring this show. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. 

Rick Howard: Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And I'm Rick Howard, signing off. Thanks for listening.