Hello, everyone, and welcome back to another episode of shift happens. I'm your host, a lot of renown. And I'm joined here today by Todd Ellison. Todd, welcome back to the podcast. Thanks, Alana. Todd, give everyone a little bit of your background. Sure. So I'm a Solutions Architect, and I've been here for about a year. Prior to joining Niall, I spent 10 years in the reseller space, really kind of a consulting role, helping companies build their networks build their security around their networks, I read the I lead the networking and security architecture team at that reseller.
And then prior to that, I spent 15 years in the Internet Service Provider managed service providers face dealing with customers kind of all over the southeast all over the country, again, just really helping them build their networks from kind of the beginning of networking. So it's been a fun journey. I love that you said the beginning of networking, because I think that's kind of setting a good stage for the conversation that I want to have with you today around zero trust. What is zero trust? And what do people get wrong about zero trust? So let's start there. Can you give me a definition? What is zero trust shot? Yeah, so unfortunately, I think that the definition of zero trust is really muddy right now. And that's partially the industry's fault.
1:35 Their zero trust is a framework. And it's a framework that was come up with years ago to address a change in the way we approach security. So we used to, you know, way back in the day, we thought, you know, the bad guys are on the outside, the good guys are on the inside. And as long as I keep that, you know, the bad guys on the outside the good guys on the inside, then we'll be fine. And we won't have any security breaches. But it turns out that the bad guys figured out ways to get on to the good guys devices, and you know, the computers and the devices that they bring into the office every day. So zero trust is really a framework to address that, that we should not trust any device inherently just because it's connected to the network, or either because it's a corporate device. So you can look at different sorts of papers that are out there different research organizations that talk about zero trust, but when it comes down to it, it really is just that I don't trust any device to be inherently good.
And so I control the devices that connect to my network. And then I specifically control the things that they are allowed to do on the network, in order to make sure that they're only doing the things that need to be allowed for them to function for them to do their jobs. And if they start to do something malicious, that should be blocked by default, inherently zero trust is a default position of not trusting anything that's that's connecting to the network. So what are people getting wrong? And I know we've had this conversation offline a little bit, people are muddying the waters when it comes to claiming that they have zero trust principles. Can you talk a little bit about that? What are people getting wrong?
Yeah, so I guess there's a couple of things. And one of the things that we didn't talk about offline is that a lots of organizations, lots of manufacturers are kind of CO opting this zero trust naming convention or this idea that, you know, they have zero trust. And so first of all, zero trust is a default position. And so we, some manufacturers are out there saying, Oh, our version of zero trust is that first we allow the device to do whatever it's going to do. And then we figure out whether that's allowed or not. And then if it deviates from what it was allowed to do, then we alert that's not zero trust, that's learning what something is supposed to do. But by default, that thing is trusted, right? Because there's a learning period that you have to go through. So that's one thing, not really being precise enough in your zero trust architecture. That's a big one. But one that happened just a few years ago is this, these products started coming out really during the pandemic called zero trust network access.
And the idea for zero trust network access was we sent everyone home, but they still need access secure access to their applications, and their applications might be in a datacenter, it might be back at their office might be in a cloud somewhere. So this traditional virtual private network remote connection back to the office concept really didn't work very well, for that. So zero trust network access was was invented sort of as a replacement to a VPN or virtual private network is software client that you install on your computer. It allows you Remote Connectivity back to back to those those devices, unfortunately, because they use the term zero trust network access, what I saw was a lot of organizations went oh, that's zero trust, I can buy zero trust now. And so they started, you know, taking out their checkbooks. How do I go buy zero trust? And that's not really it's not really a full zero trust solution. It's a component of it.
5:00 zero trust solution. But when you have people coming back to the office, it's really not the best solution for users that are local users back in the office software client, you have to install it on every machine, you've got other appliances you have to deal with. So But anyway, that's they've taken this this zero trust concept, right? And a lot of organizations have have thought they could just buy zero trust. But when users come back to the office, it doesn't function quite as well. I want to touch on that a little bit. You said? No, a lot of organizations think that they have zero trust implemented and they they necessarily don't do you have like an example? Maybe a story around that? No, I don't think that there are a lot of organizations that that would say they have zero trust to implement it. That's that's kind of the the problem, right is there's a there's a journey that you have to go along to get to true zero trust. And so there are a few organizations that have gotten zero trust gotten some of the zero trust concepts in place a lot, I would say have gotten zero trust concepts in place.
But it's only pieces and parts, because eventually what happens is they'll run into something that they didn't realize was coming something that they didn't know, was already going on, on their network. So that's I see, organizations fail over and over again, because they start down this zero trust path, and they go, Okay, we're going to restrict everything, just the way that zero trust says, we're going to restrict everything to exactly what these devices need. But historically, we've had no visibility into what the applications are actually doing on the network, and what these devices are actually doing on the network. And so we ended up, you know, restricting it too much, because we didn't have the visibility or, you know, trying to implement software clients to understand how all those things can act and how they operate.
And that software client fails or, you know, it's it's a very, very complex thing to do. And I've only seen a few organizations really say that they have full zero trust implemented. And honestly, one of them put it to me perfectly, very large organization, their CIO CIO told me, yes, we have full zero trust implemented, it took us five years to figure out how to do it. And there are two people on my staff that actually understand how it all works. And so when are those two people ever gonna go on vacation? Right? So that's, it's a big, big problem we're trying to solve here. Okay, so let's say we're approaching this, and I'm in an organization, I obviously want my networks to be extremely secure. But right now I'm dealing with
7:28 parts, I have pieces and parts of zero trust. What is my solution? What do I do if I want this like kind of full stack capability that you're talking about? Is that like, a pipe dream? Or is that something that's real, that can be achieved? So traditionally, it would mean first of all, just a ton of due diligence, like understanding every application on the network, everything that communicates with everything else, starting out with the most critical applications, the ones that either, you know, are required for the business to operate, or that, that hold the crown jewels. So a lot of times it's starting there and kind of iterating and working your way out. That's why it takes so long, because you just have to understand so much. So traditionally, it would be that and then in terms of products that you have to layer on, it's you know, an authentication product, it is a network security product, it's a visibility product, it's usually all of these separate pieces and parts that you're buying.
And by the way, even if you buy them from the same manufacturer, it's up to you to integrate them, it's up to you to you know, build all of that at your site. So I would say prior denial, like building that yourself is a very, very difficult proposition. It just takes a really long time. Well, let's talk about it. Talk about the now solution, please. And how it's kind of a game changer when it comes to securing your networks. Oh, absolutely. So so like I said, zero trust is a default position. And networking historically has not been by default, a security solution. It's been an access solution. Let me try to get these two things to talk to one another. So a lot of times why security and networking tend to be a little bit at odds because networking wants to give access, they want to allow things Access and Security wants to deny things access that or not, you know supposed to be allowed. So with Niall
9:17 Niall does host base isolation by default. And so what that means is these devices that come into the network, like I said, zero trust is a default position. They're not allowed on the network unless they're identified and authenticated. That's kind of step one, zero trust don't allow things to the network just because they found a place to plug in. Everything has to be authenticated, that connects to another network. And then everything is isolated. Host by host so for example, if I brought in my laptop, put it next to your laptop, we were on the same network together. There is almost no reason for my laptop to ever talk to your laptop. no legitimate reason for my laptop to ever talk to your laptop. I can talk to printers right now that I shouldn't need to talk to your laptop
10:00 So by default, Niall prevents that out of the box with no configuration required. And then now, since that basically allows you to control what is allowed from that point, so now it gives you visibility into what the devices are trying to do. It gives you the ability to inspect the communication between those devices. And it gives you the ability to block traffic even between devices that are on the same network, which is really a revolutionary concept that no other network manufacturer is doing by default today. It feels like something that's a very bold statement to say that right, but I think it's true. And it's also like necessary for us to reach this like true digital transformation and actually having secure networks. Todd, thank you so much for being on the podcast.
But before you go, is there anything that you want people to walk away with, from this podcast when it comes to zero trust? Yeah, the biggest thing is to understand that zero trust is a default position. It needs to be built that way from from scratch. And so there's a lot of architecture, there's a lot of pre work that needs to be done. Before you implement zero trust on your network. It requires a lot of a lot of building. Awesome. Well, thank you so much for joining us today. listeners. If you want to get a hold of Todd, maybe pick his brain more about zero trust, feel free to reach out to him on LinkedIn. We will have that in our description. And Todd, thank you again so much. Yeah, thank you, Elena. Be sure to like and subscribe to the podcast and we'll see you again on the next ship.
