Out-of-the-Box Interviews: Jason Garbis Zero Trust Expert
Geoffrey Burke: Hi folks, we have with us today Jason Garbis, Zero Trust expert and author of countless works on ZTDR.
Welcome, Jason. Tell us a bit about yourself.
Jason Garbis: I've been in the technology industry my whole career, which is almost 35 years at this point. So that makes me extremely old.
I started out as a software engineer, writing C and C++ code for distributed systems. In that role, I not only got to understand how software systems really work but also how enterprise architectures work. After doing that, I switched to a professional services consulting role for a middleware vendor. In that role, I had the opportunity to travel to, visit, and work with many enterprises that were using this particular vendor's middleware to build large-scale distributed systems. That, in turn, exposed me to the 360° picture of enterprise challenges.
I began to get into the security world about 15 years ago, working in the identity management arena: identity governance and lifecycle management. From there, I shifted into what we call Zero Trust network access today, working for a vendor in that space. I was leading the product management team there, but I also took a leadership role with the Cloud Security Alliance as part of the Software-Defined Perimeter Working Group at the time.
Today, I lead that group, and we've morphed it and expanded its scope to be focused on zero trust. So in those roles, I work a lot with enterprises and a lot with people performing different jobs, like the security team, the IT team, and now, in the last couple of years, working with the folks here at Object First, the data protection, backup and recovery team.
Let’s Talk About Zero Trust
Geoffrey Burke: Where did you first hear about Zero Trust? Was it more from a networking perspective?
Jason Garbis: I think it was around 2015. I was working for an identity management company, which was acquired by RSA in 2013. That was right after, or shortly after, the first zero-trust paper was published by John Kindervag at Forrester. That was in 2010, so I had some awareness of it. Then, I left RSA and joined a company that was launching what today we call a zero-trust network access solution.
In this space, I was exposed to the concept of zero trust and realized that this is really interesting. It's taking all the stuff that I've done around identity management, identity governance, and best practices and applying it at a real networking level.
In the identity management world, you need to make sure you understand who should have access to what. Identity governance does things from a business process perspective, making sure that people are in the right groups and enforcing segregation of duties. However, there had never been any hard enforcement.
Then, we shifted into the zero-trust world and recognized that you need to enforce it at the network layer as well, because there are so many vulnerabilities and so much in the attack surface that can be taken advantage of that you need those identity-aware and contextually aware policies to be enforced at the process level, at the identity level, at the application level, and at the network level.
Geoffrey Burke: Ransomware must have significantly enhanced the need for Zero Trust in the industry. One of the prime tenets of zero trust is assuming a breach. Do you think IT professionals have accepted this concept?
Jason Garbis: It has. I think we can all look at the prevalence, damage, and frequency of these major ransomware attacks and understand just how challenging our threat landscape is. The premise of assuming breach, segmenting your network, and enforcing the principle of least privilege is a great antidote to ransomware and makes it harder for attackers to do anything.
Assume Breach
Geoffrey Burke: One of the challenges with Zero Trust and the assume-breach idea is that you are essentially saying that your system has been broken into before the fact. Some managers might not like that kind of pessimistic vision.
Jason Garbis: You bring up an interesting point, and that's one of the reasons we need zero trust. When you talk to enterprise networking teams and listen to what they have had to do, it's been very difficult because they haven't had the security tools or the vocabulary to enforce real access policies. The networking teams have had to change their focus. Their goals in the past have been primarily to build reliable, fast, resilient networks, but they haven't had the ability to enforce the security to which the network is tied, things like identity and context. Before, it was like we didn't know anything about the application. We don't know anything about the user, and if our user is malicious, guess what? Their malicious packets will get there just as reliably and fast as everybody else's.
Zero Trust now gives you a chance to move away from that and say we know what identity is on this device, and we're going to either allow or disallow those packets based on policy.
Geoffrey Burke: Is it true that today, data protection and security teams have to work together more than ever before due to the wide variety of threats?
Jason Garbis: Yes, absolutely. You brought up an important point: the need for security teams and data backup and recovery teams to work together and recognize that, first, everything we do in our enterprise is now digitized. Everything runs on it, and therefore, everything is a target and needs to be secured. It's not right to treat the data backup and recovery system just like another application, because it's not. It is a huge target for the attackers. It is also an emergency parachute.
If you get attacked and you have invested all of this money into backup recovery systems, you want to make sure they are still available in an emergency and that the backups were validated as being recoverable on a regular basis by means of DR Testing.
Utilizing Zero Trust Strategies
Geoffrey Burke: What strategies would you give to people trying to achieve the above?
Jason Garbis: That's a whole hour-long conversation. I've seen some really bad situations where you get resistance from the non-security folks in the enterprise. There are many bad ways to do things, but there are also many good ways to do things. There is a clear balance between carrot and stick in terms of motivating or forcing people to follow these procedures.
We know that going out as a security team and metaphorically beating people about the head with a stick and saying, "No, you have to do this," isn't a great way to enforce things, but sometimes you do have to have elements of that.
We look at what our enterprises are doing today. I don't think anyone will claim victory and say we're doing great. We are in an adversarial environment. We as a society have mastered so many technical things, like electrical engineering, transportation, communication, and medicine.
In all of these things, we have made phenomenal advances, yet we really stink at security objectively.
We have adversaries who are just as innovative, well-funded, and malicious, and who keep pace with our investment in countermeasures. So, security teams have to recognize that they have a responsibility to improve the security of their enterprise, and people will have to accept changes there.
We need to grow as an industry, and security teams must recognize that you simply have to do the basics properly. You cannot have people deploying servers or services on your network that you're not aware of that aren't classified in the right way.
That's simply not acceptable.
Likewise, users can't just attach random devices to the network and access things. The good news is that with the modern set of security-related technologies, we can improve the user experience and security. We can adopt biometric authentication, password-less authentication, and other measures. A zero-trust initiative can deliver value to the business in many ways, and the right approach is to use a little bit of stick and a lot of carrots.
Geoffrey Burke: We don't necessarily own everything in our environments. Take the supply chain, for example. Is the IT industry taking this seriously and able to apply the tenets of zero trust in places like that?
Jason Garbis: Yes, and there's a significant initiative, especially in the government, around SBOMs, software bills of materials, and understanding where that software comes from. If you read some of the NSA guidance on zero trust around devices, they go deep into this, as you would imagine.
- Questions like where is this hardware coming from?
- How do you know this hardware hasn't been tampered with?
- Do you have any malicious components embedded there?
Take, for example, what happened recently. Fortunately, an open-source library with malicious code embedded in it was caught before it went out. If I were a malicious actor, I would pursue a really interesting avenue: getting embedded in an open-source project, contributing for a couple of years, and then placing malicious code in the project.
So I want to finish up the last point there, you know, the assumed breach, which I think is obvious here. You are not going to be able to validate every single piece of open-source code that's in your environment. There's a level of trust that you have to have in the community, and clearly, you should be doing this for your custom apps: source code scanning, you know, dynamic and static and things like that.
You also want to reach a point where there is no daylight between what you expect an application or system to do on the network and what it actually does.
Geoffrey Burke: That's a good point. I was going to ask you also about the future, because I was at the Winnipeg Security Conference in April, and their big guest speaker was Mike Rogers, Admiral Mike Rogers, former head of the What scares you the most? What keeps you up at night? He surprised me by saying that in the next three years, it will be a combination of AI and quantum computing. You know, I was thinking about 10-15 years.
Jason Garbis: I'll start by talking about the easy one: I'm not terribly worried about quantum right now. While there is clearly a set of vendors and researchers who are highly interested in this, they're not investing in quantum or cryptographic agility at this time. They want to be aware of it, but they're not ready. When the time comes, they can rely on their libraries or providers to update to quantum-proof algorithms.
I don't work in the intelligence community but in the commercial private sector, and even for non-DoD federal agencies. We recognize this is coming, but they're not proactively doing things like shifting over to different algorithms. So I'm not terribly worried about that. It will come, and there will be a bunch of work. It'll be, you know, like the Y2K problem times ten.
That is a great example of when the industry put a lot of work into it, and it became a non-issue when the millennium change came because of all the investment and work. I think we will see the same thing with quantum computing.
AI, I believe, is a much bigger problem. It is not so much from a direct security angle, because AI is not creative. It will not create a brand new way to attack, but it will allow you to amplify the current set of attack methods by 100, 1,000, or 1,000,000. Organizations need to be ready for that, but I would say the harder problem comes from deepfakes and the inability to distinguish real from fake in an interaction with someone or something.
We've all seen this, where you get AI-generated entities on a Zoom call like this. I mean, how do you know that I'm real and not AI-generated?
The Future of Zero Trust
Geoffrey Burke: Do you see zero trust evolving further? What do you see in the future in that respect?
Jason Garbis: There are a few angles here. Clearly, an AI system needs to be protected in the right way, just like any valuable application to which you want to apply your zero-trust principles.
The notion of context has not made its way into any application, let alone AI applications, so we cannot say we're going to the AI model and it is going to return potentially different information to you based on attributes about you. We're not at that point in the industry.
I think there is a need for that in general, which is the ability for any application, whether it's AI or a standard application, to be aware of and consume the zero-trust context and make decisions based on that.
A really simple example is geographic location. We have an application that has data in it. You can access it depending on where you are, based on data protection or privacy regulations. It's a really basic type of thing, but it is harder than you think to ensure that we can still be productive, because it relies on proper data or metadata.
Geoffrey Burke: Let’s say I am brand new to Zero Trust. I see that Veeam and Numberline have developed this new Zero Trust Data Resilience practice.
How did that come about? What is ZTDR in a nutshell? How do we apply it?
Jason Garbis: We looked at the state of the industry, in particular, the zero-trust maturity model. I mentioned the pillars that it covers, including identity, devices, networks, application workloads, and data. However, there are gaps in areas where that model is silent. In particular, it does not mention anything about data backup and recovery. We wanted to provide some guidance and thought leadership around this topic. How should people apply zero-trust principles to the realms of data backup and recovery? We created this concept called Zero Trust Data Resilience.
We are extending the Zero Trust model and providing concepts and a maturity pathway within that domain.
Zero Trust Data Resilience is built on three primary concepts:
- First, follow the Zero Trust principle of segmentation and separation: You must separate your backup software from your backup storage. They need to be geographically isolated and have different control points. In the model of assumed breach, if one of those components is breached, you want to ensure that the other isn't.
- The Second principle is enabling multiple resilient zones. We're all familiar with the 3-2-1 concept, and this extends that by saying you need to make sure that those backups are in geographically distributed places.
- Then the third item is immutability. The backup data needs to be immutable and supported by the right platform, so that you are protected even in the event of a breach by someone who could otherwise delete that backup data. So those are the three core concepts, and then we formalize this a little bit by defining some additional capabilities.
For example, modeling how your backup and recovery system accesses the sources of data it backs up in the enterprise, making sure production systems are monitored, and the monitoring system also has to be protected by zero-trust policies. Likewise, access to the backup storage, both reading and writing, must be protected by zero-trust policies so that only the right entities (the backup software) can read and write.
Backup administration access, like any privileged system, needs to be carefully controlled, with strong authentication applied.
You make sure that even when your lead person is, you know, on vacation or away, someone knows how to follow the runbook successfully. Those types of things make up this whole concept of zero-trust data resilience. So, we have given this to the industry, and it provides a road map for doing this. It also enables the backup and recovery teams to have informed conversations with the security team about adding Data Protection to the overall Zero Trust initiatives.
What Comes Next?
Geoffrey Burke: As a final question, what are your plans for the future? Do you see yourself writing another book? You've written two books already, at least on zero trust, right?
Jason Garbis: Yes, I am. I spend a lot of my time working with enterprises on their zero-trust strategy and architecture, and I really enjoy doing that. I learn something from every engagement, and as I do that, I continually refine the model, approach, and methodology around it. So that's something that I want to keep doing, helping enterprises and perfecting and improving this model. This is something that gets more mature, and I'll be sharing it with the community at large.
I'm in the early stages of thinking about what a second edition of the book would look like, with an expanded scope and a real emphasis on making and providing practical guidance on how you apply this maturity model. How do you create a road map? How do you map the capabilities in your platform to the ultimate goal? What is the definition and enforcement of these access policies?
Geoffrey Burke: How do you stay in the trenches while also working as an educator? There's always a dilemma: if you become a teacher, you become more of a theorist. You're not on the ground battling it out, so you start feeling a kind of separation. Are you still getting involved at the work level, like at the trench level of zero trust, on top of writing the books?
Jason Garbis: Yes, and there's no substitute for the really hard work of being on-site with a customer and enterprise, conducting a two-day workshop, and interviewing dozens of people to understand:
- How are they doing identity management?
- How are they managing their networks?
- What does their data protection or data security strategy look like?
It's hard work, but it's also invigorating to learn about it because, like I said, I learn something from every single one of these. I share that and reflect on it with every enterprise I work with moving forward.