Ford, Carolyn: When I think about zero trust and when I hear you talk about zero trust, it sounds like it's part of that defense in depth philosophy and strategy.

Blake, Michael: It is. Yeah. Yeah, it's a collection of industry best practices. Really, it's all the things that we should probably have been doing anyway, but more formalized. And then there are specific kinds of checklists and some criteria that you can now be evaluated against to verify that you actually have, kind of, achieved some of the goals that zero trust sets out.

Ford, Carolyn: All right. Well, let's set the table and give it to me in plain English and just give me the core principles of zero trust.

Ford, Carolyn: Sometimes there's five pillars. CISA likes to do 5 pillars. DoW, I think, has six or seven. They always have to have more.

Blake, Michael: Yeah. So, I mean, it really comes down to the concept of containing the breach, or the blast radius, as it is often described. So when malware comes into your network, does it have access to everything? If a malicious actor exploits and gets inside your network, do they have access to everything? And in the old way, if you came in the office and you weren't on the VPN and you came to your desk, you just had access to everything that was out there on the network, whether you needed it or not. And over time, it's become much more finely grained control about having access to only the things that you really need to have access to. What zero trust has done is, and it's been proven pretty well by many of the different breaches that have been out there, like Salt Typhoon: the nation state actors are persistent on many of these networks, so it's no longer assumed that if I come in and I bring my computer from home and I can plug it into the corporate network that it's going to be nice and clean.
The new assumption is that we probably have a persistent malicious actor at some point in our network, whether it's a service technician that brings in a laptop to fix something, right. You just assume that that threat is there. So then if you assume the threat is there, you don't know where the threat is. So you don't trust anything. Everything has to authenticate. All of your data flows are supposed to be mapped. So you figure out what machines need to talk to what machines, and that way if a hacker comes in and finds an exploit and lands on one machine, they can't do what's called a pivot. They can't immediately jump from there and spread it out across your network, and that's kind of the thought process now: I don't trust my employees. I don't trust my machines. Not necessarily because they're a bad actor, but the devices and the environments that they go into have those nation state actors present.

Ford, Carolyn: Right. And the old metaphor of, we no longer just give keys to the castle and you have access to everything inside the castle. But you've got to have access to the individual rooms and even the individual data, but we'll get to that. Chris, why did you feel a need to talk about this for our Australian friends?

Chris Rule: Well, I think you sort of touched on it earlier. My sense is that the concept of "zero trust" in Australia is newer than perhaps it is in the States, so like you, whenever I talk about zero trust, I always think about ringing up Michael for advice on it. But one of the observations that we make at GME is, we circulate in particular amongst the defense organisations, the national security organisations and some of the critical infrastructure markets who are considering their cybersecurity arrangements. One of the observations we make is they've heard of zero trust, but the level of maturity in their understanding of zero trust as an approach to network security is highly varied.
And my observation is generally less mature than what I see when we're talking to equivalents in the States now. I guess that's a matter of opinion. Many of my Australian friends might dispute that, but it's an observation, and what we see, perhaps not when we're talking to the IT crowd, but when we're talking to the business level leaders, is this idea that they know zero trust exists but many think it's just a pure technology solution and they can buy it off the shelf, where, you know, the more I talk to folks like Michael, the more I realize, of course, is that it's not about technology, it's about process. It's about people. It's about organizational behaviours, you know. Zero trust is almost a lifestyle, if you like.

Ford, Carolyn: Oh, I like that. So we call it... I mean, I've referred to it as an architecture, a philosophy, but I like lifestyle. And what you said about ideas around zero trust in Australia? I think those ideas are still here. I feel like I've been around it so much now that it doesn't seem like I hear people say as much, "Oh, do you have a zero trust product?" But certainly even five years ago, I would go to a trade show and people would come up to our booth and say, "Do you have zero trust?" like it was a product. And I suspect we still get that here. Michael, do you still hear that?

Blake, Michael: Yeah, people think it's like some salt that you can just sprinkle across the network and you'll be safe, right?

Ford, Carolyn: Yeah, right.

Blake, Michael: And so there's... Like I said, there's definitely good things that it introduces, you know. Data at rest being encrypted. Data in motion being encrypted. You know, making sure that you have good role separation between your privileged and your unprivileged users, and what they do or don't have access to. So there are a lot of good things there, but it's not a panacea. It doesn't solve all your problems.

Ford, Carolyn: Right. It's a lifestyle.
Blake, Michael: Yeah, well, it's really... The zero trust words that are used are actors and objects, and so an actor is an application, could be a user, could be another server, asking for access to an object. So it could be the data, right? So that's a file. It could be a particular amount of information that it is trying to query from a database. So that is the transactional nature of it. Can this actor have access to this object? And so that's good. They layer it on top of that behavior based access. So, am I in the office at the normal office hours that I can do certain things? If I'm outside of those office hours, maybe I'm not allowed to do those things, and so there's additional kinds of constraints outside of just yes or no, do you have access to this thing. So it can get pretty complicated as far as how much of the sensor data that they get, like is your computer actually patched? Are all your virus definitions up to date? So that's your endpoint security. So it measures the device that is managed on the network, the user's behavior and the time of the day and things like that to establish these patterns of what is normal behavior, and then tries to anticipate potential and flag potential things that may look odd. So the kind of the thing that it doesn't do: once the actor has access to the object, that is where zero trust ends and cyber security comes in, because the kind of the threat vectors that you can have once those things are allowed to talk to each other or interact is, you have data corruption that can happen, right? That can be intentional or unintentional. Zero trust is not gonna prevent a person from corrupting data if that's what they want to do. It can be malicious content: if I open up an Excel file that I have access to, I can write a Visual Basic macro, and there's pretty powerful things that you can do with Visual Basic inside Excel.
I can copy that over to somebody's file share and give them permissions to read it, and when they launch it I could have, you know, a button in there that maybe says "calculate the cell," but it actually will scan the file system and let me know the names of all the documents in their document folder. And so those kinds of things that happen once the access is granted is really where cyber comes in. Supply chain. Working with external companies, ingesting data from external sources, you don't know where they are on their journey to zero trust compliance. You really need to be conscious of those external boundaries for the businesses that you interact with. If you follow strict zero trust and they don't, you don't have the ability to measure their computer and whether it's been patched or not, you would say, OK, well, they are just not going to have access to my network. Well, then your supply chain's broken at that point, so you have to be able to assume a certain amount of risk and then figure out how to mitigate that risk so that you can continue with your normal business operations.

Chris Rule: So there's some complexity here, isn't there? And wherever I see complexity, particularly where clearly implementing a zero trust approach in an organization is a whole of business affair, it's not for the IT team alone. And where there's that complexity, education is required, and I guess going back to your earlier point, Carolyn, in terms of my sense of where the Australian ecosystem is on this, it's early days for Australia. I look at how education is being promoted from the Australian Government on the philosophy around zero trust, and it exists, and so our lead signals intelligence organization in Australia, the Australian Signals Directorate, has an important arm called the Australian Cyber Security Centre. That's the defense focused side of our national signals intelligence organization, really involved in national cyber security.
They are promoting zero trust. They're promoting it under a broader banner called Modern Defensible Architecture, or MDA. And they've pushed that out publicly. And so listeners can go to the website for that and haul down their MDA papers. The observation I make is, in February 2025 they put out really a discussion piece on MDA and zero trust for commentary. That tells me that they are also in the early days of: how do we communicate this to the public? How do we reinforce the principles that Michael started to outlay as something that businesses and government agencies now start to think about? I suspect NSA and the equivalent agencies are a bit further down the track than perhaps what I'm seeing in Australia, but I'll stand corrected when I'm proven wrong.

Blake, Michael: Yeah, there's a big, big piece of it, a big dependency on really becoming zero trust compliant, is modernization. There's a lot of legacy equipment that just doesn't support endpoint security and things like that that you really need to have a robust zero trust implementation. So there are definitely upfront costs. Inside the American Department of War, money was put out there to help organizations, and it's modernized key parts of their infrastructure. But that was like a one time deal, and there wasn't enough money for everybody, right? So the kind of the key programs got to modernize a lot of their infrastructure. There's still a lot of work that has to be done after that, so, to your point, it was kind of an undefined problem. They've tried to give it some testable criteria so that you can say whether or not you did a good job with your zero trust implementation, so now there's a zero trust self-assessment that government agencies do. So they go in and they implement their zero trust and they go through the security controls and then they do the self-assessment and they come up with a certain level of compliance with zero trust. That is handed off and you can actually have
a formal assessment of your zero trust network, and they'll do some penetration testing. But if your score isn't high enough on the self-assessment they won't come test your network, 'cause they know they can get in, like you haven't really implemented anything to the point where you're gonna prevent that lateral movement of malware or something like that across your network. So there's kind of the identifying what the key things are in your network that you need to modernize, modernizing those things, isolating them, and then to start monitoring. Now I've gotta start monitoring to make sure that I have a good idea that all of those things have properly addressed, you know, software patches and things like that, and so a lot of the cyber incidents that have happened have been around patch software. And almost all of the breaches have a VPN involved, so the firewall and the VPN aren't enough to really secure networks anymore. The threat has become way more complex than those things prevent.

Ford, Carolyn: And Michael, you said a couple of things. So you said that once a bad actor gets in the room and has access to data, then that's where zero trust ends. And then you talked about these legacy systems. Both of those things, I guess, lead us to another myth that we've run into, and we're running into this now in the States, and I think, Chris, correct me if I'm wrong, but you are as well. Is that if you have a zero trust architecture in place, which, by the way, a lot of people think zero trust is just having access management in place, right? So if you have a zero trust architecture in place, then you don't need cross domain systems. And so is that right, Chris? Are you running into that myth in Australia?

Chris Rule: Yeah, look, we are. There's a general observation, I think, that people interpret a zero trust approach,
a zero trust architecture, as all about being able to validate every entity on the network, whether it's a document, a person, a laptop computer, a piece of operational technology. If I'm validating who they are, where they are, and the circumstances in which they're accessing the network, I know what they can access and what they can't access, and therefore I have the luxury of not having to secure the boundaries of my network. The challenge, I think, of course, is, and Michael could talk about this more elaborately, that's actually at odds with the zero trust approach. But also it's thinking that leads you down the path of trying to boil the ocean, to ensure that every part of your network, and every part of the network that you control that wants to connect to other networks, is covered by this approach. It's almost unachievable. And so the principle of segmentation and boundary management, as I call it, remains key, and I'm sure Michael would offer that in fact that level of boundary management is what makes zero trust possible for any particular enterprise.

Ford, Carolyn: Talk about this myth about not needing cross domain if you have zero trust architecture in place. 'Cause I'm just gonna put it out there: I don't think you can have a true zero trust architecture unless you have cross domain. But you could argue that point.

Blake, Michael: Remember the premise of zero trust. The reason that you don't trust anything is because you assume the malicious actor is present. And so if that's not the mentality and you're looking at it as though you're getting back to, I'm gonna implicitly trust people... So the whole idea is there is no implicit trust. Everything is explicit, and so you not only control access, but you need to really think about what could a malicious actor do once they had access to the information or the resource. And that is kind of the, you know, the piece where cyber does come in. The modernization problem, right?
Figuring out what you can afford, you can bound that. You can say, OK, I'm going to build a zero trust architecture around these key pieces of my enterprise, and I can put the behavior analytics and all that kind of stuff inside there, and I can have a really robust security posture. But on that boundary with everything else, the legacy networks and my external companies that have interfaced with, maybe users have bring your own device, you know, they're running applications for work on their phone, those kinds of things that are outside of your managed devices that you have modernized, you just assume that there's gonna be a persistent threat there, and that's when it becomes key to inspect the data that goes in and out of the network. Number one, what's coming in, making sure that those malware threats are not there, and the data going out, making sure that you're sharing only the data that you need to be sharing. And part of that is gonna be, you know, tagging all of that data, making sure you have the appropriate data tags, so that when information does leave the enterprise you can make a decision whether or not it should leave, and that is a pretty hefty lift.

Blake, Michael: Even the DoD, you know, they have some networks with 5 to 10 year retention policies for information. So a tremendous amount of data is already out there on those classified networks. It's all marked at the level of the network, almost all of it, and so even though it may be a lunch menu, because it's on that network, it's marked top secret. Umm, so it's a real, kind of significant problem. There's just literally so much data out there that by the time they get it labeled, it'll be irrelevant.

Ford, Carolyn: So the cross domain helps with knowing what's going in and out, right? Policing that. Is there a play there for data tagging? I don't think so.

Blake, Michael: Yeah.
So if you're coming up, a lot of times in the zero trust architectures, you have your segments of your network and particular data gets tagged and it can go to that particular network segment. If it's coming from a large pool of data that's on, instead of a data centric network, a network centric network, so all the data's kind of at the same label, you can put some business logic into the CDS to make some decisions and put labels on data that otherwise wouldn't have been labeled. So it's kind of like just in time labeling instead of investing a significant amount in labeling data that you may never need or request.

Ford, Carolyn: OK. Yeah. OK. That makes sense. I hadn't thought about that. I can't think of any organization or agency that's starting their zero trust journey with a clean slate, like building their network from the ground up. They all have the legacy systems that you're talking about, like some with decades of legacy systems. Talk about what that looks like and how, Michael, these agencies are handling implementing zero trust.

Blake, Michael: Yeah, definitely. Large efforts to get to zero trust, because again, there are some pretty significant benefits of having zero trust implemented. When it comes to actually going to a program and telling them that they're gonna have to implement all of the zero trust into their business operations, it can be quite disruptive, and so many of them are applying for waivers. They're saying, yes, we know we need to be zero trust compliant. Yes, we understand that we've got to take certain steps, but we just can't tolerate a significant disruption in what we're doing. And so then it comes back to, well, what can you do? What can you scope in? What can you manage? What steps can you take today? And then they ask for a plan of action and milestones. So when are you gonna start doing those key things and by what date? So you can't just say, I can't get to it right now.
You have to have a plan in place, and that plan can change. They push it out another year every year, right? But it is a logistical challenge. It is a sustainment challenge. The human capital of skill sets that you need to manage, and even if you have an external company come in and implement the, you know, dozens of products to get you zero trust compliant, that company leaves, that set of integrators. Now you need people inside to troubleshoot the network and maintain that huge zero trust infrastructure stack of products. That is a pretty significant skill set. It's very broad, and it's not gonna be one or two people. It's gonna be a team of people maintaining that suite of products.

Ford, Carolyn: Have you worked on an implementation that you can share, like an example of where you've seen this take place?

Blake, Michael: Yeah. So, like, looking at INDOPACOM, looking at their MPE environment that they're standing up there, it worked pretty, pretty well to implement a lot of the zero trust pieces, especially related to microsegmentation and access control. But it's really, you walk in the data center and it's the new things that have been brought in that are zero trust compliant, right? So, oh, here's our, you know, 3 racks of equipment that we just got in and we had all the engineers here and we built it out, and those stacks of equipment, they've got zero trust in that kind of bubble. But it's not like it can infect in, you know, sanitize the entire data center because you've got that rack of equipment there. So there's lots and lots and lots of racks of equipment that they use for missions that have been there for 20, 30, forty years. I had one man that was at a conference talking about it and he said, you know, I can literally hear the relays clicking inside some of this equipment. That's how old it is. So from the 60s you've got this, you know, mechanical relays.
Ford, Carolyn: These dinosaur boxes, cross domain can still work on them, and can still isolate?

Blake, Michael: Well, you just, again, the role of the cross domain appliance is to inspect the data to make sure that it's good. So that's number one. Is it properly formatted data? Is the data in the ranges that I expect? So if there is a malicious actor out there trying to manipulate data and, you know, poison your AI or something like that, you can take some steps as the data comes in and verify and stop it before it even makes it to those applications.

Ford, Carolyn: Yeah. So the old boxes don't matter. Those old guys, that's fine.

Blake, Michael: You're gonna arrive at a false sense of security. You assume that zero trust is gonna make you safe. The mindset has to be there is a persistent threat out there. The companies, they're huge profit centers for the, you know, different countries that they work in, and so there are like 14,500 companies now. It's not a 16 year old in their basement with a hoodie on, you know, listening to Depeche Mode. You know, it's a graduate team at a university sponsored by, you know, their senior project is to try to break into an Air Force site. So it's a completely different scale and a skill set of what's being done out there, and the countermeasures of that. It's gonna be really hard to necessarily anticipate everything that they're gonna do, but if you can inspect all the data as it comes in and out and at least get that piece of it there, you're gonna stop a lot of things that they could potentially do.

Ford, Carolyn: How similar is the situation that Michael's just talking about, especially with the legacy systems, Chris, in Australia?

Chris Rule: You'd be pleased to know it feels almost identical. And so if one was to look into the federal government sector in Australia, we focus in on the Department of Defense. The legacy environment is really comprised at the highest level of three independent,
separated networks: a top secret network for the nation's crown jewels; a secret network where all defense, a lot of defense commercial, a lot of defense operational data is kept; and an Internet facing network for day-to-day business. Those networks have been generated over 30 years. They're the product of a convergence of a range of discrete networks that have been set up by agencies inside defense. It traverses traditional IT, on-prem IT, cloud based IT, with a lot of operational technology within those networks, in particular on the Internet facing network, and so all the problems that Mike's highlighted are echoed in Australia, and it's a real, it's a live issue. So if one looks at the Australian defence, the forecast programme of records for updating defence capability, at the forefront are our information technologies and cybersecurity uplifts. So each of those three networks I spoke to are going through or about to start a major generational uplift as we speak. They're gonna be cloud based, hyperscaled instantiations of those networks, and in the deployable environment, the field environment at sea, in the air and on the land, we're seeing major uplifts in the deployable network infrastructure. And in speaking to program managers and executives associated with all of those programs that are underway, zero trust is at the center of their thinking, and I think the specialists are alert to the challenges that Michael's talking about, that it is not a simple uplift. It's going to be complicated, and the boundary management and cross domain are going to be key attributes of any final solution.

Ford, Carolyn: It's a really mammoth undertaking. And Michael, I think I heard you say this, correct me if I'm wrong, but with the INDOPACOM situation, the way they're tackling this mammoth undertaking is one bite at a time and using micro segmentation to, you know, do it one piece at a time. Is that fair? OK.

Blake, Michael: Yeah, they're, they're... it really is modernization.
So they bring new capabilities, and they kinda said, you know, if you're gonna bring something new into the data center, then that has to be part of the zero trust architecture that we're gonna be implementing, right? So it's really combining modernization with that hardening.

Ford, Carolyn: OK. And am I mixing things up when I say they're using micro segmentation to apply a zero trust architecture to this piece of it? Am I confusing things?

Blake, Michael: It's working with our foreign partners. And so inside their multi partner environment, you can think of each foreign partner having their own network segment, right? So I've got my network broken up kind of by country, and inside each one of those I have different services that are offered that are on their own particular little pieces. So, you know, the video conferencing system, for example, doesn't need to talk to the storage system. So you would say there's no reason to have those two on the same VLAN. So that's the kind of thought process that comes in. So as they build out their capabilities, it's really kind of bringing them in from that understanding that I'm gonna try and minimize interaction and isolate things as much as possible. That's much easier to do with those new capabilities that you're bringing in there. And then the concept of a national gateway is, you know, we have control of a certain aspect of that, but when we want to connect that foreign country into our MPE environment, at that boundary we need a CDS, because we don't know what the cyber hygiene or the technical maturity level of their zero trust implementation is. And so we really want to share information and we have to collaborate, but we need to be smart about how we do that. And that's where the cross domain technology definitely comes into play.

Ford, Carolyn: OK. So when we're talking about micro segmentation, it's a big part of zero trust. But are there pitfalls that people need to be aware of?

Blake, Michael: Yeah.
So, you know, breaking everything up into independent networks, different IP space, if you follow the DoD standards, every country would be given its own IP subnet, which means that you have a router in between all those with a firewall. You have different security certificates that you issue out there, and so when it comes, if you have a problem that you need to troubleshoot between those network segments and the different services, you're not gonna be able to just go one place and find all the information of how things work. So log aggregation is really what you need to do. You need to take all the logs from all the different pieces there and feed them into one central log repository. Typically that's a defensive cyber operations or a SOC, you know, there's different terms for that. But what that does is, by creating this touchpoint where the logging system now touches every microsegment, you created a new attack vector. If the adversary can get onto the logging network, then they can take over the entire network, and that blast radius just became the entire network. So that's where Owl's technology is used in a lot of the DoD enterprise and commercially, to isolate those networks that collect the logs, so that when you do have your micro segmentation and you aggregate all that, if the malware gets into one of your network segments and it gets into the logging network, it can't move across the network to all the other micro segments. So we typically have our diodes deployed so that the logging information goes from the services in the micro segment into that log aggregation area. Now you can do your continuous monitoring, which is a big part of zero trust. I can use my SIEM tools. So the SOAR is kind of the more advanced part of that, so the security orchestration: maybe my Splunk dashboard is gonna set up some alerts. The AI that's monitoring the normal business operations can look at patterns and identify some anomalies, and then, based on those,
if, once proven out, take some proactive steps that don't necessarily need to immediately have a person in the loop, but can alert: hey, I'm gonna isolate this section of the network. I'm gonna tell the firewall to close all the ports. I'm gonna tell the router not to route any information out of there and completely contain that area that is potentially contaminated.

Ford, Carolyn: What about zero trust at the tactical edge? I mean, you've got people, you've got machines, you've got dispersed networks over, like, really far apart too, and, you know, different partners trying to talk to each other. So they all need to share data. They all need to talk. How does zero trust work there?

Blake, Michael: There are definitely more challenges at the edge, especially when you're not in peacetime. Generally the thoughts are that the first volley of any attack is going to be a cyber attack, right? It's frankly the fastest way to just be disruptive, and, you know, you're literally travelling at the speed of light across wires, you know, under... and fiber cables under ocean. So, you know, you'll think about continuous authentication. Generally you want a nice enterprise centralized authentication and authorization system, with services for authentication and authorization that are not at the edge, but actually back at a hosted data center. For continuity of operations, if that gets severed, you still need to be able to use those systems that are there. And if you can't authenticate, then you're denied access to everybody. So there is a lot of thought into caching that information: how long can you survive with that disconnection? And then if it really is the kind of first wave of a kinetic attack, most likely that's going to be an extended disconnect. Do I have break glass accounts? Is there a way where I can actually say, you know, I recognize that the threat is there and I'm going to have to live with it? I'm going to have to open up some of these locks,
take my security posture and take some of those risks, because I need to use what's there and I can't isolate myself from it.

Ford, Carolyn: Chris, what are you seeing in Australia as far as trying to apply zero trust architecture at the tactical edge?

Chris Rule: And we're certainly seeing program managers and those folks responsible for acquiring, you know, defining their requirements for deployable networking, talking zero trust, and I think Michael touched on a few really good points here. To me, it's the diversity in devices that you want to connect, the diversity of people and the circumstances that they are in that you want to connect, make it more and more complex for you to be confident in your zero trust implementation across the enterprise. That reinforces for me, I guess, two things. One, just from a cost management point of view and a risk management point of view, you've got to focus on your crown jewels. Don't try and secure everything when you simply don't have the time or the resources to do so effectively. And again, that draws me back into my thinking around segmentation and bounding where you try to apply the zero trust architecture. But autonomous systems, remote systems, international partnerships all increase complexity, and reinforce, I think, the point Mark's been making about segmentation and boundaries.

Ford, Carolyn: And I'm just thinking about, if we don't want to say that cross domain is part of your zero trust architecture, then I still want to say it, but if you're practicing this defense in depth, and especially at the tactical edge, zero trust, it feels like it's not enough. You've got to do the segmentation with the cross domain.

Blake, Michael: In the Department of War Zero Trust Reference Architecture, they talk about not...
Blake, Michael They don't specifically call out a CDS, but much of what a CDS does they talk about in the gateway and broker that sits between the segments, and the job of that is to terminate, inspect, to validate all the information that goes between the microsegments. So it's not just that there's a firewall there, but there is actual inspection of the information that's being exchanged to make sure that it meets what we understand to be known good data and good requests. And that is kind of, if you follow it, to the next generation firewall with a Splunk instance doing the continuous monitoring, with a gateway that's inspecting all the data that's being exchanged. So it's not just at the boundary of the zero trust architecture that you've built interfacing with the outside world that maybe doesn't have zero trust, but even internally, depending on perceived risk, you may want to have that deep content inspection and data validation just between the pieces inside the network, because again data corruption and malicious kind of activity can be an internal actor to the company. Disgruntled employee. Those kinds of things are not going to be stopped by zero trust, and the consequence of it can be pretty severe. So you want to be able to make sure that for those crown jewels you are validating the data that's coming in and out of there and thinking about what could a malicious actor do? Am I taking steps to try and mitigate those things that a malicious actor could do?
Ford, Carolyn So what about AI? We have to talk about AI for a minute. So we've got these autonomous systems, we've got AI coming online. They're becoming more integrated with these critical networks. What kind of complexities is that introducing for a zero trust architecture?
Blake, Michael I think AI really needs to be treated like a person when it comes to giving it access to information.
You still need to be concerned about what data it's aggregating, because depending on if it's a large language model that people can ask questions, they might be able to construct a question that gives them access to information that they otherwise wouldn't have access to. So it can definitely rapidly consume information and condense it. But when you're looking at least privilege and the ability to commit fraud or things like that, you really need to start looking at, and I think this is where some of the AI agent kind of thought process that brought those things about is, instead of having one AI that does everything, have particular instances of AI agents that are more specific, and then you can kind of bound the information that that piece has access to and what rights it has on your network.
Ford, Carolyn So you're segmenting the AI's ability to move laterally through the systems, OK. All right. Well, we're bumping up against time, but I love a good list. So I want to know, Michael, if you can end with like 5 concrete steps that leaders can take today to start their zero trust journey.
Blake, Michael So the very first step is just to identify what's on your network. I think that there's a lot of shadow IT, is often the term that's used with it. It can be very helpful and get things done quickly in a small company where people will just, you know, stop on the way to work and stop at Best Buy and pick up some infrastructure for the office, and they bring it in and it stays there for 15 years. And a lot of times that isn't catalogued or indexed, or tracked or sustained. And so there's a first big step of just figuring out what is on your network. What are the things that are there? Do you actually know everything that is on your network?
Ford, Carolyn Honestly, Michael, that's making me tired. That sounds like that could take years. I mean, I don't even know what's in my cupboards. How do you?
Blake, Michael Yeah, there are. There are. There are companies that do.
Offer that as a part of the zero trust stack, right? They.
Ford, Carolyn Like observability, like a Datadog or a Dynatrace.
Blake, Michael Yeah, it'll go out and try to catalog everything that's on the network. What I've seen kind of that comes out of that is when you find pieces of equipment that nobody knew about, then you've got to make the decision: do I replace it? If it's multiple organizations involved, there's a lot of finger pointing going around because they didn't plan for it. They didn't budget. So there really has to be some C-suite kind of governance that comes down and just kind of.
Ford, Carolyn We're gonna have our own show just for that one.
Blake, Michael OK. Yep. So once you do that, then the second thing you need to do is, yes, next is figure out, you know.
Ford, Carolyn OK. So inventory is one. Now what's next?
Blake, Michael Taking a step back from that, I'm inside the network. I'm plugged into the office. You know, minimizing the blast radius by figuring out what things actually need to talk to each other and making a plan for segmentation. If you don't know what the things are on your network from an application standpoint or a data standpoint, and the interactions between all of those different pieces, then it's going to be really hard to have a plan for micro segmentation. So that's the second part of it, is the planning and the isolation and activities in your network. Once you've done that, the data validation piece of it, the cyber piece of it, comes in along with your starting to implement multi factor authentication, things like that. Are you separating people on your identity management, your access management, based on their roles? A lot of times, you know, you can put a lot of information in your Active Directory tree, but it's got to be populated, and so as people have moved around jobs in the company.
A lot of times they'll move departments that are somewhat related, that are supposed to be isolated, and they carry along their privileges, right. So there's another step of, if my network's been out there for a while and I've got, you know, a lot of people typically have moved around. And this is again something we should be doing anyway. Go back and look through the data, right? So the people in the different departments that they're in, and verify that they only have the rights that they need and that they haven't over time, just by reorgs or whatever have happened, you know, accumulated extra privileges that they don't really need anymore.
Ford, Carolyn So role based management.
Blake, Michael Yeah. And validation of that, that creep of privilege over time.
Ford, Carolyn OK.
Blake, Michael Then the, then the kind of the next piece of that as you're getting more mature is kind of budgeting. So now I've got a plan for my micro segmentation. I've got my devices identified. I've got to look at what can actually run some of these monitoring agents to determine that it's in a good state. Probably gonna find some stuff that's completely end of life, end of service, and you're gonna have to replace it. So there's what can we do and what should we do, right? Those aren't the same thing. And you don't want to spend a lot of money and have a partial implementation that doesn't get you the security that you were hoping for. You really wanna try and say, hey, well, this is my budget. Here's what I'm trying to protect. Try to come up with a schedule and a cost estimate and make sure that that is something in a business that you're able to do. In an upfront cost, you're able to absorb the resources to staff it and the skill sets in the company. Are you going to be able to do it with the people you have there, or are you going to have to bring in some outside help to get you across the finish line with that?
Ford, Carolyn Are we to our, did we get 4? So we got 2.
I got role based management. We're gonna budget. And then what was my last one? Or was the budget my last one?
Blake, Michael Then there's, yeah, the very last piece is the human capital piece, right?
Ford, Carolyn OK. That's right, because zero trust, like, there's a lot of skill sets involved. Like you've talked about, the US government talks about, like, zero trust in a box, and you shared with me that it's 35 different tools.
Blake, Michael Vendors, yes.
Ford, Carolyn Different vendors, different skill sets. So the human capital piece here is huge, OK.
Blake, Michael Yeah. So once you've looked at that plan, it might be that that's when you go to a Dell or somebody like that and you say, you know, this is just too much for us as an enterprise to take on, as a company to take on, and consider those four service providers that will do that for you.
Ford, Carolyn So you guys, we're really running up against time. Can I keep you a few minutes past the hour?
Ford, Carolyn Are we good? OK, because the tech talk questions are my favorite part of the show. And I know it's gonna take longer. So these are just gut reactions. And I'm gonna, we'll bounce between the two of you who has to answer first. So, Chris, what's the weirdest legacy system that you've seen still connected to a network?
Chris Rule I'm not sure whether the devices I'm thinking about are really weird, but it's happened a few times, both in my past as a military officer and in an organization running a lot of OT. And that was finding Windows XP devices and Windows 98 devices still connected into a range of military applications and a range of factories running OT. And in both cases, no organization wanted to move them out because they did a discrete job. It worked and no one wanted to touch them. Also, the number of applications that we keep coming across that are written in C. Harder and harder to find software engineers and programmers to maintain that product.
Ford, Carolyn OK, Michael. What about you?
Blake, Michael I think mine was in the finance. I worked at a university finance department and there was a computer that sat in the corner. It was an interface to the state baking system.
Ford, Carolyn Wait, what? Like as in cooking?
Blake, Michael Banking.
Ford, Carolyn Baking, banking. Banking.
Blake, Michael The banking, yeah. And so again, it worked. Nobody really knew what it did or how it did it, but that's how money moved around. And they were afraid to death to touch it.
Ford, Carolyn Oh. Oh my gosh.
Blake, Michael And so it was actually my job to try to nurse it along when things broke. And so when you took the case off the top of it, there were literally wires where they had electronics. They call it blue wiring, but they weren't blue. They were different colored wires where there was a problem with the board layout, and before it shipped from the factory they had soldered wires to fix the problems on the PCB because it was a really, really old first run computer, right? And so you look at that and you think, my goodness, you know, if that dies, we're really in trouble.
Ford, Carolyn Yeah. The world ends. That's right. All right, Chris, what's a cybersecurity myth you'd like to delete forever?
Chris Rule I've thought about a few of these over the years. The one that I keep landing on is the myth that my standalone computer, my standalone network, my disconnected piece of factory equipment can't be hacked. My experience is that those disconnected computers or devices probably aren't. Most of these devices are either connected and nobody knows about it, or they're connected intermittently and exposed as much as any other network.
Ford, Carolyn Well, I'm gonna continue to love my personal myth that my iPhone can't be hacked. I'm sticking with what I need. I need that, you guys, so.
Ford, Carolyn Michael, what about you?
Blake, Michael I think I said this before in one of our other, misconceptions is that people assume that if they're working from home over the VPN that they're secure. I think that VPNs definitely protect data in transit, but they provide a level of confidentiality that will also hide bad content the same as it will hide good content. So in some ways, a VPN can protect you from a confidentiality standpoint, but from a cyber standpoint, there really isn't any significant protection from today's threats that a VPN offers you.
Ford, Carolyn Yeah, I don't. I don't want to know that. I'm, yes, it can.
Chris Rule I'm relying on it.
Ford, Carolyn It can protect me. OK guys. Chris, I'm gonna have you do this one first again. You wake up in a dystopian future where your digital identity has been stolen and repurposed as an AI assistant for an evil empire. What's your first move to reclaim it? And who or what do you recruit to help?
Chris Rule OK. I'm not sure I'd characterize this as a fun question, Carolyn, but hey, I'm gonna. I'm gonna make the assumption that my stolen digital twin, if you like, is speaking to the user of the AI assistant with their, with my normal voice. And so I'm gonna hope that the evil empire was anticipating that the vast majority of identities that they were sourcing were from the United States and, as such, they are not expecting an AI assistant with a harsh Australian accent.
Ford, Carolyn And they just can't understand you.
Chris Rule Yeah. So my first step will be to speak quickly, and then my second step will be to use Australian vernacular to confuse and bewilder listeners. In short, I'm going to try and make it too difficult to work with, and so I'll be set aside in favour of more useful AI assistants. But to be fair, hope's not a plan. So the first person I'll be calling is Michael, whom I've called to get me out of all sorts of IT related jams.
Ford, Carolyn Yeah, that's who I would call first too.
Michael, what about you? What would your plan be?
Blake, Michael Well, I think, you know, identity management, from the technology standpoint, it is typically done with PKI today, right? Which is, which is annoying, difficult. Users don't like it. As identity becomes harder and harder to prove, exactly what you're talking about, right? Creating virtual presence that isn't what it appears to be is going to be commonplace. I think people will create their own personas, their own avatars, because it'll be so easy. So given that, I think what is gonna happen is it's gonna make us really do the important stuff in person, because that's the only way you're gonna know for sure that you have authentic interaction.
Ford, Carolyn Yeah, I saw today a colleague shared with me her digital twin, and she pulled it up on the screen and I said, which one is you and which one is the digital twin? Now, when the digital twin started talking, I could tell it was still a little bit glitchy, but next week that will be gone and I would not be able to tell.
Ford, Carolyn Which, if it's really her, or if, you know, am I, is it really you guys? Are you guys really talking to me right now?
Chris Rule That's the obvious next question.
Ford, Carolyn Right. All right, Chris, as organizations are trying to navigate this zero trust implementation, where can they reach you?
Chris Rule Sure. Well, you can reach me on LinkedIn, but equally you can, we can link up via the GME website. So gme.net.au in Australia, and there's a nice conduit there as well to both me and our cyber defence colleagues.
Ford, Carolyn Michael, how about you?
Blake, Michael Yeah, I'm on LinkedIn as well. And you'll find me on the Owl Cyber Defense website as well.
Ford, Carolyn All right. Well, thank you both for this conversation today. You, Chris, early in the morning, you late at night, Michael. Thank you for making it work.
Chris Rule Around the world. Thank you.
Ford, Carolyn All right.
And thank you, listeners, for joining in. Please share this episode. Please give us a review. It helps us reach people that can benefit from this content. Smash that like button. Tech Transforms is produced by Show and Tell. Until next time, stay curious and keep imagining the future.