Engaging interview between 451 Research Principal Research Analyst Garrett Bekker III and Banyan Security CISO Den Jones exploring why some organizations fail to start their zero trust deployment despite their interest, getting executive sponsorship, the importance of the user experience, and the planned and unanticipated benefits of zero trust.
Garrett Bekker:
Hi, my name is Garrett Bekker, and I’m a principal research analyst at 451 Research, which is now a part of S&P Global Market Intelligence. And I’m very happy today to be joined by Mr. Den Jones who’s the chief security officer at Banyan Security. So thank you very much for joining us today, Den.
Den Jones:
Hey Garrett. Thanks for having me, great to be here.
Garrett Bekker:
Today, we’re gonna talk about a topic that’s been, uh, near and dear to my heart for the past few years, and it’s also gotten a lot of hype and, and buzz in the marketplace. And it’s the idea of zero trust. And, uh, one of the issues that I have is if you, you pull back the onion a little bit and you look at actual deployments, uh, versus interest levels, we’ve seen, I think about a year and a half ago, about 13% enterprise deployment.
Garrett Bekker:
And back in October, jump to 23%, which is great, but it’s still well below other things like firewalls and endpoint security. So I think it’s fair to say that zero trust has a little bit of a ways to go before it becomes mainstream. So that leads us into our first question for today. And that is basically, what are some of the obstacles and what are some of the reasons that deployments are lower and what do we need to do to sort of get things moving in the right direction?
Den Jones:
Yeah, that’s a great question, Garrett. I mean, there’s, there’s three things here, right? So the, the first thing is marketing. Um, everyone is marketing themselves as a zero trust vendor and zero trust means many things to different people because you’ve got all these different companies saying they do zero trust. So if you, if you read one company’s white paper on zero trust, you get one perspective and then you’ll get another from another company.
Den Jones:
Now that leads on to the next problem is really where do you start? Right? So it’s like, I, I don’t know where you start because everyone’s angle and the education that’s out there is so varied that no one really knows how to begin. And then the, the third piece is everybody makes it sound so complicated. They make it feel like it’s really hard to get going. Um, and, and, and it’s one of those never ending things.
Den Jones:
So if you’re ready to deploy a firewall, you know, there’s a start and end to deploying the firewall. Um, and then there’s operational life after that. But when you’re talking about something like zero trust, you’re trying to peel back that onion layer to what is it, where do I start? And, and then you get put off by this thing that seems to be so complicated. I was, I was fortunate in my last two companies before joining Banyan that we deployed in two large enterprise environments.
Den Jones:
And one was five months and one was seven months and that’s a combined 150,000 users. So I certainly have the experience to say it doesn’t have to be that complicated and it doesn’t have to be one of those never ending endeavors.
Garrett Bekker:
So would you say that the, the barriers are more technical or are political? Because, you know, you led some zero trust deployments at some big companies like Adobe and Cisco. And I guess, question in my mind is what are maybe the secret to getting executive buy-in and sponsorship at some of the, the senior levels of the corporation?
Den Jones:
Some of it’s very political. I mean, the, the way, the way that this is structured as, as a solution of an architecture, so you think of like zero trust. I think of it as, as a bit of an architecture, a bit of a strategy, but, but it’s one of those that blends between identity and networking. And the first thing when you’re trying to talk about getting some momentum in the company, especially in executive level, you’re trying to appeal to both of those teams that run those services and capabilities, as well as the security leader and the IT leader.
Den Jones:
So I spent a lot of my time in, in the previous efforts, working with our CIO and CSO just to ensure that the three of us would align on what the objectives are and what the outcomes would be. And I think this is the, the most important thing about any of these initiatives, is stray away from worrying about, is it called zero trust or not, and, and go directly to what are the outcomes I’m going to deliver and the business benefits.
Den Jones:
The minute we started to do that, then everybody was really excited by what we were gonna deliver, because they knew they could see it, touch it, feel it.
Garrett Bekker:
So what about somebody at a smaller firm say that maybe doesn’t have the same level of resources as an Adobe or a Cisco or, or a Google?
Den Jones:
Yeah, I mean, so provided they’ve got a team that runs the identity platform, a team that runs their existing VPN platform and then a team that does their endpoint management, endpoint security stuff, you’re really leveraging the exact same resources. I mean, one of the things that I continually tell people about is this isn’t necessarily a huge investment because you’re doing a lot of these things today with the people that you’ve already got in your organization. It’s really about bringing them together in a way to get some common outcomes.
Garrett Bekker:
Got it. And what would you say might be maybe some, some, I don’t know, quick wins or some common ground that you might find for somebody that’s looking to do one of these deployments?
Den Jones:
Yeah, I mean, I think the, the first thing is, is if you’re, if you look at just the, the way people log in for, traditionally in the identity industry, you’ve logged in with username and password, then, then over the years where we’re doing multifactor authentication, but we were never looking at the posture of the device. So a really good quick win is to actually say, hey, we’re gonna enforce some posture checking of devices and actually enable users to self remediate.
Den Jones:
So, so we, we would see thousands of devices posture improving really, really quickly and all because the users themselves were like, oh, I didn’t realize the firewall wasn’t enabled, or I didn’t realize this wasn’t done. And in some companies where they’re not fully MDM and forcing that configuration, it’s a really great way for users to self improve the security posture on all their devices.
Garrett Bekker:
Yeah, exactly. It’s not just about, it’s, you know, it’s not good enough to just authenticate the user, right? You also have to authenticate the device, so, uh, agree a 100%. Um, what might be maybe some unanticipated benefits of, of doing zero trust that maybe somebody might not think about or might there possibly be some happy surprises along the way?
Den Jones:
Yeah, we, we, so one thing I loved during our journeys in, in both companies was we removed the need to change passwords every 90 days. And when you do that, there’s a, there’s a bunch of great benefits. First of all, the user frustration drops because they’re not every 90 days, like spending 15 minutes trying to recover their first, you know, two or three devices. And then the other thing, but the biggest thing was the service desk ticket reduction.
Den Jones:
Password change related tickets are in the top 10 of all service desks and all enterprises. It’s really common across the industry. The minute you change from needing a p- a password change every 90 days to not, all of a sudden, you can see like 60 to 80% ticket reduction just on password related tickets. So that was really, really cool.
Garrett Bekker:
Interesting. Um, and what about user experience too? Because that’s something I’ve been harping on for the past couple years. Um, you know, why MFA adoption levels aren’t higher? I, I generally find the user experience is not very good. Um, what about, you know, the admin user experience or in, in a DevOps environment, what, how does that fit in and how important is that for making sure you get zero trust right?
Den Jones:
Yeah. Well, there’s, there’s three audiences, right? So first of all, we’ve gotta understand the audiences you’re working with. You’ve got end users where you might have thousands and thousands of them. You’ve got IT admins that manage and, and support the, the, the thing you’ve deployed and there’s few of them. But then you’ve got engineers who are building and developing, they help run your business.
Den Jones:
Almost all companies these days [inaudible 00:07:47] technology company because they all leverage automation and, and IT and technology to, to try and improve the cost of that operation. So ensuring, and this is the, the most important thing, our goal in this is just to enable all of these people to access their apps and services as seamlessly and frictionlessly as possible and in a secure way.
Den Jones:
So if you can enable someone to do DevOps and, you know, work on platforms and infrastructure and code without always getting bombarded with yet another security requirement and they can get straight to doing their business, the company will be more efficient. The users will be happy and you’ll see your profits go up.
Garrett Bekker:
Excellent. Uh, agree a 100%. Um, maybe one last one, this sound like a cliche a little bit, but to me, zero trust is, is, is really a journey, right? It’s, it’s, it’s not a discrete, you know, set and forget it kind of thing. I mean, would you agree that it’s more of a, a process and a journey?
Den Jones:
I, I would say anytime you’re delivering any service whatsoever, you’re always on a journey. There’s a thing called continual service improvement. So the reality for us in both, both our experience, uh, deployments was we were going from getting initial deployment with some basic posture checking, some basic, um, access for apps and services and, and then gradually improving and gradually adding more features and capabilities.
Den Jones:
Um, I always think about like a little bit more [inaudible 00:09:18] bang along the way. You really want to try and, and improve the experience along the way. You, but if you don’t start small and with a simple use case, then you kind of never get off the ground. Um, but what we done within five months in Cisco and seven months in Adobe was we managed to deliver that initial user experience with passwordless and without using a VPN to access apps and services, we done that in months, not years.
Den Jones:
And, you know, there’s a lot of executives out there that would love to finish a project before they retire. So if you wanna do that, then this is, this is, this could be the one for you.
Garrett Bekker:
Yeah. A, a 100%. And I, I think you mentioned earlier what, where, you know, you might start. For me, you know, identity has always been a critical part of zero trust. And if you can’t get the identity part right, you’re, you’re kind of doomed. So I think, I dunno if you agree, but I think that’s, that’s largely a good place to start as well.
Den Jones:
So I used to run the authentication service of both companies, I never asked anyone’s permission if they would like me to improve the authentication experience. It’s like, would you like to log in less? Didn’t seem like one of those questions you want to ask people.
Garrett Bekker:
Well, that was great, Den, and thanks for joining us. And also, thanks for everybody else out there for listening. Um, if anybody would like more information about Banyan Security or wants to contact Den, Den, how can they go about that?
Den Jones:
So our website is Banyansecurity.io. So it’s, it’s a great place to go and learn more about what we’re up to. And then the other thing is I, I, as a practitioner, would love to connect with anybody out there that wants to talk about things from security to zero trust. So easy, easy to email me, Den, at Banyansecurity.io or within the website, you’ll find the office hours listed.
Garrett Bekker:
Excellent. And if anybody would like to learn more about 451 Research or our views on the identity and access management world or zero trust, uh, you can, uh, certainly come to 451research.com. Thanks everybody.
Book Office Hours with Den Jones
If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.
Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.