Frankly Speaking, 3/10/20 -- Saying what you mean in security!
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, blockchain, and cloud.
I'm finally coming up for some air after RSA, which was pretty rough, and I feel like it gets rougher every year. I do want to congratulate my portfolio company, Soluble, for doing a great job at Launchpad! You can watch their pitch. I know I'm biased, but I think they are doing something pretty disruptive in the Kubernetes security and DevOps space.
Anyway, the good news is that I have a bunch of content for my newsletter given my recent frustrations at RSA.
LET'S BE FRANK
At RSA, I was on a panel where we discussed a variety of cloud-native security topics. One thing the panelists, who included Mario Duarte from Snowflake and Ely Kahn from AWS Security Hub, brought up is that security companies should really say what they mean and describe their products instead of using buzzwords. Buzzwords do help categorize a company, but they don't provide much meaningful information. In fact, nowadays buzzwords only create more confusion, because the trend is toward ever shorter ones.
The main example we discussed surrounded one of the main buzzwords of RSA: zero trust. What is zero trust? See how unhelpful this term is! The core idea behind zero trust is that we assume the network is malicious. For context, back in the early days of the internet and security, the best way to protect a company's infrastructure was to build a perimeter, and the company protected access to that perimeter with a firewall, an IDS, etc. You could get in by being physically on the network or by connecting over a VPN through the public internet. Once a user entered the perimeter, the user was trusted and all of his/her traffic on the network was trusted as well. However, that still left the possibility of insider threats.
But, thanks to Google's BeyondCorp efforts, we are moving toward a zero-trust world, which means that the network is considered malicious and is no longer trusted. What does this mean in practice? It means that when endpoints (and services, etc.) communicate with each other, each communication must be secured and explicitly allowed. To get there, you need strong endpoint protection and strong identity. As a result, identity and endpoint products have become increasingly popular. Also, insider threats can now be treated as regular threats, because we no longer assume anything is on the "inside" or the "outside." This has given rise to companies and products around SD-WAN that define a "private network" on top of the public internet. Also, managing identities and access to endpoints and services starts to matter a lot more, so we have to "clean up" our identity management, especially for critical assets.
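To make the contrast concrete, here is an added example (not from the newsletter or from any vendor) that puts the two access models side by side as policy functions. The corporate IP range, user names, device posture flag and resource ACL are all constructed for illustration; the point is that the perimeter model decides on network location alone, while the zero-trust model ignores location and requires a verified identity, a healthy endpoint and an explicit grant for the specific resource on every request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the address range that the old perimeter model treats as "inside".
CORP_NET = ip_network("10.0.0.0/8")

# Constructed authorization table: which verified identities may reach which resource.
ACL = {
    "payroll-db": {"alice"},
    "wiki": {"alice", "bob"},
}


@dataclass
class Request:
    src_ip: str                 # where the packet came from
    user: Optional[str]         # identity proven by an authenticated token, None if anonymous
    device_compliant: bool      # endpoint posture check (managed, patched, disk encrypted)
    resource: str               # the service or data store being accessed


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: anything already on the internal network is trusted,
    regardless of who is behind it or what state the device is in."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_allows(req: Request) -> bool:
    """Zero-trust model: network location carries no weight. Every request needs
    a verified identity, a compliant device and an explicit grant for this resource."""
    if req.user is None or not req.device_compliant:
        return False
    return req.user in ACL.get(req.resource, set())


def compare(req: Request) -> dict:
    """Evaluate one request under both models so the difference is visible."""
    return {"perimeter": perimeter_allows(req), "zero_trust": zero_trust_allows(req)}


if __name__ == "__main__":
    # An unauthenticated, unmanaged machine that happens to be on the LAN:
    # the perimeter lets it through, zero trust does not.
    print(compare(Request("10.1.2.3", None, False, "payroll-db")))
    # A known user on a compliant laptop connecting from a coffee shop:
    # the perimeter blocks it, zero trust allows it.
    print(compare(Request("203.0.113.5", "alice", True, "payroll-db")))
```

Note that the "insider" case above is the one the text describes: once location stops counting as evidence, an unauthenticated host on the LAN is evaluated exactly like any external one.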
Anyway, the point of this long post is partly to describe how I understand zero trust, and partly to show the subtleties that buzzwords cannot capture, which is exactly what confuses buyers. We just need to try harder as a security industry!