The hard thing about Zero Trust

A conversation with Nicole Perlroth, Ted Schlein, and Tarun Thakur

I recently got a chance to moderate a panel with three cybersecurity experts, and there was one question on my mind: why are companies struggling to execute on zero trust strategies? It was a good conversation. Though our panelists came with diverse perspectives, we concluded that the hard thing about zero trust is the challenge of “identity.” That is to say, no organization has been able to answer the critical question of who can access what data.

Our panel included Nicole Perlroth, former lead cybersecurity reporter for The New York Times for a decade. She’s also the author of “This Is How They Tell Me The World Ends”. In our discussion, Nicole spoke about the challenge of controlling access in an era where “every employee is their own CIO.” Organizations struggle to know which SaaS apps or data a given employee is using. She also dug into how 2017’s NotPetya attack forced companies to reevaluate how they thought about access to their most critical data assets and processes—the “crown jewels”. Companies may have systems to list all the employee identities and assign them to groups and apps, but they are simply unprepared to say which of those identities can access sensitive data. She shared how Colonial Pipeline was a wake-up call for the entire cybersecurity industry because of a problem with identity: an ex-employee still had access to critical systems, and an attacker exploited that to effectively shut down half of US energy systems.

Nicole Perlroth on how the NotPetya attack of 2017 changed how organizations think about their “crown jewels”

Our group also included cybersecurity investor Ted Schlein, Chairman and General Partner of Ballistic Ventures and General Partner at Kleiner Perkins (he was also the Founder/CEO of Fortify Software). Ted gave us a candy-based metaphor of “M&Ms” for zero trust. In the old world, the model was to put a hard shell (perimeter) around a soft center (data). That was plain M&Ms. But now, with the movement of data and workloads to the cloud, that perimeter became porous, and security professionals needed to harden the center. So, now it’s more like peanut M&Ms. Ted described the permissions to access specific data in a system as “authorities”, explaining that companies will need technologies (like Veza) to automate the hard work of managing those authorities. Ted is betting on “Zero Trust Authority” as a core theme in his new investments and believes that authorization is the next frontier in security.

Ted Schlein: “Why hack in when you can log in?”

Tarun Thakur, Veza’s Co-Founder and CEO, joined the discussion as well. Agreeing with Nicole and Ted, Tarun explained that Veza was founded in response to these challenges. In his words, “it’s time for identity’s second act. Veza was founded on the insight that the modern IT landscape has brought a proliferation of Role Based Access Control (RBAC).” Each system has a unique RBAC model. Tarun described Veza’s opportunity as normalizing RBAC and building a control plane for access to every SaaS app, database, and cloud IAM system. “By creating a standard language as part of an Authorization Graph,” said Tarun, “Veza is helping companies automate the work of maintaining Least Privilege.” Typical use cases are privileged identity access, SaaS posture, unstructured data access, and access review automation.

Tarun Thakur on the challenges of RBAC at scale
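To make the idea concrete, here is a small worked example of what “normalizing RBAC into an authorization graph” looks like in code. It is an illustration added for this post, not Veza’s product or its data model. It takes three constructed inputs with different permission vocabularies (a SaaS app’s user-to-role mapping, a database’s GRANT rows plus role membership, and a cloud IAM policy list), maps each system’s privileges onto a shared read/write/admin scale, and then answers the two questions the panel kept returning to: who can access a given resource, and which identities still hold access after they have left the company. All names, resources, and the HR active list are assumptions made up for the example.

```python
"""Toy authorization graph: normalize per-system RBAC into one edge set and
answer "who can access what". All data below is constructed for illustration."""
from collections import defaultdict

# --- Constructed sample inputs, one per system type (assumed, not real data) ---

# SaaS app: user -> roles, role -> (resource, permission in the app's own words)
SAAS_USER_ROLES = {"alice": ["admin"], "bob": ["viewer"], "carol": ["viewer"]}
SAAS_ROLE_PERMS = {
    "admin": [("saas:customer_records", "write")],
    "viewer": [("saas:customer_records", "read")],
}

# Database: GRANT statements flattened to (grantee_role, privilege, table),
# plus which users are members of each database role
DB_GRANTS = [("analyst", "SELECT", "db.payroll"), ("dba", "ALL", "db.payroll")]
DB_ROLE_MEMBERS = {"analyst": ["bob", "dave"], "dba": ["alice"]}

# Cloud IAM: principal -> list of (action, resource)
IAM_POLICIES = {
    "dave": [("s3:GetObject", "s3://backups/*")],
    "alice": [("s3:*", "s3://backups/*")],
}

# The "standard language": every system's privilege maps onto one scale
PERM_MAP = {
    "read": "read", "write": "write",          # SaaS vocabulary
    "SELECT": "read", "ALL": "admin",          # database vocabulary
    "s3:GetObject": "read", "s3:*": "admin",   # cloud IAM vocabulary
}
PERM_RANK = {"read": 1, "write": 2, "admin": 3}

# HR / IdP list of people who currently work here (assumed); note carol is absent
ACTIVE_IDENTITIES = {"alice", "bob", "dave"}


def build_graph():
    """Return edges identity -> {(resource, normalized_permission, via)}.
    'via' records the role or policy that granted the edge, so a reviewer can
    trace any access back to the system that produced it."""
    edges = defaultdict(set)
    for user, roles in SAAS_USER_ROLES.items():
        for role in roles:
            for resource, perm in SAAS_ROLE_PERMS[role]:
                edges[user].add((resource, PERM_MAP[perm], f"saas:{role}"))
    for role, privilege, table in DB_GRANTS:
        for user in DB_ROLE_MEMBERS.get(role, []):
            edges[user].add((table, PERM_MAP[privilege], f"db:{role}"))
    for principal, statements in IAM_POLICIES.items():
        for action, resource in statements:
            edges[principal].add((resource, PERM_MAP[action], "iam:policy"))
    return edges


def who_can_access(graph, resource, minimum="read"):
    """Identities holding at least `minimum` permission on `resource`."""
    return sorted({
        user for user, edges in graph.items()
        for res, perm, _ in edges
        if res == resource and PERM_RANK[perm] >= PERM_RANK[minimum]
    })


def effective_access(graph, identity):
    """Everything one identity can reach, across every connected system."""
    return sorted({(res, perm) for res, perm, _ in graph.get(identity, ())})


def stale_access(graph, active_identities):
    """Identities that still hold access but are not on the active HR/IdP list:
    the offboarding gap the panel described."""
    return {
        user: sorted({res for res, _, _ in edges})
        for user, edges in graph.items()
        if user not in active_identities
    }


if __name__ == "__main__":
    graph = build_graph()
    print("can read db.payroll:", who_can_access(graph, "db.payroll"))
    print("can write db.payroll:", who_can_access(graph, "db.payroll", "write"))
    print("alice can reach:", effective_access(graph, "alice"))
    print("stale access:", stale_access(graph, ACTIVE_IDENTITIES))
```

The useful part is not the graph itself but the `PERM_MAP` step: once every system’s privileges are expressed on one scale, questions like “who can write payroll data?” or “who still has access but no longer works here?” become a single query instead of a per-system audit. A real deployment would ingest these inputs from each system’s API rather than from constants, and would keep the `via` field so that every access review can show which role or policy to revoke.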

Watch the full webinar here. We’d love for you to join the conversation.
