
🎧 #112: Demystifying 'Zero Trust'

“Complacency is no longer a viable option. If you're looking around and you're seeing your third parties getting carte blanche access to your networks inside of your building, it's time to do something about it. If you have open ports exposed to the public internet, it's time to do something about it. There's a better way to do it.”


—Jim Anthony

Welcome to Nexus, a newsletter and podcast for smart people applying smart building technology—hosted by James Dice. If you’re new to Nexus, you might want to start here.

The Nexus podcast (Apple | Spotify | YouTube | Other apps) is our chance to explore and learn with the brightest in our industry—together. The project is directly funded by listeners like you who have joined the Nexus Pro membership community.

You can join Nexus Pro to get a weekly-ish deep dive, access to the Nexus Vendor Landscape, and invites to exclusive events with a community of smart buildings nerds.

Episode 112 is a conversation with Richard Miller of Buildings IoT and Jim Anthony of Appgate on Zero Trust Architecture and Zero Trust Networks.

Summary

We talked about how building networks are built unsecurely today, why that must change moving forward, what Zero Trust means, example use cases for Zero Trust technology products, why Zero Trust means a lot more than just products, what to look for in a product, and how to make the transition to Zero Trust.

So without further ado, please enjoy the Nexus podcast with Richard Miller and Jim Anthony.

  1. Buildings IOT (1:09)
  2. Appgate (2:43)
  3. Podcast episode with Joe Gaspardone (6:33)
  4. Appgate SDP (18:57)
  5. The Catalyst Podcast with Shayle Kann (47:48)

You can find Richard and Jim on LinkedIn.

Enjoy!

Highlights

  • How were things done before Zero Trust (3:52)
  • Zero Trust architecture (8:31)
  • How this concept applies to who is taking responsibility (16:06)
  • Use cases for the end user (20:07)
  • Products that aren't really Zero Trust (25:37)
  • The Journey to Zero Trust (29:29)
  • Connecting ZTA back to the Horizontal Architecture (40:20)
  • Carveouts (44:03)

👋 That's all for this week. See you next Thursday!

Whenever you're ready, there are 3 ways Nexus Labs can help you:

1. Take our shortcut to learning the Smart Buildings industry here (300 students and counting)

2. Join our community of smart buildings nerds and gamechangers here (400 members and counting)

3. (NEW) Sponsor our newsletter & podcast & get 5k+ nerdy eyeballs and earholes on your brand, product, or business.


Music credit: Dream Big by Audiobinger—licensed under an Attribution-NonCommercial-ShareAlike License.

Full transcript

Note: transcript was created using an imperfect machine learning tool and lightly edited by a human (so you can get the gist). Please forgive errors!

[00:00:03] James Dice: Hello friends, welcome to the Nexus podcast. I'm your host, James Dice. Each week I fire questions at the leaders of the smart buildings industry to try to figure out where we're headed and how we can get there faster without all the marketing fluff. I'm pushing my learning to the limit. And I'm so glad to have you here following along.

[00:00:31] James Dice: This episode is a conversation with Richard Miller of Buildings IOT and Jim Anthony of Appgate on zero trust architecture and zero trust networks. We talked about how building networks are built unsecurely today, why that must change moving forward, what zero trust means, example use cases for zero trust technology products, why zero trust means a lot more than just those products,

what to look for in a product, and how to make the transition to zero trust. So without further ado, please [00:01:00] enjoy the Nexus podcast with Richard Miller and Jim Anthony. Welcome to the show, Rich. I'll start with you. Can you introduce yourself, please?

[00:01:06] Richard Miller: Certainly. Um, I'm Richard Miller. I'm with Buildings IOT. I've been with them since 2018, when they acquired my boutique managed services networking company.

[00:01:19] James Dice: Cool. Can you take us a little bit further back in your background?

[00:01:21] Richard Miller: Yeah, sure. Um, I went to a, uh, a very well known, uh, networking company or excuse me, networking, uh, school back before there was such a thing as an internet. And, um, essentially they taught you everything you needed to know about being a Novell certified engineer. And I was quickly scooped up by one of the leading companies in Alameda County.

And since then, um, I've focused on networking and security. Um, primarily routing, switching, uh, designing networks. And then I had a customer, uh, that was Buildings IOT, that we [00:02:00] were being brought in to help on, uh, operational technology networks, doing some cleanup when things didn't go so well. And we eventually decided that it was time to, to bring those forces together and allow us to, to really bring a professional team of network engineers and designers, uh, and hit those projects, you know?

From the, from the gate.

[00:02:25] James Dice: What was this company called? The one Buildings IOT acquired.

[00:02:28] Richard Miller: Um, it was previously known as Oni. That was the, the company that I...

[00:02:35] James Dice: Cool. Very cool. All right, Jim, how about you? Can you introduce yourself?

[00:02:37] Jim Anthony: Yeah, sure. Thanks for having us, James. I appreciate it. Uh, Jim Anthony, I work for Appgate.

I am the, uh, SVP of sales engineering. So I run the, uh, the technical geeks that work for the company. Uh, we help, uh, partners like Rich, um, integrate our product and our capabilities into what they're taking into the market. We also [00:03:00] sell directly to, uh, end customers and things like that.

[00:03:03] James Dice: Cool. Cool. And, and Appgate is not a name that a lot of people in this audience are gonna have heard of before.

I don't think, do you guys serve more than just buildings?

[00:03:13] Jim Anthony: Oh, we do. Yeah. We have a, uh, a zero trust, uh, network access solution that, uh, implements, uh, a lot of the principles of zero trust, uh, and least privilege access to networks, whether they're IOT devices, buildings, humans, other servers, applications.

Uh, if it's, if it generates network traffic and needs access to a, a destination in a data center or a cloud platform, we can control that access. That's what our solution actually does.

[00:03:44] James Dice: Cool. Okay. Yeah. And obviously we're gonna dig into that in much more detail, for everyone that didn't know what that meant. Um, so can we start with just kind of the old way things were done? So we're gonna talk about zero trust architectures. We're gonna talk a lot about [00:04:00] what you just said, but what would be the old way that things were done? And let's kind of zero in on buildings, right? We want to talk about mostly how, how networking is done in buildings.

Maybe Rich, you start. Um, how, what's the old way?

[00:04:15] Richard Miller: Um, you know, going back, I really was shocked at some of the things I saw, and that won't be any big surprise to the audience, I, I don't think. Um, primarily, you know, it, it's a very well-established fact that risks are, are created by lackadaisical, uh, administration.

And whether that be from the manufacturer or the engineer that was chosen to install a network or network devices or how they put it together. Maybe lack of budget, I think, is, is one thing we face a lot. Um, a lot of times those networks are simply kind of brought in as an afterthought, originally. That's changing a lot.

Um, and as I'm, as I'm sure [00:05:00] most people know, you know, in the last two or three years, the focus on security and architecture has really, really been, uh, started to step up. But as that relationship that I described evolved, um, it was really embraced by Buildings IOT, which is something I was very, very much gratified by.

I saw a real impact that, that exposure that we were able to make. Um, but you know, the typical problems, um, incorrect choice of, of equipment. Um, over provisioning where entire subnets are allowed to talk, uh, or in some cases, networks that have direct access in from the internet, uh, and, or transporting sensitive, critical data, uh, from, for the building, um, right across the internet in free, free and clear traffic, uh, free and clear passwords, uh, usernames, that kind of thing.

Or even building systems that, like I said, were exposed to the internet. And you still see a lot of that [00:06:00] today, but again, um, you know, don't get me wrong. We have some really well established, large customers that are doing a fantastic job. They have very well qualified, uh, IT teams, and I really enjoy working with them. And, and we get an opportunity a lot of times to step in and help someone, um, really beef up that infrastructure and make a lot of those good design choices.

Uh, and that's the part that's been, like I said, really gratifying. Yeah,

[00:06:28] James Dice: totally. Yeah. The buildings world. I mean, we've talked about this on the podcast before with, uh, Joe, other people as well, around just separate silos, each system in the building having separate unsecured, uncontrolled, unmanaged, uh, networks, you know, individual networks that are just not set up in a secure way because they weren't set up by people that really cared about that sort of thing.

Um, Jim, do you see that in other verticals as well, outside of buildings?

[00:06:57] Jim Anthony: Absolutely. I, I think, uh, [00:07:00] there's a lot of other places in the world where networks are deployed that run into the exact same problems that you, you just described in buildings. Um, there's a, there's sort of a competing requirement. If you think about it, uh, I need to put something in place that allows users to access an application or an IOT device to send data somewhere.

And of course it's gonna use a network. And so the network guy's philosophy has traditionally been, I don't want my network to ever go down. Right. So they're, they've got redundant this, and they've got multiple pathways, and, and the more technology you put into it, the more restrictions and the more things that could possibly go wrong are there. Right? And so, and all of a sudden along comes security saying, oh no, wait a minute, you guys gotta get this under control. Uh, so now you start to run into this problem, right? So defense in depth kind of became a thing and, you know, where do I do the encryption? Do I do it all the way to the destination?

Do I do it in the network path? Um, you know, how do I handle passwords and expirations? Uh, are passwords even [00:08:00] required? When, you know, when do I do that? So there's all kinds of things that come into play, but it's, it's this competing dichotomy of: yes, the network is required, so let's set it up so it never goes down.

And I don't have to get involved to make dynamic configuration changes to it. When somebody goes and spins up a new webcam, for example, uh, versus how do I make this thing secure so that not just anybody can access it and if they do get into it, they don't have access to everything else. That's on the same network.

Right. So you got those kind of problems that are floating around out there. Yeah.

[00:08:29] James Dice: Yeah, totally. All right. So let's dive into zero trust then. Um, well, for those of you that need a, like an intro to networking and buildings, we'll put links to those sorts of things, um, into the show notes, we're gonna, we're just gonna go right past it.

uh, and, and dive into zero trust architecture. And, and really, I'm excited for you guys to educate me because I've seen this term or acronym, depending on how it's presented, um, for, for many years now. I just have never really dug [00:09:00] into it. Um, and I'm excited to hear more about it. So what, what is it? Where can we start there?

[00:09:03] Jim Anthony: Yeah, maybe let me jump in and then, uh, maybe we can get Rich to apply it to, uh, the building concept, right? So just generically speaking, what is zero trust? Um, zero trust is really the idea that, uh, just because you know the device, just because you know the user, just because the traffic is coming from a known location, that it's trustworthy, that should be taken off the table.

Uh, you should not trust anything by default is what it really means. And so the first thing that people start to think about is, oh, okay, well, I've got, you know, I've got my password. My database is password protected. My applications all require logins and things like that. Well, that's, that's great.

That's a step in the right direction, but ask yourself the question. If I'm a user of a company and I go to work in a company office and I power up my laptop and connect to the network, do I just instantly have access to the network where the, where the servers [00:10:00] live, where the applications live? That's a violation of zero trust.

You've just been granted access to that data center network because you're in the corporate office. Well, what if somebody stole your badge and your laptop and they walked into the office and pretended to be you? Um, you know, things like that, right? So zero trust basically says we should establish trust with the human, the device, the network where the traffic's coming from, and a lot of other things before we grant that thing access to the corporate, uh, data repositories, whether they're applications, databases, storage arrays, whatever. We should build trust from the ground up before we grant any access. And of course, I keep talking about it in terms of humans, but this applies to anything on your network, whether it's a human, another server, an IOT device, an entirely different network. You gotta build trust from the ground up to make sure that it's something that you expect and you wanna grant them access to that thing.

And the second factor that's [00:11:00] associated with zero trust is the idea of the principle of least privilege. Just because I decide that I trust you, no matter what you are, uh, I shouldn't give you blanket carte blanche access to the network that you're trying to access. I should give you access to the very specific things you need to get your job done.

So if you're a webcam and you're sending data to a storage array, you should only have access to that storage array. In fact, you should only have access to the port it takes to write data to that storage array, period. That's all you should have access to. Um, you know, similarly, if I'm a human and I'm in the finance department, I should only have access to those applications that it takes for me to get my job done as a finance team member and nothing else.

I should not have access to the customer service system. I should not have access to the, uh, repository of customer data, or even the webcam footage that I just described. I shouldn't have access to any of that. I don't need it to get my job done. Yeah. Rich, what else can we add?

[00:11:55] Richard Miller: So, you know, I, I like to apply the [00:12:00] concept of objects to what is being viewed across the board as components of your network.

So for any entitled object, once we've validated the identity and we can establish the identity, even like, like Jim said, for a server, for a sensor, that continuously needs to be evaluated. And once that object, whether again it's the user or it's a data collector, or if it's a controller or a Niagara server, SkySpark, whatever, um, we can create establishments of entitlements.

Or we can establish entitlements between those entitled objects and then massage and inspect that traffic so that we know things are doing what they need to be doing. And if they get out of line, uh, if there's maligned traffic, or if there's a man in the middle attack or something irregular happens, then we can terminate that session and create an.

And have an opportunity to go and, and check it out before things get outta [00:13:00] hand. Um, and those key foundations are what are typically left out from some of the other solutions that, uh, we see on the marketplace. And it, it's really saddening, to be honest with you. Um, this is the new big buzzword in, in, yeah.

So in acquisitions. Um, and I think it's, you know, those are the things that, one of the reasons why, uh, we really wanted to do this and, and bring this new expression, um, you know, to the table, to the, to the smart buildings community and try to help increase that awareness.

[00:13:37] James Dice: Well, yeah, that wasn't just what I was gonna ask you about, Rich, is, um, if you look at all the networks across the industry today, how many are using this sort of approach today?

[00:13:46] Richard Miller: I would say probably maybe 10 to 15%, but that's also going to encompass more, uh, a more legacy approach to having a very dedicated firewall [00:14:00] engineer, um, a very dedicated switching team, uh, and application folks that are, like Jim said, interacting with each other and care about the other aspects of the network.

Um, you know, purely from the networking side, we, we have way too many people that are tunnel visioned. Um, you know, I'm the DNS guy. I'm not the firewall guy. I'm not the switch guy. You know, that's where those gaps start to develop, uh, in between. Yeah. Yeah.

[00:14:31] Jim Anthony: And James, I'll go ahead. I think another interesting thing to answer your question as well, from a slightly different perspective, is that zero trust isn't a binary concept. It is a spectrum of capability. And, and that means a lot of things. It means that you can't just go buy a product and turn it on. You're not gonna, you're not gonna do that with a single product. Uh, it involves at least a product, but typically multiple products, depending on the things that you want to try to accomplish. It also involves processes, it involves [00:15:00] collaboration, teamwork. Um, it, it involves policies as well. Those have to be defined for zero trust as well. What does it mean to be a trustworthy source of traffic or a trustworthy destination of traffic? And so all these things come into play. Um, you asked your question and, and, and, uh, you know, you gotta, you got a quick response about, you know, how, what percentage of companies are actually using zero trust.

Processes, it involves [00:15:00] collaboration, teamwork. Um, it, it involves policies as well. Those have to be defined for zero trust as well. What does it mean to be a trustworthy source of traffic or a trustworthy destination of traffic? And so all these things come into play. Um, you asked your question and, and, and, uh, you know, you gotta, you got a quick response about, you know, how, what percentage of companies are actually using zero.

And yeah, full-on zero trust, it's a very small percentage, but everybody's using zero trust to some degree because it falls on a spectrum somewhere. Mm-hmm, uh, you know, you've got a firewall at the edge of your network, you've got some zero trust principles already in play. You've got some anti-virus watching your laptops.

You've got, uh, a network intrusion detection system watching the network traffic. You've got some zero trust concepts in play already, but you need a platform that helps you tie it all together. And react when one system sees bad stuff happening. Um, how do I react to that? And how do I programmatically react to it [00:16:00] to prevent that bad stuff from getting any further that's when you start to really get into these principles.

Got it. Got it.

[00:16:06] James Dice: And yeah, when I, when I think about a lot of the organizations, I always like to talk about who's taking responsibility for the networking and the, the health and the security and the integrity of the networks. Right. Um, is it the IT folks or is it, are the OT folks, and are they OT vendors or the in-house OT people?

So can you guys talk about how this concept applies to that who's-taking-responsibility piece?

[00:16:31] Richard Miller: Well, there would ultimately be a partner that would be responsible, I think, uh, or a group internal to a larger organization. They can really look at the overall umbrella and because you need to analyze, uh, like Jim was saying, um, you, you need to analyze who is involved, what level of access do they truly need?

And then what are the potential outliers, um, that would need to be accommodated for as well. So again, we're [00:17:00] connecting these objects together that have been entitled only after they've been fully authenticated and identified. Um, and then it's a matter of just maintaining that posture. It's more of a way of life, you know, for, at the risk of being kind of corny.

Um, but you really need due to, uh, you do need to understand. You know what the requirements are for an application to function, even something as simple as a web browser application, uh, there are well defined methods to access that, uh, that web service. And then you need to know how to handle the response traffic.

Or any other queries that it might be, you know, going out there and reaching from like a database or a log server or other places where it's gonna incorporate data and then send that back. So it's kind of more of a big picture thing. Um, you know, your it department is definitely gonna be involved. Um, your applications team is gonna need to be involved.

Uh it's it's like Jim was saying, it's a group. [00:18:00] It really is.

[00:18:01] Jim Anthony: Got it. Got it. I think, Rich, to your, to your point, gone are the days that the network guys just do the network thing and the firewall guys just do the firewall. You gotta get together and you've gotta collaborate on, you know, uh, if I, if, if the firewall team makes a firewall policy change, the network team needs to be prepared to see a new kind of traffic.

And is that traffic gonna be allowed through the intrusion detection system and things like that? So it, you know, you, you begin to see more collaboration the deeper you get into the, into your zero trust journey. Got it. Okay.

[00:18:34] James Dice: So we have this overall philosophy, right? We have this overall way of life, you said, Richard.

Um, and then you guys have been talking about needing a platform or needing a product that can help implement some of these things. Can you talk about what are some of the use cases that, uh, that this product would need to be able to do?

[00:18:54] Jim Anthony: Yeah, we, we talk about, uh, our product Appgate SDP quite often as a [00:19:00] platform that not only does X, Y, and Z.

And we can talk about what X, Y, and Z really is. But the idea behind a platform is that you should be able to integrate into other things, other investments that companies have already made as well, whether it's a trouble ticketing system, a SIEM, uh, desktop support mechanisms, intrusion detection systems, firewalls. Um, you should be able to integrate this underlying supportive platform into those other investments and take advantage of those capabilities that helped you decide to buy that other platform in the first place. Uh, for example, you know, certain firewalls, they do great things. But they're firewalls. They, they do one thing. They do a certain thing.

Um, how about if we could integrate to the firewall and make dynamic adjustments to it on the fly, as we see new threats happening, or we see, uh, new applications coming up on the network, things like that. And that's, that's what I mean by integration. One product doesn't do it all, but you've gotta be able to integrate and either [00:20:00] manipulate those other products or take advantage of the data that they collect to help make better decisions about who has access to what in real time.

Okay.

[00:20:07] James Dice: What about use cases for the end user? What, what is this enabling, the product enabling me to do? And when I say product, I mean software for helping with implementing this zero trust approach.

[00:20:23] Richard Miller: Um, I, I think one of the keys there is, again, like Jim said, we're tying into different authentication sources potentially or different, uh, multifactor authentication sources.

Um, you know, one of the things I like to throw out there is that, you know, Buildings IOT has always been a champion of the converged network, and this is really an extension of that concept, because you're taking these different parts, um, say Appgate as the glue, and you're able to create an overall umbrella product that really satisfies a lot of different needs.

So like for the end user, uh, a [00:21:00] significant piece of that is once the identity has been authenticated and you receive your entitlements, they're also contextually aware. They know if you are in your, your company office or if you're in an airport or if you're in a Starbucks down the street, or if you've suddenly gotten off a plane in Malaysia, and those, uh, entitlements are then adjusted based not only on your identity, but also based on your context.

And there's, uh, a huge variety of, um, of checks that can be run to establish that contextual awareness. So I think from an end user perspective, and that bleeds straight into management, finance, risk analysis, um, those lend new functionality that really isn't available in a lot of other products.

[00:21:48] James Dice: Um, and I still want you guys to go one step up though, in, in detail, like less, less detail. More, what is this enabling me to do from a smart buildings [00:22:00] perspective? Right? What, what do, what do I need, or what does this enable? Right. Um, related to, I, you mentioned remote access, allowing people to log in, authenticate, and then have access to something. You mentioned connection to the cloud. Like tho, those types of things are what we're talking about enabling in a secure way.

[00:22:22] Richard Miller: Correct. Correct? Correct. What else is there? So a, a good use case would be from the perspective of your building owner operator. Um, you know, you have these silos that have been established, and one way, um, or one thing that you need is, uh, ultimately for you to truly be a smart building is they're going to want to, or going to need to interact in some way.

Um, so the establishment of connectivity between the silos is, is one really great use case. Okay. And knowing that this fiefdom built by vendor A [00:23:00] doesn't overlap with the fiefdom built by vendor B. And if it does, we can, we can also make adjustments for that, but we can make sure that the traffic that's necessary is allowed and that you're not over provisioning access, and, and something else is, is disallowed.

Um, but then that use case extends to providing support by that vendor. So how do you know who the vendor's, uh, employee is, where he's working from? Um, is that device safe? Does it have antivirus on it? Does it have recent patching and updating? Um, is it something that you've truly given access to, and that individual? So you can apply all those same concepts of identifying the user, identifying the context, and then giving them entitlements that are contextually aware based on what that vendor needs to, needs to get access to, rather than your vendor just setting up their own remote [00:24:00] access mechanism and they have access to the entirety of your building, potentially, which I think is, is what a lot of vendors or most vendors are doing nowadays.

Got it.

[00:24:09] Jim Anthony: And to take it a step further, imagine, to take the example that Rich just outlined, now imagine a multi-building scenario. I now own multiple buildings and I've hired a vendor to do a certain thing in each of those buildings. The solution should also be able to connect that vendor to all of my buildings simultaneously instead of putting the burden on that vendor to know, oh, okay, building A is at this address and building B is at this other address, and so on.

Building a is at this address and building B is at this other address. And so on. I should give that vendor the ability to connect to my entire network of buildings, uh, and move seamlessly between the buildings, applying the rules and the logic that I've asked them to do. You know, under the contract, so to speak.

Uh, so that's a, that's taking it one step further in terms of complexity. So I don't have to teach that vendor, uh, all the different ins and outs of the different, uh, buildings that I've set up that [00:25:00] I want them to manage.

[00:25:02] James Dice: Got it. Got it. Hey guys, just another quick note from our sponsor Nexus Labs, and then we'll get back to the show. This episode is brought to you by Nexus Foundations, our introductory course on the smart buildings industry. If you're new to the industry, this course is for you. If you're an industry vet, but want to understand how technology is changing things,

this course is also for you. The alumni are raving about the content, which they say pulls it all together, and they also love getting to meet the other students on the weekly Zoom calls and in the private chat room. You can find out more about the course at courses.nexuslabs.online. All right, back to the interview.

[00:25:37] James Dice: Okay. So Rich, you've looked at a bunch of different products, buildings products that are like Appgate, that are being sold into the buildings market.

Talk to me about, like, what to look for, because I've seen, I've seen a lot of products. Obviously, it's a lot of what I, the work I do. And I keep seeing products that are saying, like, we're [00:26:00] zero trust, or like, you're buying zero trust. But what I'm hearing from you guys is that's, it's a philosophy. It's a way of life.

It's not, you can't just buy a product and then now you have a zero trust architecture, right? So Rich, can you talk about some of the, the different categories of products that are trying to help in this space and, and what you'd sort of recommend people check?

[00:26:19] Richard Miller: Yeah. Uh, as you, as you navigate the spectrum, you'll also find, in addition to people making slightly erroneous claims about their products, you'll also find that there's a very broad spectrum of what zero trust means to different companies.

So you may sit down in a meeting, uh, with vendor A, and their description of what zero trust does and doesn't do or what their product does and doesn't do can be completely different than the meeting that you have an hour later with vendor B. Um, so that's one of the things, is to identify, you really want to know, uh, to what degree or to some degree how connectivity is gonna work.[00:27:00]

Um, what the resources are that you're going to look to secure, um, and what paths all of those, those mechanisms need to traverse. And, and that's why, you know, that glue, that middleware, uh, that helps to facilitate that journey like Appgate does, shameless plug, um, is really something that's, that was a significant choice for us.

Um, and you know, there are certain properties in a building that are a little bit outside the beaten track, things like protocols, um, and you know, the way that they're considered. Um, they have different sets of goals. Um, you don't necessarily in the controls network need to have multi terabyte network connectivity, but you do need that network to be very reliable.

Uh, and it needs to be able to transport, uh, protocols like BACnet or, or Modbus, um, efficiently, you know, with a minimum of chatter. [00:28:00] Uh, and, uh, you know, there's a lot of timing-sensitive devices like controllers, um, that really need to have top-notch communication between them. Um, so that's, that's what I would say, is that if you're looking for a platform and a vendor, make sure that they're being realistic about what their aims are, make sure they fit your needs.

Um, if you're looking for something that provides access, they're probably gonna call themselves a zero trust access, uh, platform in some capacity, um, because there's also other, uh, zero trust vendors that are focusing on data security, data storage, uh, and modeling. Um, so it's, it's kind of a broad spectrum.

So do some research first, um, and really get an idea of what, what your goals are.

[00:28:48] James Dice: And it sounds like the software needs to be able to collect data from the network, talk to each device on the network, right, and the ability to analyze what they have installed, what software, what [00:29:00] firmware, you know, what they are, but then also be able to integrate with all these, like you said, Jim, firewall, threat detection, all these other applications as well.

So it's a lot of the same architecture that we talk about on the other types of smart building systems that you're talking about implementing here: some sort of data layer with the ability for a user to log in and make administrative changes.

[00:29:25] Richard Miller: It does.

[00:29:26] Jim Anthony: Yeah, you're definitely on the right path.

[00:29:28] James Dice: Cool. So let's talk about, you said 10 to 15% have some aspect of zero trust adoption. That means ideally, it sounds like, we're trying to get the rest of the building stock more towards the other end of the spectrum. What's the sort of journey? What do people need to do? If I'm a building owner, what do I need to do to go from here to there today?

And I know that's a massive question, but what are the couple of big steps they would need to go through to get from here to there?

[00:29:58] Richard Miller: Yeah. Normally this type of adventure starts with remote access. That's also a really good way to get a good idea of how capable that vendor is, what type of connectivity they can provide, or interconnectivity, like I was saying, between, or as Jim mentioned, a security platform and an authentication platform, an authorization platform.

And that'll help you really get your feet wet. And then being realistic about what that initial implementation is or does, and identifying a set of users that really are your most critical, or probably the most concerning, subset of users. As, for instance, like I said, the vendors that work for you, kind of wrangling in that free environment that they're used to playing in, and making sure that there's good handoff, there's good documentation, that you understand what they're doing when they're connecting to your building, and when they're connecting, and how often, and making sure that all of that access is authorized.

The other side benefit to that is when they let someone go, you'll know, because they'll need to decommission that identity and then recommission someone else from their team. So there should be no sharing of rights, privileges, passwords, or devices in that journey. And then moving up the application layer, you know, identifying:

What are your critical systems talking to? And having a better idea of how, you know, in the Nexus foundation model, those silos are talking to each other, and what the real requirements are. And that part of it is where you really need to spread out the team. Because I'll be honest with you, James, a lot of the application guys, if you ask them what port they need

to make available through a firewall or through an access platform or something like that, they don't even know. They're really not sure. And that's part of that, like I was saying before: the specialties, these areas of where I do this and you do that, those need to be bridged, and you'll start to discover those gaps and then you can work to smooth them.

[00:32:24] Jim Anthony: Got it. If we reflect on that 10 to 15% number, you might ask yourself, why is that? Well, one of the big reasons is that battling complacency is a big issue. And so to get to the answer to your question, you know, what are the things that you need to convince somebody of in order to start their zero trust journey?

You gotta convince 'em to get off their butts. Complacency is no longer a viable option. If you're looking around and you're seeing your third parties getting carte blanche access to your networks inside of your building, it's time to do something about it. If you have open ports exposed to the public internet, it's time to do something about it.

There's a better way to do it. These are all attack vectors. If you're giving a single identity to your third party or to your team to log into, it's time to do something about it. And that's what zero trust is really all about. Let's battle complacency and address the things that you're assuming are good because they never caused you a problem.

It's time to start looking at them in black or white. Are they good or are they not? Am I protected here or am I being exposed? And that's really where we need to.

[00:33:41] James Dice: Got it. Got it. Yeah. It's like a philosophy shift. And then it seems like maybe in between the philosophy shift and all the good stuff you said, Rich, is, like, we need new standards and processes for how we're approaching implementing this.

Right. And then, Rich, you just gave the roadmap, right? Once you actually get started, it starts through remote access, and then all the other things you said. Go ahead, go ahead though, Richard.

[00:34:02] Richard Miller: You know, I wanted to point out though, there's been a huge evolution between, say, 10 to 12 years ago, when primarily everything was done either by hardware or air gap, and virtualization and compartmentalization, micro-segmentation, all of these advances in how networking can become more virtual,

more flexible. Those are really what has facilitated the growth, because, you know, zero trust started off as a concept by Forrester about 10 years ago, but back then only, well, I would say, the most experienced and the most well-budgeted companies could probably afford to even make an attempt at that.

But now the cost factor has really come down. You still need a very dedicated, experienced team in a lot of those different factors, but that realization, or that possibility, is becoming a lot more accessible now. And if you look at the world around you, you know, simply leaving ports open to the wild is just not gonna cut it, like was just said. There are teams that are aggressively looking for prime targets, and that threat grows more and more.

I don't like to be a scaremonger, but that's the,

[00:35:28] James Dice: Can you guys talk a little bit about, so let me go back to my days, probably 10 years ago, implementing things like SkySpark in buildings, where I was dealing with the IT people, trying to gain their trust, for lack of a better term, but it also fits with our conversation, trying to gain their trust so that they

let me do what I wanted to do. And I didn't really care about the security or the networking, really. I mean, I cared, but I didn't wanna cause a big problem, but I was trying to get what I was trying to get done, done. Like, I was trying to implement energy savings projects using this data analytics product.

Right. And one of the things I would like you guys to think out loud about here is that there's this inherent security, like, we all have these end outcomes that we're looking for. Security is one of them, for sure. But it's more a thing we don't want to screw up while we're enabling our end outcome, right?

In the smart buildings industry, we're trying to create more efficient, more sustainable buildings. We're trying to create a better human experience. We're trying to make people more efficient at their job and at operating the building. Right? All those things are kind of the primary end outcomes we're looking for.

Security has this, like, thing: well, yeah, you have to do all those other things, but you can't expose the building to a massive problem. Right. So can you talk about this inherent, like, it goes back to the complacency, like you said, Jim, this inherent sort of battle between getting end outcomes done and not screwing up security, and kind of where and how people should be thinking about those two battling values?

[00:37:04] Jim Anthony: No one wants to pay attention to the garbageman in New York City until they go on strike and they don't pick up the garbage. Then everybody pays attention. Yeah. And that's where network security and zero trust comes in. Nobody wants to be that guy that says, oh, you can't implement that solution on my network because it's gonna create a hole that I don't want to expose.

Right. They don't wanna be that guy. Right. But you've gotta have systems and processes in place that help you safely and securely implement things like that, and grant access to the appropriate folks. There's a whole different way to solve that problem now, and complacency doesn't help you solve it.

[00:37:44] Richard Miller: Totally. And I think the incentive factor has changed quite a bit. I see a lot more cooperation in projects that I'm involved with now, between the application folks and the networking folks. I think that gap is starting to, you know, to close just a little bit.

[00:38:05] James Dice: All right. All right. Cool. That's good. That's good. Cause when I got started, it was not fun.

[00:38:07] Richard Miller: Exactly. So I have a good story I'd like to tell, if you don't mind. Go ahead. All right. So as an example, let's say you're at the supermarket and you need to get these groceries that you just bought home. So you get to the front gate of this gated, secure community that you live in.

And once you're there, the guards check your identity, they check your car, they allow you through the gates. And as you're going down the street, you have, you know, a mile straight, a left and a right, and then you're at your house. They know exactly where you're going, but as you leave the gatehouse, a little security cart follows you, and they follow you.

And if you stop, or if you make a left turn when you were supposed to turn right, they will accost you and find out what's going on, right? Send you back to the gate, or let you continue on your way if it looks, you know, like something benign. Once you get to your house, there's another guard. He checks your identity as well.

He checks your vehicle. He looks for changes on the outside of the vehicle. And once he allows you to go into your house, being the very conscientious person that you are, you drop off your groceries, you take the paper bags, and you turn around and you go back to the store. So that kind of conceptualizes things, but the best part, as you're coming back home from the store, and this is something we haven't talked about yet or touched on, but as you're coming back from the store, you think to yourself, nobody going the other way ever looks to be turning

into my gated community. They never stop. They never turn in. What's going on? And then you realize they can't even see the entrance to that gated community. Only you can, only the people that have been authenticated. And that's a model that Appgate has chosen to follow. And that's one of the things that really drew us to looking at a partnership with them.

[00:40:10] James Dice: Cool. Cool. Yeah. You lost me at paper bags, because I always forget my reusable bags when I go to the grocery store.

[00:40:20] James Dice: Just kidding. No, that's a great example. The last thing I wanna talk about with you guys is, I've been doing this series on the horizontal architecture and how, you know, we need to, as an industry, transition from this siloed, you know, many, many vertical parallel silos, vertical architectures, to this

horizontal architecture. So just to catch you up, Jim, it's probably very similar in other industries: transitioning to a device layer, a network layer, a data layer, and an application layer, right? Those four. And there are different definitions of what a horizontal architecture means, but that's kind of the broad summary.

So can you guys think out loud about how this zero trust architecture applies to that new world of a horizontal architecture? I mean, obviously it sounds like there are potentially new devices that are helping with security. There are, obviously, we're talking about a network layer,

software, right, as well. There's a little bit of a data layer aspect, it seems like, as well, where you're collecting data, and, you know, you're providing applications. So it seems like it plays on all four layers. Can you talk about how this kind of fits to that horizontal architecture model?

[00:41:40] Jim Anthony: Yeah, James, one of the ways that I describe it is very similar to what you just laid out. It's all about the network at the end of the day. You gotta use the network to allow sources or requesters of information to talk to the destination or the source of information, right? They need a network to make that happen.

However, you should be able to look at, first of all, that traffic that's flowing between a source and a destination. You should be able to encrypt it so that you don't actually have the ability to sniff it, inspect it, read it, understand it, especially if you're an outsider seeing that traffic or it's going across a public network.

But you should also be able to use any other layer. And falling back to what I always talk about, the OSI model, because it's a layered approach to computing technology anyway, you should be able to use any other layer in the model to identify whether or not I should allow this network traffic to flow.

And that includes identity. It includes contextual information that Rich was talking about. Where are you? What's the health of your device? Are you running an antivirus? Is your hard drive encrypted? Is this what you normally do? Is this something related to your job, or have you stepped outside of those boundaries?

So looking at all those other layers to make that determination as to trustworthiness is very important. And not only do you look at it at the beginning of the traffic flow, but you look at it throughout the traffic flow, as Rich was describing in his analogy. You're following the traffic across the network, and you're saying, all right, are you still headed to the same place that I think you should be headed to?

Are you still headed to your house, or am I gonna need to pull you over and figure out why you took a path that is not your normal path? Right? So those are all things that come into play, but that's a great way to think about it. At the end of the day, that network is down at the bottom layer and you've gotta be able to control it in some way.

And that's what we try to do here at Appgate.

[00:43:42] Richard Miller: Cool.

[00:43:43] James Dice: Let's close out. Thank you guys. This has been super informative. I feel like this is a topic where there are probably questions that I don't even know to ask at this point, but I think that was a good introductory level, maybe even 201 level, you know, introduction to zero trust architecture. Let's end with some carve outs.

What books, TV shows, podcasts, movies, newsletters, conferences, maybe, would you recommend to the audience? And it could be related to zero trust architecture, or it could be just something that you think people should check out from your personal life.

[00:44:18] Richard Miller: Personally, I always recommend the Nexus podcast series.

[00:44:24] James Dice: Oh, thanks.

[00:44:24] Jim Anthony: It's the first answer. Shameless plug, shameless plug. Kidding.

[00:44:30] James Dice: You don't need to do that, because they're already listening to it.

[00:44:32] Richard Miller: Yeah, that's true. But I said it, I recommend it. So there are some extensions. The zero trust extended ecosystem is a good topic to look for.

If that's, you know, if you need to get a little bit deeper knowledge. The thing, again, the thing to ultimately keep in mind is that zero trust can mean a lot of different things. And a lot of companies are trying to shoehorn themselves into that model, instead of the other way around. Personally, you know, I really follow all the major security conferences.

[00:45:13] James Dice: Sounds good. You good, Jim?

[00:45:13] Jim Anthony: Yeah. So, look, one of the things that I'll say is that, I think we started this conversation along these lines.

There's a lot of info out there about zero trust. It's a buzzword, right? Well, I'll go a step further, and this is our marketing campaign for 2022: there's a lot of BS in the market about zero trust. And so we have a no-BS marketing campaign that we're doing right now,

where if you ever come across us at any trade show, our booth, our people, our employees, even our friends will, you know, we're talking about no BS. Let's step into the booth. Let's have a no-BS conversation. And so, you know, what do you mean by BS? Well, there's a lot of vendors out there that claim, I have a zero trust platform, or I have the zero trust solution, or buy my solution and turn on zero trust, or accomplish zero trust.

Ask questions, dig into it. And this leads me to the next thing to start thinking about, which is always be learning. Well, what are those questions that we should be asking? Does the zero trust platform necessarily include a multi-tenant component? Well, zero trust and multi-tenant don't seem to jive with each other,

at least in my mind they don't. Why would I buy into a platform that has multiple customers on it at the same time, especially a cloud-based platform? Right now, if I've got multiple vendors accessing my building, that's a different scenario, but why would I route traffic through a platform that other customers that aren't even related to me are also routing their traffic through?

Yeah. So that's just one little example of BS that's out there. Rich sort of mentioned another one, and that is these vendors that have platforms and products that were built originally for one purpose. Like maybe they were originally a content delivery network, and now they're trying to back into a zero trust solution, and they're trying to leverage this investment they've already made

and this other solution to back into this zero trust concept. Be aware of that kind of BS; it's out there. So, always be learning. And I don't care if you're learning about technology, or if you're learning about mountain biking or woodworking, or you're watching YouTube videos uncontrollably, whatever it is, learn, learn, learn, because you're never gonna realize the things that you're learning, how they're gonna be applied to some problem that you have in the future.

Keep learning. Don't ever give up on it.

[00:47:39] James Dice: Love it, love it. Okay. Mine has nothing to do with cybersecurity or zero trust architecture or anything. It's just something that I've been nerding out on this week. And it's the Catalyst podcast with Shayle Kann. So Shayle Kann's a climate tech investor, and he's like a total polymath.

He knows everything about everything. And it's really fun listening to him kind of ask people questions around all these different types of climate change tech. So we'll put that in the show notes, along with what you guys just recommended. So thanks so much, and it's been great having you guys on the show.

[00:48:15] Richard Miller: Very good. Thanks.

[00:48:16] Jim Anthony: Thanks, James.

[00:48:16] James Dice: All right friends, thanks for listening to this episode of the Nexus Podcast. For more episodes like this and to get the weekly Nexus Newsletter, which by the way, readers have said is the best way to stay up to date on the future of the smart building industry, please subscribe at nexuslabs.online. You can find the show notes for this conversation there as well. Have a great day.