A lot of vendors sell Zero Trust solutions. Or do they? Most are based upon their own product line that existed before Zero Trust became a thing and have simply been adapted, and none of them are complete solutions. I work at a company that is 100% cloud based, no perimeter or VPN, an open-source BYOD background, with a 100% remote employee base. We use dozens of SaaS solutions as a company; we have hundreds of servers/containers/images, multiple cloud providers for our services; and we are growing exponentially.
We wanted to deploy Zero Trust solutions as there are many benefits from a security standpoint of doing so, but after looking at the landscape out there, we had to get extremely creative in how we deployed any solution. Our solutions are not for you–they are for us–but we learned a lot getting to the point we are at now. I’ll describe what has happened so far, what we plan to do next, what has worked and what has not, and cover some important lessons that we think might be beneficial to all those considering Zero Trust, or simply shoring up security in general since that is essentially what most of Zero Trust boils down to.
Mark Loveless (@simplenomad)–aka Simple Nomad–is a security researcher, hacker, and explorer. He has worked in startups, large companies, and hardware and software vendors. He’s spoken at numerous security and hacker conferences worldwide on security and privacy topics, including Blackhat, DEF CON, ShmooCon, RSA, AusCERT, among others. He has been quoted on television, online, and in print media outlets as a security expert, including CNN, the Washington Post, and the New York Times. He’s paranoid (justified), has done ghost hunting, been mugged four times, storm chased, and seen UFOs. He is currently a Senior Security Researcher at GitLab.