Brad Arkin leads Cisco’s Security and Trust Organization, whose core mission is to ensure Cisco meets its security and privacy obligations to our customers, regulators, employees, and stakeholders. Before joining Cisco, Arkin was Chief Security Officer at Adobe and has held management positions at @Stake and Cigital. He is a respected industry thought leader and serves on the RSA Executive Security Action Forum Program Committee. Arkin holds a bachelor of science in computer science and mathematics from the College of William and Mary, a master of science in computer science from George Washington University, and a master of business administration from Columbia University and London Business School.
About the talk
Brad Arkin, SVP, Chief Security and Trust Officer, Cisco Systems, Inc. Cisco's transformational culture was a key driver in deploying Zero Trust to over 100,000 global users, including 120,000 devices, in just five months. From rethinking its approach to networks, perimeters, and security, to managing the complexities of migrating cloud and on-prem applications, this session will focus on how to plan, influence, communicate, and deliver on the promise of Zero Trust.
Hi, I'm Brad Arkin. I'm the Chief Security and Trust Officer here at Cisco, and I want to take you through our zero trust architecture rollout: from zero to hero, how we deployed zero trust in five months. For the agenda today, we're going to start out by defining what I mean when I say zero trust. Zero trust has a lot of definitions depending on who's talking, so I want to define very clearly what this means for me in the context of this description of the rollout. Then: what does your organization have today,
sitting out there in the environment, and what incremental building blocks do you need to deploy in order to be ready for a zero trust rollout in your environment? And finally I'm going to take you through exactly the different steps that we at Cisco took for our zero trust deployment, and how we did it in just a few months. So sit back while I take you through all those details. As we get into the meat of it, the first thing I want to do is make sure everyone understands what we mean when we talk about zero trust. Zero trust has become a marketing term that has so many different definitions
that you can apply it to just about anything. In the context here, when I'm talking about zero trust for this presentation, the important points for us are captured here on this slide. The most important thing is you want to move beyond using user passwords and relying on them as the security control. The real focus is looking at the user certificate that we associate with a user and the device certificate that we associate with each particular device the user might use. So if you have a phone, a mobile tablet, and a laptop, you might have three different device certificates
associated with one user certificate. In combination, we know that user A has device B, and together, when you make a connection request, we can start to ask questions around the device posture: is this device properly patched, is it configured the way it's supposed to be configured? All of that gives us a health determination, and if we like what we're learning through that health check process, the next step would be to issue a multi-factor authentication challenge to the end user. And so this might be a push notification that the user has to respond to: yes, it was me, I
initiated the request, and now they're ready to go. Now, where things might go differently is what resource the user is working to connect to. In some cases it might be a third-party SaaS application that's hosted somewhere out on the internet; in this diagram we have that indicated by Salesforce. Another flavor of connection would be the user connecting to what was previously an on-prem deployed service. In this example we have the Cisco corporate intranet. In the old
days, you could only connect to this service by first initiating a VPN connection, and then once on the corporate network, you could connect to the intranet website. What we're doing is taking the on-prem service and making it available to the user wherever they are, whether they're at a Starbucks, at home, or on an airplane. The connections just flow through the network. From the end user's perspective, they don't need to know the difference between a third-party cloud-hosted application and an on-premises application that has been hosted internally by
Cisco. The user experience on the back end should be the same regardless. Now let me take you through the journey of what we deployed, how we rolled it out, and how we did it so quickly to get it rolled out in just a few months. This is Cisco's zero trust architecture. In the beginning, you've got your on-prem apps that are on the left, you've got your SaaS apps that are over on the right, and in the middle you've got this DMZ. And so what we want to achieve is that whether you're an endpoint deployed internally within the Cisco corporate network or externally, sitting in a Starbucks, sitting
at home, somewhere off-premises, we want to be able to create these same connections so that regardless of which endpoint you're sitting at, you can connect to all of these different types of services. And so what we find is that for most people, in your corporate environment today, you're going to have some kind of enterprise single sign-on. You'll have some type of directory service, which we have here labeled as Active Directory, and an identity provider to make sure that, depending on what app you're trying to use, you have the right permission.
You're authenticated accurately by something providing whatever that single- or multi-factor authentication is. So pretty much every organization looks like this in the beginning. And then the question is, how can we get to zero trust compliance? What do we need in order to achieve that zero trust architecture that we defined on the previous slide? Here at Cisco, what we did was we rolled out a few new pieces to the architecture. Starting in the middle, maybe the most important piece is the network gateway. This is what allows external endpoints, like that laptop sitting in a Starbucks, to connect
through the network gateway to then get to the on-prem apps. That is probably the most interesting piece here, and there are some people who feel threatened by it: no, it's inappropriate, that's not fair, you should only connect through the VPN to get to your on-prem apps. For me, I don't understand what all the fuss is about, because what is a VPN if not a different name for a network gateway that lets you go from the outside to the inside? They are the exact same thing. And if you plan it properly, you can configure it in a way that's consistent with
your security outcomes and your policies. I think you could be just as secure with a network gateway as you would be with the VPN. And so for me, it's a new component from a zero trust perspective, but we're relying on the architecture to keep us safe, and I think it's analogous to what we have with the VPN. That network gateway in the top center is the first new piece. The next piece is some kind of cloud certificate authority and multi-factor authentication service; that's the green bubble on the right there. There are other ways: you can actually deploy this in a way that
might be internal, on-prem. In our model, we used a cloud provider to do this, so we've got the cloud on the right, and that is going to deliver the two-factor and certificate checks that we're doing. And then another thing that we have is a certificate inventory, so we can keep track of every device certificate and every user certificate and what is associated with what, so that we can look these up: make sure the cert hasn't been revoked, make sure it's still valid and signed by the CA, and if all of these things pass, then we can move
that device on to its next sequence in the workflow for the zero trust authentication process. With these new pieces here, what this allows us to do is to create a pathway for the off-premises endpoints to connect to the on-prem apps, and we also have the ability for the on-prem endpoints to connect out to the external SaaS apps. All of this together now gives us the main components and how the information flows back and forth to deliver that zero trust experience that we defined on the previous slide.
So we've got over a hundred thousand endpoints, split between Mac and Windows, and those are just laptops. We have a large number of mobile devices, which would include iOS and Android phones and tablets. It's a large set of endpoint-managed devices. And then the number of these that we were seeing was about ten thousand a day, and this number keeps going up. In the beginning, we started with a group of about 20 applications that were previously hosted on-prem, only accessible through VPN.
Through this project, we wanted to publish them, exposed through the network gateway, so they'd be accessible to managed endpoints that are working through that zero trust flow. We started with about twenty; we think that there might be several hundred, when it's all said and done, that we're going to roll into this process, but maybe only the top hundred or so are used widely across the company. So we wanted to start with a core set of really important things, like the corporate intranet, that are used every day throughout the day. And if we can get those workflows working through
the zero trust architecture, then we can start to take on the more exotic services and applications that were used by a small percentage of the company. And the goal here is that we wanted to include all of the different endpoint devices that our users use throughout the day. It was not just laptops and workstations, but includes mobile devices as well. This is the scope of what we needed to get done. The hardest part
of this entire project is making sure that everyone involved understands the transformational nature of getting to the zero trust architecture goal. Now, this is not an incremental change where we could just deploy a new component and move on. We needed a lot of different teams from across the company to get involved and understand that we're really looking to transform the end-user experience for how they access these corporate resources, and give it the attention and the time that it deserves. Making that decision and leaning into it is what
allowed us to get this project done so quickly, because everyone understood that this was not a business-as-usual improvement, but a really dramatic before-and-after change. And once everyone was on board with that and understood the change that needed to happen, then we were able to move forward with a really good project plan and make this happen very quickly, collectively as a group across the entire company. That was definitely the hardest part of the project. Having made that decision, the next part for us became just a matter of executing
across the timeline. And so we started small in the lab, getting the components working together to prove that it can work, and then building out the infrastructure that it would need for the loads that we intended to deploy in this environment, and then getting ready for the pilot. The pilot had thirty-five thousand users in it, and we went forward with the pilot with about 20 applications when we did the initial go-live. And then from there, we were able to scale out to cover the rest of the company and then start to ramp up the apps supported. And as we got
that rolled out, we didn't have to do as much advertising, because people would click a link in their email and it would just open up in the browser, because of everything that happened behind the scenes: getting the certificates out to these employees, getting the network gateway configured, and getting all the browsers configured so that when you just click the link, it would just work for the end users. For most of them, no training or contact was required, because it works the way they expected it to. So that was really satisfying
to see those user numbers go up so dramatically once we went live. The next steps here are expanding this zero trust architecture to include the mobile endpoints, so you get the same kind of experience you have today from the laptop working on the mobile devices as well. We also want to make it a lot easier to add your applications, so that onboarding a new application and getting it connected should be as easy as possible: get them on board and roll them into the zero trust architecture as seamlessly as we can.
And then also looking at understanding how we support partners and third parties that we work with, who may not be on managed devices and are using their own corporate hardware. They still need to connect to certain services. So how are we going to handle those things, which are a little bit more exotic than what we had supported? All of that is ahead for us, but the initial deployment, from when we started the project to when we went live, took just a few months. The communication goals that we had here were to make sure that every team that we needed involved in the critical path of the project
deployment understood their role, understood the transformational nature of what we were planning, and that it wasn't something they could defer for a year or two years, but they needed to get lined up to the aggressive schedule that we were working to, and be sure that those folks understood the priority. They couldn't say no, thanks, but they could say I need extra help, I need more resources, I need help adjusting my priorities to make room for this. That was really one of the main goals. For the rest of the company, things are going to change; if you're very perceptive of your surroundings, you might notice
that things were changing. Don't be scared, it's okay. For our general population, that was more for folks who would be interested. The main focus of the communication was for the people who were involved in helping to transform the company and how we connect in from external. We did a lot of work at signaling that this project was coming when we had all-hands meetings with our CIO, and we talked with each other; my boss had staff meetings where we talked about the project and potential headaches, friction,
and what we were running into. All of these things helped to keep the pressure on, so that if we hit a stumble in project execution, we could spot that quickly, bring in the needed resources, and then keep moving. And that proved to be really, really helpful for us. The other thing that was very useful was a weekly status email. The project stakeholders, such as leaders, would get this email; it had a countdown timer to going live, what we got done in the past week, what was coming up next, and a section labeled things where we need help.
That would get attention over the weekend, and coming in Monday morning we could get these things unblocked and keep moving. That was the goal for the communications: make sure that we didn't slow down or get stuck going down the wrong path that it might take us weeks to recover from. And what we got from this was a vastly improved end-user experience for what it's like to connect from an external employee to an on-premises application. And in doing so, not only did we not reduce our security posture, but we enhanced it, because we're now getting the moment-to-moment posture and health checks at
the endpoint and the way it's configured, so that if someone makes a bad mistake in the configuration today, we can spot that, intervene, and have the right message in place to give to the user about the corrective action. Being able to intervene right at that moment has allowed us to get a much better security hygiene for the fleet, and also to reach people right when they're looking to access information, as opposed to doing something after the fact. And that's really helpful for us. What we now have with this new setup is a checkpoint that we can take advantage
of a broader set of governance opportunities. And overall, this is going to provide building blocks for us to deploy new security capabilities in the future. That's going to make me feel much more confident as we meet the new threats that we see in the world that we live in. For all of you, my goal today for our time together is that you have had the chance to learn about how to take your current deployment and infrastructure, which likely doesn't have any network gateway or certificate management capabilities, and in a
lot of situations, what are the different steps and milestones in a project plan that you need to have in place in order to have a successful rollout. It doesn't have to take three years; it's something that we can squeeze in and do a lot tighter. And in this environment, with a very large set of users and endpoints, we rolled this out while a hundred percent of the population was working from home, in just a few months. And finally, some best practices around how to plan and
leverage your stakeholder community and make sure they have good communication going back and forth, so that when we hit pain points in a portion of the project, we're able to clear those and keep going and keep up with the project schedule. It allowed the end users within our environment to access the services that they need to get their jobs done, and we got it done in such a short period of time. This involved not just the communication work and the aggressive technology rollout, but a lot of people coming together and understanding from the beginning that this is a transformative
project for how the company rolled out new technology that touches every corner of our company. It was a lot of fun to share the details with you, and I'm really happy if you have questions to ask, we can talk about
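The connection-request flow the talk describes (user certificate plus device certificate checked against the CA and the certificate inventory, a device posture health check, an MFA push, then routing either straight to a SaaS application or through the network gateway to an on-prem application) can be modeled as a single policy function. The following is an added illustration written for this page, not Cisco's code and not any product's API: certificates are simplified records signed with an HMAC key that stands in for the CA's signing key, the inventory, posture data and MFA approval are constructed in-memory stand-ins, and the ordering of checks is one reasonable reading of the talk rather than a documented Cisco design.

```python
"""Toy model of the zero trust access decision described in the talk.

Added example, not Cisco's code. Certificates are simplified records signed
with an HMAC key standing in for the CA's private key; a real deployment
would use X.509 certificates, a real PKI and a real MFA provider.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

CA_KEY = b"constructed-ca-key"  # constructed stand-in for the CA signing key


@dataclass(frozen=True)
class Cert:
    subject: str        # user id or device id
    kind: str           # "user" or "device"
    not_after: float    # expiry as Unix time
    signature: bytes = b""

    def payload(self) -> bytes:
        return f"{self.kind}:{self.subject}:{self.not_after}".encode()


def issue(subject: str, kind: str, ttl: float = 3600.0, now: Optional[float] = None) -> Cert:
    """CA issues a certificate by signing the payload (HMAC stands in for a CA signature)."""
    now = time.time() if now is None else now
    unsigned = Cert(subject, kind, now + ttl)
    sig = hmac.new(CA_KEY, unsigned.payload(), hashlib.sha256).digest()
    return Cert(subject, kind, unsigned.not_after, sig)


def valid_signature(c: Cert) -> bool:
    expected = hmac.new(CA_KEY, c.payload(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, c.signature)


@dataclass
class Inventory:
    """Certificate inventory: which device belongs to which user, and what is revoked."""
    owner: Dict[str, str] = field(default_factory=dict)   # device id -> user id
    revoked: Set[str] = field(default_factory=set)         # subjects with revoked certs


@dataclass
class Request:
    user: Cert
    device: Cert
    resource: str


def evaluate(req: Request, inv: Inventory, posture: Dict[str, Dict[str, bool]],
             resources: Dict[str, str], mfa_approve: Callable[[str], bool],
             now: Optional[float] = None) -> Tuple[str, str]:
    """Run the checks in order; the first failure denies with a reason the user can act on."""
    now = time.time() if now is None else now
    for c in (req.user, req.device):
        if not valid_signature(c):
            return ("deny", f"{c.kind} cert not signed by CA")
        if c.not_after <= now:
            return ("deny", f"{c.kind} cert expired")
        if c.subject in inv.revoked:
            return ("deny", f"{c.kind} cert revoked")
    if inv.owner.get(req.device.subject) != req.user.subject:
        return ("deny", "device not associated with user")
    p = posture.get(req.device.subject)
    if not p or not (p["patched"] and p["config_ok"]):
        return ("deny", "device posture unhealthy")   # point for a corrective-action message
    if not mfa_approve(req.user.subject):
        return ("deny", "MFA challenge not approved")
    kind = resources.get(req.resource)
    if kind == "saas":
        return ("allow", "direct to SaaS")
    if kind == "onprem":
        return ("allow", "via network gateway")
    return ("deny", "unknown resource")


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: one user, three devices, two resources, several failure modes."""
    now = 1_700_000_000.0
    alice = issue("alice", "user", now=now)
    laptop = issue("laptop-1", "device", now=now)
    phone = issue("phone-1", "device", now=now)
    stale = issue("laptop-old", "device", ttl=-10, now=now)          # already expired
    forged = Cert("mallory", "user", now + 3600, b"\x00" * 32)       # not signed by the CA
    inv = Inventory(owner={"laptop-1": "alice", "phone-1": "alice", "laptop-old": "alice"},
                    revoked={"phone-1"})
    healthy = {"patched": True, "config_ok": True}
    posture = {"laptop-1": healthy, "phone-1": healthy, "laptop-old": healthy}
    resources = {"salesforce": "saas", "intranet": "onprem"}
    approve, reject = (lambda u: True), (lambda u: False)
    return {
        "intranet": evaluate(Request(alice, laptop, "intranet"), inv, posture, resources, approve, now),
        "saas": evaluate(Request(alice, laptop, "salesforce"), inv, posture, resources, approve, now),
        "revoked": evaluate(Request(alice, phone, "intranet"), inv, posture, resources, approve, now),
        "expired": evaluate(Request(alice, stale, "intranet"), inv, posture, resources, approve, now),
        "unhealthy": evaluate(Request(alice, laptop, "intranet"), inv,
                              {**posture, "laptop-1": {"patched": False, "config_ok": True}},
                              resources, approve, now),
        "mfa_denied": evaluate(Request(alice, laptop, "intranet"), inv, posture, resources, reject, now),
        "forged": evaluate(Request(forged, laptop, "intranet"), inv, posture, resources, approve, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

The ordering matters for the user-facing outcome: certificate problems are caught before the posture check, and the posture check is the point at which a misconfigured or unpatched device gets its corrective-action message, before any MFA push is sent.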