
Michael Sutton: The future of zero trust (and how we'll get there)


Welcome to the Secure Communications podcast

Data in motion is complex, chaotic, and insecure, but the ability to seamlessly communicate is what drives innovation, growth, and progress.

Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast.

Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.

In this episode

Stonemill Ventures Founder Michael Sutton knows a thing or two about secure communications. As the former CISO of Zscaler and now an angel investor, he's been involved in multiple companies doing cutting-edge work in cybersecurity.

In this episode of The Secure Communications Podcast, he talks about the concept of "zero trust" and how it is designed to solve the challenge of user risk. 

Never has this topic been more relevant than now. With the Coronavirus driving organizations to send their employees to work from home en masse, securing teleworker access to corporate networks is critical. 

Traditionally, the work from home security challenge was solved by installing VPNs, but in today's world, organizations no longer have control over where their employees are working, how they're connecting, or what devices they are using.

Zero Trust was developed in response to just this challenge. 

Listen, watch, or read

Want to learn more about Michael's insights on Zero Trust?

Listen to the audio podcast, watch the video of our conversation, or read the full transcript below.

Read

Kathleen (00:01):

Thank you for joining today's episode of the Secure Communications Podcast. I'm your host Kathleen Booth and today my guest is Michael Sutton, who is the founder of StoneMill Ventures. Welcome, Michael.

Michael (00:39):

Thanks for having me, Kathleen. I appreciate it.

Kathleen (00:41):

I'm looking forward to talking with you. Before we dig into our topic today, can you share with my listeners a little bit about yourself, about StoneMill Ventures, and your background and how you came to be doing what you're doing today?

Michael (00:54):

Yeah, for sure. So I've been in security pretty much my entire career. I spent the majority of my career in startups as an operator in IT startups in the security space. Typically I was the guy who would build the research teams and the last role that I had in that world was with Zscaler. I was one of the original employees at Zscaler and stayed there for a decade. Ultimately I became the CISO of the company and got into investing later during that time and just really fell in love with angel investing. I've always loved building things and that's why I was in the startup world. And then as I became an investor, I loved the fact that I was doing that, but doing that with multiple companies and amazing founders who were pouring their all into these great new startups. And I kind of decided that that was the path that I wanted to go down. So when Zscaler went public, that opened the door for me to step down and do investing on a full time basis. And so that's what I do now. I do full time investing and pretty much exclusively focused on cybersecurity.

Kathleen (02:04):

Boy, as a side note, I can really relate to that because I owned a business for 11 years and when I decided to get out of that game, I had a lot of different options and with where I was in my career, I think a lot of my peers tended to gravitate towards larger companies. And as somebody who's owned a business, I love growing and building things. And so I too had that kind of affinity to startups. It's a very particular world and it's not for everyone, but I think if you've got that entrepreneurial bone, it's a pretty good way to address that need in your life.

Michael (02:39):

Yeah, totally agree. And I always say being an investor is like being the uncle as opposed to the parent where I get to have all the fun and work with these founders and get to work on the ideas. But then when things get really tough, I can go over and help another one and hand the baby back to them. So, it's kind of the best of both worlds.

Kathleen (02:59):

That is awesome. Less stress. I love that analogy. Well one of the reasons I was really excited to talk to you is that on this podcast we look at all things relating to secure communications, which admittedly is a pretty big umbrella. And one of the topics that has come up again and again is this notion that at the end of the day you can have an amazing security architecture, but your end user is still in many cases your greatest risk. And that has really led to the advent of this movement towards zero trust. I know you've got some thoughts on that. You've been looking into it, you deal with a lot of different companies that are playing in and around that space. And so I'd love to just start out by getting your thoughts on the advent of zero trust and why you think that the time is now for it.

Michael (03:58):

Yeah. So I think it's especially pertinent now given that we're all working from home and we can dig into that deeper as we go. But you know, working remotely and having technologies to do so is not new. We've been doing that for a few decades now. But historically the way we would do that was using VPN technology, virtual private networking technology. And now we're starting to see new technologies like SDP, software defined perimeter, and we can get into kind of the differences between those. But the concept of zero trust encompasses a few things, but obviously the connectivity piece is core to that. And so you need a technology to be able to do that. Now, the term probably originated about a decade ago. I know Forrester, John Kindervag at Forrester was pushing this probably back in 2010 and he's probably the guy who first coined that. Google has been talking about zero trust, although they typically talk about it under the moniker of their BeyondCorp initiative.

Michael (05:05):

So they've kind of been doing internal business that way for a long time. And really, the philosophy is that we're changing a paradigm on how we connect remotely. Whereas we used to have this philosophy of we just build an impenetrable fortress, all of the assets are in the castle and we have the impenetrable moat around it, and we decide if you should gain access and once you gain access, you're good. Now that worked when we were in a world where the corporation controlled all of the assets and they all sat in one place. But obviously the world has changed dramatically. And that's not the case. You know, typically, I'm working remotely. I am on a personal device. I am using a cloud based resource. So the enterprise no longer controls the device. They no longer control the network, they no longer control the data.

Michael (06:02):

So zero trust kind of shifts the focus from saying, Hey, we'll make sure you're a good person and then we'll let you into the fortress to, we're just not going to trust anybody. We don't care where you're sitting. You could literally be at your desk on the corporate laptop. I'm not going to treat you any differently than the sales guy who's sitting at the airport on his iPad. I'm just going to assume that everybody's untrusted and I'm going to authenticate you in real time specifically for that task that you're trying to complete. And once that's done, it's done. And then we'll worry about the next request when the next request comes. And so it's a very different philosophy on how we handle remote connectivity.

Kathleen (06:45):

It's interesting to me because I think one of the guests I just spoke with in a previous episode, that episode was all about the human factor and why it's been so difficult to solve because that's not a new issue. You know, you have your end users and you can build these amazing technologies to protect the corporate network. You can put in place great security solutions, but you still have people on there. They're unpredictable behaviors and they're doing the things that are easiest and most comfortable for them whether or not they make the most sense from a security standpoint. So it's interesting to have this conversation on the heels of that because I feel like that is sort of where we've come to is that even with well-meaning end users, there are still behaviors that they will engage in that with the best of intent put the corporate network at risk. So, what is the implication of zero trust not being solved? What do we stand to risk if we can't put an architecture like that in place?

Michael (07:56):

Yeah. So, you know, the world is changing and so we have to adapt with it. And if we don't, it's really gonna impact not only security but our productivity. Like if I say, you know, let's be really archaic and say you can only work in the office and you can only work on the corporate issued laptop or desktop, well right now your company would be shut down because that is not an option. So that's a bit of an extreme example, but I think it illustrates where we're headed. And I think it's also important to know, you know? Often I'll get asked like, Hey, what are zero trust technologies? Zero trust is not a thing. It's not a technology. It's really a philosophy. It's what we talked about earlier where it's just changing the paradigm on how we do security, how we decide who is allowed to do what and when.

Michael (08:45):

So it's really a combination. It is a collection of technologies. Everything that is used to handle that authentication, that connectivity, figure out the risks associated with it. So it's actually multiple technologies. And it's a change in the philosophy and we're doing security at a separate layer whereas we used to do security at the network layer, what I was talking about before, like, Hey, we'll decide if you need to get in and we'll give you that open pipe to do whatever you need. And now we're really doing security at an application layer where we're doing it specifically for whatever task you are trying to achieve at that time. So again, zero trust is not a thing you know? It's really an approach. It's a philosophy on how we do security and it's just, it better fits where the workforce is headed and gives us much more flexibility and ultimately hopefully more security as well.

Kathleen (09:44):

Now when you look at the landscape of organizations, and organizations being a really broad term, encompassing private enterprise, government, you know, nonprofits, educational institutions, you name it, when you look at the world of organizations and then you think about the varying degrees of zero trust implementation from zero, I haven't done anything with it to 10, perfect world, I've got it completely on lockdown. Where are we right now? Sure.

Michael (10:15):

Well, I think we've just gotten a shot of adrenaline, and that may be a silver lining of this pandemic that it's forcing us to kind of accelerate some of our thinking and how we do things. But you know, where we're at, different companies, so as I mentioned earlier, like Google was talking about this publicly back in 2010 where, and they weren't selling products related to it. They were talking about, Hey look, this is where we think the world is headed. And so we're internally building tools and technologies to allow us to do this. So they were certainly ahead of the curve. I think on the other side, more conservative organizations like especially federal government, intel organizations, things like that, they're moving more slowly, more cautiously toward that. And those that simply aren't able to put a lot of money into innovative technologies like not-for-profits, they might not be doing it as much.

Michael (11:13):

But you know, a couple of things there. One, it's no longer a costly venture. As we move toward more SaaS based services, cloud based services, you know, that's one of the beauties of technologies like that: you don't have to build and buy and maintain and set up infrastructure, you know, you can literally rent that infrastructure. So some of these cutting edge technologies are accessible to everybody in a way that they never were before. And then back to my earlier comment that this fact that we've suddenly had to go from maybe a handful of remote employees to all remote employees, is really forcing us to rethink things and say, okay, from a couple of perspectives, I think companies, number one, they just have no choice. It's either shut the doors or figure out a way to handle remote work and zero trust is a platform which enables them to get there.

Michael (12:09):

You know too, I think when the dust settles, a lot of these companies and employees are going to revisit this and say, this wasn't such a bad way to work. Companies are going to say, I didn't have to pay for office space. Employees are going to say I didn't have to sit in the car and traffic for an hour every day. So we were always moving in this direction. We were always moving toward cloud and SaaS and mobile devices and personal devices and suddenly I see us getting the shot in the arm that's going to cause that trend to accelerate.

Kathleen (12:38):

Yeah. I'm already hearing those conversations. You know, it's really interesting, both on the employee side of, I don't know if I can go back to 40 hours a week commuting in and also on the corporate side of companies saying maybe we should renegotiate our leases. Maybe we should downsize our space or get rid of our space. So that is interesting. I like that you mentioned costs because my question, following on what you were talking about, was going to be, what does zero trust do to the cost of a security solution? And you said it doesn't increase it, but it's interesting to me why that is. Because on the surface, when you think about introducing that added layer of like check and balance at every new, call it, action that an end user will take or every new entry point or every new task, it would seem as though that's adding layers of bureaucracy and security solution architecture design. Is it just that these products are now being developed so that it's so baked into the system that it doesn't introduce a lot of inefficiency and additional costs?

Michael (13:42):

So let me answer that from a big picture perspective. So I wouldn't suggest to someone that, Hey, you can just throw out everything you're doing and move to a completely different security paradigm and it's not going to be costly. It will be costly because you're going to have to fundamentally change a lot of what you're doing. Now if we go even a step above zero trust, Gartner is now talking about SASE. That's sort of their new buzzword and it stands for secure access service edge. And really what they're talking about is zero trust is a component of that. What they're talking about is, Hey, look, the world is changing and so let's combine everything that we need to do to get there. And they're combining the security and the networking technologies under one umbrella, which makes sense because it's pretty hard to separate the two at this point.

Michael (14:32):

Everything's interwoven. And they're saying we're now delivering security and networking in cloud based solutions, whether it's infrastructure as a service or SaaS based solutions, things like that. And that encompasses a lot. Zero trust is one piece of it. But things like your SD-WAN technology, your secure web gateway are all under that umbrella. So if you're going to do zero trust properly, it's not a small endeavor. It's not just well, okay, you used to do things the old way and just give people network level access and now flip a switch and we're going to do zero trust. No, you're going to fundamentally change your network architecture, your security architecture and your security philosophy overall. So, that is going to be a costly and lengthy journey and you're not going to just rip it out and start from scratch and do it overnight.

Michael (15:36):

It's probably going to take several years and you know, as certain technologies come up for renewal, you're going to start replacing it. Now, if you're a greenfield company, it's very different. I mean if you started a brand new company tomorrow and you just started hiring people, let's say you're a small company, you're less than 20 people. I mean that's just the way you would do it. You wouldn't set up an email server, you wouldn't set up file sharing, you wouldn't set up servers and clients. You would go and set up your G Suite and sign up for some SaaS services and you would hit the ground running. So you would go down the zero trust path from the get go. So it sort of depends where you are as a company based on how challenging, timely, costly, this movement will be.

Kathleen (16:27):

So have you seen any companies right now that you think are kind of the standard bearers for how this should be implemented? I mean, you mentioned Google. I'm assuming that they've gotta be drinking their own champagne. I like that phrase better than eating their own dog food. But other than Google, are there any out there in the wild that come to mind that you think are really leading the pack with this?

Michael (16:51):

Sure. Going to my statement about how if you were starting a company now, prior to my time as an investor, I was at Zscaler for a decade and we really drank the Kool-Aid, the zero trust Kool-Aid, for good reason. That was a big part of our business that we were selling, but that was really core to our philosophy. We're very adamant that we were going to do everything in a SaaS based model. You know, everything was going to be single sign on. We weren't going to run servers. I still remember a conversation, you know, as the CISO focused on security technologies and I was looking at this technology from a well known, but I'll keep unnamed, vendor. And they said, Oh, you just have to install this component on your internal servers. I said, I can't, so what do you mean?

Michael (17:41):

Like it's, you know, it's just this little virtual thing you just decide. I said, I don't have any servers. And he looked at me like I was nuts. At the time we had two employees, so we weren't a small company, but that was core to our philosophy and although we were kind of bigger than most companies that would have been die hard on the whole zero trust philosophy. That was the reality. And I think that any company that starts running today will follow that same path. I think technology companies, especially any technology company that's started within the last half dozen years, that's just a given that you're going to go down that path.

Kathleen (18:20):

And you know, obviously with this kind of a shift, you're moving from taking ownership of your security at the local level to really, I guess for lack of a better term, outsourcing that to the cloud providers. How confident can companies be that their cloud providers have this all on lockdown?

Michael (18:44):

Sure. You know, that's a question I'd say I get less now because we're more comfortable with it. But I used to get hammered with, well, since this is security, I can't outsource security. And to me, that's not really a decision right? There is one thing you can't, whether or not you're doing that in house or you're doing it in the cloud, you still can't outsource the responsibility.

Michael (19:13):

I would absolutely argue that for the vast majority of companies, if you hire the best security talent, you know, entice them because they were coming through this really cool growing company that was doing some really fascinating stuff. It's pretty hard to get good security talent when you're a widget factory. So I think the vast majority of companies would see far greater security when they move to cloud providers because that is their key focus.

Kathleen (20:15):

So now you mentioned before that zero trust is not a technology and I think you made a great point about that. It's a philosophy, it's a culture within the organization. Having said that, are there some technologies or providers that you're particularly excited about with regard to, you know, them doing really cutting edge work that's gonna feed into the ability to solve for zero trust?

Michael (20:40):

Yeah. So I think, you know, again, zero trust kind of has all these components. It's got an authentication component, an identity access management component, and a security component. But I think a key part of it is, for those remote employees, there's the connectivity piece and that's where we're seeing a shift in the way that external entities will connect to a system. Whereas historically, we would use VPN technologies, now we're moving to something called SDP, software defined perimeter. And really to kind of just summarize the differences between the two, VPN is a networking technology. So the idea is I would connect to somebody at one time, authenticate them, make sure that, Hey, this is a trusted person, trusted device, but once they're in, they're in and then they can do whatever they need to on that network. Access whatever resources...

Kathleen (21:33):

Keys to the kingdom, right?

Michael (21:36):

Now it's not wide open. I would use access controls within the environment, but that's sort of a separate thing. I have to do a good job on that if I make a mistake. And you know, some of the big data breaches in the past have resulted from that. A really famous one is Target where an HVAC vendor had the network connection or VPN connection and obviously it wasn't locked down and I mean, all they were supposed to do is check the HVAC systems, but the attacker was ultimately able to leverage that to get to the point-of-sale systems. So software defined perimeter, which is a zero trust technology, takes a very different approach. It's not network level access, it's application level access. I'm not getting a connection at the beginning of the day and then keeping it open.

Michael (22:25):

I'm connecting as I need it. So I'm in an application, it needs to access a file that could be anywhere. And that's an important part of it. It's really transparent to the end user. Could be in the private data center of the company. It could be sitting in AWS, could be on internet resource. It doesn't really matter to me. I just know I need to get it. So it would establish that connection at that time for that purpose, and authenticate me. And once I'm done, I'm done. It doesn't mean I have to type in my password every time I change a cell in an Excel spreadsheet that's transparent to me because other technologies like single sign on are taking care of that. But that's kind of the core difference philosophy. You know, a networking level technology like VPN or an application level connectivity technology like SDP or software defined perimeter.

Kathleen (23:12):

Great. And any companies out there coming to market with really interesting products to solve that?

Michael (23:20):

Yeah. So there's a lot of players in the SDP space. Zscaler, that's a big part of our business. A lot of the networking VPN companies have pivoted. You know, the Check Points of the world, the Pulse Secures. I'm also seeing a number of startups. In the past year I've had some companies pitch to me like Meta Networks and New Edge, both of which have actually already been acquired. And that's not entirely surprising to me, because it's an increasingly hot space, but also because you need agents on all the devices and it's increasingly hard to convince the CISO to install agents on thousands of devices. So, the incumbents have a leg up because they already have that real estate taken care of. So a lot of them are leveraging those same agents to now offer SDP capabilities. So a lot of it is kind of the usual suspects in the networking space, the VPN space, that are now offering this as functionality. They're acquiring SDP startups to get there.

Kathleen (24:30):

Great. All right. Shifting gears. I have a couple of questions I typically ask my guests and I'm curious to hear what you think. I guess the first one being, you know, with the way that we communicate and manage data changing so quickly, what do you see as the biggest challenge that we're going to face with respect to securing communications in the next few years?

Michael (24:55):

Yeah, so I'll give you two answers to that. One very immediate term and one longer term. You know, the immediate term as we were discussing, you know, we feel forced into the sudden change of everybody working remotely. Well at some point we're going to have to go back. I think the new normal will not look like the old normal for a lot of different reasons, some of which we discussed. But from a security perspective it's going to be tough to roll that back. You know, companies quickly throw the policies and the rules out the window because, you know, we just had to stay functional. So, you know, it might've been like, Hey, you could only work two days a week, or Hey, you can't access that server unless you're in the office. And suddenly that got chucked out the window and it was like everybody gets everything.

Michael (25:36):

Well, what happens when we go back to work? And that has to get real bad. And as a guy who's worked in security most of my life, I know I'm drawing a line in the sand and holding to this one thing. Coming into a new company and saying, okay, all the stuff that you used to have, all this flexibility and access that you used to love, it's going away. That's really hard to do. So I think, recalling these rights is going to be an immediate challenge. But I think the longer term challenge, security talent is really the biggest challenge that we're going to face. You know, there is a major shortage of security talent. And that's one reason why as an investor, I'm very interested in companies that can help. It'll make things easy for companies to do security. Not, I don't really need expertise. I don't have to build this massive, expensive and heavily staffed security operations center. So that's always going to be a challenge that we're going to face.

Kathleen (26:36):

So what new security technology are you most excited about in the next five years or so?

Michael (26:43):

Yeah, so I spent a lot of time looking at artificial intelligence, machine learning, technologies in that, you know, it's a fascinating space and unfortunately, much of what you hear is hype. We're not there yet. I'll be the first person to tell you that AI and ML is not a silver bullet to solve all of your problems.

Michael (27:08):

But you know, there's no doubt that that's where we're headed. Now, anytime I get a pitch where it will, number one, I don't think I could possibly get a pitch where the person doesn't mention AI and ML. Like it's just, it's kind of a, you know, the belief is like you're expected to have and you are.

Kathleen (27:26):

How often do they really have it though? Because I've noticed people over and over, they have used those terms and use them liberally when they're not really accurately describing the product they're talking about.

Michael (27:38):

I'd say nine times out of 10 as I started digging and pulling on the thread, really once you get under the covers, it's the same old stuff. Signature-based technologies and things like that. But again, there's no doubt we're moving in that direction. So if I get a pitch where it's like, Hey, we use AI and ML to create this black box, it's magic and just put the data in and all your answers are coming out the other side, that's going to be a short pitch meeting because that's just not true. That's not the way it is. But, we are already at a stage where AI and ML can do narrow tasks quite well. Like giving an example, what we're not good at doing is just, there's unstructured data and it's, Hey, go find bad stuff in there. That's just too complicated. But if it's more specific than that, like, Hey, in this pool of data, can you tell me what was the human being and what was the machine? It's actually pretty good at that because machines behave in a very predictable manner. You know, they only go to a couple of domains and they only, and they do it at the same time of day. So it depends on what, you know, what problem you're trying to solve. But you know, absolutely fascinating and critical technology that is going to take time to live up to its full promise. But there's no doubt in my mind that it will be driving every security solution that we have in the future.

Kathleen (29:00):

So third question, company or individual, who do you think is doing really interesting and cutting edge work in the field of secure communications right now?

Michael (29:12):

Mmm, good question. So I think it's too easy to just say, Hey, we're going to throw out the old with the new. So let me give two answers to that. One, you know, it's important that we still are enabling and empowering existing companies that aren't able to move to some of these that we've been talking about because you know, I'm still going to have, for example, I might have legacy devices that I can't go install some SDP agent on. They still need a way to get in there. I'm going to have situations where I don't have control over that endpoint. Like maybe I'm not dealing with an employee, I'm dealing with a contractor or a consultant and there's something that's not going to allow me to install something in there. So I still need a way to be able to continue on with some of these technologies like VPN technologies.

Michael (30:15):

So Attila, who I'm on the board of, you know, they're really answering that challenge by having, you know, taking that technology and making it accessible in a way that it wasn't before in very small, hardware based devices that are very secure. And so they're able to answer some of those challenges for companies that have situations where they're not going to simply be able to just move to an entirely new paradigm. And then on the SDP side, Zscaler I think is really the market leader there that they've really pioneered a lot of this and made it so that it's very accessible and very easy to deploy. And you know, I think they've won a lot of people over, who have seen that, Hey, you know, this is where we're headed in the future. And you know, now with this workforce that is just a completely different workforce - it is remote and mobile - this is a new paradigm that we need to move to work.

Kathleen (31:13):

Yeah, no doubt about it. I think it's going to be hard to put the cat back in the bag at this point. Well, thank you for joining me this week Michael. This was really interesting and I loved hearing your thoughts about zero trust and where it's going. If you are listening and you enjoyed this episode, please consider leaving the podcast a review on Apple podcasts or wherever you choose to listen. We do want to hear from you and if you have an idea for a future episode or you think there's somebody we should interview, tweet us at @attilasecurity. In the meantime, thank you, Michael. It was great chatting with you.