Adopting Zero Trust

AZT: Zack Butcher on Building Zero Trust Standards and Securing Microservices

Oct 19, 2023

Zack Butcher, founding engineer at Tetrate, discusses building upon NIST’s Zero Trust policies and standards. They explore the challenges of implementing Zero Trust, the importance of identity-based segmentation and API security, and the role of service mesh in enhancing security and control in a distributed system. They also discuss the implementation and evolution of the Google BeyondCorp system.

54:57

Creator website

Episode guests

Zack Butcher

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

The core elements of a Zero Trust strategy, as outlined by CISA and NIST, provide a vendor-neutral approach to removing implicit trust and building a Zero Trust architecture.

The service mesh, exemplified by the BeyondCorp initiative at Google, acts as a force multiplier for DevOps and DevSecOps teams, enabling centralized control and policy enforcement to streamline operations and enhance security in distributed systems.

Deep dives

Podcast Summary

This podcast episode explores the world of Zero Trust and its significance in cybersecurity. It emphasizes the importance of identifying and protecting the infrastructure and implementing access controls. The discussion delves into the service mesh, a tool that enables centralized control and policy enforcement across heterogeneous infrastructure. The service mesh acts as a force multiplier for DevOps and DevSecOps teams, streamlining operations and improving security in modern distributed systems. The episode also touches on how the service mesh aligns with the BeyondCorp initiative at Google. Overall, the episode highlights the role of the service mesh in implementing Zero Trust principles at scale and its potential for accelerating modernization efforts.

Introduction

4min

Adopting Zero Trust Standards and Securing Microservices: Exploring the 800 207 Installment and Runtime Challenges

2min

Defining Zero Trust of Runtime and Five Policy Checks

5min

Rethinking API-centric Security for Zero Trust

20min

Service Mesh: Enhancing Security and Control

18min

Implementation and Evolution of Google BeyondCorp System

6min

Season two, episode 16: Zack Butcher discusses building upon NIST’s Zero Trust policies and standards, and ZT’s influence on a service mesh as it relates to microservices.

Catch this episode on YouTube, Apple, Spotify, Amazon, or Google. You can read the show notes here.

There are several guiding concepts that make it easier for organizations to build a Zero Trust strategy. The first that typically come to mind come from CISA and NIST. These core elements, ranging from the five pillars through to building a ZT architecture, offer a vendor-neutral path towards removing implicit trust. Organizations like CSA also do a great job of expanding upon this knowledge with more contributions from technology and service providers. This week, we take our first step towards understanding what goes on behind these policies, standards, and recommendations, and for that we have a well-equipped guest to walk us through it.

Zack Butcher is one of the founding engineers over at Tetrate, a vendor that provides a consistent way to connect and protect thousands of individual microservices and deliver Zero Trust security operations across any environment. They also have their roots stemming from a team that worked at Google, which many of you are likely familiar with their connection to Zero Trust through BeyondCorp. However, he is also the co-author on NIST special publication 800-207A. If that looks familiar, it’s because it’s an expansion of the earlier mentioned core NIST resource, 800-207.

NIST SP 800-207A builds upon that core architecture piece and hones in on access controls in cloud-native applications in multi-cloud environments. That is a bit of a mouthful, so here is Zack on what you need to know.

When we talk about Zero Trust at runtime, there's a lot of FUD and a frustrating amount of FUD in the in the marketplace and a lot of vendors claiming certain things are Zero Trust and not.

And you know, in that landscape, I wanted to really kind of push for people to have a very clear definition of Zero Trust at runtime, and it's a minimum definition. Let me be clear. You can do a whole lot more than what we talk about in the SP, but I try and give a very, very simple minimum definition. And that is five policy checks at runtime, and we call that identity based segmentation.

Butcher also co-authored NIST SP 800-204A that focuses on building secure microservices-based applications using service-mesh architecture. So this week, Neal and Butcher ran down the rabbit hole of expanding upon these core Zero Trust resources, implications of a more secure environment at runtime, and identity-based segmentation.

Remember Everything You Learn from Podcasts

Save insights instantly, chat with episodes, and build lasting knowledge - all powered by AI.