Risky Bulletin Podcast Summary
Episode: Sponsored: Making Zero Trust Work with Non-Critical, Crappy Applications
Host: Patrick Gray (risky.biz)
Release Date: July 6, 2025
1. Overview
In this episode of Risky Bulletin, host Patrick Gray delves into the challenges of implementing Zero Trust security frameworks, especially concerning non-critical and legacy applications often overlooked by traditional security solutions. Sponsored by Knock Knock, a company specializing in dynamic IP allow listing and identity-aware reverse proxies, the discussion features insights from Knock Knock’s CEO, Adam Pointon. The conversation highlights the prevalent issues in internal network security and how Knock Knock’s innovative solutions address these vulnerabilities.
2. The Current State of Internal Networks
A. Flat Networks and Poor Segmentation
Patrick Gray and Adam Pointon express concern over the widespread lack of proper network segmentation within organizations. Despite segmentation being a security best practice, many internal networks remain flat, exposing numerous vulnerabilities.
Adam Pointon [03:08]:
"But it's really been surprising. I mean, some of them, you know, there's jokes that have been said to us like, these servers haven't seen the light of day, meaning they haven't seen the Internet for five years."
Flat networks facilitate lateral movement for attackers, making it easier to exploit multiple systems once initial access is gained.
Adam Pointon [03:08]:
"Turns out everybody just didn't actually do that. And I guess they focused on the cloud and they thought, we'll move everything to the cloud and focus up there and our internal walled garden will just be soft and squishy and we'll worry about that later."
B. Legacy Systems and Maintenance Nightmares
Many organizations grapple with legacy systems whose purposes are unclear, posing significant security risks due to outdated software and unpatched vulnerabilities.
Adam Pointon [03:36]:
"These things haven't gone out to get patches, these things haven't had updates... they are the boat anchor that no one knows, you know, the purpose."
Maintaining layered security controls around such devices becomes challenging when their functionalities are not well understood.
3. Challenges in Securing Operational Technology (OT) and Industrial Control Systems (ICS)
Adam Pointon highlights the complexities involved in securing OT and ICS environments, which are critical for maintaining essential services and infrastructure.
Adam Pointon [05:47]:
"Critical infrastructure has a critical role. Whether it's powering life support systems, energy, critical functions, it has real world consequences."
Traditional security measures like bastion hosts introduce usability issues and require extensive maintenance, complicating access for third-party consultants and outsourced staff.
Adam Pointon [05:47]:
"So you have to then support all of these different technologies and you can't really carve them up either. It just becomes a real problem."
4. Knock Knock’s Innovative Solutions
A. Dynamic IP Allow Listing
Knock Knock’s initial product focuses on dynamic IP allow listing, enabling organizations to implement network restrictions through existing firewalls. This minimizes the attack surface by only permitting access when authenticated via Single Sign-On (SSO).
Patrick Gray [00:06]:
"You can do network restrictions through your existing firewalls... their IP address is added to an allow list and then they can access that resource."
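To make the dynamic allow-listing idea concrete, here is a small added model (hypothetical example code, not Knock Knock's product or code) of a just-in-time allow list: an entry is created only after an SSO login, it carries a TTL, and lapsed entries are returned so the matching firewall rules can be revoked. The `DynamicAllowList` class, its TTL and the sample users and addresses are all assumptions for illustration.

```python
"""Hypothetical just-in-time IP allow list (constructed example, not vendor code).
An entry exists only after SSO succeeds and only until its TTL lapses, so the
firewall rule that exposes a resource is present just while it is needed."""
import ipaddress
import time
from typing import Dict, List, Optional, Tuple


class DynamicAllowList:
    """Maps (user, source IP) to an expiry timestamp."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._entries: Dict[Tuple[str, str], float] = {}

    def grant(self, user: str, src_ip: str, now: Optional[float] = None) -> str:
        """Call only after the SSO login has been verified. The address is
        canonicalised (e.g. IPv6 upper case / zero runs) so one host cannot
        hold several spellings of the same entry; malformed input raises."""
        ip = str(ipaddress.ip_address(src_ip))
        now = time.time() if now is None else now
        self._entries[(user, ip)] = now + self.ttl
        return ip

    def is_allowed(self, src_ip: str, now: Optional[float] = None) -> bool:
        """Firewall/proxy check: any unexpired grant for this IP lets the
        connection through. Note the caveat: trust is per source IP, so every
        host behind the same NAT address shares the grant."""
        now = time.time() if now is None else now
        try:
            ip = str(ipaddress.ip_address(src_ip))
        except ValueError:
            return False
        return any(exp > now for (_, e_ip), exp in self._entries.items() if e_ip == ip)

    def expire(self, now: Optional[float] = None) -> List[Tuple[str, str]]:
        """Drop lapsed grants; the returned pairs are the firewall rules to revoke."""
        now = time.time() if now is None else now
        stale = [k for k, exp in self._entries.items() if exp <= now]
        for k in stale:
            del self._entries[k]
        return stale

    def revoke_user(self, user: str) -> int:
        """Remove every grant for a user (e.g. a consultant being offboarded)."""
        keys = [k for k in self._entries if k[0] == user]
        for k in keys:
            del self._entries[k]
        return len(keys)


if __name__ == "__main__":  # constructed sample run
    al = DynamicAllowList(ttl_seconds=600)
    al.grant("alice", "2001:DB8::1", now=0)
    print(al.is_allowed("2001:db8::1", now=10), al.is_allowed("2001:db8::1", now=600))
    print(al.expire(now=650))
```

Because the check keys on the source address alone, the shared-NAT caveat in `is_allowed` is the reason such allow listing is layered on top of identity checks rather than used as the only control.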
B. Identity-Aware Reverse Proxy
The newly released identity-aware reverse proxy is a significant addition to Knock Knock’s suite, designed to protect both critical and non-critical applications without relying on cloud-based solutions like Zscaler.
Adam Pointon [07:03]:
"It's a pretty big one, which is an identity aware reverse proxy... you can put it everywhere and even use it to protect your crappy apps."
This feature allows organizations to secure internal applications that are often neglected, ensuring that even less critical systems are shielded from unauthorized access.
5. Addressing “Crappy” Applications
A. Protection for Legacy and Unsupported Apps
Many organizations have internal applications that are outdated and vulnerable, often referred to here as "crappy" apps. These applications typically lack regular maintenance and are prime targets for cyberattacks.
Adam Pointon [08:12]:
"We call it Knock Knock Access Tokens, KAT... removing attack surface and then the other one is direct access."
Knock Knock’s solution provides an additional layer of security by implementing IP address-based trust and access tokens, safeguarding these applications without the need for extensive overhauls.
B. Cost-Effective and Targeted Security
Unlike comprehensive solutions like Zscaler, which are suitable for critical applications but not for every minor application, Knock Knock offers a focused and cost-effective approach to securing non-critical systems.
Adam Pointon [10:09]:
"You can just roll this out for crappy apps... you can do something about it. Can you solve it? And we're like, well, actually, yes, we can."
This targeted strategy allows organizations to protect minor applications without the substantial investments typically associated with enterprise-wide security deployments.
6. Practical Applications and Use Cases
A. Third-Party Access and Usability
Knock Knock’s identity-aware proxy facilitates secure access for third-party consultants and outsourced staff who may not be able to install complex security software.
Adam Pointon [08:55]:
"They can't install some software. They just need to click on the thing and then get through and book the car."
This ease of use ensures that external users can securely access necessary applications without compromising security protocols.
B. Enhancing Layered Security in Complex Environments
By integrating Knock Knock’s solutions, organizations can implement layered security controls even within highly complex and segmented OT and ICS environments.
Adam Pointon [04:41]:
"Just in Time network access control, which means you can segment things up dynamically and that's best layered on top of existing segmentation."
This dynamic approach to network access ensures that security measures evolve alongside the network infrastructure, maintaining robust protection against emerging threats.
7. Conclusion and Final Insights
Patrick Gray and Adam Pointon conclude the discussion by emphasizing the importance of addressing both critical and non-critical applications within a Zero Trust framework. Knock Knock’s innovative solutions provide a practical and scalable approach to minimizing attack surfaces and enhancing overall network security.
Patrick Gray [11:17]:
"But you know what? We've got this crappy app that we all know is a horror show, and we'd love to do something about it. Can you solve it? And we're like, well, actually, yes, we can."
Listeners are encouraged to explore Knock Knock’s offerings further through available resources, including a detailed YouTube demo showcased on the Risky Business Media channel.
Notable Quotes
- Patrick Gray [00:06]: "The product started off as a way to do dynamic IP allow listing... minimizing attack surface on external resources."
- Adam Pointon [03:08]: "Everyone just didn't actually do that. And I guess they focused on the cloud... our internal walled garden will just be soft and squishy."
- Adam Pointon [05:47]: "Critical infrastructure has a critical role... it has real world consequences."
- Adam Pointon [08:12]: "We call it Knock Knock Access Tokens, KAT... removing attack surface and then the other one is direct access."
- Adam Pointon [10:09]: "You can just roll this out for crappy apps... we're like, well, actually, yes, we can."
Further Resources
- YouTube Demo: A comprehensive walkthrough of Knock Knock’s new identity-aware reverse proxy feature is available on the Risky Business Media YouTube channel.
- Knock Knock Website: For more information on Knock Knock’s products and services, visit knockknock.security.
This episode of Risky Bulletin provides a deep dive into the often-overlooked aspects of internal network security and presents practical solutions to enhance Zero Trust implementations, especially for non-critical applications. Whether you're a cybersecurity professional or an IT manager, the insights shared by Patrick Gray and Adam Pointon offer valuable perspectives on safeguarding your organization's digital assets.
