A
Hey everyone, and welcome to this sponsored interview here in the Risky Bulletin feed. My name is Patrick Gray and everything you hear in the Risky Bulletin feed this week is brought to you by Knock Knock, which is a company that makes an interesting technology. I should disclose I'm on the board of this company, so obviously I'm a little bit biased. I quite, I quite love it. But yeah, the idea behind Knock Knock is it controls network connections and ties that control to authentication, right? So to your SSO. So you know, you're on a network, say it's your internal network and you want to access the lights-out management system. You try to access that system, you can't, it is all firewalled off. So then you go and you hit the Knock Knock, you know, web app, which is just an internal web application. You hit the SSO button and bang, magically, all of a sudden you can get a port to the lights-out system and do what you need to do and that access will, you know, expire after 30 minutes. So it's sort of like just-in-time network access, network allow listing kind of is how you would describe it. It's useful both for external resources and increasingly internal resources where people are using it to protect things like KVM over IP, they're using it to protect lights-out systems or old legacy stuff where they just don't want anyone on the network being able to access it. So joining me now is the chief executive of Knock Knock, Mr. Adam Poynton. And what we're going to be chatting about today is zero trust and how some users and companies are kind of doing it right and embracing zero trust principles and others aren't. And about how the definition of zero trust has kind of been lost. And I think, let me just start by positing, Adam, that one of the reasons I think zero trust, the definition got watered down, first of all, it turned into a marketing buzzword and everyone's like, we do zero trust. And it's like, well, no you don't.
And second of all, I think the network access control part, which is what Knock Knock does, it sort of dropped by the wayside when everyone's like, well, we'll just put OAuth logins on all of these awful web applications and we'll consider that as an analog to network control. That seems to me to be like one of the major wrong turns that zero trust as a concept has taken over the last decade.
B
Yeah, I agree with that. I think the zero trust architecture was the original idea, which is all about where the person is or where the system is, what network level access it has, what systems it can access. But you're right, that was sort of flipped into yes, marketing buzzword on the ZTNA side. But people saw the effectiveness of MFA and thought, well, I'm just going to kind of add auth everywhere and everyone's going to use the auth because that's the only way into the system apparently. And we're sort of going to solve it because every access is validated, verified, MFA is in there. It feels good. Let's let you know that that's going to solve our zero trust response when clearly not. That's. It isn't actually the premise of the architecture way of thinking in the zero trust architecture, that's just really adding authentication to as much as you possibly can, which is good. With still a lot of exemptions. It's great. Especially identity was a big problem. If you think, if you think MFA like it did actually solve a lot.
A
Well, I mean, when we say, when we say, when we say MFA, I mean it's not even just about MFA, it's just about adding that authentication to the applications like everywhere, even internally and whatever, and tying that all back to a single identity provider. So it was like, I think everyone went sort of Okta crazy, you know, and thinking that was zero trust.
B
Yeah, I agree. That was definitely one of the pillars that the industry took. I guess there's the, you know, add auth to everything, centralize it, which is awesome. Zero trust networking architecture, you know, take the VPNs off, flip that around. That, that was effective, like we did a lot. But the user ultimately was still trusted too much. The kind of zero trust architecture network, just-in-time bit still hasn't been.
A
Yeah. Now one of the things where you and I both have sort of mixed, we have mixed feelings on it. It is the ZTNA sort of providers. Right. Because that's probably a little bit more zero trusty than a lot of the other stuff that calls itself zero trust because you are actually authenticating a user before they can access an application. There is sort of a level of network control. You're not seeing anything until you're authenticated. But I think where our admiration starts to wear a little bit thin is when you start looking at the way a lot of these things have been implemented. They're getting kind of old too. And I believe you were at a DEF CON talk about this stuff and it's like, you know, it's a bit wobbly. Thankfully nothing's happened. We haven't seen a big breach at a major ZTNA platform. But I mean, it sort of feels more like luck at this point, right?
B
Yeah, well, I think it's just shifting the target around. Like we knew that having a VPN on the Internet open to everybody all the time, like IKE and other services was kind of never a good idea. And everybody who did, zero trust way of thinking, which really was like the security people that knew, you know, always allow list as everywhere. You know, maybe it was paranoia, maybe it was foresight, but shifting that Internet exposure to a reverse thing and as you say, trusting a provider. Yes, there was the DEF CON talk, which is great, you know, talked about implementation, as you say, keys and authentication being bypassed, etc. But we haven't seen a breach. And it is better than, than having something sitting on the Internet, especially when you've got multiple locations. Like if you've got a VPN from a single product provider that's scattered across 15 locations facing the Internet, you got to, it's challenged to manage all of that. And then the zero trust architecture way of thinking is okay, once assume that's breached, what then happens? And a lot of people still get that wrong. And you know, if you think to today's terms, when there's load balancers that are now potentially hostile in the environment, that doesn't really matter. When you've had the zero trust architecture way of thinking, which is you can't trust it. You need to assume that everything in your environment is brutal, breached, compromised, hostile. And if you've got a ZTA, zero trust architecture, in place, then you're probably not squirming too much about that.
A
Well, you're going to limit the, you're going to limit the damage. But I mean, look, I want to pull it back just to this ZTNA discussion a little bit because as much as like architecturally, like it's really good for core apps, the problem that I've always had with ZTNA is what does it do to protect your lights-out system on your internal network? What does it do to protect your KVM over IP? Like absolutely nothing. You're not going to shunt that through Zscaler or Cloudflare, right? Like it's just not what, what they're for. So it's almost like this whole approach to zero trust network access. People just sort of forgot it was a good idea. And okay, sure, they're going to put a lot of stuff like their HVAC and this and that, and they have cameras. Hey, they're going to put that on a VLAN. That's great. I mean that's a bit of segmentation. But all it takes is for an attacker to breach one device that straddles a couple of different networks and bang, they're on that VLAN and they're having a party. Right. So, yeah, I just feel like. I feel like, yeah, people just sort of forgot what Zero Trust was supposed to be about. You know, it's supposed to be a per device or per server. That's right. Segment. Like it's. Forget about micro segmentation. This is like. This is like pico segmentation, if you will. Right, yeah, Nano. Nano segmentation.
B
Nano segmentation, that's it, yeah. Well, ZTA is all about dynamic: at the point that you need the access, verification occurs and then you have or do not have the access. Like it's meant to. Dynamic is in some of the definitions. Right. You look at the NIST standards and things like that. Dynamic is. Is there as opposed to where you go to sort of put software on and then it's always open. You know, you need the software. It's just like you've got the key and now everything's open. As you say the device is breached, then you're in the soft squishy internal walled garden.
A
One thing we haven't specified too is the issue with having just slapping authentication and OAuth on everything internally is that there's an awful lot of pre-auth attack surface in basically everything on an internal network still in 2025. Right. So there's a reason you still want to do that network segmentation.
B
Exactly. You got to do all the things and that's why it's hard.
A
Yeah.
B
You know, if you look at the like going back to the DoD's zero trust mission, which is 2022, five years to 2027 and then they've got another five years. One of the last things in the list of to-dos is like just-in-time dynamic micro network segmentation because it's hard and the world's not there yet. Some of the earliest stuff was, you know, do vulnerability management plan scanning and stuff like that. That's all taken care of. But the other thing that just-in-time is hard because we're just not really equipped.
A
It's funny, right, because when I talk with Adam Boileau about Knock Knock, because we do every now and then, it's not micro segmentation. It's not, no, but it kind of. It's sort of like nano segmentation just for like a specific asset. So instead of trying to carve up your entire network and micro segment your entire network. All you're doing is taking the worst stuff, putting it behind Knock Knock and, you know, pat yourself on the back and go get a. Go get a coffee. So it's sort of like just. It's almost like, you know, what do we call it? Nanosegmentation. But only where absolutely required. Right. Like, is that a good way to describe it?
B
I think so. Well, I think there's two. There's two lines, there's two axes, there's size of axis, which is, you know, nano, micro, you know, segmentation or broad and then there's time.
A
So.
B
So as soon as you add time into it, it's another dimension. So you've got a small amount of access, but it's not always on. It's only for a limited, specified, predefined amount of time. So you're not only reducing the exposure, but you're through size or volume of access. But actually the time and amount of period that they do have access for, which then reduces a whole bunch of noise and allows you to focus down on, you know, the true sense of zero trust, which was that dynamic at the moment. Always verify exposure, opening up exposure, as you say in a nano volume, but also a small amount of time.
A
Yeah. Radio. Oh, well, let's see where we are. Let's see. In another 10 years we'll be talking about, you know, how people still aren't doing zero trust. Right. And we'll, you know, shake our fists at the cloud. Great.
B
It's hard, like, to be fair, it is hard. Everybody should be doing it, but it is hard and take. Takes a long time. But I don't know, I think, yes, we're not there yet, but I still feel I'm an optimist around it. I do feel we've come a long way from not having any zero trust way of thinking in the world. It's just that we've got to wait for all those old legacy things to catch on fire and be replaced with something in the future. And I'm just sort of waiting around for that moment whilst trying to patch as many things and many designs as possible.
A
Yeah, I mean, I just want to finish this by saying slapping OAuth onto a vulnerable web application does not prevent remote code execution. That would be the last thing I would say about that.
B
Absolutely.
A
Adam Poynton, thank you so much for joining me for that conversation. Great to see you as always and we'll chat to you again soon.
B
Thanks. Great to be here.
Podcast: Risky Bulletin (Risky Biz)
Date: October 26, 2025
Guests: Patrick Gray (Host), Adam Poynton (CEO, Knock Knock)
This sponsored episode dives into the current misconceptions and challenges around implementing Zero Trust security models, particularly critiquing how the term has evolved (and been diluted) in the cybersecurity industry. Patrick Gray and Adam Poynton discuss what Zero Trust should mean, where organizations are going wrong—especially with “add auth everywhere” thinking—and how new approaches (like nano-segmentation with products such as Knock Knock) might offer more practical, security-focused solutions.
"It turned into a marketing buzzword and everyone's like, we do zero trust. And it's like, well, no you don't."
"That's just really adding authentication to as much as you possibly can, which is good... but clearly not... the premise of the architecture way of thinking in the zero trust architecture."
"I think everyone went sort of octa crazy, you know, and thinking that was zero trust."
"The problem that I've always had with ZTNA is what does it do to protect your lights out system on your internal network? What does it do to protect your KVM over ip? Like absolutely nothing."
"We haven't seen a breach. And it is better than having something sitting on the Internet... But... you need to assume that everything in your environment is brutal, breached, compromised, hostile."
"It's supposed to be a per device or per server. That's right. Segment. Like it's. Forget about micro segmentation. This is like... pico segmentation, if you will. Right, yeah, Nano. Nano segmentation."
"I think there's two lines, there's two axes, there's size of axis... and then there's time."
"So as soon as you add time into it, it's another dimension. So... not only reducing the exposure... but actually the time and amount of period that they do have access for."
"There's an awful lot of pre auth attack surface in basically everything on an internal network still in 2025."
"It's hard, like, to be fair, it is hard. Everybody should be doing it, but it is hard and take. Takes a long time."
"The problem that I've always had with ZTNA is... what does it do to protect your KVM over IP? Like absolutely nothing."
"So as soon as you add time into it, it's another dimension. So you've got a small amount of access, but it's not always on."
"Slapping OAuth onto a vulnerable web application does not prevent remote code execution. That would be the last thing I would say about that."
Adding authentication alone is not a cure-all; true Zero Trust demands dynamic, fine-grained, time-limited network access—especially for the most sensitive or legacy assets.
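As an added illustration (not Knock Knock's code; the SSO assertion shape and the names are assumptions), a minimal model of the just-in-time, identity-bound, time-limited allow list the episode describes: access is closed by default, a grant is minted only after a verified SSO step, is scoped to one source, asset and port, and lapses on its own at the 30-minute cap.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    subject: str       # SSO identity the grant is bound to
    src_ip: str        # where the user is connecting from
    dst_ip: str        # the protected asset, e.g. a lights-out controller
    dst_port: int
    expires_at: float  # deadline on the injected clock; nothing is permanent


class JitAllowList:
    """Default-deny allow list: entries are minted only against a verified
    SSO identity, are scoped to one source/destination/port, and expire."""

    def __init__(self, max_ttl_s=30 * 60, clock=time.monotonic):
        self.max_ttl_s = max_ttl_s   # hard cap, 30 minutes as in the episode
        self.clock = clock           # injectable so expiry can be tested
        self._grants = {}

    def grant(self, sso_assertion, src_ip, dst_ip, dst_port, ttl_s=None):
        # Hypothetical assertion shape: {"authenticated": bool, "sub": str},
        # standing in for whatever the IdP returned after the SSO step.
        if not sso_assertion.get("authenticated"):
            raise PermissionError("no verified SSO identity, access stays closed")
        ttl = min(ttl_s or self.max_ttl_s, self.max_ttl_s)  # cannot exceed the cap
        g = Grant(sso_assertion["sub"], src_ip, dst_ip, dst_port, self.clock() + ttl)
        self._grants[(src_ip, dst_ip, dst_port)] = g
        return g

    def allowed(self, src_ip, dst_ip, dst_port):
        """Per-connection decision: deny unless a live grant exists."""
        now = self.clock()
        for key in [k for k, g in self._grants.items() if g.expires_at <= now]:
            del self._grants[key]  # prune lapsed grants before deciding
        return (src_ip, dst_ip, dst_port) in self._grants


class StepClock:
    """Constructed clock for demonstration: time moves only when advanced."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t
```

Note that a grant for one source address does nothing for a neighbour on the same VLAN, which is the per-asset scoping the hosts contrast with broad segment membership.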