Highlights from “Hacking Zero Trust” Video Chat. To watch the full video go here.

I moderated a discussion with:

Huge thanks to everyone who participated, and see below for the best quotes from the chat room. Lastly, congrats to Dutch Schwartz of AWS for offering up the best bad idea. Watch the video for that moment and how they handled it.

For as long as we can handle it, our video chats will be happening every Friday at 10 AM Pacific/1 PM Eastern. Please follow us on Crowdcast to get announcements of each new video chat and also be alerted the moment a video chat goes live.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our video chat sponsor, Infoblox

Best quotes from the chat room

“How do you zero trust those embedded and specifically real time systems without creating too much overhead that could cause a physical impact?” – Matthew Thomson, vp, IT security, Community First Credit Union

“If you can’t do it in theory, then you can’t do it in practice. That’s why we have zillions of opinions about it.” – Boris Taratine, cybersecurity architect

“I think this mirrors the definition of new regulation in the GRC space. Look at GDPR and CCPA. There are theoretical definitions, but the world is still trying to figure out how to practically apply them.” – Matt Winkeler, security program manager, Capacity

“Here’s a terrible idea: Create legislation that forces you to prove to an auditor that you’re utilizing a zero trust architecture.” – Dutch Schwartz, strategic lead, AWS global security services team *** WINNER of BEST worst question or idea

“Smaller organizations who use mostly SaaS products are ahead of larger organizations on the zero trust front.” – Matt Winkeler, security program manager, Capacity

“A far out question: Should companies spend more effort in developing a *realistic threat model* to apply zero trust and not try to apply zero trust in every domain? Similar to what the autonomous vehicle manufacturers do to secure AVs?” – Bob Henderson, CEO, Intelligence Services Group, LLC

“NIST auditing works pretty well between government entities, but I wouldn’t want to prove I’m following NIST as a corporate entity.” – Rick Woodward, senior information security analyst, Dominion Energy

“The cost of the control shouldn’t exceed the cost of the asset.” – Dan Walsh, CISO, Rally Health