February 28, 2025: This is the fifth episode in the Zero Trust Hospital Series. Tamer Baker, Healthcare CTO at Zscaler, covers the first steps hospitals can take in their zero trust journey. Through practical insights, Tamer challenges traditional security thinking, demonstrating how organizations can achieve significant risk reduction even on day one, all while maintaining operational efficiency.
Want to get your copy of the new book "Zero Trust Hospital: The CXO Vision" by Zscaler?
Don't miss our webinar after all six Zero Trust Hospital Series episodes!
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Thanks for having me. Super excited to be here.
Yeah, it's always fun to see you.
We've done four of these episodes. The first one started off with Bill. We just talked about digital transition and all this stuff that's happening with the digital transition of our healthcare world right now, and how that opens up all kinds of new challenges and issues.
uff that's in the book. This
Yeah, I think I mentioned in an earlier episode, it might have been episode three, where we talked about inertia. I think one of the foundational things to do is you have to overcome that inertia within your organization. So once you've read the book, you get an understanding of what zero trust is and what it means to all the different stakeholders within an organization, and how we can better ourselves, improve operational efficiencies, improve financial, et cetera. That's where that inertia we have to overcome, and we actually outline a lot of that inertia that needs to be overcome and how we do it. But second to that, once you've overcome that inertia, I'd say one of the most interesting things that is a foundational level for zero trust that needs to be done is you've got to get your identity squared away. Without identities,
zero trust done because is a
That's a first step. One is get your identity done, if you're thinking about getting zero trust on board.
So tell me more about the identity cleanup and the challenges behind identity. It feels like every time I'm with a CISO, one of the challenges that they talk about is this struggle that they have with figuring out both human identities and non-human identities, service accounts and all those kinds of things. Some of them, sometimes they don't even know what they have in the environment, and they don't have a good way to go look for that stuff.
Yeah.
Can Zero Trust and Zscaler help with that?
This is where that multi-vendor approach we talked about comes in. One of the myths that needs to be busted is that identity is not a core requirement. It is, because you do have to understand the identities that exist and you do have to have some level of cleanup.
But working with your identity vendors, I think, is a critical step. I'm not an identity expert like they would be. So you're going to want to work with, again, there's many vendors out there. I love them all. They're all great. They all have strengths, and they're all there to help you basically get through those projects.
It is a core requirement for this, including the non-human identities, right? Because we are also doing the device piece of that segmentation for zero trust.
Identities are the first step on the path. What comes after that?
So after that is where things get a little bit more interesting, right?
vironment? So once you start
Once you have this huge amount of visibility, our AI models actually help predict and show you and say, hey, these are the types of groups that are talking to these types of application systems. These are suggested rules and policies to start implementing, and you start, I think we talked about this before, reducing that blast radius, and you start making it so that everything else becomes invisible to those users.
It makes it an easy step to see that visibility of who's talking to what, everywhere. Even on that fourth step of data protection, you may not be ready for that piece yet to prevent exfiltration of data, but all that information will be available to you. It'll show you exactly who's accessing what data, where that data lives, where that data is moving and how it's moving, so that you can also start thinking about your data protection policies as you're progressing along.
So that attack surface is immediately eliminated. So even if internally your user can access anything, because you haven't flattened all that down, the attack surface has already been significantly reduced. So even step one is a dramatic risk reduction that happens as you're moving into your zero trust plans.
s actually are all connected
First, I have to fix everything, and then once everything is fixed, I can start to begin this zero trust journey. And in fact, what you're telling me is fast-track past fixing all this stuff and just get onto the zero trust path right away, because it will immediately make you more secure, and just the ability to have insights into all the things that are happening on your network. I hear people ask about that all the time. So
Yeah, spot on. In the sense that even if you haven't turned on all those strict controls, it becomes that non-disruptive piece. Another myth is that it's super disruptive. It's not disruptive, because you just change how they access things, but everybody still has the same access.
controls. You're just seeing
Love that. It makes sense. There's a lot of other models out there too. And I know in the book you talk about some of the zero trust maturity models, the ZTA models that are out there from NIST and from CISA. Let's talk about those for a minute and how people can also, it can be worrisome, it can be confusing.
What should they think about the models that are out there and how you work inside those models?
Yeah, the two most common and most popular, I would say, are CISA and NIST. The difference, I would say, between them is the CISA version is a lot more geared towards an executive-level kind of conversation.
th, and that's what the NIST
eye level. The best way I describe it depends on who I'm speaking to. If I'm speaking to a CIO, I'm going to point them to CISA. If I'm speaking to a network director or something along those lines, I'm going to send them to the NIST. And I love, me personally, I love the NIST 800-207, because I actually was a contributor in that book, at least the first revision. I know they've had another revision since then, but I met with the team that wrote that on several occasions and helped write that one. But again, it's way more in depth. That's more like our architects' book.
I think the overview that you provide in this book too can help people get their heads around what they're going to get into as they look at those other models and those other guides, of
talking about the patient or
Yeah, love it.
I want to go back to talking about identity again for a minute. Some users in a healthcare organization are more risky than other users, from the perspective of if they wind up being phished or breached, or they fall into a trap. How does zero trust play into that?
Whether it's high level executives or IT administrators who have a lot more access. How do you guys help with that?
Yeah, I think again, once we understand that identity and we're seeing how everything's communicating, it also includes the applications at the back end. What is critical, what applications are in use that you may not even have realized are a critical function.
st making it so that's all a
T. team, they're going to be able to find anything that you may have misconfigured much quicker. I should say other types of immediate-risk users that we talk about are the ones coming in externally. That's usually one of the earlier things that we should be taking care of. So those are the remote users, whether that, again, we talked about radiologists before, but any remote user.
There's a ton of remote users in our workforce nowadays, as well as third-party contractors and third-party access. So we talked about researchers, but it's not just researchers, it's vendor contractors and all sorts of other third parties that we want to start securing, and doing it in a way where, again, we can publish a portal, do a cloud browser, whatever it is, where you don't have to manage them, you don't have to have them maintain a VPN, you don't have to have them do anything like that, and we'll give them that secure access.
Which has actually led
onnect, but we also see them
So that's really starting to provide security as a service, right? They're selling security, and this is again because you don't have to backhaul them through your security platform. The security is everywhere, right? So the security follows the users no matter where they're at with us.
We basically are, they're going through our security stack, which we're hosting for you as a SaaS, right? So it makes it so much easier for you to also provide it for your own customers, if you want to sell that as part of your programs too. That is becoming popular.
Such a great conversation.
I'm really glad you joined me today. This has been a lot of fun. We still have more episodes coming. This was episode five in our zero trust series. If you're a listener, don't miss your chance to get a signed copy of the book at HIMSS along with the other book in the series.
ble to click on that and get
So there's a whole lot more left to explore. If you want to register for the webinar, check it out at thisweekout.com slash zero trust. You can get registered there. We'll make sure that you are in. Thanks again, Tamer, for being here. I really do appreciate your time.
Yeah. Thanks, Drex, for having me.