Demystifying Zero Trust: A Fireside Chat with THG Ingenuity & Cloudflare
Presented by: Christian Reilly, Abraham Ingersoll
Originally aired on June 4 @ 12:00 PM - 12:30 PM EDT
Zero Trust plays a critical role for addressing privacy requirements and protecting customer data. Join us for a fireside chat with Abraham Ingersoll, Chief Security Officer at The Hut Group, and Christian Reilly, EMEA Field CTO at Cloudflare, as they share insights on planning and implementing a Zero Trust strategy. This session will explore key requirements and the critical decisions that shaped THG’s approach to Zero Trust.
Transcript (Beta)
Well, thank you for joining us today. I'm thrilled to be joined by Abe Ingersoll, who is the CISO at THG Ingenuity.
So first of all, great to have a local Manchester Cheshire customer, Cheshire, I guess, technically, originally Manchester Cheshire.
I want to just give Abe a moment or two to introduce THG Ingenuity and introduce his role.
And then we're going to spend some time going through Abe's experience of actually implementing trust and Zero Trust in real life.
So we'll go through some of the reasons why that is, some of the challenges, some of the practicalities.
And if we have time at the end, we'll throw it open for a few questions from the audience.
So, Abe, take it away with an introduction. Thank you. I'm always really curious who here has actually heard about THG or THG Ingenuity, because we are local.
We're at the far side of the airport. So THG, The Hut Group, we started selling DVDs, shipping them from the Channel Islands.
And this has morphed into a national, international e-commerce platform where we're now split.
So the technology business is separate from the brand business.
And most folks will know us for the brands.
So things like Myprotein, Lookfantastic, Dermstore, Cult Beauty.
You've probably received one of these boxes at your house, if not for yourself, for your significant other.
So we are the platform that powers this. We use a lot of Cloudflare in a lot of different areas.
And Zero Trust is one of these things.
The Cloudflare Zero Trust product snuck up on me after our developers had already adopted Cloudflare for other use cases.
So I'm going to start with the basic premise of trying to demystify a little bit of Zero Trust, Abe.
And I think maybe for the audience, there are two main observations that I have when it comes to the conversation around Zero Trust.
The first one is that I think as an industry, we've mixed up what the intent of Zero Trust is with some technologies that now support implementations of it.
So if you're familiar with the history of Zero Trust, it's not a new concept.
It's over a decade old. It was kind of invented by a guy called John Kindervag, who was at Google at the time, who came up with the concept of Zero Trust.
And it really was a concept about, if you think about it very logically, it was a concept about least privilege.
So that was the foundation of Zero Trust.
And then over time, like all good technology companies, we add more and more technologies around that actually help to support that.
And I think in many cases, it gets further confused because some of the analysts now talk about it as SASE, which is the secure access service edge, which actually includes two separate things, the secure service edge and the WAN edge.
And the more sort of you get into that, the more confusing it can get.
So that's the first thing. And hopefully we're going to talk about some of the practicalities around that.
The second thing that I observed from dealing with this with many, many customers is that there's kind of two things that typically kick off Zero Trust strategies or Zero Trust implementations.
One example of that is in the proactive side, and very often that's to replace VPN technology.
So I don't want to suggest that Zero Trust equals VPN.
But what I do say is that most implementations and most projects that we see usually start proactively as a result of wanting to replace VPN.
And why that's really important is that for those of you who were around for the pandemic, which I'm sure many of you were, you know that lots of organizations rushed to implement VPN because it was the easiest thing to do to allow all of our workers who were suddenly at home to access the systems that they used to access in the office.
Now what we're seeing is that, you know, perhaps that wasn't quite the right approach from a security perspective.
It's not the most user friendly. And so that's from a proactive side.
That's typically what we see on the reactive side. And I hope this hasn't happened to anybody.
It's usually as a result of a breach. So we rushed to look at Zero Trust because something's already happened that requires us to look at security and application access in a sort of very different way.
So Abe, let me ask you the question.
So these significant events that I talk about, what was it within THG Ingenuity that sort of made you say, actually, you know, we're going to go look at Zero Trust, we're going to try and understand what it is.
And we're going to go after the implementation of it.
Was there a specific significant event?
I think there's a little bit of a backstory here, which I'll get into.
The way that I explain Zero Trust or our current situation when I inherited the practice was as if you would have like a hotel where all of the rooms, instead of having separate card keys, were just open to anybody who happened to get into the hotel.
So this is your notion of perimeter defense, your notion of like, oh, if I'm inside the firewall, I'm okay.
That's not true at all. And as an attacker, once you find a single soft spot, anything that is built upon this notion of perimeter security is just absolutely obliterated.
So in our case, we had a contractual deadline.
We had a real strong desire to leap into a better position, better product suite and marry it up with other aspects.
So things descended to the secure services edge notion.
But basically, how do we make it really easy for developers to expose their applications to our members of staff?
And then further, how do we make it so that customers can come in and get to our origin or otherwise like interact with our mobile apps, our mobile app APIs, things like that, using the similar suite of technology?
Because it's all kind of very, very similar how it works.
So that was what led us to it. The other, for me personally, I was subject to a regime.
I'm literally from a non-traditional background for someone who's a CISO.
I didn't come from law. I didn't come from accounting. I didn't come from risk background.
I literally came from systems and being a hacker, for want of a better word, myself.
So I would routinely just avoid the prior apparatus, the existing solutions we had.
And so I was really painfully aware of what this meant, subjecting end users to the different ways to access things, the different mechanisms of establishing controls that approximated Zero Trust, and then all the different ways that you could get around it.
So I wanted something that would be acceptable, that would be like a carrot at the end of the stick.
Like, yes, they want to do it.
Yes, it's something that people want to adopt. And then the reason for Cloudflare was, a lot of people in this audience will know, but a significant portion of worldwide Internet traffic is on your network.
So you probably have multiple different PoPs within a kilometer of this building.
And that matters a lot when you're sticking something in between every single one of your end users and what they need to do on a day-to-day basis.
So it was this combination of factors and then wanting to make a change, having a contractual deadline that forced our hand to make that change.
And we just went for it. We leapt. We leapt into it.
And there were a lot of unintended things that I'd like to share; I bit off a lot more than I realized.
But I think that it's been a two-year journey now that I would not go back and undo.
Like, you could take Zero Trust out of my cold, dead hands.
I don't know how you would operate at scale with international workforce, with a very diverse set of customers, a very diverse set of regulations and requirements without this kind of tool sitting in situ in all these critical places.
So I want to just talk a little bit about outcomes, you know, because when I think when people sort of whiteboard or blue sky the idea of Zero Trust, we're all used to having very complicated environments, but they were relatively simple from an authentication perspective, especially if you use, you know, Windows integrated auth, where I log in once and then hopefully most of the applications that I use every day can consume, you know, that same authentication, maybe slightly different authorization depending on the app.
But when you start to unravel that and you say, I'm going to make the assumption now that every connection needs to be untrusted.
I need to make the jump into least privilege.
I need to make sure that if there is an incursion, then my lateral movement is restricted from an attacker point of view.
When you turn that into benefits, you know, you think about that from a CISO perspective, how do you articulate the benefits of that to the business?
Because I think as technologists, we look at it and we say, yeah, there's 10,000 applications.
There's a hundred applications.
There's a mix of client server. There's a mix of SaaS. There's a mix of mobile.
There's a mix of web apps and we could probably figure out how to get there.
But with it being an investment and you having to explain that investment, you know, at your level, how did you put it in the context of benefits?
It really depends on the type of executive, but the ones who are really focused on the money, the cash, you can draw a line between sets of very closely correlated things.
So investments in like human resource management or the notion or concept of who the human is, the identity part.
Investments in like what traditionally would be thought of as antivirus, but basically endpoint detection and response.
And then when you marry that with Zero Trust, you suddenly have the actual realized value of the, not just the sum of those, but some multiple factor of it all comes together and it makes it so you just open your laptop and you're online.
You can do what you want to do. There might be a little sort of a hop or a forced prompt to have you do a fingerprint or do the Face ID.
There might be like a little bit of a wobble trying to connect to airport wifi or the hotel room.
But the notion is all these investments come together.
We now know exactly which member of staff it is.
We know exactly which piece of data or what system they're trying to get to.
And then we know the exact state of the device. So is it up to date?
Is it patched? Does it, does it have malware on it? All those kinds of things. It all comes together in a single spot.
And it's just so fundamentally different than prior where you go in an office, that office is considered to be safe.
Maybe that office has an MPLS connection or some sort of connection straight into the data center.
So it allows the agility with the workforce, allows you to make decisions around acceptable risk, acceptable levels of risk that you couldn't prior do.
And then it drives down the cost or allows you to use applications that are off-piste to this.
So the random SaaS thing over here that so-and-so in the business thinks is really critical and is going to accelerate their area.
Those kinds of investment decisions were a lot easier to support as a CISO.
Instead of saying no, it's an absolute yes.
That just goes over here. We have the risk controls. Thank you very much.
Continue on, sir. Yeah. I think it's great that you have a CISO who's actually ahead of the business and an enabler, right?
Because I think if you, there's been plenty of great comments over the years.
I think my favorite one was that, the more a CISO says no, the less secure an organization becomes, which I just think is a great phrase that means that if you don't do something to do exactly what you've done, then your creative users will find a way around it, right?
Whether that's buying SaaS apps with their own credit cards or doing all sorts of crazy things.
So I think it's fair to say that most people will be either at the start or just kind of getting into maybe the later stages of an implementation of some kind of initial Zero Trust concepts.
I think as somebody who's led an organization sort of start to finish through that and has put a blueprint in for further applications and different things that happen within the business, there must be some really key considerations that you've seen for maybe the audience who are just starting out on this.
I mean, I get asked all the time by big customers, medium-sized customers, all over EMEA, can you help us get started?
And the answer is yes, of course we can, but we can't dictate what your company culture is.
We can't tell you how fast you should go.
We can't tell you what your levels of acceptable risk are. And I think there's generally a feeling that we really want to do this, but we don't really know how to get started or we don't know how to turn the flywheel to gather pace.
What would you say are the key considerations for, first of all, the strategy for zero trust, and then when you go through implementation until ultimately declaring victory?
So we had this deadline because of contractual reasons, but I see this a lot in the adjacent space of adoption of AI, where you have to have a really well-defined endpoint or goal, and that has to align to business value that has nothing to do with Zero Trust.
But just Zero Trust happens to be this enabler to achieve that goal faster.
So those two things right there, if it means picking out a sub-population, so going after developers, going after execs, going after a call center, if you find that one area where there's a real distinct, definite endpoint with business value and business need, you marry it up behind that, because this is one of those things they technically call a non-functional requirement.
Unless you have some regulatory thing, unless there's an outside reason, you're going to have to search for that.
So once you find that, drive into it, it's a case where a lot of people are reticent to change.
So I would tell my staff, the one thing I'm really good at doing, or the one thing I can help them do, is manage the aspect of human change.
I can go and fight battles for budget, I can go and maybe break something if they let me touch a keyboard.
But on the whole, it's that aspect of dealing with interrupting people's current way of accessing things, their current way of working, and saying, ah, there's a better way.
So I think that's the key insight, is have that distinct endpoint, and then be ready to go for it yourself.
Be ready to go in the weeds, sit next to the user, watch them, help them.
Once you have those champions, once you have the internal promoters of the solution who realize this is a better way to work, then slowly other people are going to see it, and then those little influencers will spread.
And before you know it, you'll have people knock on your door saying, hey, I want to adopt that pattern.
Can I please have that? What is that? That's cool. I think that was one of these things over a two-year journey that has really paid dividends.
The other one is, we had to shift our team's approach to how they managed things.
And we effectively adopted a software development lifecycle.
So a lot of the things you would have heard about, or a lot of the concepts that come from DevOps, so infrastructure as code, or the idea of having pipelines.
So our security staff initially was like, oh my god, what's this Cloudflare thing?
Fundamentally, they've now made this leap to, they themselves are software engineers.
They are writing code. It's going to a build pipeline.
We've split our practice sub-delineated into multiple different Cloudflare accounts based on an acquisition, a business unit, a type of facility.
And this has really helped them have confidence to make change and react to when users come and say, oh, you've disrupted me.
There's something that's blocked.
It shouldn't be blocked. We have a really high degree of confidence that when we make a change or when we want to otherwise modify how that practice impacts users, we can do that with precision and at pace and scale.
So even like a Friday afternoon change, it's not a problem.
I wouldn't advise it. But just in general, the high degree of confidence combined with that business outcome, combined with having stake in the game yourself.
So I want to go back to something that I said at the start, because I think for those of you who are on the start of the journey, I think it's really important to not conflate the intent of Zero Trust versus the technologies that support the implementation of things that meet the intent.
And so when I have these many conversations with different CISOs, CTOs, CIOs around EMEA, they often ask, what do you mean by the fundamental principles of Zero Trust?
And I think the ones who really understand it and the ones who make progress ask themselves four really simple questions.
So what do we have? Where is it? Why do we need to protect it? And from who?
And those are four really, really simple questions that underpin the very nature of the things that we talked around, around least privilege and just-in-time access and the things that you would expect to see from a successful Zero Trust implementation.
So have you talked about the fact that you've gone into this huge global e-commerce platform?
And a key part of what we talk about relative to Zero Trust is, how does that help with protection of data, protection of application, protection of assets, and then maybe even the privacy angle of privacy of your own systems, but I think more importantly for you guys, privacy of your customer information and customer data.
I don't know how many transactions you process every day, but I would imagine it's a lot.
I would imagine you process and handle a lot of customer data, whether that's PII data around the customer themselves or credit card transactions and things of that nature.
Was there a point when the Zero Trust discussion got into the question of how can it help us with better protection and better privacy?
It's one of those topics, it's data protection generally.
It's like bringing up politics or religion because you get total bimodal approaches with this.
People who realize that data protection came from the ethos of enabling cross-border commerce amongst very diverse sets of attitudes or regulations or just cultural norms, how they handle data, to people who are all about data subject rights and individuals' rights to fight the man.
So it's just kind of fundamental.
You have to be able to know who's touched what or who's seen what or how they can access what things if you want to have any chance at all of actually meeting the letter of these regulations, and then be able to confidently say, this is where that data is and this is who's accessed that data.
So there's not a direct line between the two.
It's more just this first principles thing that allows you to then confidently operate at scale when you have questions around like, hey, if we train our own model off of this stuff, what does that mean for this stuff over here?
And being able to know that the connection between them is this and this is how this end user access is and these are the exact audit logs of who's done what, that's streaming from the device, that's streaming from the application.
The synthesis of all that is where you have to have that.
If you want to be able to attest to a third party, yes, I meet these requirements.
So if you bring the risk factor into that and you say, one of those questions was, what do we need to protect?
I would argue that you don't need to protect everything the same way, right?
Some data is more confidential.
Some data is less important in the wrong hands than others.
It would be great if we said, unilaterally, all data is the same. It should be protected the same.
I don't know that that's practical certainly in larger organizations.
So did you start by looking at some of, let me call it the crown jewels, and starting small and saying, what are those things that we really, really need to protect?
Because if they fell into the wrong hands, they carry a significant risk to the business.
So I didn't stop myself and go through. We would have what's called records of processing activities, which is something that's required by GDPR.
We would have done a data mapping exercise to understand precisely which databases exist, what fields, what data is in certain fields, classification of the different data.
But if we pull it back just to the generic thing, on a day-to-day basis today, what I can do is, given an application, given an individualized identity, and given the device, I can make a decision, or basically the code is making a decision, is that person allowed to access that piece of data from that device?
That's huge. So if someone's on a mobile phone and needs to and it's not highly proprietary data, yes, done, decision, permissive, you can access it.
If it's a low-level administrator access to a database, nope, you've got to use biometrics, you've got to be on a corporate device.
So it's that gradation of being able to, it's a common tool chain.
It's nothing abnormal about the user. They just do the fingerprint. They're just using their laptop.
But we get the chance to say, nope, that's like, you're missing your Chrome patch.
There's a Chrome zero day. Sorry. Please upgrade before you touch that piece of data.
There's really practical little things like that that I could never do, I couldn't dream about, unless I'd actually implemented all these tools.
So you talked a little bit about where the Ingenuity name came from and understanding that the Ingenuity piece now is in effect a technology service provider to the brands and to the rest of the business.
I would imagine that, like many in the audience here, the demands that you're getting are not receding.
The demands are becoming more complicated. The availability of technology, the pace of technology, all these things that we have to consider, it's a bit like whack-a-mole.
Remember the old game when we think we've got one thing figured out here, something else pops up over here.
So just maybe a broad ranging question.
So we kind of figured out Zero Trust, and then we then think about AI and all these things that are going to happen where autonomous and semi-autonomous systems are going out making decisions with data and systems that are not a true end user, that don't come from a device.
So what's next? Shadow AI is here.
It's everywhere. So when I join meetings, if I don't have my video on, my initials show up as AI, and people think it's a bot.
And when I've gone and visited remote offices, they're like, wait a second, you're a real person.
So yeah, the workforce adopting these tools at pace, at scale, in a controlled way, that's something that I don't, I lose sleep about us missing it.
So it's easy to come down hard and say, sorry, you can't use ChatGPT.
We're going to block Anthropic.
We're going to block everything. It's either copilot or nothing.
But that's not an approach that's going to win, especially when you have developers running DeepSeek on their laptop.
So what we're trying to do, or where I say like 80% of my focus on a day-to-day basis now is empowering people with the right AI tools, where I can distinguish human actor from agents, which is really tricky.
They're getting craftier and craftier. And then finding that value and that use case, communicating that investment and the results to the people who don't necessarily understand it or aren't deep in the weeds.
And then coming up a way to translate that to something that customers and partners are going to understand as well, because they want to know like, what do you mean you've trained a model and you've done this and that, and now I don't need six people to do that task.
And you still have those six people, they're just doing something else. Or those six people are actually training the model.
So that's where everything's headed.
Cloudflare has some really interesting integrations with GPUs at the edge.
So every one of these PoPs, including the ones in Manchester, I can do inference.
So imagine guard models, which is a really weird concept, basically have a one GPU, evaluate whether it's okay to send that data to another GPU.
But that's where we're all headed.
The machines are going to be in control. Either you're going to be controlling the machines or the machines are going to be controlling you.
So I think we've kind of gotten used to micro-segmentation as part of the story at a traditional network level.
Now we're going to start to think about further segmentation of maybe the actions of agentic AI, maybe where the models run, maybe what those interactions are between models that live within your environment and third party systems that extend those models that we've been seeing with the introduction of things like MCP, for those who've been following along with what's happening in some of the AI pieces.
So I think plenty of work for us to consider in terms of what comes next from Zero Trust.
But I want to wrap up by just maybe asking you the top three things.
So you've gone through this, you've been very successful. I'm sure many people in the audience would love the blueprint of what you've done at THG Ingenuity.
I would say that, well, I would say this because you're one of my favorite customers, but I'd say this anyway, that I think you're probably a lot further ahead than many in terms of where you've gotten to.
What would be the top three takeaways?
So it can be either from a stakeholder management perspective, a technology perspective, leave the audience with the big three things that they can go back to their teams and advise them to try and get that flywheel going to make progress.
So the number one thing is get rid of your VPN any way you can. So I think when I walked in the door, we had three or four distinct ones in active daily use.
I myself would have to log into different ones. So as much as you can reduce your external surface or attack surface area with these legacy devices and legacy vendors, honestly, that's number one huge because that perimeter is not to be trusted and it's going to drive you into the investment decisions around like what solution do we pick?
The second is really adopt the tools.
Give the tools to people who can make the most of it. So instead of having to be a network team or a security operations team or security engineering team, give it to the developers.
I think that's the one thing for us where they hated the fact that I was doing man in the middle on every single one of the requests.
But these days they walk in the front door and they say, hey, can you please have more?
Because we've said here's the configuration, here's the code, you're more than welcome to submit pull requests.
I think when I looked at our repository, where we store this stuff.
We have 46 individual contributors over the past 24 months.
I was really surprised and like that makes me feel good about the decision that other people are adopting it.
And then finally, like log everything. That forensic record streaming from everyone's laptop is incredibly useful.
So more often than not, what this has caught is not nefarious behavior, just accidents, right?
But being able to go in and like reconstruct a user session and then go and talk to them about that.
Like, hey, did you mean to do this? Ah, I didn't. Instead of it ending up being like a legal case or some big to do, it's just a conversation with someone around, hey, we can see what you did.
Was it a mistake? I guess it was. Okay, great.
Move on. Fantastic. So I think we're at time. I just wanted to say thank you so much for the attendance.
A huge round of applause for Abe, who's a wonderful partner and very, very, very brilliant guy all around.
Abe, it's always a pleasure.
Thank you for your partnership.