Applying Zero Trust to Humans and Things

Okay. So without any further delay, I would continue to scout see it over from four truck. Welcome on stage. And here is the clicker. Thank you. The green. Yeah. Good afternoon to the zero trust afternoon.

Yeah, I'm really happy to be here. This is my first in person presentation. Ever since that COVID COVID thing happened so excited to be here.

My, the previous speakers were from Siemens, so we are here in Germany and I think everyone know Siemens, not everyone may know for trucks. So maybe a few words about the company I'm working for. We are a leading identity and access management vendor. We have a very comprehensive platform for identity and access management built in a modular way. We have heard zero trust is a journey. So companies typically need to determine their own pace at which they progress, which our platform allows our customers to do. It's also modulars.

So you can start on one end and that extend it as far as you want, identity and access management is a simple thing, right? You have three questions to ask, who are you? Should I trust you? What kind of access should I give you? Yeah. And that started a long time ago with usernames and passwords actually, does anyone know how old usernames and passwords are about 60 years? So more than 60 years ago, passwords appeared so back to the presentation.

So the, the presentation today is giving zero trust, access to humans and things. And there's a few questions I'd like to answer today. Why should we do it? When should we move to zero trust? What needs to be protected? Is there something that needs to be protected? That's worth the effort that we have just heard in the previous discussion and how to do it. And I'm not gonna go into the details of this slide. It shows that, you know, cyber incidents are increasing. So I have another question. When was the first cyber incident? It was a worm. It was kind of almost an accident.

Anyone knows about 30 years ago at the end, he's Googling at the end of 88, early 89, the Maurice worm. It was intended to count computers, but he got wild. So 60 years ago, a password, 30 years ago, the first cyber incident. And then we are now on a exponential function of, you know, the risk that's out there for organizations that can kill your brand that can kill your business. And there's one thing that's important to know. Most cyber incidents can be traced back to lost, stolen, weak credentials. So usernames and passwords are really a lose lose thing. Passwords are difficult to remember.

No one wakes up in the morning and says, oh God, I look forward to, to log in. And I look forward to use one of my 51 passwords. And so no one does that. So it's bad security and it's bad user experience in the us. We did a study. You can find that on our homepage, the breach report there, the lost stolen credentials increased by 450% last year in the us alone. Now totaling 1.5 billion sets of credentials. And we also have some chairman numbers, every incident, even the smallest one, you average the cost per cyber incident. You're almost 5 million per even every incident.

Of course the damage and the cost varies widely. Yeah. So that kind of gives you sort of a sense of urgency. It's better to start now than tomorrow, but it's a journey. So you don't do that overnight. And in the old days, it looked like this. You had customers and you could argue your customers had remote access. They were not on campus. And same is true for some of your external business partners, but the world, everything else was simple. People were working from the offices. The data center was on the campus. It had all the functions in it. You had your production.

In many cases, the production was air gapped. So you had an, a network island that was not connected. At least that's what people were believing for a long period of time. But then this happened, and this is not just COVID, but COVID accelerated it. But it's been going on for many years. We have things all over the place. There are connected. Some people say there is more connected things today than there is people that use the internet. And you now have also a convergence of requirements between external users and employees, because your employees are no longer in, within the pyramid.

They are working from everywhere. And if you use your PC, whether it's your own or not, if you use it in Starbucks, the network, there is less protected than the corporate network. So there is risk there. And if that is a power user or a specific user that has administrative rights, that does require some attention. And you know, this is the old, I, I have different slides, but some of it is repetitive for the afternoon. From the afternoon, the threat can come from everywhere.

It can come from within that doesn't mean that the person within the organization commits a crime, but because the device is not well, you know, it's an UN in an unprotected environment, in an unprotected network. So we have to stop trusting everyone. And that's really what zero trust means, right? Don't implicitly trust anyone and protect at the smallest possible surface. So if you respond to this with the world's best firewall with thicker walls and, you know, with, with guards that that's not a response to the, to the challenge we face. I also said, we need to look at what we protect.

And it wasn't some of the questions earlier. This is not an exclusive list. And by no means it's a detailed list, but there is of course, corporate assets, IP, personal data of your employees, personal data of your customers. Those need to be protected. And in many cases, this is not the company deciding I protect it, or I don't protect it because I don't care. There is laws that mandate these organizations to protect those data. So it's not at the discretion of an organization to do that. And so there is, you know, dependent on what you do.

You have to apply more or less because security is not as switch that you flip on and you have absolute security and you switch it off and you don't have any. So it, it depends of what you protect now. Zero trust is unfortunately not a one stop shop. You cannot go out and say, I'd like to buy zero trust for my employees. We have heard that in the previous presentations as well, it consists of a variety of components. I have selected three important ones here. One is of course, the network itself and the segmentation.

We've heard about it, devices in the it space and in the OT space is also important. But since I am representing an identity and access management company, we will today focus more on what identity and access management can do in zero trust. And you know, also on the, from the previous presentations, I was happy to hear it is a foundational pillar to zero trust. And that is what we, what we will focus on just a quick side step before we go into more detail of what it means to identity. And of course you need to collect the initial set of credentials, but then you can't stop there.

You need to understand what device the user is using is that device a trusted device, and then some other attributes. And we've heard earlier, also on the impossible traveler. If you log in, in the morning here at the conference before breakfast, because you do some stuff and then an hour or two late, the same IP address is used halfway around the world. That's an that's impossible. So that needs to be locked out. Or if it's not as brutal abridge, then maybe you can get some reading access to some, not so critical data. So zero trust is not a black and white.

It does have many, many gray shades in between. So what can identity and access management do in zero trust? And there is initially of course, you need to identify who that person is, but then you also need to take care throughout the session.

You, it's not good enough to basically authenticate and authorize a person. And it's, this is like going through the front door of a building and then you can move around everywhere. Zero trust means you have to basically have to have a key for, you know, an authorization policy that opens your specific doors and you get checked at every door within the building. And even when you go back out the door and you try to go back in for another transaction, you get checked again. So that's the continuous aspect. It's not a single event. It's a process that you go through continuously.

And then there is the context, whether this is impossible traveler, whether this is device security, trusted device, or many other signals that can be identity related or not even identity related that allow you to make that confidence score that then gives access or not, or ask for step up verification so that you can get access. And that does require that the platform is open. I said earlier, zero trust is not a one stop shop. So naturally you're gonna have more than one platform or more than one product that contributes to the zero trust architecture.

And if you have an identity and access management platform that is open supports the identity standards, whether this is, or, or, or, or whatever standard you have and has rest APIs that are also open for partners to integrate, then you can have that best of breed concept. And if you have already solutions in existence, they're more easy to integrate. We've heard briefly about the authentication assurance levels. And this is my one of my favorite slides because I can badmouth the password again. So I really think it's a loose, loose situation. It's a memorized secret.

It can be stolen, and it's a bad user experience. If you go to a L two, you already have multifactor authentication and some cryptographic software. And that actually does both. It improves the security and it improves the user experience because thank you, modern cell phones. We are all used to face recognition to fingerprint, to some behavioral analytics. And if you use that, it's a good user experience and no password gets transmitted. Only the access token gets transmitted. All that stuff stays within the device. So it increases the security and it increases the user experience.

Of course, you can go step it up further. And there's UBI key out there. A partner of us that provides hardware keys to have even higher levels of security, but that initial step is only the initial step. And that's, that's really all it is. And you can have the absolute best first step as the session progresses. Your confidence level decreases is the user still the user that you authenticated initially.

And so, yeah, you could interrupt the session. You can say, okay, I terminate the session.

It's, you know, it has a timeout. And if the session is inactive, that may be appropriate. And if no one does anything, it's been sit sitting idle for a while. It's okay. It happened to all of you. You have to log in again, but if you are in the middle of something, that's pretty bad user experience. You don't want that. If that's an employee, you lose this productivity. Probably some work is lost. If it's a customer, you may have had a customer because there's another study that we did.

You can find it on, on our homepage, what people expect from online services and they are not accepting bad user experience. They will find another service. So what can you do? You can do step up security. And the way you do that is you can either do it in the background periodically or ongoing with behavioral analytics, with, you know, how you type, how you use your mouse, how you swipe your screen. That gives you a level. You have a profile in this. It's still matching. That gives you an assurance level, or you can do it based on transactions.

You, you all know that you log into your bank account and you can see the balance. The moment you want to do a transaction, or you want to put an order in, you are asked for an additional factor and that you can do also in the corporate world, if you access very sensitive data or specific applications that require special permissions, you could can perfectly ask for another factor. And I think it was early in the afternoon, where there was the discussion of whether this increases or decreases user experience and confidence.

And our experience is people appreciate it sometimes to be asked for a second factor, you do your daily routine from your home office, with your computer every morning at eight o'clock you log in, it's basically log list. You don't even realize it. You get access because this is a low, no risk access.

Now, if you travel halfway around the world and you access from there with your own computer, it's perfectly legitimate to be asked for a second factor. When you log in, and if you use a local computer, you maybe you be even asked more questions or, you know, checked via a phase or an Iris scan. So you can get the access that you normally have, where you don't have the friction when you're using it for your, from your home. So zero trust for identity and access management means it's not a single event.

It's basically a loop, a process that you constantly go through, and yes, you collect user and password, or hopefully just a fingerprint. And you combine this with additional information and I'm gonna show you, I'm not gonna get very technical. Even though this light is a bit technical, I show you how this is done in the for truck platform. And you take all these signals and then you come up with a confidence core. And when the confidence is high, you get basically instant access. And the confidence is low. You will be asked for another factor.

So you can check that the person really is the person claims to be. And I've, I've talked earlier.

It's the, it says here on the five extended protection, that's really the network of partners. And just to give you an idea, what we do in for truck with more than a hundred technology partners that are mostly much more than 85 are integrated technically. So they can be plug and play integrated into the, for truck platform. So this shows you how, you know, this is an access journey. It's a simple one, and I'm not gonna walk you through it in detail, but basically you have a user comes in and is either known or unknown. And when the user is known, he gets to his preferred way of logging in.

And in this case, I think it's an Iris scan. If not basical, basically the person registers and then gets presented with options of how that person wants to authenticate when the person comes back. And that can be a fingerprint or whatever, you can have have choices and the user selects. And what we also experience when you give the user a choice, the acceptance level goes up.

So you can, you can give that choice in that, you know, you build that process for a, a user coherent cohort, and then you can even do testing, say which one is more popular, how much performance do I need on one over the other, what you see at the bottom here, this is directly taken out of the platform. There is a no code graphical editor, and we call these little blocks here, nodes, and there is a big variety.

And if you have partners that are, that you want to integrate, and they're already, I integrated with, for truck, then you have a node where you can drag in the functionality and use that signal. So in a zero trust world, of course you, that could be like a, you know, an endpoint security service, because you, you know, we've heard you have to know whether the device is protected or not, or compliant with the device policy of that organization. And so you can check that signal and it becomes a part that then is used for calculating the confidence level.

Now, the title said zero trust for humans and things. And in this case, I also mean non it things. It's not your Mac, it's not your phone. It can be a printer, but it can be also some factory equipment. And so what the platform can do is you can give a first class identity also to non-human users the same way. And so devices are used exactly the same way. And that's why I have this device registration journey here. That is an OT device. You can't differentiate.

So the it manager now has basically a single source of truth for all digital identities and can see whether all these devices have been updated and not just the PCs and to what we see today, often in customers and prospects. We talk to that. It has a very good visibility into everything that is office computing, but very little into some of the T silos that get implemented by the individual departments that make use of the data that they get.

And by giving this single and central control of management also for devices that gives the it and department and the sea of an organization, that single source of truth, where he conceive all his devices are compliant to speed up a little bit. Yeah. So zero trust basically is a continuous effort. We have this advanced engine and we continuously need to make that risk assessment with all the signals we have.

And the more identities you have in that repository and not siloed knowledge and siloed information, the, the better your risk signal gets because it can use additional input signals, Just a few words. So this is the platform, and I'm not gonna explain the entire platform, just one comment. And it's line number three, all cloud deployments. And we've touched this in previous presentations as well, a little bit. We have 1300 some customers as an organization in for truck. We have close to 400, what we call very large customers.

And I have, I have not talked to all of them, but I talked to a lot of them and I haven't found one that doesn't have a strategy to move to the cloud. They all wanna move to the cloud or have a cloud first strategy. I also haven't found one that is a hundred percent cloud yet. They all say, yeah, it's a state of transition.

But it, in, in the truth is it's a semi-permanent state that state of transition lasts for many, many years because many organizations may have core applications that are critical to their business that are only available as a mainframe application, or that are only available as an on frame application. And those need to be protected and they need to be protected properly at the same time. These organizations wanna benefit from all the innovative services that can only get as a cloud service. And so now you need a platform that can do both.

And we for truck have decided to use basically the same code base, irrespective of very installed. You can install it on-prem, you can have it from a third party as a managed service, or you consume, consume it directly from us within the, for identity cloud. And there is also a license model that I'm not gonna go into it that helps to support that transition. So the organization should decide based on their business needs of what is in the cloud and what is on-prem.

And they should not be forced to transition just because they have an identity and access management system that only supports one or the other. And since that's a state of transition that will not end quickly, but this, the board is on-prem. And what is in the cloud will shift over time. It is important that a platform, when you select one can support that case. He's looking at the watch side. Am I late? This is my, this is my last slide anyway.

So yeah, we'll have some time for questions since this is my last slide here or this one here. Yeah. I like it. It's not a classic closing slide, but I like it because it nicely illustrates that with modern identity and access management, you can have, as the Americans would say, have the cake and eat it at the same time, you can have great user experience better than you have today with the lose lose password. And you can have better security.

And the more you consolidate all these individual identity silos into one fabric that becomes the single source of truth for all identities, you also become more efficient in your operation. So there's three things that help the user. It helps the security it's easier to administer. And of course, ultimately when you achieve that, it also lowers cost. Yeah. With that. Thank you. Any question.