So first I'd like to introduce Martin Kuppinger founder and principal Analyst, Analyst of KuppingerCole author of many books regarding information security. And of course also frequent speaker. As many of you may know now, zero trust was coined by John Eck back in 2010 as an approach to security that relies on concept of never trust. Always verify. Martin mentioned that so allowance has teach us that traditional zero trust isn't enough. Consequently, we must extend the zero trust paring beyond networks, security systems and identities, and applied to all types of software don't trust software period. Welcome Martin to this panel.
I
Then I'd like to introduce John John Tolbert, who is our matching director in the United States, and also lead Analyst with two topics in his focus, cybersecurity and itis management. So perfect candidate for this panel. And he, I, a quote of him I'd like to make is zero trust architecture, must constant network layer thinking in order to be successful. Zero trust architecture requires proper authentication and authorization for each session involving users, applications, networks, obviously, including clouds and data. Happy to have you here, John today.
Thanks Albert.
Hello everyone. And our third panelist Alexei Alexei, Balaganski also Analyst with, and he has his special focus on both cybersecurity and artificial intelligence and, and covers a big range of topics, including database security, API security, cryptography, and AI-based security automation. And he of course is also regular author of, of reports. And he just recently wrote one about zero trust. And a quote of him is AI and machine learning capabilities are key differentiators between IGA vendors today. And I'd like actually to make another quote of you, because I really like that one Alexei say it's probably because of your Russian background, because one of your quote says almost exactly a hundred years before zero trust lair lady in one said the electron is just as inexhaustible as the atomic nature is infinite. Well, it seems that this idea is just as applicable to the notion of zero trust over decade after its conception. It keeps on giving. Very nice quote, thank you for that. Welcome to the session.
Thank you be hello everyone.
Now, the first question Martin goes to you and it sort of relates to the quote. I just mentioned in relation to Alexei a, we recently organized a group of this group of CSOs, a session with actually this John who was the inventor of the term zero trust. And of course, zero trust concepts have evolved over time. What's your take after this discussion and why do we need zero trust today?
Yeah, I, I think the take after discussion is not that much for different from what I had in mind before the discussion. And I think it's also what turned the discussion fully, fully agreed and also promoted that the concept of zero trust has evolved that it has manifests that network securities, such endpoint securities essential, but also identity access because at the end, that's what I also talked about previously in my keynote today, identity access are so important and last not least we need to don't need don't need to stop. We, we must. So we must evolve the concept towards software security and to, to understand, although we can't trust software, we must secure and verify that area as well. And so it is still an concept in evolution. On the other hand, it has proven to be a very strong foundation for architecting, your cybersecurity infrastructure and environment of the future.
Yeah. Thank you for that. Alexei day is zero trust an idea? Is it a feature or is it a product or something else?
Well, I guess that's the greatest point of zero trust at our notion that it actually, it resonates on all levels. This is why it's been so popular for, or actually not even 10 years, but like almost 20, because although the term is only like 12 years old, now the ideas behind it are, have definitely appeared in the early two thousands. And the point is that zero trust is a philosophy is a kind of profound way to explain, like what have you been doing wrong in the area of cybersecurity for so many years? And how do we fix all of those problems if you go higher? Yes, it actually gives us a set of very practical recommendations, the tenants of zero task. Like what do we have to fix? How do we fix it? And then as a cherry on top, it actually sounds like a pretty interesting, intriguing buzzword. This is why it's so beloved by marketing people and the customers around the world. And the biggest challenge for everyone is to understand the difference between all those levels of abstraction, if you will, because if you are only start thinking about zero trust in networking, or even if as Martin just mentioned, you only focused on software security, you won't reach that goal. You have to think on a very broad and kind of big picture, large scale architecture level.
I think that makes sense. Thank you for that. Now, China, I know that at the, at, at the end of last year, beginning of this year, you very much looked also into what happened in the solar wins incident, but what can we learn from that incident and how does this relate to zero trust?
Oh, that's a, that's quite the big topic. You know, I think what one of the lessons that I've taken away from that is that for a long time, I think people in it look at some of the, you know, the outlier cases in security as being things that, oh, you know, that that's a very sophisticated attack and, and nobody's thought of it that would take such a level of effort. Nobody would try it, but, you know, with solar winds and some of these other attacks, like the exchange server thing that followed soon thereafter, we see that it's supply chain security that we really need to be worried about. I, the it supply chain and the attackers are realizing that they get much more value out of their attacks, the higher up in the supply chain that they go. If you look at specifically solar winds, the number of impacted customers was, was huge. And same thing with the Microsoft exchange server attack is just taking it one level up and being able to compromise far, far more victims. And from a zero trust perspective, I, I think this also exposes why and where zero trust would have at least made it much harder for the attackers to have been successful in those attempts. If there had been, you know, proper authentication, proper authorization in place for all the different resources that were affected.
Yeah. And I think it added a new approach for how to, to enable lateral movements. So to speak in, in the sense of, it was a different way to, to, to pass the door into the organizations that were finally enter attack, instead of going through the firewall, it was going through the software. And then again, letter movement happened in these targeted organizations. And again, this goes back to the zero trust notion. So, so never trust, always verify and never at the end of the day, in many of the affected organizations, there were obviously too few verifications at the end because everyone trusted something and it turned out okay, was a bad idea to trust them.
But I guess it still opens one kind of additional aspect to think about like who watches the Watchman. What if someone managed to sneak a back door into the actual, like zero trust enforcement product, be it part of your identity management architecture, or some kind of a network security, micro segmentation, what even those tools become compromised. How do you end the meta second level of zero trust on top of that?
Yeah, that, that brings us to layer security. That brings us to, we need multiple elements and zero trust is not to find something else, a single element to trust instead of the firewall it's to use the firewall, to use the identity management, to use analytics, to use elements in network segmentation and, and, and, and also to combine that perspectives on. So across systems to understand, oh, there might be something going wrong. And, and I think that that is the risk of saying, okay, maybe if we add a CASP or if we add that, that, that we are done, no, that that's not true. It will always be the combination of the concept of multilayered security from the identity and the device to the data. And that will help us to get better. And we never will be 100% secure.
Now, John, I know that that, that you are concerned in your research around identity and access management, a lot around authentication and authentication authorization. So what kinds of authentication mechanisms are organization using to achieve strong authentication?
You know, I think it depends on the use case, the value of the resources, you know, the mechanisms that are available. I think, you know, for high security use cases, we've had things like hard tokens for a long time and they will continue to be popular in certain scenarios, you know, but there's also this consumerization of it that we've been seeing going on for the last few years where enterprise workers realize that, Hey, there are different ways of authenticating that are less troublesome, you know, when I'm doing conducting, you know, business, personal business from home. So there are, excuse me, like mobile application mechanisms that don't necessarily require passwords because we do know the passwords are problematic from a security perspective, same thing with the knowledge based authentication security questions, you know, for recovering accounts, those things are not really good for security. So, so I would say, you know, mobile apps, mobile biometrics have become, you know, much more accepted in lots of different contexts, both from the consumer side, as well as increasingly now in the enterprise with 5 0 2 and web often being able to integrate, you know, mobile authentication with your windows, hello, and, and also to various websites as well.
So I think that, you know, moving in the direction of using a mobile device where possible is, is definitely good, because then you can leverage things like, you know, secure SDKs and those native biometrics
Martin topic of the conference is, is around IGA. And IGA is a very mature concept. Product goes around lifecycle management who has access, which resources, cetera, cetera, all the known stuff. Obviously we have to get this right, but how does this, how does zero trust come into the equation of IGA? What, what kind of role does zero trust play here
All the other way around at the end of the day? So we need to manage entities. We need to manage the accounts we need to assign entitlements. We need to implement governance. We need to use AI based approaches for access governance that identify outliers anomalies in the entitlements that start looking at user behavior so that there are a lot, lot of elements where I IGA helps there on the other end. I think it's also this. We, we need to enforce security. And this is part of what we do in IHA at many places. And so both topics are tightly related. I I'm there to say there's no successful zero trust without the strong, I am also with strong processes you have in place with good policies you have in place. And so on the other hand, zero trust also is driver for modernizing what you do in it. When it comes to go beyond traditional role based access to policy based access, when it goes, comes to trust and time provision, when it comes to more, let's see, be careful with AI, but, but more analytics based approaches looking at where our entitled, where our risk etcetera. And so I think zero trust is, is also pushing IGA modernization at the end of day.
Yeah. Yeah. That's, it's interesting. So, so Alexei, Alexei, Alexei, what's, what's your, what's your view on that? Is it from your perspective possible to build some kind of serial trust architecture without strong IEM and, and, and what if so, what would that mean?
Well, let me kind of give you a controversial opinion for a second. Absolutely. It is possible a typical trivial example. You have a computer, you store some data on it, you shut it down, you unplug the network cable, you have a perfectly zero trust environment, which is completely inpe trouble on the questions. Like how much use do you get from that? Unfortunately for real life scenarios, you have to implement something more usable, both from the kind of user experience and productivity perspective. As in, as Sean just mentioned, such as multifactor authentication, adaptive policy based real time, like this is the point real time access decisions and has the same applies to identity governance as well. Like it has to be real time. It has to be smart. It has to be a continuous process and not like quarterly review. So zero trust is all about making it continuous, smart and automated, I guess.
Yeah, just done. How can we avoid zero trust, disappointment. So what are, what are the things, so, so what, what, what, what would you to do in order to avoid disappointment?
Well, I think start with realizing that zero trust is not embodied in a single product or a single service and that it, you know, it takes a while to get there. It, it begins, I think with looking at the entirety of your architecture, not forgetting that there are, you know, cloud aspects there and then probably other things that you other shadow it, things may be going on. So take a holistic, look at your architecture and then start by upgrading, you know, some of the core services that can provide zero trust, like your authentication and authorization and, and things like micro segmentation on the network side are still valid. But then also consider the application side, how are you, how are your applications able to consume authentication authorization information? And, you know, applying that to at the data level where you're deciding which data objects are of a higher value and need to be protected differently than say some of the defaults. So, you know, it's a, it's a long process and it's, it's one that you're never really done with because it requires near constant reevaluation too. So set your expectations, such that, you know, this is you're in this for the long haul and you won't be disappointed
Martin to that point. Obviously companies are not starting on the Greenfield. Many customers have already invested big time in other securities solutions. How will zero trust affect those investments? Do they have to throw away everything and make everything new? Or what's your advice here?
Yeah. You know, I think probably of many organizations I keep, I try to keep you short. I could probably spend the next hour on that, but could kill the agenda, keep a chart. The problem is the situation is not a problem. The situation most organizations have a Sue of cybersecurity tools and zero trust sort of brings in the impression we need even more. And probably you need some more, but you also need to think about which may be, may you retire. So go and start with a portfolio analyzer. Think about from the big picture Trump talked about to which deliver most to security compared to the cost, the effort they have, which elements do you need to combine to, to, to stay within budgets, to, and to deliver the best and security you can do. So this is from my perspective, really one of the essential starting points is portfolio assessment, and then moving from there into a roadmap into well executed planning.
Yeah. Yeah. Thank you. So, so let's, let's do a final, a final round perhaps, and the challenge will be limit your answer to ideally one sentence. And then we make that a brief, a brief round. So what's Alexei say, what is your number one advice? How should companies start? How should they start that journey?
First of all, trust, no one is this trust, no vendor and do not trust their labels. Look for specific capabilities, understand how those capabilities address your business challenges and do not hesitate to reach out for helping guidance, not necessarily to keeping a call, but at least to people who, whose job is to help you.
Yeah. Thank you. Number one, pitfall when implementing zero trust,
It's probably thinking that it is something easy that you can do by just, you know, rolling out one or two products that say that there's zero trust. It's, it's more of a lifestyle change. It's more of a, an architectural decision and, and perspective that you have to take. So look at it. As you know, in, in many cases, a large effort to get there.
And finally to you, Martin, what's the, the best advice you would give people who have not yet started to look into zero trust. How should they prepare for this well important new step?
How should I prepare? I think the most important thing is really in cybersecurity, never act in panic mode or in headless treatment mode, but follow the plan you have made.
Yes. Well that sounds reasonable. Yeah. Thank you all. I think we, we have come to, to the end of our session, it was interesting. We could have talked for another couple of minutes or even hours. I know that, that, you know, so much about this topic that we could spend all day on the rest of this session for it, but thank you for your insights. It was a pleasure. And I handed back to Annie.
