Analyst Chat

Analyst Chat #106: 2021 - A Retrospective


Paul Fisher and Matthias present their very subjective summary of a really special and, in particular, especially challenging past year, 2021. They cannot do without the word 'pandemic' after all, but they also try to reach a first perspective on the year 2022 from the past 12 months.

Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm the lead advisor and senior analyst with KuppingerCole analysts. My guest today is Paul Fisher hailing from London. Hi, Paul. Good to see you.
Hello Matthias. How are you?
I'm fine. How are you? We are getting close to the end of the year, right?
Well, yeah, before that we have Christmas though, so that's right. The holiday season as we should call it.
Exactly. And this is actually the final episode for this year. We want to do a somewhat different episode for this one. We want to do a retrospective on 2021. We want to avoid the word pandemic or Corona. So having said them once, we ignore them as of now, hopefully. If you look back at 2021, and as an analyst doing lots of research for KuppingerCole, what are the most important memories, the most important facts that you remember for this year?
Well, you said don't mention the pandemic, sorry for that. So I'll mention something that kind of benefited from the pandemic, which was ransomware, and cyber crime in general, I think, did benefit from the fact that we continue to work at home and we continue to work remotely, and businesses, organizations found themselves vulnerable much and even more to things like ransomware. And I think if there was one constant throughout the year, if there was one word that kept coming up, it was probably ransomware. We obviously had a workshop at EIC. We've done webinars on it. And you know, even our rival analyst firms have been talking about it as well. I mean, the thing is there seem to be two issues that have come out of this epidemic of ransomware, if I could use that phrase. One is, do you pay the ransom or don't?
And the official advice normally tends to be, you should not pay the ransom, because that only encourages the attackers. And quite often, and there is documentary evidence for this, companies that have already been hit once by ransomware and paid the ransom get hit again. A bit like when your house, or a house, is burgled: quite often, sadly, the house will be burgled again quite soon afterwards, because the criminals know that there is a fairly easy way in. However, having said that the official advice is don't pay the ransom, we know that also in the real world, many businesses will pay the ransom because they want to get back in business as quickly as possible.
And the problem with that, though, is that now these attackers have become even more aggressive and also quite malicious, in that even if some companies pay the ransom, they don't even unlock the data and files, et cetera, that they've bricked up. So it's a horrible, horrible business. And, you know, there are no clear-cut or easy answers. I mean, our official advice would still be, I think, do not pay the ransom. However, the best advice is to improve your defense. Think about things like privileged access management, identity and access management, identity governance, all the things that we talk about all the time. And while traditional defenses, such as firewalls, et cetera, anti-malware, can do so much, the fact that privileged accounts are targeted by ransomware distributors shows that they know how to get into a business and how to target those channels which lead to the essential data that the business needs.
So our, my official advice would be, do not pay the ransom, but it's easy for me to say. But I would also say, think about how you can improve your identity and access management posture and policies and technology to at least make it much harder for ransomware attackers to succeed. So blocking off those lateral channels that they use to go across the network. And don't just rely on your firewalls and anti-malware systems. Obviously, those are important. They still catch 99% of viruses, et cetera. So I'm not sure what the latest on ransomware is, but I'm sure, although we weren't going to talk about the pandemic, but given that we now seem to be, you know, globally, at least, well, at least in Europe and the United States, that we now seem to be affected by another wave, then sadly, I think ransomware will continue to be a big problem into 2022. And then just one last point on that is that the attackers have also become smarter and more sophisticated in their delivery systems. So even then we tell our people don't click on this link, be careful of these emails, et cetera, they're now using fileless payload systems. So you don't even know that a dodgy email contains malware, et cetera. So stopping them is becoming harder by traditional methods.
Right. But on the other hand, we have seen, we have also some real improvements in the cybersecurity industry, focusing on ransomware and on endpoint protection in general. I think that is something that is the other side of the coin, to say, okay, we really see solutions that are really dealing with that. And of course this is driven by this development, by the even professional business model that these ransomware attackers follow. But nevertheless, it's still a cat and mouse game between protecting and actually doing the attack. But what we've seen is also an improvement around the technical solutions, but also the organizational solutions, that is processes, that is internal training, awareness trainings for the staff, et cetera. So it's really getting better there as well, but it's by far not yet a solved problem.
Yeah. And awareness training can only take you so far, because human beings tend to forget awareness training, or they don't even listen in the first place. So yeah, but that doesn't mean that we shouldn't do it, but don't rely on it. That's what I would say. It's one part of the Patel. Yeah, exactly. Call it. Just say to be a little, don't do this, don't do that. And then not doing anything to prevent them or preventing that to happen in the first place. So the other, I think, curious thing is ransomware as a service. So a bit like in the past where, you know, there are criminal gangs and state-sponsored actors and all those that do the majority of attacks, but now people who are sort of in their bedrooms or wherever being able to do ransomware by piggybacking on, you know, the attacks by major criminals. So that makes the problem even worse. So, you know, you can go get a ransomware kit, you can download it and go and block your local pharmacy.
Exactly. So it's really a business model, and be much too easy, too convenient to get there. So that is also a sign of the times, if we look back on this year and the first thing that comes to our mind is a threat, something that endangers us and where we need to be protected from. Anything that is on a more happier side when you think back of 2021?
Yes. There is stuff to be positive about. And I think one of those things is DREAM, which is our new acronym for paradigm, which is obviously about protecting networks, but it's also about taking or getting business advantage from cloud infrastructure. So for those that haven't seen it yet, DREAM stands for dynamic resource entitlement and access management. I believe that's correct, Matthias. Yes. Just to make sure I've got the official term there. But DREAM is really an extension of what we've seen from a cloud infrastructure and entitlement management, but we've taken it further into a way of managing and controlling access to hybrid and multi hybrid architectures, which are now proliferating, where we have, for example, an organization which still has data centers, private data centers, that has stuff on premises, but they'll also be using AWS or Oracle or Google or any one of the cloud service providers.
And also they may have private clouds within their organization. On top of that, they also now have clusters of DevOps and DevOps pods, and they might also have other departments which are setting up their own or buying their own cloud provision of AWS or Microsoft. So that creates what I've been talking about, which is the ever expanding IT universe, which is based on the theory of the actual universe, which started with the big bang and has expanded ever since, and is hugely complex and in some parts unstable. And I think that even the smallest organization may start off with a fairly manageable infrastructure, but by its very nature, the growth of a business will always add to that infrastructure. As soon as you start doing stuff, you know, even the first email you'll send adds complexity to your infrastructure.
So if you looked at the infrastructure of a large business, so, you know, a major pharmaceutical company or a major automotive company, you took that infrastructure. We tweaked it. We tend to often picture infrastructures in sort of straight lines with little squares and circles and things, and very linear. But I think the reality is much more three-dimensional, much more complex and chaotic, and lines just going everywhere, and new constellations of data and servers will appear. And that is why we've come up with DREAM, because whilst you of course can't technically control the expanding infrastructure, you can control identity and access management to that. So we've been looking at ways of sort of assessing products for DREAM. And in 2022, looking ahead, the first Leadership Compass on DREAM will appear, which has been written by me, funnily enough. And that will include what we call PAM for DevOps, but it will also include the sort of existing CIEM vendors, at least some of them.
And also we will be looking at access to, or rather certificate-based access to, things like DevOps itself. So that's something to look out for. DREAM was first unveiled at the EIC in September this year. But the point I'm trying to make is that we need to stop thinking, well, I think we need to stop thinking about infrastructures that we can control. And accept, rather like, you know, we accept that attacks will happen on our business, so now we need to accept that the infrastructure of our business, or the IT infrastructure, is going to be chaotic and it's going to be inevitably bigger by the day, but we can still manage that, I think, if we can manage the access. And if we manage that, we also can help prevent things like ransomware getting through to stuff, because why ransomware succeeds is because the malware goes off and is hidden, and then it attacks some part of the infrastructure that we don't know about, or the security people don't know about. And that's what causes the problems. So that's meant to be a positive thing. And I think it is a positive thing. And I think that the work that we're doing on realigning how we talk about infrastructure and how we talk about organizations is valuable. And I think that, you know, you yourself, you're doing some work on identity fabric, which is another one of our philosophies. So I think we're probably alone amongst some of the analyst community, thinking about this restructuring and rethinking about the way that we look at IT architecture and infrastructure.
Absolutely. I think we need to deal with complexity. We need to deal with volatility of this infrastructure. It is changing. We have to deal with that. And the concepts that you've mentioned, so DREAM as one core component, but also the management of infrastructure, applying policy-based creation and maintenance of infrastructure over time to make sure that we understand every part of the infrastructure, be it there for a long time, or be it there only for a short amount of time, that is really important to get a grip on these changing architectures. We see this kind of cloudification in various aspects, and of course we are happy to say, hey, the system needs more performance, so let's just spawn two or more instances of the same software solution so that it scales up. But once we do that, we need to understand that there are, again, identities in there, there's data to be protected in there.
There needs to be cybersecurity infrastructure around these added containers, and all of this needs to be dealt with as adequately as we deal with the performance issue. So the concept that we're talking about, and that you've mentioned that you're covering in the Leadership Compass, this is the other, the complementary part to what we need when we implement the new kinds of business processes and the new scalability for this changing digital economy. And so we need to be capable of achieving that, and this Leadership Compass and the concept that you mentioned are really important building blocks to getting there.
Absolutely. And what happens is when we get these, like you say, people just spin up another cloud or they spin up another virtual machine, but they don't spin them down again. So that becomes another part of this universe, which, if it's not known about, is very useful to attackers and so on. So it still comes back to access, I think, and identity. And we've been talking a lot about, obviously, machine identities as well. It's not just human identities and how they fit into the identity fabric. So, you know, that's something that we've been having discussions about, as you know, internally. So yeah, the other thing I wanted to say was that, also from the discussions that I've been having with some vendors and clients, we shouldn't just think that cloud is the future for everything.
And that cloud is somehow better than on premises or data centers, or even mainframes, et cetera, because there are reasons why companies still prefer to have data at the center of their universe rather than somewhere out there, as it were. And they like the fact that it's their data center, that they control it. And so that's why we get this hybrid infrastructure situation. So they'll use cloud, but they won't put all their eggs in one basket. They won't decide to, you know, we'll put everything in AWS, we'll put it all in Google, et cetera. And then again, there are companies that will do that. There are businesses, as you know, they're totally cloud native, totally fine, and running the whole thing off one cloud provider. I think I know less this time, this year, than I did last year.
And let me qualify that: that's actually a good thing, because I realized that there is so much more that we need to know about modern IT. And there's so much more that we need to do to manage identity, to improve security. And I think we're just starting to sort of get there. And I really love being sort of at the center of this because, you know, one of the great things that happened this year was having the EIC conference actually take place live. And that was a highlight, definitely a highlight of my professionally anyway, was to go to Munich, see my colleagues, but also enjoy not just the sessions that I was involved in, but just to meet the vendors, talk about where things are and just basically do what we used to take for granted, which was just go to conferences. So that was great then about you. I don't know. Yeah. Fully agree that
Yeah, absolutely. We actually had two hybrid events. So hybrid means there was some live part to it. So we had EIC in September and we had the Cybersecurity Leadership Summit in Berlin in November, and I was happy enough to join both of those just before the numbers were rising again. But nevertheless, we are also looking forward to 2022 and then having EIC again at the usual date in the year. So it will be in May again, and we plan to have it as hybrid as possible. And we will do it for the first time in Berlin, at Berlin Alexanderplatz. So that will be a nice venue, the change to the tone and to the atmosphere, but everything that you've mentioned, meeting the right people, having this kind of class reunion of all these identity people, be it vendors, be it customers, be it analysts, be it consulting companies, I'm really looking forward to just getting in touch with those people again. And it was a pleasure meeting you in Munich and meeting all these people again, in some kind of normality we hope we can get back to.
And even though it was hybrid, and probably maybe there weren't as many people there live as traditionally, I was actually surprised how many people there were there, and there was a great atmosphere, and it felt like, you know, a conference, it felt like people sharing ideas and listening to, you know, some great presentations. So yeah, I'm really looking forward to Berlin, nice to go to Berlin as well for a change of scene. So that was my highlight.
But actually we also adapted very well to this working from home time, and just doing these KCLive events, which are a different format, are fully digital, are shorter, focused on one day, half a day. I think that also makes very much sense for our customers, for our vendors that we deal with. And it also has a different tone to it. So I think we will continue with that anyway, but moving more closely to also this hybrid kind of events, this will really also be the touch point where we can really talk to people apart from doing advisory or research.
Yeah. And I think we should give a big shout out to our technical team at KCLive and EIC. I mean, I think they do a wonderful job of producing our events, and I'm biased, but I think that our hybrid events are better than anyone else's in the way that we managed to mix, you know, someone actually presenting and also having people live. So it's as close to watching a live presentation as we can get. And I have to say that some of the efforts by some people in the, shall we say, the vendor community really were not good. And I'm pleased that we managed to do hybrid, or not even hybrid events, but just purely digital events, but still allowed great integration with the attendees and interaction. So there was proper Q&A after. Also another highlight, I think, has been the increased popularity of our webinars. You know, we've done, I don't know how many webinars we've done this year, but it's a lot. And the ones that I've done, we've had very good attendance, but we've also had, you know, registration in the hundreds, which shows that there is a thirst out there for knowledge and a thirst for guidance and advice on everything that's happening. So that was also a highlight for me, was the interaction on webinars and also working with the vendors on those who obviously contributed to them. So,
Yeah, but as a summary for this year, I think that is really a good starting point, really giving a shout out to our events team who make sure that these webinars can take place and that these are as structured as said, and that they also really benefit the participants, that they are not just talking about product, it's learning something, getting the message across, understanding trends and really assessing trends on the one hand. Shout-out also to the teams that created these virtual events and the hybrid events especially, and make them work. And also to our technical partners who did the camera work, all the directing work onsite and online. I think that is really something that we can take as a final note for looking back on 2021, and as this will continue with the same team, the same people, maybe at even a larger scale when you look at Berlin, I think that is something to be proud of for the last year and to look forward to for the next year.
I couldn't agree more. Yeah, absolutely. And I think research and events work very well together. But before we get too meta, I don't know if that's the right word, then maybe just a quick run through some other things that I think have been constant throughout the year. Zero trust, I think, is having a, almost like a, you know, it's a 10 year old sort of theory, philosophy, but I think it's been developed beyond the original concepts. And I think it's having, you know, a second wind now, as more organizations become interested. It also works very well with our concepts of DREAM, et cetera. Privileged access management, that's my sort of special area, but that, again, as we go into 2022, is a sector that is still throwing up surprises. It's throwing up new vendors and it's still very competitive. And it's great to see that the vendors are also kind of in line already with some of the DREAM infrastructure ideas that we have.
And finally, I have SOAR, security orchestration, automation and response, which is about automation. We haven't really spoken about automation, but automation again is a theme that's come up in 2021 and will undoubtedly continue through next year and beyond, because the more that we can automate successfully, that is, automate successfully, there's no point automating things if they don't do it correctly, but the more automated, the less that have to do, the better for us all. So we'll be talking a lot more about that. And finally, API security, which is something that our colleague Alexei Balaganski has been looking at. And I think that again is moving from a kind of specialist area into a more mainstream area, as we become more dependent on APIs, not just for actual business functionality and processes, but also for the security and identity processes themselves. So I've run out of ideas now, Matthias.
Yeah. As you've mentioned automation, that is, of course, also included in this DREAM paradigm, because if you have a volatile infrastructure, if you have volatile identities, this is nothing that you want to manage manually. And this is nothing that you can manage manually. So this is really something where automation, policy-based automation and maybe even policy-based access decisions at run time without having to have provisions and automation at that park. This is something where this is of utmost importance.
Yeah. We didn't talk much about policy, but policy management obviously is a hugely important part of all this. Without policies to begin with, you can't really do much, so. Yeah. Good, good for PR for remembering that.
Right. Absolutely. And so, having identified some of the most important topics for the last year, and keeping up to date with the changes and the trends and challenges within the business for the upcoming year, I think you've mentioned many of the topics. There are more in the individual areas that our analyst colleagues are dealing with as well, but I'm happy that we will be covering the important topics over time through our events, through our research, and hopefully also in our advisory work that we are dealing with with our entities, our organization, and customers. So to close it down for this retrospective of this year, it was really great to talk to you, Paul, about what happened in the last year, even under these restricted circumstances that we have, and having a hopefully more positive outlook on 2022. And hopefully seeing all of you, most of you, virtually or in person in Berlin. Any final words from your side, Paul, to talk about the outlook?
Well, the outlook, I like to be an optimist. So I like to think that things will get better in every way, that this dreadful pandemic will finally end, or at least we'll find a way of working around it, but I'm also optimistic about where everything is going technology-wise. And I think, you know, technology is always exciting, but I think our area is probably the most exciting it's been for a long time. So I'm looking forward to more research next year, you know, working with more vendors, new vendors. That's the other thing that we're seeing, the number of vendors that we work with and the type of vendors we work with has changed, which is great. And yeah, I think 2022 will be a good year for all sorts of reasons. There's a World Cup in 2022 as well. So let's not forget that.
Thank you very much, Paul, for giving that positive outlook on 2022, for being my guest today, for being a regular guest on this podcast, which is highly appreciated, and looking forward to doing more episodes together with you next year. This podcast will continue after a short break for the Christmas and the New Year's time. And then we will be back early January with a new episode of this podcast. So thank you very much, Paul, for being my guest today.
Well, thank you, Matthias and Merry Christmas, Merry Christmas.
Bye-bye
