Beyond Zero Trust to Achieve Zero Friction

Thanks. It's a pleasure to be here and I always enjoy coming here to share the stage and share the event with you. It's always great to interact and, and get some of your feedback and lessons. And today I'm gonna take a little bit of a journey. We'll go through a little bit of a history lesson, then we'll get into a little bit of practical use cases and hopefully I want to expand your mind and start stepping back a bit and start thinking about what is beyond zero trust. Because sometimes I feel that we get stuck in focusing on the car and forgetting about the destination that we're going on.

We're too busy looking around and fidgeting with a car and thinking, oh great, but where are we going? What are we trying to achieve? And that's ultimately want I want to do is open your mind to that. So when we talk about the zero trust, we talk about the journey and the destination. Really what we're trying to do is the reality check is we've got so many different threats out there.

We got attackers basically targeting organizations constantly with trying to get access to the systems through malware and back doors that are deploying ransomware, bringing businesses to complete standstill and stop. They're looking at financial fraud, whether it being business email compromise or modifying invoices in order to get basically financial profit for cyber criminals out there. This is a business for them and they want to be able to be successful in that, whether it being data breaches to business downtime and dedo attacks.

We all have to deal with these types of attacks on a daily basis and they're constantly growing all the time. And this is what keeps security leaders up at night. And for me, one of the biggest impacts that's driven a lot of these initiatives has been around ransomware and ransomware. We have to sometimes step back and sometimes we look at ransomware and we put it into the IT or the security team's bucket and say it's their responsibility. But ransomware is not. It's a business responsibility. It goes well beyond IT and security and it gets into a business impact.

And what gets into a business impact, we have to look at it differently because we have to think about business resiliency and so forth. And a lot of ransomware cases, what they tend to target is they want to target privileged users and privileged access and organizations. Sometimes we get into assuming that privilege access is solely within the IT team or infrastructure team, but today it's expanded well beyond that team.

It's no longer just about the users and the roles it gets into where it's about applications, it's about integrations, it's about hybrid cloud and how those clouds are actually interconnected. So it goes well beyond just the people. It actually gets into machines and applications in code and then also expands even further to not just being about users and administrators. It gets into the business side of things. Those users who who have access to sensitive data are also should be considered privileged users as well.

So we're at the point where all users should actually be considered privileged. It's not to say that they're all equal, they don't all come with the same type of risks. Every user has different risks in the impact of the business if those credentials are entities are ever compromised. So what things, what have we done? What can we do to reduce these risks? What can we apply? And I've been in this industry for a long time, I know you're looking at me and you're thinking, how could you, you can be any older than 25, but I ha I am a little bit older than 25.

I've been around for doing almost 30 years in this industry and we once lived in a bit of a simpler time. When I started in this industry, sometimes security was actually a key to the door where the computer was. But we've kinda evolved from that. And in the kinda the early two thousands, what we end up having was we had two separate lives. We had our personal lives, the ones that we actually socialized were friends, we had our own devices at home, which basically we used for our entertainment purposes. And this was a place for basically nothing was trusted, it was the public internet.

We, you know, it was the wild west of the, you know, the world. Everything was dangerous, lots of viruses going around. And then we had the workplace, the workplaces were something that we actually, once you got access through the front door, then everything was trusted within that perimeter. So we had these two separate worlds that we were living in. And the last couple of years, specifically the last 10 years, it's evolved quite significantly. We had these two separate worlds, our personal lives and the digital our, our, our workplace. And they've converged together.

We've actually moved some of the technologies has really advanced. This is around things like B Y O D, bring your own device. And I say that we've evolved from bring your own device to actually bring your own office. Now employees are no longer just about bringing the device, they're actually bringing an office environment with them, whether it being working home users are working remotely, but these worlds are converging. Your personal lives and your work lives are connect converging into one.

And, and what's happening is this complexity of mixture devices where people are taking the work devices from the workplace and bringing them home and then bringing their personal devices from home and bringing the workplace. And this basic cross pollination means that organizations have to shift the way that they look at security. They can't look at it as the public ended up being this wild place where we have to trust nothing and the corporate, you know, intranet or workplace that we had to trust everything. We had to treat it differently. So along came the term zero trust.

And zero trust is nothing new. It's been around for a long time.

You know, previously it was thought as the cab cream egg is that, you know, the chocolate in the outside and the soft department in the inside was around the mid nineties, but the first time it was coined, it was around 2010. And the reason why it was introduced was it was a focus around that network segmentation. That's where it started. It started actually in the late, you know, around 2008, 2009 when we had these B Y O D devices coming into the work or when people were bringing their work devices into the home environments or the public domain that those devices we can no longer trust.

So if you heard of terms like snack and snack, when those devices came back into the office, what we'd end up doing is we would segment them off, we would scan them for potentially malicious viruses and changes and configurations. And then once we trusted it again we brought it back into the corporate network. So that's what basically where zero trust started, it was all around network segmentation. It was creating VLANs and then scanning these systems for potential malicious viruses before they were trusted again.

And it's really kinda getting into that assuming and now much later of course as we start seeing, you know, the attacks increasing in ransomware and other types of threats is that we started thinking about, well you know, we no longer just think of it as network segmentation and no longer trusting the corporate network, but let's zero trust everything. All of a sudden it became this everything. And you start seeing products being called zero trust and you start hearing people about, you know, implementing and installing and becoming.

But we have to start thinking about what is zero trust, what really is it? And one of the best terms I've heard is actually it's a strategy on how you operate your business in a secure way. It's an operational ability. It's not something you install, it's not something you become, you are always on the journey. You're always operating in a zero trust strategy. It's about getting the principles, it's about practicing. So we have to stop thinking about is that it's something that you can check off and become zero trust.

You will always be practicing it and you have to break it down into smaller things. You have to break it down into smaller components, individual services and how you apply it and how you can actually do certain use cases in a zero trust principle of zero trust strategy. And for me, I'm always in a bit of a headwind here. When we talk about zero trust, it typically comes from security people because we like to be empowered, we like to enforce things, we like to be the enforcers, we like to put policies in place, we like to, you know, make sure that things are secure.

And when you take zero trust, it's great from a security practitioner. But when you talk to the business and the business users and the executives and say, we're going to implement zero trust and the business users go, what? You're no longer gonna trust our users, how are we going to operate? And it creates friction. It actually creates friction. When you try to apply zero trust basically to the business side, it actually creates friction between the business because they want to do their job, they want to do what they've been hired to do.

They want to do what they're actually getting their metrics and performance based on. They wanna be successful. So we have to sometimes change our terminology and this is really where we start having to think of a well a zero trust. It's great when we talk to security teams and security people and those who are focused around that, that enforcement and policies. But we have to start thinking about zero trust. It's really about zero assumptions. It's about assuming that security has not been satisfied, that it has not been achieved. And therefore we had to go through the case of verification.

We had to go through about is this access or this, is this user justified in order to have, do they have the right intent to basically do the job or tasks that they've actually been assigned to do? So we had to start thinking about when we talked to the business side of things, it's about applying zero assumptions. But we even had to go further. We had to go beyond that because we want people to enjoy security, we want them to want to use security. And this is really where zero trust can create a bit of an image problem.

When we start talking to the industry and business users, and we really have to start when we actually talk about the destination, it's really about getting to zero friction. We want security to become frictionless. When we actually think about IMP implementing any security controls, it always has to be better than their previous experience. It has to be better than the previous thing that they've done the previous process or previous way, our previous method or technique.

We always have to improve it because we want users to use it, we want to enjoy using it, we want them, there's something that they actually it it's, it removes that cyber fatigue and removes friction. And the security team becomes a team of yes and not no and not zero trust. We have to be the team that actually is about building trust. Zero trust is the baseline and you start building trust based on that and you have the continuous verification to maintain that level of trust.

And so, so one example that I get into using here is around this context based security or adaptive security we always get into where we look at policies and we look at rules which are based on static context security that the threats of the past, a lot of the security controls we apply are always protecting the threats of yesterday and they're not really evolving to protect tomorrow's threats. And this is where we start happening to get into adaptive and context-based security where it becomes rules-based, it becomes the threat landscape, it's risk-based.

And we start having to think about, I heard a great panel session earlier talking about policies. And for me being based in Estonia, I learned a very important lesson.

Estonia, it's not about policies, it's actually about the destination is about the service that you're providing and measuring that service end to end and building the experience and the user experience around it. So it's always about focusing on what is the intent, what is the goal, what is the action you're trying to achieve?

So when we talk about, you know this and getting into security where it's almost like a living organism within the business and depending on the threats out there, you can actually increase and decrease the security controls to satisfy the user's needs and to make sure at the same time you're keeping the business resilient. So I've taken this example of a use case here.

We're a remote worker and that could be actually a user, it could be a remote system or application machine, it could be code or keeping, could be an API that's keeping cloud integration together between different cloud providers and sharing of data. So ultimately they will be tied together with some type of security identity from an identity service provider or an idp, wherever it might be. They have an identity that ties it to understand about what that asset, what that attribute or object is.

Ultimately it will need to have access to something, but rather than accessing directly during the segmentation, and this is where we separate between authentication and the authorization segregating, those will provide you a much better reduction in risk. And ultimately rather than going directly, you can actually get and check and do a level of trust and building trust. This is all about where you start with that zero assumptions. I don't assume that security's been satisfied and I will actually start building that level of trust.

You might do something like multifactor authentication in order to do that initial verification of a user of a machine. Ultimately if that satisfies the risk, they would get access to those target systems or applications or services ultimately giving them access to do their job. And oh look for of course things change. They might need to have access to much more sensitive database that might have health records, that might have the legal documents of the organization, it might have customer data.

So they ultimately, and I had to go through the level of, did the level that I come in under that trust level, do I need to up it? Do I need to increase it? Do I need to go and provide another level of security? And ultimately you get into things where you can start checking reputation. You check in the location, is this user typically accessing the system at this time of day or from this IP arrange or from this location? Do they have the right security controls already in place and getting into checking those and applying a risk score.

And it also might be peer review, you might have, it might be a very sensitive system and therefore their colleague needs to go and approve that additional access. And ultimately if they satisfy those security controls, they will get access to the target system.

And also you can apply this, they're not just on-premise and judicial systems, but across multiple cloud and hybrid cloud to provide you a much more consistent security pane of glass and to make sure that everything is having the same security controls being met ultimately of, of course across comes the attacker and they compromise the user. What you've done is you've isolated it, you've isolated the user to that specific system or machine or application and preventing them from laterally moving.

That's ultimately where you start applying those zero trust principles in an operational method and a use case. So it's always important to really break it down into these smaller achievable use cases rather than trying to achieve this massive monolith. Cuz zero trust has many different implementations and applications that you can go and try and implement an organization from a use case perspective.

But it's important to break it down into smaller chunks that are achievable, but at the same time, focusing on the usability, making it something that as getting to zero persistent privileges were it's on demand and privileges is achieved when you need them at the right time and you don't have them for the life of the user or the life of the, the session itself. Ultimately getting into, we gonna apply this to the principal lease privilege and then ultimately making sure that privileges are the lowest, basically privilege that's possible, but they get elevated on demand.

And this is where you get into service base. When I talked earlier about having a service focused, meaning that the person has the intent in order to do this job or they need to run this report or access this application, then that access can be given on demand as long as they provide the right authentication, authorization, justification, and intent. So long comes the user and they ultimately need access.

So rather than actually going in under that high level user at the beginning, they can go under a level of user, which is basically about, I'm going with my domain user or my identity that's been provisioned to me. And ultimately then I'm verifying I'm going to show that I actually need to have access. I'm providing justification and ultimately the right security controls are applied. But when I get access to the target system, I'm not privileged.

It's just giving me the access, it's giving me the ability to go to that destination, but then I have to go and provide just in time under just in time elevation or on mind elevation. So I always like to think of this as almost like a digital polygraph test for access. I always like metaphors to try and understand what it's like in the real world or in the world that we live in. And ultimately this is almost like a digital polygraph test for access. It's about asking the right questions. And this is part of your journey.

When you think about implementing or operating in a zero trust manner, it's always about what is the questions that you need to ask, whether the user or whether the machine or you know, the controls you wanna put in place are the policies or rules to make sure you can verify that this is an authenticated authorized and that the user should have the access at the time they're requesting it. So getting into that, asking the right questions and thinking about what those questions are. And when I talk about questions, I'm thinking about the security console. These don't have to be interactive.

They don't have to be directly interactive with the user. There can be a lot of controls that can occur in the background, that can be behind the scenes that we can reduce friction that only when you really need to interact with the user, that's when you can create that interactive, when it might be an MFA push or some type of verification. Majority of the security controls we can do today can be done in the background, reducing friction. And when I go through this process, and a lot of people ask me, well, okay, when we talk about that operating in a zero trust strategy, what else?

One, they ask me about biometrics, how does biometrics fit into this? And for me it's important to understand that biometrics are a great way of moving passwords and putting passwords into the background. But it's important to understand that biometrics, they don't replace the password side, they replace the usernames because ultimately biometrics by themselves are not secrets. They basically have the ability to, they have a better way of identifying people, but at the same time, the security attributes are much stronger than simply just usernames.

But it's always important to make sure that we add additional security controls on top of it, that we can't just rely on biometrics alone. And this is really important to make sure that when we get into these types of principles of continuous purification, that we think about what security controls they apply. And then again, I get asked about, well how does passwordless fit into this scenario? And I think we've got into the kinda the misunderstanding of what Passwordless really is.

For me, I like to step back and think of passwordless. It's actually a passwordless experience. The password is not disappearing. What it's doing is it's moving into the background, it's actually, it's changing and evolving. That password is no longer just a password. It's become a backup key. It's become a provisioning key. It's become a recovery key, it's become a passphrase, it's become a temporary key or a private key that's running in the background. The way that we interact is moving and changing.

So when we think about passwordless, it's really a, it's a passwordless authentication experience from a human perspective, but from a security and IT and management side, we still have something that that manage in the background. And it's always important to make sure that we step back and think about the broader side of things when it gets into it.

But ultimately my goal is that along these years of doing these different types of implementations and strategies, it's really important to understand that while I come with a, as a cybersecurity background, it's ultimately we have to understand about what it is we're trying to achieve. We're ultimately here to reduce risk to the business, to help make the business become resilient, to help make the employees be successful.

Our, we don't exist in a vacuum. We have to make sure that we're helping the employees do their job successfully. So we have to get into the role of how do we empower them? How do they make them the ability to actually do their job successfully? And this is why I always say that when you're going down and you're talking about zero trust, that is, you have to make this to be your priority. It's about whatever you put in place from a zero trust practice or operational, that it has to be better than the user's previous experience. That's how we get it to be successful.

And you might want to start thinking about different ways of communicating with the board or with the executive team or with the business that you start thinking about it as a zero friction approach or a zero assumptions approach. But within the security you can keep that zero zero trust definition. So at this time I'd like to open up for questions if we have time. And hopefully this has been educational and a little bit of a different approach to a zero trust talk that you've had today. Thanks Joseph.

I don't see any questions online, but if anybody would like to raise their hand, we've got time for one. Okay, well, okay, I'll be around for the rest of the day and if you're interested, I do have a talk later this afternoon which actually be, you know, putting my hacker hat on and I'll be doing a live demonstration of privilege escalation technique. So if you wanna take a run for that, catch me later at five 30 for my second session. So thank you. Take care and have a great safe day. Thank you. Thanks again, Joseph.