Dr. Torsten George - How Zero Trust is Creating a Game-Changing Security Experience

In this age of expanding access and mobility, untrusted actors exist inside and outside your security perimeter. Zero trust security is required in this new threats game. With zero trust security hackers have no power breaches. Do no harm and access is secure. Remember the rule never trust, always verified with zero trust security you can trust again.
Good morning, everyone. Thank you for joining us today for the session zero trust creating a game-changing security experience on behalf of cope Cole, and Centrify. I really welcome you for me. It's a special pleasure. That's my hometown. I live in America, but coming back here to present, it's really a rare occasion for me. So I like to start my presentations with always some good news. So when we look at our industry, we have taken strides. We have invested a lot of money to really mature our security posture. According to one of the leading Analyst firms in the world this year, we're estimated to spend 114 billion in it security. So that's, that's a huge number. However, I get up at four 30 every morning, and one of the first things I'm doing is I'm checking the news. And unfortunately, every day I read about the next data breach and reality is that 66% of organizations are still getting breached and it gets even worse.
They're not getting breached once. They're getting breached more than five times in a 12 months period. So when I hear that, when I read all these news, I start scratching my head. We're spending $114 billion, but we're still getting breached. Something is wrong in this equation. And so one of the challenges that we face as security and it professional is that we're dealing with an ever expanding tech surface. Most companies have outsourced it into the cloud. They're using SAS applications like Salesforce and, and Dropbox to really handle their business operations. And then once we hit the smartphone in our hands, we created new challenges for it. Managers course, we're now bringing in a tech surface to work every single day. And then there's this new acronym of IOT, the internet of things that makes things challenging. And most people, when they hear IOT, they think about their Google home or Alexa sitting on their nightstand.
But that's not what I'm talking about. A lot of enterprises today are leveraging IOT devices in their own environment. When we look back target in the us was a very good example where a smart IOT device ax system was leveraged as the attack point. So with that in mind, we really have to get to a real check and really post mortem analysis gives us a good understanding. What should we really focus on when we want to secure our posture in an organization? And research really shows that the majority of attacks today, 81% are leveraging lost weak and compromised credentials for their attacks. And Martin talked about privileged accounts and why it's important to also look after privilege accounts course out of these attacks. 80% of them go after privileged account credentials. That's a huge number. And when we combine that with the spending where we spend 114 billion, we have to realize a lot of times we spend on malware, we spend on firewalls, data encryption, but we rarely spend on identity and access management.
So there's a mismatch. And one thing we have to remember, it takes only one compromise credential to impact millions, millions of users, millions of data records, as well as millions of dollar that an organization has to pay out to settle data breach claims. A few example here for Europe is for instance, in UK, they faced the national letter, faced a breach where somebody compromised the credential. Who's able to really infiltrate data from 10 and a half million users under armor with their fit bit application recently faced a data breach, 150 million users impact, and then time hop another example, 21 million users effect. So these are just a few examples. Again, you wake up, you read about the next data breach. So what can we do in this new threat scape? Obviously, if I leverage a compromise credential, a firewall or data encryption doesn't help me any longer.
Of course, I'm a legit user and camouflaging my attack using a legit identity. So if I enter the organization and the data's encrypted, if I am a legit user, if I am a privileged user, I can decrypt the data and just take it away. So all of these traditional measures are no longer working and that's why we have to look at an approach of zero trust security. What does that mean? Zero trust really assumes that bet actors already exist either inside or outside of your network. The parameter has disappeared and we have to adjust our strategy accordingly. And so in the past, we were operating a concept, always trust, but verify. But under these new conditions, we have to remove trust entirely from the equations. So zero trust is not something that Centrify or any other vendor came up with, but it's a concept that was developed by an Analyst firm and collaboration with the national Institute of standards and technology.
And nowadays is being adopted by companies like Google and they're beyond core initiative. So the core principles, principles of zero trust are really about, you need to know something about the user. Why would I have to give that person access to my enterprise resource? It's also important. We're not the person that shrinks like Enman and goes into the network. We are leveraging devices to access the network. So we need to know about the device, cuz it represents a risk factor itself. And then we have to always authorize every excess request, not just once, but over and over and again. So the new mantra that we should follow is really never trust, always verify. And to go more into detail here, when we look specifically at identity management, they're kind of four pillars, they're important in the context of zero trust security. So we have to verify the user, make sure that it's an identity that I know we need to validate the device so that I know it's a trusted device, that it, the proper operating system that it's equipped with anti malware antivirus so that it can't carry any attacks into my organization.
And then a very important pillar is really limiting access. Again, it's very important to do that. Cuz a lot of times we assign privileges to users and they have that all the time. But right now I'm speaking to you guys. So if I'm a database administrator, why would I need access to that database? I'm speaking with you. I'm not working on that database. So that's what I mean about limiting access and privilege. And then everything taking in is really leveraging machine learning technology to take input data from all of these data points and now analyze the behavior and learn and adapt. So let's dive a little bit more into the details. So when it comes to verifying a user, one of the first steps to do is really identity consolidation and then single sign. So identity consolidation, that's very important. A lot of organization, especially when it comes to privilege, users are still leveraging shared passwords.
But when I use shared passwords, I don't know is admin one or admin two accessing the enterprise resource. So there is no accountability. I can't determine who really access the enterprise resource. So it's important to leverage sources like active directory as your identity source. Once you do that, obviously it becomes challenging sometimes for people to remember. I know my it managers always tell me you need separate passwords for each of your application. I barely cannot remember the phone number of my wife. She always gives me a tough time for that, but Hey, so a lot of people write it on their sticky note, put on their computer, correct? But there ways to help employees with the productivity, with the security and that's done where single sign on where use a one time password token that gets injected. The user doesn't even notice that they're really authenticating, but it really helps with productivity and security cuz men in the middle of techs are completely ruled out.
The second step is really move affect our authentication everywhere. It's very important, not just for your laptop, but do it at the server level, do it on your cell phone, do it everywhere and do it not just for end users, do it for privileged users too. The third thing is really about behavioral based access. Martin kind of showed you these nice charts where obviously we're taking into account your location, your geo velocity. And he showed the example where there was a lock in, in Germany, but also lock in, in the us. If that occurs within minutes, the machine should know that this is simply impossible. There's no jet in the world that flies within minutes from one continent to another. So these are really helpful tools that you can leverage when you verify the user. The other thing is around validating device. One of the first things which many people did when people carried things into the environment was application and device management and really applying policies.
What can I install on my device? What can I use on my device? But that's a fun, fundamental step beyond that. You have to look at the device context and the security posture of the device. Does it have antivirus on it? Does it have anal on it? If I'm a public space, do I use the public wireless access point or not? These are all factors I should take onto account when making access decisions. And then it's very important. A lot of people only encounter this when they have a problem with their laptop, but believe it or not, laptop also contains the privilege account, an admin account. So you have to look after that too, because it's an attack point. So you have to lock that down and make sure that techers cannot leverage that. The third pillar is really about limiting access and privilege. And so here it's important to establish granular role based access and limit thereby lateral movement.
So how can I do this? I mentioned earlier the example of a database administrator. If I'm assigned to maintain a particular database, that's the only area I should be able to access. A lot of times if I'm working remotely in the past, I have received VPN access, not a good approach. VPN access gives me access to the entire network segment. So somebody compromises my credential, they can move around freely. I should limit access to what is really needed for my work environment. So as a DBA, I should be focused on my database. The next thing is really installing just in time access. And how do I do this? I'm levering workflow of flow tools like ServiceNow to really help me with establishing that. So what do I mean with that? I mentioned earlier, I'm a database administrator. My rights are limited right now to just run a couple of commands, just to maintain a database, but I'm getting a call right now.
There's an emergency. We have to restart the database. So it's out of scope out of my normal commands that I'm allowed to run. So I should file a ticket with my supervisor and ask for elevation of the privilege that I get the commands that I need to fix that database. My supervisor will receive this request and nowadays, thanks to technology. They can get that on their cell phone when the simple click of a button, they can approve it and I have immediately access, but by doing so, I'm really limiting my exposure to compromise credentials. Another thing, and that's not just for governance purposes is really auditing everything and you should do that really across your entire environment and really the technologies that are out there allowing you to have almost a HD video. It's like your DVR, where you can watch what somebody's doing. It's amazing.
It really helps you with your audit. When an audit that comes in says, show me what you're doing, how you're doing it. You can show them in real life what's happening. And then as we set taking all the data points and combining it with machine learning technology, to really determine, should I block access, should I add additional factors to authenticate? And just as an example, when I came to Berlin, it's my first business trip to Berlin. So it was abnormal behavior. I wasn't able to use my outlook client. So I was challenged. I was asked to provide a second factor. Once I did that, I had access to the enterprise resort. Second day I was here. I didn't have to do the same thing cuz the machine started learning. If I now return once a quarter to do these presentations, obviously the machine realizes that this becomes normal behavior and adjust my user profile.
And that's important cause we don't have the head counts in our organization to adjust these manually. So Martin talked about zero trust. There's a lot of hype around it, but it's not just hype. Quite frankly, there is quite a bit of momentum behind it. IDG run a survey and it shows that 71 of security fo 71% of security focused it, decision makers are aware of zero trust security. 8% of organization already have deployed zero trust security model in their organization. A lot of them do research about it and they really realize that things have changed. So when you implement these best practices that are just talked about, people have experienced 50%, fewer breaches that were able to lower their costs, but cost is not everything. It's also about business confidence. So there we're really able to operate their business with more confidence. Cause they were more conscious that they have taken the right steps to avoid any type of attacks.
So they were able to engage with their customers and partners. They were able to support remote broker and they were able to secure their Duff ops environment. So to get started a lot of times I get questions, Hey, do we have to rip everything apart? No, not really. You can do this step by step can first establish identity assurance. For instance imply MFA everywhere. You can limit letter movement by applying excess zones, you can then move to enforce these privilege. And the ultimate goal is to audit everything. So it can be done step by step. You don't have to rush to it. And that's the beauty of zero trust security. So with that set, thank you very much. If you wanted to have more information, join us outside in the booth area. We're just around the corner on the left side. Thank you.