Panel | Getting Started on Your Zero Trust Journey

Getting started on your serial trust journey. I'd like to know if you guys could share, maybe we can start with you, Rubo, how did Serial Trust started in your organization? And then maybe we can go to Brian and then to re
Yeah. So happy to share that. So I mean, in our case, we, we enable our customers sort of along their zero trust journey. But from my perspective, I actually started as a, as a practitioner. So I spent 15 years in the financial services industry doing network security. And one of the, my last project that I executed was actually around micro segmenting, high value applications. So in the case of my, of my previous employer, there was a very specific need to be able to protect these critical systems, which are franchise critical and ensure least privileged access around them. So I think if you look at sort of various approaches to, to zero trust and how you make progress along that journey, it often talks about identifying that, that thing that is of most important, sort of most critical to your organization. Where can you make the sort of the, the easiest first step to reduce that real risk, Right?
So in, in the case of, of my experience, it was choosing, it was identifying those high value applications and establishing least privileged access around them. Now, some other sort of in terms of now as experience as sort of working with customers. So customers often say they look at it and say, Okay, in our case, the highest risk is that there is a collection of sort of ports that are accessible across the infrastructure. We know that and ransomware is a real threat and we're concerned about that. So from our perspective, what we need to do is ensure that these ports can't be freely accessed. So often their starting point is let's block these high risk ports. And once we've done that, it established a level of sort of security posture, which is an improvement on what we have today. We'll then think about what's the next step that we take to further restrict that access.
Thank you, Brian.
Zero trust. I mean, again, I approach this from the enterprise perspective. Zero trust really started, if you wanna call it this from day one at our new company. So this is going back to 20 16, 20 17 when Yahoo and AOL merged into a company then named Oath. We've since been rebranded twice. So from an identity aspect, it's been a little bit painful having to kind of ream and rebrand everything multiple times. But we ended up at Yahoo again as you know. But when Yahoo and AOL first came together, I remember very clearly us sitting in a room with pretty much every leader across IT and IT security as well as a handful of architects that were discussing really how we wanted to look as a company. We had a very unique opportunity to build a, a greenfield enterprise. We had 20 years plus of infrastructure on both the AOL and Yahoo side.
And from an IT perspective, we wanted to keep almost none of it, which is, you know, kind of a kid in the candy store moment. You are not, excuse me, you are not restricted by, you know, the legacy infrastructure and decisions as much. Yes, you're going to have to maintain that and we're going to have to find ways to move those services. But at the end of the day, it was how do we build a zero trust greenfield environment? So we started planning out what platforms and systems we were going to use, and particularly we really approach our, our identity team as a service, a service organ organization first and the security organization second. And we do this because we always wanted to think first and foremost about the user experience of application owners leveraging authorization, the authentication services, kind of like what I mentioned in my talk.
And, and the chief reason for doing that is if you don't make it easy for them, they're going to do their own thing. Even if it's against security policy, you'll find things kind of creeping into your environment. Oh, this person released an application, it manages its own credentials. Why doesn't just use the standard enterprise method of credentials. You want to avoid those types of things and you're, the best way to avoid that is by making it a service that's very easy to use. And likewise, we wanted to think about it in terms of user experience. If, if you think of like the panacea of passwordless, and I'll admit we're not fully there yet, but it is kind of something on our long term goals and roadmap of what we'd really like to achieve with context, with context based authentication really coming into view. Like we're starting to see light at the end of the tunnel on the potential for passwordless. But if, if you're thinking about Passwordless in terms of user experience, that's, that's an even better argument almost than the security one. Think about how much more productive your entire enterprise will be if you do zero trust, right? And so that message resonated really well with everybody and it's been part of our fabric since our day one as the new company.
Thank you. Brian Rener, what are your,
Yeah, obviously I'm also coming a little bit from the, from the vendor perspective and it's, you know, there's always that, that that gap between, you know, the vendor and, and, and the end user, you know, obviously, I mean zero trust and there seems to be a lot of confusion also around, you know, zero trust architectures and Coru development in general. And I've been, I mean, I'm kind of pretty new to the security space only. I've been doing this for 30 plus years. So, so the, obviously we, you know, when we started, you know, with the, with the network perimeter and we built everything secure and that, that was all great, but you know, then, you know, we had to open up our networks and, you know, we opened up more and more ports in, in the perimeter and, you know, Soya perimeter was kind of a Swiss cheese and everything was just tunneling through.
And then you with layer seven protocols securely going through the firewall and then people started doing, you know, TLS termination packet inspection and all these things. And it's always like, you know, and, and so there's a lot of confusion or co trust, what is it? And, and first of all, you know, it's to make it clear, right? It's, it's not a skew, it's not an off the shelf skew, right? It's just if somebody in my, a kind of nice definition of co trust or the best I heard really is it is what that guy on the other side of the table is trying to sell you, right? So that, that co trust. But, but there's a really good, actually there's really good write up about Zero Trust, which is aist special publication. I think it's 802 or seven if you wanna look it up. It's, it actually is a really nice summary and what we are seeing and hearing what, and, and, and zero trust is really what securing everything at, at all, at all, at all points and all.
And, and it's, it's, you know, it has frameworks, it has architectures, it has technology, you know, it, it's kind of, it's a very large, really lop of things, right? And, and I think Brian hinted on that. I mean, you heard him talk about also it includes evolution, right? As much as, as new things. But still trust in my mind is more like the, the evolution of everything we developed over all these years and plus also an evolution of existing new things we developed over the years. You know, like, okay, we had identity management and we had access control, right? In the form of all and attribute based access that accumulating in, in into policy based access. It was a really great talk by Brian there, really spelling this out, right? How this, how this all evolves. And in addition to that, right, we have all these different components.
So we have the front end, right? We have the access piece. So how do I, how do I access my resources? And you know, the, the, the front and the access piece really is typically it's comes down to, you know, identity and credential access management. So there's an identity, there's a user, you know, a user has username, password, two factor, you know, he has some biometric characteristics, right? The fingerprint face, then there's the device, right? The device has a, has a unique fingerprint, you know, and, and hopefully I can do some assessment of the device, right? The device once or the platform or the hardware platform, it runs on a, in an operating system, right? I can assess all these things. And then the third component sort of is the, is is the metadata, right? Associated with the access, which is like, you know, geolocation time of day, you know, you know, does this request really makes sense?
And then it all flows into, into a policy, right? So we have these policy engines, we have basically a policy decision point, right? And a policy enforcement point that really then executes on, on all these, you know, on all these decisions. And that is really, these are really the core elements that you want to look at from a, from a vendor perspective, right? You have to ask the vendor, okay, so which part of zero trust are you actually trying to sell me? Well what are you solving in that, in that zero trust puzzle, right? And then, so from from keeper for example, right? We see that the credential management, so people want, oh yeah, give us something that users can execute, you know, certain operations at a certain level of privilege without really having full access to other credentials, but they're sort of automatic injected and then that the credentials are rolled, right?
You have like a, a one time access and then the credential is invalidated, replaced by a new credential and so forth. So those are all elements that we are seeing and hearing people asking. And then of course there's also the, the aspect of, you know, you, you want to, to make sure that you lock and report and analyze all this, right? So there's logging, there's, there's reporting, there's alerting, you know, also, this is also a big piece that, that you want to take a look at. So, I mean, there are a lot of elements and I think from a, you know, from a, from a vendor perspective, what I'd say is, you know, people should really, you know, understand all the components and really ask the vendor, you know, so what, what component do you bring to the table? And what, and it helped me to solve my problem. You know, this is really something where, you know, the vendors and the, the customers, you know, need to partner and, you know, we need to develop, you know, best in class solutions to really make that serial trust a reality.
Thank
You. Right. I that's a long answer, but
Oh no, we appreciate it. Thank you. I agree with you. I think it's important to consider many aspects when it comes to getting started on a serial trust journey. Maybe the final question for you three, I know this depends from organization, from organization, but what would you say were the main obstacles your organization faced?
I think with the, with with zero trust, again, I'm gonna speak from a customer perspective, right? Cuz I'm, I'm, I'm from a vendor, so I think with, with zero trust, the, the challenge is that when kind of, when you express it, right? And often what you're doing is that you are transforming an existing brownfield existing applications that are running. And you've gotta keep in mind that when you're trying to secure something that is existing, the primary focus, particularly if that's a critical function, that from the business's perspective, from the application owner's perspective, they care about the availability of their application, the reliability, the performance, right? Often far more than they care about the security of the application itself. It's important, don't get me wrong, right? But those other factors trumpet. So if you are trying to establish security, right, which is often taking away access, particularly when you think about zero trust, we talk about least privileged access and just restricting access only to what is required.
It's often about taking away access. So what is important in order to, to, to be able to build support from the business is show a very clear pathway through which that posture of better security can be established in as a, from a application sort of availability perspective in a as least risky approach as possible, right? That I think is really important so that the business understand the benefits they're getting from terms of the improved security posture, the improved resilience, right? The lower risk of the, the, the lower risk of threats, et cetera, right? Understanding that, but also that they can achieve that with a minimum amount of impact to their business processes that I think is essential in order to make that first step. And when we talk about, when we talk to customers and customers ask, Okay, what, how can I drive this really fast?
And we say to them, well, whether it's our technology or someone else's, right? You can find a good bit of technology to solve your problem from a technology perspective as an organization, any kind, any organization with some level of maturity can build a process that is able to use that technology in a business as usual way, right? So just think about it, right? You can build a process to operate your firewalls, you can build a process to operate your identity, et cetera. Often those two bits are never the problem, right? The challenge is two things, is first, getting the mandate from the sort of the sponsor, the exact sponsor, the cso, head of infrastructure, whatever it may be, that this is an initiative that is important to the organization, it's fundamental to the organization. And the second thing is then getting the buy-in of all the stakeholders, right? Getting, solving those two problems, which are over, which are typically people problems, is fundamental to actually driving adoption.
Thank you. We're a bit over time, so maybe if you can briefly respond to this Brian and Reiner.
Yeah, I, I just, again, enterprise side, I would agree with a lot of what was just said. It, it, it's really kind of, you know, building that relationships. I, I I would add on, you know, explicitly for the enterprise side, dialing in the policies the first year or two was a challenge. There was, I remember some pretty clear and direct examples of negative user feedback of, you know, people just being confused as to why they had to re-verify their access to a particular platform however many times a day. Now, it was a critical platform. It it was a platform that had very sensitive data on it and we all agreed from a security perspective that it deserved a fairly aggressive policy. But in, in the previous legacy environments, it just, it didn't have that level of enforcement, frankly. So when we, when we later applied it early on in our efforts, it caused, frankly it caused overhead and it caused a little bit of backlash and it took a little bit of negotiation with the business in order to really dial in that policy to something that was more acceptable for all parties involved. Now if you've got a thousand internal applications and owners to match them, that's obviously a lot of potential conversations that you have to have. So it's best to kind of get the rhythm and get that right as early as you can.
Yeah. So, so yeah, I think an important point to, to pick up on this, you know, kind of vendor, customer friction, you know, sort of, I totally agree. I mean obviously customers looking at business continuity, right? And, and usability. And they wanna make sure that they get their, their business done and executed and they want effective solutions that are simple, easy, right? And, and a lot of that doesn't really square security. So I think that that's the biggest friction point, and this is really what we are struggling with the most. You know, trying to come up with these kind of things, implementing, you know, best of breed technology, very secure, don't compromise on on security while at the same time remain, you know, agile and, and easy to use and, you know, easy to integrate, right? You want, you want to get into existing logging systems and obviously as a vendor you don't wanna reinvent the wheel and, you know, roll out a brand new system that is, you know, very complex and people have to learn it.
It's more about you, it easy and simple integration of your solution into, into an existing environment, right? Which really is key to, to adoption and, and ultimately adoption is key to you really getting where you want to go. So yeah, I mean that, that is definitely, that's definitely a big thing. And then customers, we still see that customers still have a mindset of like, you know, the sort of perimeter approach. Like, oh yeah, we are, you know, we terminate TLS on our, you know, application gateways or firewalls or whatever. And then the back end, you know, it can be all http, you know, no problem. You know, and then we just say, no, it's, it's gotta be encryption end to end. Which part of zero trust did you not understand? It's just bottom line of zero trust is like, you know, it, it's zero trust everywhere.
Any, anywhere you look at it, it really does not matter where your technology or is deployed or where your asset lives or where your access or occurs. Right? Zero trust, you'll trust has to be everywhere. You have to restrict lateral movements. You have to make sure that you apply this principle, you know, without you know, saying that, Oh, this is more trusted than this. And, and no, it is not right. I, I don't care really where it is. It's, it's the same thing. So I think that that is kind of a key point. I'm often trying to drive home with customers to really understand this and adopt this mindset and, and philosophy, which I, I think is really, really important. To really have the, the right mindset to, to get where you want to, to go is where I think you should be.
Thank you, Reiner. I appreciate you guys joining me. Thank you.
Thank you very much.