Event Recording

Dr. Torsten George - Zero Trust: Solving IT Security’s Identity Crisis


Although companies are constantly increasing their cybersecurity budgets, this does not seem to help much: each day we learn about new large-scale data breaches. Considering that over 80% of hacking-related breaches leverage compromised user credentials, it’s mind-boggling why so many organizations are still focusing on securing their network perimeters.

This keynote outlines an entirely new approach — Zero Trust Security. This paradigm assumes that nothing in your corporate IT infrastructure — including users, endpoints, networks, and resources — is ever trusted, and each interaction must be verified to decrease the chance of a security breach. Zero Trust Security ensures secure access to resources while significantly reducing the possibility of access by bad actors.

Thank you. Good morning, everyone. What I wanted to do is really introduce you to the concept of zero trust and how it can resolve your security's identity crisis. So, one good thing to start with: our industry has spent far more money to address the cybersecurity challenge over the last few years, 86 billion in 2017, and that number is supposed to increase to 96 billion. So great job. Give yourself a round of applause. However, I'm starting to scratch my head every morning when I wake up and read or hear about the next cyber data breach. What's going on? About 66% of companies are still getting breached, and it's getting worse. They're getting breached on average five or more times. So something is not working here in the equation. So when we look at who's exposed, we hear all about these big data breaches at Equifax and at Uber. And it's not just North American consumers that are impacted, but across Europe, and it's not just big brand names that are impacted. The number of exposures has increased five times over the last few years, and the cost associated has risen. And it's not, as I said, about the marquee brands; it can be small companies. There's a UK-based shipping services company called Clarkk. When they underwent the ransomware attack, their stock went down 3%. So everybody should be concerned about how we can tackle this problem.
Unfortunately, things are not getting better. Companies have outsourced their IT development and environments into the cloud. About 90% nowadays host that in the cloud. We use a lot of enterprise cloud solutions, SAP, Salesforce. It really expands the attack surface. And then there's that smartphone that we brought into the enterprise, and that creates a special challenge for organizations. And then there's this acronym IoT, Internet of Things. Most people don't even think about it, but it's already present. I'm not talking about Alexa or Google Home sitting on your nightstand. I'm really talking about IoT applications within the enterprise. Target was a good example. Most people did not realize that at Target it was an IoT device, a smart climate system, that was attacked and then used for lateral movement. So all of these components really contribute to an expanding attack surface. Now I wanted to keep this interactive and ask you: what do you think are the cybersecurity tactics that are most effective against cyber attacks? Is it network security? Is it next-gen endpoint security, vulnerability management, identity and access management, data security? So please use your application to vote on what you believe is the most effective tool. Waiting a couple of seconds to get the results in here. So please use your application.
Okay. So identity and access management. Congratulations. I knew I'm coming to a smart place; unfortunately that's not the common perception. If you look at surveys that are being conducted across the world, people believe and follow the marketing hype of many vendors: threat intelligence, endpoint security. You go to the big trade shows, that's where the focus is. We just conducted a research study with the Wall Street Journal, where we asked C-level people what their perception is: what's the most effective tool? 62% of CEOs believed it's malware software that can handle that. Disappointing. Let's do another poll. What do you believe is the primary attack point for today's data breaches? Knowing that I am with smart people in the room, it's probably an easy answer: software attack, network attack, or human attack surface?
Okay, again, right on the nail. Because reality is that post-mortem analysis shows that identity is the top attack vector. 81% of today's hacking-related attacks originate with weak, stolen or compromised credentials. 81%. That's why you're in this room. That's why you want to progress the agenda focused on identity management, not on endpoint security, not on anything else. So when I look at this new threat landscape, where attackers camouflage their data breaches with legitimate identities, there needs to be a rethinking of security. If I put a firewall in there, if I put data encryption in, it doesn't really address the number one attack vector. If I am a person that is authorized to access data, to decrypt data, I have access as a hacker. That's the problem. And that's where zero trust comes in. Zero trust assumes that bad actors already exist inside and outside of your network.
So don't trust your CEO. Don't trust your VP of IT. And if that's the case, if that's the new reality, you have to remove trust from the equation. And so the core principles of zero trust, which was originally introduced by Forrester in collaboration with the National Institute of Standards and Technology, and which today companies like Google and their BeyondCorp initiative have deployed in practice, are really based on three standards. One is you need to know who is trying to access your resources. You need to know about the devices that they're using, because they might represent a specific risk. And you must always authorize. So in the olden days, we talked about "trust, but verify", but these things have changed today. You can never trust. You always need to verify. So with this in mind, I want to talk about the four pillars of zero trust security.
It's about verifying the user. It's about validating their device, limiting access and privilege, and then learning and adapting. And so let's go through each of these pillars and fill in a little bit more detail. So when we look at verifying the user, it's important to really consolidate your identities. There are a lot of practices still common in the enterprise where system administrators share root admin passwords. If you do that, you don't know if Torsten George or John Doe accessed a server, and therefore there's no accountability. There's no way to find out who really did what. And so consolidating identity, tying it back to Active Directory, is one first important step, followed by applying single sign-on. Obviously we're all human. I can't even remember my wife's cell phone number. So she always gives me a tough time for that. But the fact is that people use a single password across the different applications.
Doesn't matter what your IT manager is telling you about security standards. You're doing it. You're human. So applying single sign-on really helps, not just with productivity, but more importantly with security, of course. It doesn't expose your username and password in a man-in-the-middle attack, but instead really uses one-time password technologies to inject and get you secure access to the application. The second thing is multi-factor authentication everywhere. Something that we preach. And when we talk about multi-factor everywhere, we're not just talking about applying this to applications, but we're applying it to endpoints. We're applying it to infrastructure, meaning servers, and we're also extending it beyond your end users. You should apply it to your system administrators. You should apply it to customers, and you should apply it to your partners. The third step is really leveraging behavior-based access. If I'm currently here in Munich and I'm not here very often, then this obviously represents an abnormal behavior, and therefore I should be challenged to step up my authentication and provide another factor.
The other thing, the second pillar, was about validating the device. So a very fundamental step, especially with the bring-your-own-device movement, was: how can I manage the device? How can I manage the applications? That's a foundational use case, but you have to think beyond that. You have to look at the device context, the security posture. If I'm connecting here and I'm connected to the public network, obviously the device that I'm leveraging to access my network represents a higher risk than when I do that from my home office. The other thing is you have to apply endpoint privilege management. What do I mean? For the server side, we're all familiar with privilege management, but on the laptops that you have sitting in front of you while I'm talking here, there's an admin account. And so you have to lock this down too, because otherwise it's a blind spot.
It's something that somebody can take advantage of. When it comes to the third pillar, and that's the central pillar of zero trust security, it's about limiting access and privilege. So in the first step you should really apply role-based access and limit the privilege to limit lateral movement. In a first step, you should define zones. If I'm a database manager, I should only have access to that database and not to our financial system or other systems. So that's the first step. The second step is: I'm a database administrator, I'm talking to you right now. Why would somebody have assigned to me the privilege to access that database right now? Why? I don't need it. I'm talking with you. So limiting access, providing it just in time, is very important to really keep hackers out of your network. The other thing is auditing everything, doing session recording, so that you can go back and see what is really going on, what commands that person applied when they entered into the server system.
So the fourth pillar is around learning and adapting: taking all the different data points from the user, from the device, from the limited access, the access requests that are coming in, and applying machine learning technology and automatically blocking access. The earlier speaker talked about Microsoft, where they have 64 access policies. If I would have to maintain them on an ongoing basis for each individual user, that's a lot of time, a lot of headcount that I have to apply. With machine learning technology, you can modify the user profile. If I'm coming to Munich on a monthly basis, it's no longer abnormal behavior; it becomes regular behavior. And therefore my user profile should be amended and my access policy should be changed accordingly. So when we talk about zero trust security in one way or another, we hear a lot of times everybody nodding their head and saying, yep, that's the right approach, but to move away from too many passwords, too much privilege: I'm not Google.
I can't start from greenfield. I can't rebuild everything that I have built over the last decades. And that's a good question. How can you achieve zero trust security with your current environments? The good news: it's a step-by-step approach. You don't need to do everything at once. You can do it really in digestible pieces. You can start with establishing identity assurance, things like multi-factor authentication everywhere, SSO everywhere. You can then move on to limiting the lateral movement by establishing access zones, applying conditional access, protecting your DevOps environment as part of the overall environment, and then moving towards enforcing least privilege and really applying just-in-time privilege, just-enough privilege, and then ultimately moving towards a continuous monitoring approach, as it's even propagated by NIST, and really analyzing the risk, monitoring all sessions and potentially in real time sending out alerts and intervening with any abnormal behavior.
So we worked with a research firm and looked at the spectrum of customers that we're serving to see if they are applying these best practices, and what the outcome is. It's nice to talk about models and ideas, but what really counts is the impact on an organization. So for those organizations that apply the zero trust security model, they're really able within months of implementation to cut their risk exposure by half. The insurance companies love it. And they can cut their cost tremendously, and also the cost on technology, because if you apply that and you offer it as a single platform, you're really able to do vendor consolidation. So instead of fragmented identity and access management technologies, you can use a single platform to apply that. So with that, I would like to thank you. If you have any further questions, please feel free also to stop by our booth. We're one of the platinum sponsors here. So we're glad to answer any questions at the booth also.
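Added example, not part of the keynote and not any vendor's product: a small Python policy engine that turns the four pillars described in the talk (verify the user, validate the device, limit access and privilege, learn and adapt) into a single access decision. The users, devices, locations, resource names ("orders-db", "ledger"), the role-to-zone map and the just-in-time grants are all constructed sample data; the three-sightings threshold in `learn_location` is an assumption standing in for the talk's machine-learning profile update.

```python
"""Toy zero-trust access decision modelled on the four pillars in the keynote.
All data below is constructed for illustration; nothing here is a real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class User:
    name: str
    roles: set            # roles map to access zones (pillar 3)
    mfa_verified: bool    # pillar 1: MFA everywhere
    usual_locations: set  # pillar 4: learned behaviour profile


@dataclass
class Device:
    managed: bool              # enrolled in device management (pillar 2)
    on_public_network: bool    # device context that raises risk
    local_admin_locked: bool   # endpoint privilege management applied


@dataclass
class JitGrant:
    user: str
    resource: str
    expires_at: datetime       # just-in-time privilege has an expiry


# Assumed role-to-zone map: a DBA sees the database, not the finance system.
ROLE_ZONES = {"dba": {"orders-db"}, "finance": {"ledger"}}


def evaluate(user, device, resource, location, now, grants, audit):
    """Return 'allow', 'step_up' or 'deny' and append an audit record (pillar 3)."""
    reasons = []
    decision = "allow"
    if not user.mfa_verified:                       # pillar 1: verify the user
        decision, reasons = "deny", ["mfa_required"]
    elif not device.managed:                        # pillar 2: validate the device
        decision, reasons = "deny", ["unmanaged_device"]
    else:
        zone = set().union(*(ROLE_ZONES.get(r, set()) for r in user.roles))
        active = [g for g in grants if g.user == user.name
                  and g.resource == resource and g.expires_at > now]
        if resource not in zone:                    # pillar 3: role-based zones
            decision, reasons = "deny", ["outside_zone"]
        elif not active:                            # pillar 3: just-in-time privilege
            decision, reasons = "deny", ["no_active_jit_grant"]
        else:
            # Elevated device context or unusual behaviour -> step-up authentication
            if device.on_public_network:
                reasons.append("public_network")
            if not device.local_admin_locked:
                reasons.append("local_admin_unlocked")
            if location not in user.usual_locations:
                reasons.append("unusual_location")
            if reasons:
                decision = "step_up"
    audit.append({"user": user.name, "resource": resource, "location": location,
                  "decision": decision, "reasons": reasons, "at": now.isoformat()})
    return decision


def learn_location(user, location, history, threshold=3):
    """Pillar 4 (assumed rule): after `threshold` sightings a location stops being abnormal."""
    history[location] = history.get(location, 0) + 1
    if history[location] >= threshold:
        user.usual_locations.add(location)
    return location in user.usual_locations


def demo():
    """Run constructed scenarios and return their decisions keyed by scenario name."""
    now = datetime(2018, 5, 15, 10, 0)
    torsten = User("torsten", {"dba"}, True, {"Sunnyvale"})
    laptop = Device(managed=True, on_public_network=False, local_admin_locked=True)
    grants = [JitGrant("torsten", "orders-db", now + timedelta(hours=1))]
    audit, history, results = [], {}, {}
    results["in_zone_with_grant"] = evaluate(torsten, laptop, "orders-db", "Sunnyvale", now, grants, audit)
    results["finance_system"] = evaluate(torsten, laptop, "ledger", "Sunnyvale", now, grants, audit)
    results["grant_expired"] = evaluate(torsten, laptop, "orders-db", "Sunnyvale", now + timedelta(hours=2), grants, audit)
    results["first_trip_to_munich"] = evaluate(torsten, laptop, "orders-db", "Munich", now, grants, audit)
    for _ in range(3):                              # monthly visits: the profile adapts
        learn_location(torsten, "Munich", history)
    results["munich_after_learning"] = evaluate(torsten, laptop, "orders-db", "Munich", now, grants, audit)
    results["no_mfa"] = evaluate(User("jdoe", {"dba"}, False, set()), laptop, "orders-db", "Sunnyvale", now, grants, audit)
    results["audit_records"] = len(audit)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The ordering of the checks is the point: identity and device are verified before any resource question is asked, the zone check denies before the grant check so a missing grant never reveals a resource outside the user's zone, and step-up is only considered for a request that would otherwise be allowed. Every decision, including denials, lands in the audit list, which is the "audit everything" part of the third pillar.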
Thank you. So zero trust definitely is an interesting topic. I'm personally a believer in the term zero trust because it's maybe more a distributed trust than zero trust, if you wouldn't have trust at all. So maybe the term, but that's not your mistake. It's probably the mistake of the one who invented the term zero trust, which is not the very best, I believe. But the concept behind that I think is something which is very important, because we have the end of the perimeter. And so we don't have this wall which protects our castle anymore in that sense. And so we need to move to new architectures. Let's have a look at the questions. We have a couple of questions here. Maybe let's start with number three here. You talked about machine learning, and your system at some time learns that you're more frequently in Munich, but if you already know that you'll be in Munich, if your Outlook calendar tells that you're in Munich, shouldn't the system reflect this as well?
That's correct. And I can combine the first question and the second and the third question. It's really: the best security is invisible, correct? We all know that if you provide a barrier to an end user, that they have to do something, they don't want to do it. They're not doing it. So leveraging machine learning technology is really a big promise in our industry, because it really can take other input sources like Outlook and contextualize that data related to your identity and the behavior that you have shown. So it really minimizes any human interaction. It adapts your user profile, your behavior profile. And so also to answer the first question, machine learning can really tremendously help with usability in the identity and access management space.
Okay. So also let's have a look at the second question right now, the third one. So how to get the security department, I think we talked about the CEO in an earlier Q&A, the security department, which might be used to traditional perimeter-based security, how to get them on board for the new concept? Is this a challenge, or is it just something which today works
seamlessly? I think we have seen over the last 18 months a shift, where in the past everything was very compliance focused, and I would say risk has become the new compliance, and with the risk focus the mindset also shifted within the security departments. And so it's easier to communicate to them the benefits of zero trust security. And at the end of the day, they're nowadays being pushed. I think Target was a watershed event where the board members were put into a liable spot. And so the boards are far more involved nowadays and are really pushing down the mandate to do something. Unfortunately, as I mentioned earlier, there's still a lot of focus on unnecessary tools and not necessarily on identity and access
management. Okay, perfect. Thank you. And you will probably be at your booth. So for the other questions, go to the booth and ask directly. Thank you very much again for your keynote and the insights on zero trust. And with that, I just want to highlight a few things coming up. So we have a Women in Identity launch today, and there's a GDPR excellence lounge where you can talk with GDPR expert lawyers, the launch happening today and tomorrow from 11:00 AM to 3:00 PM at the gallery. The Women in Identity lounge launch is this noon up there; have a look at this. Right now we have coffee networking, so it's an immediate thing to get some coffee or something to eat. After that we restart at 11 in the various rooms with the tracks. So enjoy the coffee break and see you later in one of the other sessions. Thank you. Thanks. Thank you.
