Okay, sorry about that. So I'll start again. Welcome to this workshop on zero trust. My name is Paul Fisher. I'm a Senior Analyst with KuppingerCole. We'll be joined, I hope, by my colleague John Tolbert. Who's... he's here.
Okay, good. He's in Seattle, so it's very early in the day for him. So let's get started. This is our agenda for today. I apologize to anyone here who is an expert on zero trust; maybe some of this will be obvious, but the idea is that it's a workshop, so we'll try and share ideas, et cetera. So the agenda is: what is zero trust, then looking at what zero trust means today, and then we'll look at some of the challenges that zero trust has, or rather some challenges to implementing a zero trust architecture.
And then after the break, John will take over and he'll go into a lot more detail about some of the technical aspects of zero trust, looking at the NIST architectures and things. And finally, before lunch, we'll have a look at some of the options for zero trust and access management in the market today. So as I said, it's not meant to be a workshop where I just stand up and speak. Hopefully we can share some ideas between us all, but I'm not going to pick on anyone. It's purely voluntary. It's the last day of a long conference.
So I know that not everyone wants to speak, but let's try and make it as interactive as possible. I do actually have another colleague with me today. I just realized I should introduce Warwick, who is a fellow analyst, but he's here. Don't worry, he's not taking notes for any sinister reason. He's actually doing our newsletter, I believe. So welcome Warwick as well. So what is zero trust? This is where I hopefully get it right. This is a quote from NIST, which is the US institute for... is it security and techno... I think it's something like the National Institute for Security and Technology.
Anyway, it's a government... Yeah. Standard. Thank you very much.
So they have become kind of, you know, the benchmark for what zero trust is. And they said it's not a single architecture, but a set of guiding principles for workflow, system design and operations to improve the security posture of any classification or sensitivity level. So that's quite a complicated way of describing it, but I think it does. The key thing is that it's not a single architecture, as we'll find out. So I'm going to hit you straight away with a quick exercise. How would anyone here define zero trust? Anyone? Is it too early to pick on anyone?
Okay. So something to think about, then, rather than standing up and saying it: think in your own mind how you would define zero trust, perhaps in your organization.
What are the tenets of zero trust? How would you define it on some basic sort of pillars? And what do you think it will bring, or could bring, to your organization?
Is it a platform, or what else is it? So I think the first thing to say is that it isn't a platform. It is actually an architecture or a way of doing things. So does anyone want to... no, too early. Okay. Warwick.
Ah, yes. Fantastic. I'll give you... but you could just say who you are. Swisscom.
You know, I'm definitely not an expert in it, but for me, the concept behind this is that you can't take anything for granted, no matter if it's the architecture, no matter if it's the person having possibly physical access or hold of a device. So you need to basically double-check on anything wherever you can to be sure, or to have at least... there's never an absolute guarantee, but you want to have at least the highest possible level of certainty that the person who you're dealing with is acting within what he or she may access and nothing else.
I think I've just broken the COVID rules there by handing over the mic. So we're best friends now. In future, I'll just hold the mic for anyone, but yeah, that's great. Thank you. You're from Swisscom, did you say? Did you win the barbecue? Was it you? Oh, okay. I'd just like to meet the person who won the barbecue, that's all. Oh, it's Eric's. Yeah.
They won two awards. Yeah. That was a bit suspicious, wasn't it?
Yeah, they won. I thought they were going to win all three at once. So, okay.
So that's our first exercise; thanks very much for that, I realize it's quite early for it. So let's delve into some of the basics about it. The person you may have heard of who came up with zero trust was John Kindervag, who at the time was working for Forrester, who, obviously, we all know. He doesn't work there anymore, but he came up with his concept of zero trust, I think, about 10 years ago. And he said it should be designed...
Networks should be designed without implicit trust, enforcing strict identity verification and least-privilege access policies. So he was really talking about networks, but I think since then it's been extended into a whole concept that's not just about networks themselves, but about identity management and accessing resources. And so, as a concept, it required a major shift in the way that people were doing things. And I think that it probably still does require a major shift.
And it was noticeable at the conference this week that, not virtually every presentation, but quite a few were mentioning zero trust. So people are definitely thinking about it, but it must have strict identity verification and access controls for every user or device. And of course what complicates this now is that we're not just talking about human users; we're talking about devices, machines, applications, et cetera. And the other thing, which I'm sure you already know, is that it's not something that you can create and put into a product.
You can't say that this identity and access management solution has got zero trust, or this firewall has got zero trust, because products can contribute to a zero trust architecture, but you can't say that this product on its own is going to create zero trust. Any comments on that? So this is what we came up with.
Anyway, it's the KuppingerCole model for zero trust. So we have zero trust... this is like the circle of zero trust: zero trust devices, data, networks, workloads and people. And I think also we should maybe mention the other theme that Martin Kuppinger was talking about, which is dynamic resource entitlements, et cetera, and access management, where we're now looking at clouds, multi-clouds and hybrid clouds, where people and teams are looking to access clouds on a much more dynamic basis and a much more rapid basis.
And so applying zero trust was probably difficult 10 years ago; applying it now is probably even more complicated because of the changing nature of computing and the changing nature of business. And if you talk to, you know, senior management in an organization and say we want to implement zero trust because it's very good for security and it keeps things safer, et cetera, they're probably going to say, well, we don't understand what zero trust is.
Is it going to cost us a lot of money? And also we've got more important things to do, like developing new products, becoming more competitive, et cetera.
And it's the same in all areas of identity management: there is this kind of battle between what the company wants and what security wants. And I think at the moment the company, or the business, is probably winning, because they like the fact that they have agile environments. They like the fact that they have DevOps creating new solutions every day, new applications, and doing it as quickly as possible. So I would suggest that all of this, the zero trust circle, has become far harder to manage than it was 10 years ago.
And if you want to define a zero trust network, you can't do better than actually the internet. If you take the whole internet, it is actually the perfect example of a zero trust network, as in you can't trust anything on it, where, you know, every company at some point is now internet facing, whether it's when you're reaching out to your customers or whether people are using social media, et cetera.
But it's obvious that once you go from your so-called trusted networks to the internet, you're suddenly in a whole world of pain. So the crazy thing is that our whole business world, our whole way of doing things these days, is basically based on facing the internet. Without that interaction, nothing would work.
You know, nothing on our phones would work. Most of business wouldn't work. Most of the supply chain wouldn't work.
In fact, if the internet goes down, it would be interesting to see what would be left. It would probably be carnage. So we have this model, this completely untrustworthy network that we are connecting to, which is sustaining economies around the world. So let's look at what we call some building blocks for zero trust and how these can be layered. So we have at the start our users. Users, after all, are still the most important parts of our organizations. We haven't all been replaced yet by bots or robots.
So we need to manage the identities and authentication of our users first and foremost, and I mean human users. Everybody needs to be authenticated. And I think we are gradually approaching that position where employees, workers, et cetera, now have to go through some sort of authentication to do even the most basic task. You have to log onto your Windows workstation or desktop, et cetera, just to get started in the morning.
Increasingly that also means endpoint management. Endpoints have now become something that a lot of people are talking about, even in non-technical circles, because they understand that endpoints can now mean all of us. I'm sure that most people here were at some point working at home, maybe still are, and we need to manage those endpoints well. We need to manage the people at those endpoints more securely than we did before.
And of course what happened was, in the first wave of the pandemic last year, when everybody in Europe and the United States suddenly found themselves having to work at home, a lot of organizations were simply not prepared for that. But, like I said, if things completely broke down, if they weren't able to do the tasks that they were doing normally in offices, then, you know, economies would start to suffer.
So what that actually translated to was that people were at home with their children, or wherever, and using a laptop that maybe the kids were using before, or it was just an iPad or something that was full of all sorts of stuff that had been downloaded. And that obviously wasn't very secure, but because they just had to get the job done, we accepted that. So we've actually evolved a bit since then. And as I'm sure you know, we've improved the device management at the endpoint. And so people now have more secure... they've probably been given better laptops.
They've probably improved the security, but that was a great example of convenience overruling security, because it was better that way. But the other side of that was that we definitely didn't have a zero trust network; cases of ransomware and malware, et cetera, just went through the roof. And that was obviously a serious problem. And as I said, I can't remember what day it was, but I said that I think this kind of hybrid working, or working from home, et cetera, is likely to stay in some form.
And I think, I don't know, maybe there's a show of hands here: how many people work at home on a regular basis? Yeah.
So, and do you think you'll stay working at home, or yeah, but will it be a mixture, do you think? Yeah. Okay.
So, and you all do kind of technical positions, I guess. So what you do is fairly important. And I would imagine... I'm looking at you, you're nodding, so it must be very important what you do in Poland. Yeah.
So we probably will, you know, carry on having home working and office working and Starbucks working. So moving back to the building blocks: the network, the traditional network. The security of the network is limited. So how to deal with access from everywhere and the network? Because the network... what is the network now? It used to be what we used to call the perimeter.
I mean, I've been sort of covering the security space or industry since 2006, and way back then people were talking about de-perimeterization. It was like this buzzword. So that was 15 years ago. And we're still talking about it. We're still talking about the extended network, but I think we are much more progressed down that road than we were in 2006. And then we have to talk about, you know, our systems and applications within those networks. And finally the data that we use or need to access to get stuff done.
So those, the users, devices, networks, systems, applications and data, are your kind of building blocks for zero trust. So those are the things that we need to think about protecting, and there are probably more. I mean, I haven't actually mentioned things like third parties, supply chains, and of course customers that are now entering the workplace, as in we're building digital relationships with those. Sorry. Is there a question?
No. Okay.
And again, just to sort of reiterate the remote working, working from anywhere; I won't go on about that. The cloud, even though we talk about the cloud a lot, and obviously everybody is using some form of cloud. IBM recently told me, IBM Security Services said, that on average their customers now have about 10 to 15 different clouds in operation. And those clouds are all from different providers. And then on top of that, they probably have some private clouds. And then there is a term which I heard this week, which is quite nice: shadow databases.
So that's people setting up their own clouds within a department because it's so easy to buy, you know, a cloud. Is that something that you have experienced?
You're nodding there, or you set up your own... Oh, shadow IT. Yeah. Yeah. Okay. So you do that.
So you're the guilty ones. But cloud is very, very difficult to control. And at the same time, we shouldn't get run away with the idea that everybody is moving everything to the cloud. Lots of organizations, for very good reasons, are still keeping stuff on premises because they want to, and that's fine. But that still means that we now have this very complicated picture of cloud and on-premises things to manage, and then network and security is converging, so that we have new buzzwords like SASE, et cetera, SD-WAN, software-defined networking.
And some of that is kind of marketing buzz, and it's also reality, but it does mean that every time the technology shifts, there's another challenge to make that zero trust network, or a zero trust environment.
So it's hard for you to keep up with these changes. And then of course we've now got edge devices, which is another buzzword, where... another technology. It is a buzzword, but it is a technology that actually has some use, but it does mean that we're now extending the network or the infrastructure even further out, beyond our sort of remote endpoints. And that's increasingly something that the motor industry talks about a lot, because they want to be seen as software companies now as much as they were seen as automobile companies.
And that means, for their vehicles to fulfill the advanced functions that they want them to, to succeed in the changes, electrification and everything else, those devices are on the move, obviously very fast, and it's harder for them to connect to a conventional network. So that's why they're creating edge devices, or edge mini data centers, that literally sit by roads and motorways.
But again, that means that's yet another thing that needs to be secured, and the actual cars themselves and the identity of the drivers. BMW now advertise the fact that... you know, we've already had keyless entry for some time, but soon you'll be able to get into your BMW and drive it off through the identity that's held on your phone. So there'll be absolutely no mechanical interaction between you and the car.
But when you think about it, an old-fashioned key in the old days, when you actually put the key in the ignition, well, there were generally just one or two copies of that, and you tend to keep that to yourself. Imagine if your identity is stolen and cloned; they can quite easily find the car that you own and drive it off. So again, we've created convenience, and it looks cool and sexy and everything, but we've probably made it a little bit less secure. And finally, digital transformation. We've been talking about digital transformation for a long time as well.
And of course that's happening. And the example I just used for the car industry is a fantastic example of an industry that's moving very rapidly from what you might call a very industrial, very non-dynamic model into a transformed one, because, well, because they know that their market is under threat, not just from people like Tesla, who have basically just taken the existing model of what a car is but electrified it, but they're under threat from other services such as what we now call, which to me is a slightly weird word, mobility.
So they know that people don't necessarily need to buy cars now to get where they want to be. They can use, you know, they can hire an Uber, they can share cars, they can even get on an electric scooter if they're stupid enough. But that's just my opinion. So digital transformation is happening. It has to happen. Companies have to do it to survive and compete, but again, it needs support. So that question mark there was intended to be a point of discussion when I was planning this workshop, so I'll open it up to the floor. Ah, yes.
So I'll get it right this time; I'll hold the mic. I just want you to put some more words on what you mean by edge. Can you define that a bit more? The edge? Yeah. Yeah. What is the edge? Okay. Yeah. So the question was, what is the edge? The example I used was really just one for the car industry, but edge computing could be, for example, in health. So you could have edge computers that monitor... right.
So this is a little bit science fiction, but you could, for example... in medicine there are quite often clusters, or things happen in areas, like there might be a cluster of cancer or there might be a cluster of heart disease. At the moment we also have a medical philosophy of curing rather than prevention. So imagine a future where you had an edge device that monitored your health in your own home, and then that sent data back to the data center in a hospital.
So then it would know that you're perhaps subject to, or at risk of, a heart attack or something. So, I mean, an edge device can be a phone as well.
So it's really an emerging technology, but... does that make it any clearer? It's really something that's separate from mainframe, from network computing, and extending it further out.
Can I... Paul, can you hear me? Yes. Did that... Okay.
Ah, John, I didn't... sorry. I forgot you were there.
How are you? Good, good. How are you?
I was just going to add to that, you know, for edge, I think of the content delivery networks too. So you've got, obviously, the infrastructure-as-a-service cloud providers that have data centers in various places around the world, but even they are somewhat localized. The content delivery networks have hundreds, or in some cases thousands, of data centers, you know, that are more evenly distributed, closer to the end users.
So that's one way I conceive of the edge: getting data sort of in between the cloud and, you know, a local user base, just a place or a way to increase performance, decrease latency. Thanks, John. Is that your cat in the background? Yeah. Yeah. And I was also going to say, if anybody attending virtually has any questions, feel free to pop them in the chat window here. We'll take them as we go too. Yeah.
I'm very sorry that I forgot you were there, John; I've just been chatting on here. So this is John Tolbert, who is a Lead Analyst with KuppingerCole, and he'll be leading the next session of this. We can hear you, John, but we can't see you. So I guess, given that it's like two in the morning, that's probably a good thing.
No, that's fine. I just minimized it so that it wouldn't take up everybody else's screen space.
Oh, well, don't be shy. Okay. So thanks for that. I hope that... oh yeah.
Sorry, Warwick. Sorry.
No, for me a classic edge computing example would be in manufacturing. So instead of the manufacturing plant sending all the stuff, or the kind of maintenance data, into the cloud for analysis and then back again, edge computing in that case would be an onsite sort of pre-processing, so you're getting more real-time feedback and so on. So it's stuff that's kind of, as John was saying, between the site and the cloud.
So it's kind of distributed, but more local to where the data's being generated; it's being processed there. So you're not relying entirely on the latency and on the connection to the cloud to process it. So you're needing to cover not only your on-prem stuff, but also this kind of transitionary edge computing case, and your cloud side.
Thanks, Warwick. That's actually a very good point.
And I think you explained it much better than I did there. It's all about speed, especially for the motor vehicles, when they need information much quicker when they're going at 200 kilometers an hour. Okay. So here's a nice diagram for you. I'm now going to read every single one of those. Now, what this is actually meant to convey is just how complicated zero trust architecture can get.
So we have obviously many potential components, but I think the reason we have the arrows there between data centers and network clouds is really just to show the relationship, how data has still got to go from data centers up into the networks, et cetera. So now that you've digested that entire diagram, is there anything missing there, do you think? Oh yes.
Oh, brilliant. Morning. I think the main point that's missing is that it starts with strategy, because if you don't know the business capabilities, you can't create business value, and to create business value you need IT as an enabler. And we can start with IT, but I think it starts with the strategy of the company or the organization. And that's what I... every time when we talk about zero trust, we miss that as one of the important components, and also in this picture, it starts at that level.
Oh, so the business... you're saying we should start with the business value before we think about the architecture. Yeah. Because IT is the enabler to create business value, and the ease of use for your customers or your clients means that the risk appetite can increase. So that also has an impact on the way you do architecture. Good point. Good point. Did you have something as well?
Well, it's merely a remark. This is of course a theoretical model. So you see all the components mentioned separately, but in a real architecture, you would have a suite that would do three or four, five of these together. And then you would have another tool which would overlap and also do three, four, five of those together, but different ones. So in fact it's a lot more complex in reality, because they're doubling in many places and linked, and... yeah, depending on the business capability. That's not really... it's not very realistic. Yeah.
Well, I mean, it is a model, so... but it is great to hear, because, you know, we come up with these fancy diagrams. Actually, John came up with this, so I blame him. But yeah, I agree. It really does depend on what you need, what you're doing. What does your business... just out of interest?
What does your company do? Well, I'm Chief Information Officer at the worldwide company Salvation Army. Salvation Army? Yes. And before that, I was Head of Enterprise Architecture at ABN AMRO. And looking at the bank, it always starts with strategy. If you make a reference architecture for the future, you don't start with IT, or you don't start with a model. You start with what kind of business we want to have in a couple of years. And coming from strategy, you go and think about the capabilities, business value, and how IT can be an enabler in that.
And that's why I'm talking about this, because that's the way we did it at ABN AMRO. So at the Salvation Army, what is your number one sort of business? Because obviously you're a charity. Yes.
So you don't want to make a profit, but what... sorry. I mean, it's a serious question.
What would you sit down and think? Right. Okay.
This is what our outcome is. What is the outcome?
Well, the biggest challenge we have in the Salvation Army is that everybody is talking about identities and digital identities, but homeless people don't have identities. So how are you going to create identities for those kinds of people in the world? And what we see is that that group is just increasing and increasing. So we need to think also about identities for people that don't have a social security number, those kinds of things, because we need to protect them too, in order to provide the right care that they need. And that's the biggest challenge we are seeing at the Salvation Army.
That's a great... I mean, it was brought up actually at the keynote, I think on whatever day that was, Monday, Tuesday. But yeah, we were talking about the digital divide, and the pandemic has actually made that worse, particularly in sort of financial transactions. Whereas back home in the UK, cash has almost disappeared. So you can function in the economy as long as you've got a bank account, or you've got a card or a phone that you can swipe. But if you haven't, you've suddenly been relegated to a position of almost no economic identity.
So I... that's a very... The point is, our needed customers, and those are the biggest groups, are the people that are homeless. So how do you think from homeless people back to your own company, and how are you going to provide a trust architecture in your company? It starts with identity, but these people don't have identity. So that's my biggest challenge. How are we going to put them in our environment?
So, okay. Thanks. Those are some great points. Anyone else? Good? No.
Ah, yes. Sorry. I'll come to you. Maybe also, maybe similar to that: in general, I miss people in this picture, and all the groups of people, the good and the bad, the admins, the end users and all of that, because we are talking about awareness and all the stuff for security. And I think zero trust is a model which is going in the area of security. So I'm missing the actors in there. That's a great point. Yeah.
So we are missing two things really, which we tend to forget at technology conferences, which is actually people, and why we are doing this in the first place, which is to either help the charity, in this case, or the business. So thanks. That's great.
John, did you get feedback? One question. Can you hear as well from remote?
Oh, hello. Yeah.
Hello. Welcome. Can you tell us, say who you are?
Ah, so I'm you Stein. Yeah. And I'm Information Security Officer at Allianz Technology, and what I'm missing in this picture...
So I think an architecture picture or a model is always a basis for something that you plan, so I need to say that a protection needs analysis is necessary to build up an architecture later, and before that as well a risk impact analysis, yeah, for something like this. Yeah. And what is missing from my point of view in this picture as well is the governance aspect, because it's not sufficient only to define an architecture. You later need to ensure that this architecture and the rest will be reached.
So for this you need a governance structure on top to ensure that this model is really working later and implemented in practice. And for this, it's not only IT governance that you put on this. It is really information security governance.
What was mentioned before, it's as well the people and the buildings and other topics. Yeah. So physical assets should also be within such a model, from the perspective of a security perimeter. Yeah. Thank you so much. That's another good point. So we're missing the physical architecture; that's what you're saying. Hello? Yes. Yes. And as well, so when you look, for example, at, yeah, let me say frameworks like ISO 27001, yeah, you have different domains in there. So one domain is the physical domain.
You have the IT domain in there. You have data, human resources, whatever. Yeah. I think in such a model, to guarantee that you really have a zero trust architecture, or let me say a minimization of your security posture... totally. Yeah. I think you have to really look at all these aspects which are in there, and to reduce your risks in a form that you have an overview, a transparency of where potential attack vectors could happen, and then to place in there an appropriate technology to reduce the risk. Okay.
Thanks very much for your... and where did you say you were working from again? I'm working at Allianz Technology, insurance technology. It's Allianz. Okay. So you work in insurance, so that's a high-risk industry.
So have you implemented any kind of zero trust? Yeah, portions of this? Yeah. When you look at these points over there in this picture, yeah, so identity and access management was implemented. We have endpoint security implemented. We have the data center implemented. Yeah. So if you put everything together and you would have an end-to-end picture, these are the pillars of such a picture. Yeah. Okay.
Well, thanks very much for your comments, and I hope you enjoyed it. Please jump in if you feel like it in the future. So before we move on, has anyone else got a comment on the zero trust... And actually, this is what's great about this workshop, because we've got feedback as well. So, oh yes. Hang on. Yeah.
Yeah. Just an idea. Why is business strategy, and the possibility to roll out, to derive the zero trust thing from that, missing on that picture? Because maybe in most companies it's still missing. Yep. That's exactly right. Yeah. So... nothing... You're working in IT yourself. Yeah.
So you feel like you're in a silo, to use the word we're all familiar with. Yes, sir. Like I'm on TV. Yeah.
It's, it's a really good discussion. So two thoughts for myself first. I don't think we need a strategy to put in zero trust. I mean that it is secure as a foundation.
It's, it's a factor. So it's our job to make sure that it happens and you don't need to get, go to the boards to, to ask them, do you want your company to be secure?
Of course, it's a matter of investment and how much do you want to put in? So you have to, you know, still get him into the loop, but I think it's a foundation. And then the, the comment of uric, I felt really interesting about physical, but also looking at cloud, you know, cloud isn't cloud, you can have it privately kind of it public, and you can have different types of containerization. So depending on how you do it, you might be more or less exposed or what happens if your container is somehow compromised.
So I would advise that you put this in as well, and then people look into what, what kind of workloads do you have out there in the cloud? How sensitive is data and what risk are you willing to, to accept? Thank you. Thanks. Thanks. Great point all. So that was excellent. Thank you very much for all those inputs there. So let's okay. I think now we now move into the next section. How does everyone feeling? Do they need some water or, or do you want to carry on?
We, we can go straight into the next section, which is actually John, are you there? Ah, Yep. He's He's disappeared. Just when he's Got section four.
Sorry, jumping the gun here. Yeah.
So Yeah, I am. Aren't I, yeah.
Sorry, go. You can go get another coffee. Sorry about that. So yeah. Yeah.
John, can you turn your camera on please? Sure. Even though you're not speaking, but it'd be nice to see you. Cause I keep talking to the speaker box here, which looks weird. Okay.
Anyway, sorry. There is another section here that I'm doing. So the tenets of architecture and design, which is actually really something that we probably, you can just read through this when you get the downloads. Cause it is a bit boring just to read through all this, but these, these tenets are actually taken from also from, from NIST I think, but one, I guess one of the key, this is where it gets kind of complicated is the, when you, we talked about the, the theory of zero trust and, and how great it is.
And, you know, if we, if we apply and it is easy for the, the guy that invented the term zero trust, because he was sort of, you know, theorizing about a perfect world, but then when you start looking at all these things that you're supposed to do, it becomes a lot less easy. So yes, sir.
Speaker 10 00:42:24 Just, just the question. There is the hoo forum, Yahoo forum, which was developed in the early 2000 years. And is this strongly connected to zero trust or is something totally different?
Because for me, it's all very similar that you deperimeterize your infrastructure and that you get need to know and, and connect the identities together. So your question, is it from some,
Speaker 10 00:42:51 No, the there, the forum was yeah, right here. Jericho Jericho. Yeah. Oh yeah.
My friend, the Jericho Forum, actually the, yeah, Paul Paul, Paul Simmonds actually is one of our, our fellow analysts. Yeah, exactly. Right.
They, they came up with the whole idea of deperimeterization, they, they were the ones that came up with the word deperimeterization and yeah, they, if Paul was here, he would probably say that he invented zero trust. So I guess we will, but we'll stick with the, the guy from Forrester, but yeah, there was a lot to be serious.
The, the Jericho Forum actually should be credited with, you know, proposing a lot of these theories a long time ago. I mean, Paul's now moved on to the Cloud Security Alliance. I think it is. So he's still doing good stuff, but yeah. So all of these kind of like commandments rules of zero trust, as I said, are very easy to write down, like all access decisions are actioned on a per access basis, et cetera, blah, blah, blah, all communications between resources must be secured regardless of their locations and so on. And then we can move into another set of rules.
And the one we put in red there, this is the, this is probably the one that is hardest to, to actually implement. I'd be interested how you feel that each access decision is made on a real time risk evaluation. That includes all these things, behavioral analysis, environmental conditions, history of previous accesses.
Well, that's an awful lot of stuff to process in the kind of milliseconds that you've got between someone requesting access to something and then wanting to do something. So yes, Actually we did implement for access for identity. We tried or implemented this number. We started in 2014, then it was really new. So it's a big decision engine when we had seven types of contextual stuff that we would analyze.
And, but you see that for at least for banking customers there's looks like you would have a lot of rule because you do this rule based and then get a risk score. So you have to have your risk framework.
And, but it's more simple than it looks like because you had a lot of parameters, a lot of attributes, attribute-based access control, but only a few rules and the behavior of customers would be quite consistent. So you have a sort of frozen predecided elements that you can then combine. So the real time sounds very terrible and it's difficult to implement, but, But you've, you've done it. You're saying you. Yeah.
And, and, and what did you use? Did you go to the market to get, you know, no, Partly partly, no.
Well, I have to say that at the group, the security group had done the same, but the negative side of it at fraud detection, and you could put the fraud detection parameters also in, but they had built their own fraud detection rule engine, which worked very, very well. And that brought the idea that you could do the same for that preventative controls. And if you make preventative and detective controls work together and use each other's parameters you're well on your way. Yeah. So that's, that's encouraging yeah. Big architecture.
So there was no tool and yeah, that was really a lot of components in itself. And that's ABN you work for yeah.
Oh, well, well cuz it, it failed, But I was in charge of that, so. Okay. Where are you now? Sorry. I'm now working for the European union for the SF lab.
Oh, European union. Yeah.
We, we used to belong to that in the good old days. All we have a question from the virtual room. Do you wanna go ahead and ask your question?
Speaker 11 00:47:21 Yeah. Hello. This is here. I'm from Philips, I'm from enterprise architecture from Philips. I think somewhere you're mentioning regarding the, you know, the car example, which is with respect to the car industry. Right. So I was just curious about that. One is like, can you please explain on the use case more in a vivid manner where suppose a partner service with respect to hiring cars.
As for example, we have in Greenwheels in Europe in many, in many countries, right? Like a self-driving taxi related to the centralized authentication through which they make, which, which the user can make through their public transport identity cards.
How does, how does that relate to the zero trust part? So it's like, you know, if we, if we have this kind of use case, can you just, I know because I'm, I'm trying to grasp this whole concept. This is quite new to me. So with respect to, with these kind of use cases, how do you relate this to zero trust part? So the use case, could you just repeat the use case? Sorry.
Speaker 11 00:48:20 So there are partner services in Europe, which is like, you actually actually have mentioned in while defining this whole zero trust thing regarding the car industry. Right?
So like we can hire cars in Europe, like for example, Greenwheels, where we can use our, you know, our public transport identity cards to actually go and start the car. And we can use that as a self-driving taxi from certain point to another point. And then it could be charged from, from our public transport ID card. So it's basically just hiring a, a car for a short travel and making that as a taxi service for hours. So this is a like, you know, you, you mentioned, and I was, I was just curious that how does that these kind of things relate to the zero trust? I know thoughts.
So yeah, Well, yeah. I mean, I kind of, that's what I was alluding to earlier about the car industry that, that exactly we we're talking about the convenience more than the security in terms of an actual implementation of how you would secure that.
I'm, I'm actually gonna hand this over to John because he's probably a little bit more clued up on that. John, do you think you could fill that out? Fill in a bit there?
Yeah, I could try. I mean, I'm not really familiar with that company or that use case, but I would say that probably what goes into that is some identity proofing looking at maybe national IDs driver's licenses to, you know, establish the identity before you get the card. And then there are probably identity federations between the relying party, car service and whatever identity providers they've chosen to accept. And then from there they would be able to authenticate and authorize a driver for some period of time.
I, I, I know that there are some other sophisticated use cases out there where you can actually do geofencing and place limits on how far a user would be able to take a car in that, that case. Okay. But I'm not, not exactly sure how this particular company works, but you know, I think a lot of the, the basic building blocks that are available in IAM and consumer IAM today, especially around identity proofing and, you know, multifactor authentication, mobile based are, are building blocks that can easily be used to put together a pretty satisfying use case like that.
Speaker 11 00:50:55 Okay. Yeah. I'm just trying to understand how the principles of zero trust work in this case type of use cases, you know? So that was more my, like, you know, trying to understand that part. So rather map map to, towards those principles, what we will be actually using in these kind of use cases. So yeah. Okay. Got it. Yeah.
I mean, we actually, That's one, I think it's an advanced use case because not only do you need to know the person, you know, the potential driver's identity, but you wanna make sure they have a valid driver's license insurance, you know, depending on what the regulations are. So all that need probably a lot of runtime checks before a person would actually be able to pick up and, and drive away in a vehicle.
Speaker 11 00:51:38 Correct? Correct. Yeah. Yeah.
We, we had actually, one of the speakers here was from BMW that worked on an ID project. So I might try and get in touch with him and find out a little bit more because he was actually in charge of a project that has helped develop the, the, the, well, not just keyless, but the completely seamless entry into a car.
So we'll, we'll look into that. Cause I think it's a, it's a really good point and it shows that there are limits of, of zero.
Yes, sir.
Speaker 11 00:52:13 Thank you.
Speaker 12 00:52:16 If I can improvise for a second, just to show you a little bit of the context. So the good start is really with your device ID. So you're allowing, creating an identity and then whatever you can do with an app, if you're trying to hire a car, you can do geofencing, for example, for your car and for your mobile, whenever you are detecting an anomaly that your car is in different place than your mobile, then probably you want to adapt. So you want to apply the zero trust saying, okay, something is not quite correct.
So I'm gonna reduce the speed limit or ask to stop. So have the action reaction proposal, then you're having more and more sensors. So you can take a look into like event-based architecture and over the time as you are seeing, how is the driver driving? So by his style of driving like behavioral biometrics, you can limit his speed or ask him to do something else or never ever give him a car again, or like limit his car, you know, availability because of that. So this is like the online decisions that you're making based on the signals that you're having on the anomalies.
And it's really based on the user experience. So it's not about like, Hey, we are all having a lot of legal building blocks because architecture is out there. It's about the user experience. That is really the key to understand what to allow a user when with this minimal rule. Yeah.
I, I guess that's kind of like a, a extension of keyboard analytics, you know, where now we can see if someone's keyboard behavior is changed. That suggests that perhaps the wrong person is in charge of that, that, that laptop or you're drunk.
Well, that's where, that's where it breaks down. Yeah, because that could be the real person, but they're just drunk or, or having a stroke or something.
But, but for a car, generally, if a car gets stolen, the, you know, the people that steal cars won't treat them with the same care that the, the real owner is used. They tend to, you know, speed or they'd be used in a robbery or something. So that's one way of, of implementing some kind of zero trust, I guess. So thanks for that. Okay. So I think there's a one more slide here on yeah. So that guy there is trying to work out how to implement the tenets of architecture and design, I guess that sort of sums up some of the challenges. So that I think is, oh, sorry. Yes.
Just wanted, this is an interesting slide because as I mentioned right at the start zero trust is not, not a lot of products and, but people in the industry will have cottoned onto zero trust as a marketing device. And this is a group that decided to somehow measure what they said was a zero trust market, which they came up with a figure of 59.43 billion.
The thing is, you can't really say that any, that there is a zero trust market and you can't really value it because you might as well just value the whole security market because, you know, so be careful of, of, of vendors out there that we'll tell you that their product now has added zero trust because it's pretty much like the old, the old detergent ads, which we'll tell you, it's got, you know, ingredient X or, or something that makes it now wash everything whiter.
So yeah, I mean, it's, it's kind of an obvious thing to say, but there's no such thing as added zero trust, but she she's, she is, she's happy there with her tired, so, okay. I think we've, we've kind of discussed quite a lot here. So was there, would there be anything you'd add to that list of tenets that came up with anyone? No. Any anyone online that would like to comment? Okay.
So yeah, maybe. Yeah.
Oh, be interested. If you have had vendors that have offered zero trust to you.
Speaker 12 00:56:29 Oh, I I've seen multiple of them in the hype train, but I believe one of the things that is underestimated is really the dynamics because like that's missing in the architecture and design realistics from my perspective, the, a lot of the systems as they were built as done, as they're maintained right now, they're used to use the static data.
Like the identity with all of the context is static, but the reality it's changing, ever-changing so it puts a lot of nonfunctional requirements that you need to adapt your system. So not only your identity provider, but also like microservice service providers, they need to be able to adapt in real time. So whenever you're late with things, you're providing a gap and as the context is always changing, that's something that is very high push on the new architectures. That's one thing that's missing for me. Okay. Thank you very much. Anyone else got any interesting vendor stories?
Just out of interest? No. Okay. All right. So I think break time. That's what I was trying to get to earlier, but I was a bit, I, I was too optimistic, so I think we have maybe 20 minute break now. So feel free to get some refreshments and thank you very much. So zero trust challenges. One thing I didn't do and Warwick kindly pointed this out and probably should have done right at the start was just ask you how far, or have you embarked on a zero trust project if you have, how far have you got or are you not even considering it?
So if it maybe just a show of hands, like, are you doing zero trust to put it that way? Trying, okay. Yeah. Anyone else like further down the road or still thinking about it? Okay. So it's a fairly, fairly new audience to it. So let's just look at some of the, the challenges that we talked about, what zero trust is supposed to be, and you know, whether it makes sense. So let's just look at some of the challenges. And I heard earlier that technical debt was some, you used that phrase there in the audience and, but is something that is a challenge. So zero trust isn't magic.
It's not going to make things happen overnight. And a lot depends on what you have in place at the moment. So you updating old applications is hard and costly.
So how, how are you going to you decide you want to implement a zero trust network. Then you gotta think about how your existing architecture, your legacy applications, your infrastructure, how are you gonna make that work in a new, make it zero trust, aware, et cetera, how are you gonna deal with things like privileged access, privileged access is kind of the, an, the, the reverse of, of zero trust because you have to give certain people a level of access that other people don't. The problem is that privilege access in a zero trust world is becoming much broad, more broadly defined.
So it used to be that privilege access was just for admins or so-called super users, who'd access sort of root, root directories, et cetera, or they would be allowed to make changes to other people's techno platforms. But in, in the kind of the multi-cloud the, the hybrid world, the dynamic world, that we're all talking about, people that are defined as privileged users are becoming a much wider and broader number of people because they need access to things that are now considered to be high value. So high value data, or think doing things which are sensitive projects.
So you've got to somehow manage or marry the concept of zero trust to also giving people privilege access at the same time. So that's, that's a challenge. We talked also about digital transformation. And when people talk endlessly about digital transformation, how do you, how do you transform the business? So you get all the advantages of, of that, but at the same time, implement zero trust. Because again, digital transformation is about being open. It's about being sharing. It's about collaboration and it's about sharing secrets.
So all of that is, is difficult to then marry to a zero trust philosophy, especially when the concept of zero trust is now itself, 10 years old. Hello, are you, hello? Are you making a comment there?
Oh, are you, are you making a que asking a question? No. Okay. So DevOps is also related to that. You have zero trust. How do you apply that to your agile teams? How do you give them the access they need? And finally, you know, multi-cloud and the shadow it that we've been talking about, it's not unheard of for people in organizations to find good ways around the security policies that you have, particularly in certain parts of the organization, particularly in sort of development where people will share passwords because they can't be bothered to go through the normal process.
And because they think it's it's okay. So all of that, all of that technical debt, legacy architecture, et cetera, multi-cloud all of those things are just some of the challenges that you are gonna face. And I'm sure that you probably know that already, that it's actually quite hard to change what you have already. So any comments around that or any experiences that you've had that we haven't already discussed? Okay. So this is what we called the road to zero trust.
And again, it's a very simplified kind of roadmap of how you would app achieve some kind of zero trust in your organization. So the first thing, and again, this is like a huge thing. It's easy to say, identify your sensitive data at rest and in transit in your organization. Okay.
So, but how do you actually do that in reality? It's, it's, it's, it's something you've really gotta think about, and then you've gotta do data discovery, then you've gotta classify all that. And then you gotta segment and, and zone networks based on that data classification.
These, these are the kind of the print, the guiding principles of implementing zero trust. But again, saying all that is easy, but how do you go about identifying the sensitive data, especially as today, some of that data you don't even know exists because of people are doing things like shadow it. They're putting stuff up on Amazon, they're buying their own clouds. So do you even know where that data is?
So look, are you, have you got a question or you just kind of come on, let's have a question, Not really a question, but I think first of all, you need to set up a data quality sort of function and define data ownership. So you need people who are accountable for the data and especially the metadata, because in my opinion, data quality and data classification is managed by metadata as well. And if you have no clue on who owns the data as a technician, you can never do this job. That's a business function.
So you should first go to the governance and find the people who give you the right to do so, or are in charge of this business data. And, and do you, have you invested in any data governance platforms to do that? Because a lot of those claim that they will find data everywhere.
Well, you could do technical discovery of data, but setting up the organization who remains and is in charge of data, quality and discovery and classification, the non-technical part that would always change, of course. So you need a data quality process almost in order to be able to do that. And unstructured data is the big problem, isn't it? Because that's the stuff that you have no idea Structured data is a big challenge because it would be duplicated in many systems that would be copies from copies, with enrichments, with whatever types of replications.
And, and I think the whole data architecture is, is, is, is a sort of shadow architecture next to your systems. Yeah. So who is in charge of that?
Yeah, sure. You just, you just agree with that. Yeah. Yeah. Okay. Fine.
So, yeah, as I said, it's easy to, to write this down, but these are, these are the things you're gonna have to go through. And then again, you need to think about how you map those roots for sensitive data, for access and egress and classify the resources that may be involved in the processing or digital exchange of sensitive data. Once you've of course have classified what your sensitive data is, and once you've found it or the other way around once you've found it, and then you've classified it.
And then think about the workflow of the data and redesign that if, if, if necessary, which probably would be necessary and think about your existing workflows and whether you need to verify those, whether you need to redesign them, et cetera. So data is, you know, we talk about data all the time as being, you know, fundamental to, to business. And of course it is, and most, most organizations are not really using data in the best way that they can.
And that's why they're all very excited about consumer identity and access management so that they can get a better idea of what their customers want and what they're doing, and even what they're doing on their internet facing web, et cetera. But again, to do that, we have, you know, we have that again, we have that conflict between the business side of the business and then the, the old fashioned it security side of the business that, you know, wants to make sure that all this is secure. So zero trust applying all that to data is, is, is a huge challenge.
So John will talk a lot more about micro perimeters in, in the next session, but that really is kind of, you're segmenting your organization now into, we used to have one big perimeter and then we didn't have any perimeter. So we're kind of going back to perimeterization but calling them micro perimeters. So it's the theory is that you simplify the process of protecting the data by isolating bits and then putting 'em into little buckets so that you can then create zero trust around them.
But again, that, that's almost, that's almost going backwards a little, because we've got used to this open framework where we are sharing data easily. And now we're saying for zero trust, we have to like start to lock things up, but John will explain a bit more about how that can work using a framework. And then you need to, you know, physically enforce segmentation using physical and virtual security controls, which is where your old fashioned it security controls come in.
And again, there's automate the rule and access policies and audit and log all access and change. And of course that's all available in various platforms that you can get, which do all this stuff.
But again, as I said, there's no product that does zero trust, but there are plenty of products that can contribute to the road to zero trust. And then you gotta think about your analytics, which is obviously a huge growth area. Now I mentioned data governance and that's, there's more and more bus vendors getting into the business of business and data governance. And a lot of them, as I said, will claim that they can do data, automatic data discovery. They will say that they've got AI and machine learning tools that can do all this much better than any human and so on.
I'll leave you to decide whether that's true, but the, the fact is that you've got to have analytics. If, if you can't have a zero trust in framework, if you haven't got a clue as to how data is being used, how it's being accessed, who's using it, what's being used for. And of course, you know, whether it falls into the wrong hands. So yeah. Talking about vendors, if, if you feel that you need a new solution to identify a vendor that is moving in the same security direction as your organization.
Well, that, that's actually a slightly weird phrase, to be honest, because you don't really look for a vendor that's moving in the same security direction as you. What it actually means is you need a vendor that understands what you need, and then you match their capabilities to what you need. So that's a complicated way of saying choose carefully. And of course, you know, KuppingerCole, that's what we do all the time.
We, we, we evaluate vendors for all our various reports. So automation actually is, is something that is, that is happening. And particularly in, in my area of privilege access management, which is, as I said, has become a more complicated area and more challenging because of the growth of privilege accounts. But vendors in that space are now automating certain aspects of privilege access management, which is great because that means there is less for humans to do. And I think that's the, the trend of automation.
When you move away from the sort of AI and machine learning, sort of marketing speak, there is actually some good stuff being done. And automation simply does mean that the stuff that admins used to have to do is now done for them so they can concentrate on the more complicated areas and translating business process into technology into, I think this is what you, you were talking about earlier.
And the, the fundamental thing that we missed on our framework earlier on is actually thinking about what the business needs first. So think about what your business processes are and what business you're in. And then think about what parts you can automate. I dunno if how many people actually have a, a SOC or a security operations center within their organization, you do, you do. Okay. So maybe you could give us some, some of, of your own experience, but how easy is it is to do document, assess and test your SOC for zero trust?
Would, would you like to maybe share no. If you don't have to, that's fine. But anyway, thanks for, but at least one of you have a SOC. I would imagine that that would either make things easier or it might make things a lot harder. I don't know, but you, you would need to make sure that what goes on in a SOC would need, would, would marry with zero trust. And that means correlating policies and procedures that you already have. So automation is, is, is a good thing and not just in zero trust, but in security and identity management in general.
So just to make sure that it actually is real automation, it's actually convenient. So yeah.
How would, how would you identify sensitive data? Anyone had you physically say, go, come in one morning to your office or remote your shed in the garden or wherever you're working and how would you actually sit down and think, right. I need to identify sensitive data. How would you do that? I'm I'm I'm I haven't got the answer. I'm just asking you how yes. I was thinking, what about making your data less sensitive? And then you don't have to build up this expensive zero trust.
So for example, in, in health, you could remove some of the identifiers for patients are health personal, and then the, the, the data becomes less sensitive and you have to protect them less. That would be cheaper way to, to get security. Yeah. That's where data governance comes in. So that's the problem that you, you have right now, cuz you probably think all your data is important and all of it needs to be secured, which is not really the way to go. Like just a blanket policy that everything is, is, needs to be protected.
But again, there aren't, yes, there are tools now available that can help with that. Oh, sorry. I'll just jump.
I mean, I would say for, for the identify sensitive data, the first step to do to go is, is this, is there an external need, which makes this sensitive like GDPR data protection or is there an internal need because this might be my intellectual property or some process or anything, which I consider valuable for my business. And I mean, for the external ones, it's easy because there's a law, you can just read it and then implement the stuff based on what we see here. Right. For the internal data.
I mean, there's a lot of discussion needed because is it really that sensitive? Will we be out of business if that gets published or not? And then we need to decide. So I would first, I mean, it's the typical divide and conquer, right. I would say, okay, these are the cluster of the classes and analyze each of them and drill down from that one because it makes stuff easier, different stakeholders.
Yeah, Absolutely. I, I guess the problem is that you, the danger is that you don't know that perhaps that guy has got something on his laptop that would actually come into those classifications, but it it's true that without thinking about the value to the business of that data, whether it's like you say IP or a copyrighted material or, or even pieces of, of code, you can't even begin to start thinking about zero trust. So did you, did you have something else?
Yeah, that
Speaker 12 01:17:09 Might be a little bit old fashioned, but I really think like looking into data flows that are incoming or are coming from your system, there are a lot of regex solutions. So looking for things like sensitive data from the GDPR perspective, like ID numbers and so on. But on the other hand, assuring that you're looking for anomalies because sometimes in the cases of data exfiltration, you know, that there can be access tokens and there can be some, some secrets.
So I believe this is the, the very basic that is already there in the market, regex and then anomalies. Thank you. Thanks. It's a great comment. Okay. So analytics are important. I think we, we can agree that analytics are pretty important to zero trust and now having introduced John far too early in the first session, I can now introduce John once more, who I hope is now with us in Seattle. And he's going to talk a lot more in depth now about the NIST architecture and how that applies to everything that we've been talking about so far.
So John, Hey Paul. Hey, so there you are. Great. Fantastic. I'll hand it over to you. Okay. How do we do the slide advancements? Can you do the slides or do you want me, Let me see if I can I click it's okay.
John, you tell me to click and I'll click. Okay. Okay. Yeah.
Well, so as Paul mentioned, NIST produced this document, I guess it was probably last summer, SP 800-207, Zero Trust Architecture. I think there's a lot of good material here. So we decided we would try to do an in depth review of that and hope to cover as much as possible in the, in the time allotted here. Just a couple of quick quotes that kind of carry on with some of the things that Paul has already said about, you know, what, what is the purpose of zero trust?
And, you know, I wanna drill down a little bit more on the authentication and authorization pieces. You know, often we talk about things like micro segmentation and, and making smaller and smaller parameters. And you know, here at identity conferences, we hear people talk a lot about identity as the new perimeter.
So let's, let's combine those things and say that things like moving the policy decision point policy enforcement point, and those are terms we can define more going ahead, you know, closer to the resources that they need to pro to protect. And really, you know, we we've hinted at this several times already, but zero trust is not a product. It's a strategy. It's a framework. It's a way of thinking about the different components of your security architecture and how they can work together. So next slide please.
So taking it from the top, I, I like a lot of what we see here, you know, the, the core tenets of zero trust, according to NIST, you know, all data sources and computing services are considered resources. Those are the things that we have to protect. All communication must be secured, regardless of location.
Again, thinking back to earlier days, when, you know, you had the soft inside the perimeter, you may not encrypt everything, but, you know, nowadays we, we do want everything encrypted, all data encrypted at rest and in transit, every, every access needs to be carefully evaluated by any given individual in all the context surrounding that access request. And we can look at that in more detail in a minute, too. Everything needs to be all access needs to be determined by policies. We'll drive into that. And then there's the monitoring component.
You know, that's, that's very important as well. There's monitoring that needs to take place to make sure not only policies are being enforced, but the policies are kind of set correctly and that they, they need to may need to change a little bit over time as well. Resource authorization needs to be dynamic static policies.
Again, may work for a while, but then, you know, as business needs change as environments change, the, the policies need to be able to change to reflect that. And then all this really resides on, or, you know, turns on information that the enterprise itself needs to collect and process. Next slide, please. So some more of the assumptions, you know, the network is untrusted and that means any network, even your internal network, you know, there are malicious actors that, that get inside and, and are tempted to take your information. It's also been sort of exacerbated.
I think by work from home, you know, a lot of individuals have a lot of important company resources on their laptops. So the, the weakest link in the, the chain might be individual laptops, which may be easier to compromise if they're not inside the corporate network. Similarly, you know, with BYOD even prior to the pandemic, we were opening up, you know, many organizations were opening up access. We have guest wifi, you know, that may have had more privileges than it should.
You know, you couldn't control the configuration of all the devices that were brought into your network and, and, you know, that can be problematic as well. So don't trust the guest wifi either from the guest perspective, or if, if you're operating a guest wifi network. Resources have to be considered untrusted too, files, the code, the applications, you know, we've seen this even recently with some of the big IT supply chain attacks.
We heretofore had maybe not applied zero trust principles to a lot of the infrastructure that we use, but you know, some of the recent incidents show that some of the things that really make businesses run can actually be compromised and have a much greater effect if you're an attacker. So, you know, decide how to segment even bits of the IT supply chain that might be inherently trusted before. Can't really be considered that way.
Now, other infrastructure, obviously there's the cloud, there's the edge that we were talking about earlier. Those are things that most businesses and other organizations depend on today, but those are also things that are generally the infrastructure piece at least is outside of the control of any given organization, many large companies, or even smaller ones today have lots of contractors, you know, that they use different segments of services that are provided to organizations.
So you really can't trust contractors that are coming in from, you know, their laptops, their mobile devices, or originating on their network. So, you know, think zero trust when it comes to remote network access.
And again, all communications needs to be secured and encrypted next slide. So I thought, we'd start with this. This is a really nice chart that sort of shows, you know, continuous diagnostics and monitoring system up there in the top left CDM system, industry compliance, threat intelligence, activity, logs. These are kind of inputs to, you know, a hypothetical zero trust infrastructure. And then further, we break it down into the control plane and the data plane. And I think there's really good, you know, definition here.
We hear these terms used more and more often, but what we mean on the data plane is actually where the data lives, but then where you enact the controls, where you set the policy, is the control plane. So things like the policy decision point, policy enforcement points or the policy engine, policy decision point and administration happen outside of the data plane where, you know, the data and the applications live.
And it, the part that does go from the control plane that does go inside the data plane is the policy enforcement point. And that should be used to mediate access from any and all kinds of users or applications and devices.
And, and that's what actually controls access to the resources in question. And there's also input provided from, you know, the data access policies, maybe PKI systems, public key infrastructure, your IAM systems and SIEM, security incident and event management. And SOAR, security orchestration, automation, and response. So we will kind of look at each one of these individually, if you could hit the next arrow, we'll highlight the one we're gonna deal with first. So let's look at the policy control infrastructure, and this is how it fits into the overall big picture. Next slide please.
So when we think about dynamic access policies, you know, I have a pretty long history with XACML and, and authorization. And I still think that that model fits well, you know, the NIST document calls out XACML 2, I've got a few slides in here later about XACML 3 and why, why that's pertinent.
But, you know, every policy needs to examine, you know, four major categories of input the subject, you know, the user, you know, this might include information about the device that the request is originating from as well. This can include attributes.
You know, the, there were questions earlier about, you know, intellectual property or the nature of the resource. Those are things that we would consider on the resource side, you know, attributes about the resources themselves. And I think there were good points made about, well, how do you figure out what those are? You know, there are tools out there, data access governance, a term we haven't heard in a while, but I think it's starting to show up more and more lately is data loss or data leakage prevention. Those tools have been around for 10, 12 plus years.
Many of them have capabilities of looking at different kinds of data. And, and now applying, you know, various machine learning techniques to kind of help decide what a given data object is, you know, the nature of it, and then apply metadata attributes based on that. So the resource piece is very important.
And then the overall context, you know, where does the request originate from not only to the device, but the network, you know, other contextual bits of information might include, you know, the time and day you could figure out if a request fits sort of a normal pattern of access, or is maybe a, a user trying to access large volumes of data that maybe you're not directly in their purview, does this not fit their baseline? Those are part of the, the environmental context. And then lastly, we've got action.
You know, maybe, maybe it's appropriate for lots of different users to be able to have read access, but only a few to have edit or write access. So these are the four major components in an access control decision. Next slide, John, hold on. We've gotta have, have a quick question from the audience. Sure. Talking, when talking about the policy, the policy administration points and the policy information point where all the attributes reside, we implemented this since 2014 in AB number, exactly, PDP, the whole set.
And the idea was to combine it with format preserving encryption, where you could realtime decide to encrypt part of the data or even part of the data field. But the problem we found was that setting the policies, the business rules that decide who can see what that could be conflicting. If two parties were owning these business rules, for instance, how much can I withdraw from the ATM today? There's a daily limit, but there are several parties in the bank about that.
So we added on top of this sort of governance set on owning the, the business rules that translate are translated into the policy administration point as policies. So, and conflicting policies. There could be policies that one rule says, yes, you can do that, but the other rule could be a veto on that. They could conflict, and then you have a problem because then the whole thing doesn't work.
So that's, you need a major layer on top of this, for who sets, what policies and what do you do in conflict about it. So there should be a rule based for setting rules. There should be a rule for setting the rules, John, good point.
Well, you know, I, a Great question. Yeah.
That's, that's an excellent observation. You know, rules can be very complex. I've got a slide or down from here, we can talk about, you know, ways to address that.
And, but there's in many cases, no simple way to do that. It, it can be very complex. I'll try to get to that in a couple of minutes here, but yeah, that's an excellent observation. Any other questions there? We have another one, hold on, making me run. Now
Speaker 12 01:32:28
This might go a bit into detail, but in the end, how do you come up with a score or criteria? I mean a policy. Yes. That's a business decision, but how do you score something?
And is there any orientation what you use or, I mean, is there a scientific way or do you say, well, we have had that many breaches or these breaches usually, or this data at loss would, I don't know, or yeah, what's the guidance. Okay. Yeah.
John, how, how do you actually score that? Well, you know, if you, you wanna go back to that slide, the previous slide, Oh, hang on. I've gotta go back up to the front now.
Well, I'll talk while you're en route. So, you know, a lot of this kind of also maps to what we talk about with regard to risk based authentication. So you can use various risk based authentication systems to help you do some of the scoring and then where the policy authoring piece comes in is probably to some degree, a manual decision about what risk level you wanna accept on all these different components. So you can say, well, okay, the subject authentication, you know, seems strong.
You know, maybe they're using, you know, multifactor authentication. You know, the action is just a set of reads. The resource is something that's within their purview to look at, but maybe the context is different. Maybe they're coming at this from a location that they've never been in before.
So, you know, a risk based authentication system could raise a flag in a situation like that that says, you know, the overall score here is higher and then, you know, yeah, you would have to figure out well, at what point do you want to, you know, maybe take an extra step to determine, is this an appropriate access?
You can introduce other things like maybe an additional, you know, I don't really wanna call it step up authentication event, but you know, some additional authorization action that the user would have to complete, or, you know, what, if it looks like the context is potentially a malicious insider, or even someone who's been able to take over the device of a, a legitimate user, maybe they're trying to read too many files at once.
Maybe it looks like it's a, you know, a reconnaissance action and an APT. In that case, you, you want the risk based authentication and authorization system to understand that, and, you know, further elevate the risk score and, and return a deny. But yeah, I think there's, there's always gonna be some degree of manual configuration that's needed, especially after it gets put into place.
You'll wind up with some false positives, false negatives, and there's gonna be a little bit of tuning that has to happen, but you know, a lot of, and I'll quit rambling here in a second, but you know, a lot of the, the risk based authentication and authorization systems out there do make pretty good use of machine learning techniques to evaluate a lot of this data. So that analysts don't have to get down in the details, unless they're in the middle of an investigation to, to make these kinds of decisions.
I think we've come a long way in terms of being able to automate a lot of the risk scoring. And once, once that's in place, you know, it may need to be fine tuned occasionally, but there are lots of good controls that are available today that can do this automatically.
Thanks, John. Let's let's, let's let's press on, shall we? So which we, we on this slide. Yeah. Okay. Thanks for your questions, by the way. Thanks.
So, you know, they, in the NIST doc, they call out a couple of interesting categories here of criteria based versus score based. You know, a set of attributes that has to be extracted.
You know, we've kind of covered that. Confidence scores, that's the risk score, you know, generated for each attribute. You know, each one needs to potentially meet a specific threshold and you can define those weightings in advance.
You know, an example I came up with, if you've got a user, you know, this is like sort of a national security context. If you have a user with proper clearance, they're in the right place, you know, and the request can be verified to be coming from, you know, a controlled device that has, you know, anti malware on it and, you know, is appropriately patched. And they're trying to access a, a classified data object with the clearance and classification match.
Then, you know, they should get permission to do that. Singular versus contextual. I think that's interesting. I think the world is moving to contextual. Singular mode was, you know, every request kind of gets evaluated as it comes in. It's just a single yes, no.
Then, then, you know, it's not evaluated in light of past actions. Contextual mode is let's look at the last 10 or 20 requests. And see if this request is in line with what's been asked before and then decide, you know, you can also take the, you can weight the, the, the risk scores from prior decisions and the results, and that can affect the, the current request context as well.
The example I've got here is, you know, say you've got an authenticated bank customer they're asking for a high value money transfer, but the transaction may be denied because of the low confidence scores generated by the user behavioral analysis subsystem, you know, in this case, it would be, well, you know, this is not the, a normal payee. It's a huge amount of money. The user's making this request from a location that the we've never seen them in before. So let's go ahead and deny that transaction and follow up with the user to see if that really was what they intended and see.
There's a question that's come up here too. Let's see. It's really hard in banking to say that activities are abnormal, because the customer may need sudden access to big cash. Checking historical activities and denying this request will cause bad user experience.
Yeah, that's true. You know, to a degree.
I mean, I think we, we've all had these experiences where something will happen and with our credit card or with an account, and we get a notification and, you know, even if it's a case where there's inconvenience personally, I feel like, Hey, I'm glad somebody's watching out.
And, you know, I can approve it, may have to rerun the transaction, but, you know, I think as long as it doesn't become too burdensome, there's actually a, a user perception benefit in, in some of these cases. If it, if it does become a burden and it happens a lot or, you know, a user can't make a specific transaction happen quickly enough, I can definitely see frustration arising there, but I think there's also a, a feeling of satisfaction you get when you get a notification from your bank about a transaction that you really didn't authorize and they've shut it down for you.
Any other thoughts on that? No, no, no thoughts.
So let's, let's move on. Okay. So next slide please.
You know, like I said, NIST calls out XACML 2. I think there's some interesting things in 3.0 that are useful, and they kind of address the complex policy or rule question from a few minutes back, you know, in XACML, rules are at the lowest level, then you can assemble them into policies and then you can order those rules within the policy. And then it changes how they're evaluated and therefore the evaluation results. In XACML you've got the basic permit, deny, plus there's not applicable.
And then in 3, there's this interesting indeterminate and indeterminate D and P, where it's indeterminate looking like it was gonna deny, indeterminate looking like it may have been a permit. Next slide. So again, in XACML, well, there are a number of different algorithms, you can see that we've got a couple of different categories here with like deny overrides, meaning if any, any single rule in the policy, you know, again, policy being multiple rules all ordered properly. If any of them returns a deny, then deny.
And depending on your use case, maybe you need to say, okay, if any of these rules returns a permit, then permit. Then you've got deny-unless-permit, which, you know, slightly different because this brings into play the not-applicables and the indeterminates: any rule that evaluates to a permit results in a permit, otherwise deny. And then the, the converse of that, any rule that evaluates deny results in a deny. But I think I got that backwards in any rule that evaluates to deny results in, see, I'm getting confused, sorry about this.
Well, let me go on to first applicable, okay. Here's a case where you can order your rules with the, you know, most restrictive in an order, you know, that suits your particular business conditions. So you'll say first applicable you run the result. Any of 'em that returns permit then would allow the entire policy to be evaluated as a permit. So it just only runs until the first one matches the condition, whatever those conditions may be. Then there's another permutation here of only one applicable.
You can have a whole bunch of different rules that say, you know, that may not even necessarily be related to one another, but then you do the evaluation. If any rule happens to match, then that takes precedence over the others. And then there's extended indeterminate, where this is sort of allowing for a longer time of processing. The policy enforcement point will hold onto that indeterminate until maybe, you know, more information comes in. Maybe you set up to do some sort of attribute from another system, rather than having to, you know, run a separate evaluation later.
It can hold onto that indeterminate until it gets, you know, more context and then can evaluate, deny or permit based on additional information. Next slide. So how do we do dynamic authorization? Talked a lot about XACML, something that probably hasn't been discussed too much in recent years, but you know, I, I see there are at least six major different kinds of dynamic authorization that's widely in use today. You've got API access using OAuth 2, you know, so many different applications are connected these days via APIs. There are a number of different API authentication standards.
And OAuth 2 sort of is one of the, the leading ones out there. You can also use JWT tokens, but API to API connectivity for application to application authorization is, you know, probably one of the, the leading use cases here for how authorization happens in the business world. We also have federation, identity federation. This is leveraging things like SAML or OAuth, OpenID Connect, different users coming from different domains to, you know, the, the domain that hosts the information. We have data access filters.
This has come about, you know, in the last eight or 10 years to address situations where you need access by either individuals or applications to databases. This is a case where you come in, let's say you're a user you're you access a web application that runs a backend query.
Well, you need to take in the, the context of which user it is that's asking. This may actually result in either a change in the, the query parameters itself, say you've got a user that really doesn't have rights to, you know, read the full results from such a query. So you either filter that on the front end or on the back end, when the results are returned, the web application would then take away bits of data that the user would not be able to see because they don't have the appropriate access rights. Enterprise application using a policy information point.
This is sort of offloading a good bit of the authorization process from, from, let's say a big line of business app to an external authorization system. API gateway... John, John. Yeah. Can I just interrupt you just quickly? These last two slides are pretty deep stuff. Is this an example where automation would come into play in whatever type of platform you're using that would actually do a lot of this stuff behind the scenes, all these authorizations?
Yeah, yeah, I would think so. I mean, again, a lot of this could be handled by your IAM system in conjunction with your SIEM system.
And, you know, a lot of these have UBA, user behavior analysis, built into them. So it, there is a certain degree of orchestration between UBA, IAM and your line of business applications that needs to be put into place, but automation is certainly possible. Thanks. Thanks a lot. That's desirable.
I, I should say gateways are connecting everything these days. So API gateway can sit in front of multiple applications.
You know, this is probably ideal for organizations that are exposing lots of different applications, either, you know, from a consumer facing perspective or in a B2B situation, you can essentially do identity federation in front of the API. And then externalized authorization manager. This is using, you know, a, let's call it an endpoint agent to sit in front of applications, web access gateways, API gateways, to do the call to the policy decision point. So this is an externalized PEP that interacts with the policy decision point on behalf of multiple applications.
So you've, you've put a, a quick exercise there. John, can you think of any other patterns and I'd actually any interest of time? I think maybe we should move along because there's still quite a lot to get through. So let's not worry about that particular one if that's okay, John. Okay. Yeah. So we'll go back to the top here. And if you hit the next button, we'll look at the continuous diagnostics and monitoring.
You know, I, when I read this, I thought this is very closely aligned with SIEM, security incident and event monitoring. But I think what they're implying is that we need to take this to the next level.
This, you know, CDM needs to encompass not only looking at what's going on in an environment from a pure operational way, but also to sort of judge the health and effectiveness of policies at runtime as well. And, and I think where they're going with this is that we need additional intelligent automation capabilities to help organizations fine tune their policies. So that take in data from the operational environment and, and see how that's performing, you know, against policies that make suggestions probably suggestions at first to administrators about how policies may need to be tweaked.
But then, you know, eventually I think what we want to get to is sort of a self tuning system, but we're pretty far away from that today. We have some more slides about that later, but the notion of continuous diagnostics and monitoring, I think is a key piece of zero trust. It's not just about, you know, the authentication and the micro segmentation, but being able to make adjustments as time goes forward. Next slide please.
So yeah, I wanted to kind of drill down a little bit more into this, what I mean by SIEM. And so I think, you know, continuous diagnostics and monitoring really needs SIEM in the middle of it all. You can put the arrows back in there, Paul, in the interest of time. So you've got all the, your infrastructure, your cloud infrastructure, whether it's infrastructure is or CS, IAM and endpoint, all feeding into SIEM. Next button. SIEM being then the primary data source for SOAR, the security orchestration, automation and response, that's the additional intelligence layer.
I mean, I think, you know, eventually we're gonna see SIEM and SOAR grow closer to one another as SIEMs become more intelligent and SOARs grow to encompass more SIEM-like functions. Next button. That has to be informed by CTI, cyber threat intelligence. That's looking at, you know, what's going on in the landscape, indicators of compromise, other risks, compromised credential intelligence, things like that. And then, you know, SOAR being able to pass information or commands in many cases back to downstream systems, the infrastructure, the endpoint, IAM, and cloud elements as well.
So this gives you not only a sense of how information needs to flow in and actions taken upon it, but then, you know, flow back out in terms of remediative activities that can happen as a result of analyst engagement with SOAR. Next slide. This does mention that there are needs for different kinds of industry compliance, but they don't really dive into too much of what that might be. It's probably hard to foresee the different kinds of compliance environments that companies are operating in, but I thought we'd take a look at, you know, some of the most common ones.
You know, we talk a lot about privacy, GDPR, but there are lots of other regulations around the world, the California and the new revised California regulation. But, you know, Canada had PIPEDA for a long time, Singapore, Australia, lots of different privacy regulations. And as you know, they're not, they're not completely harmonized.
So John, one second, we have a, a quick question. Sure. On the number, on the, on the number two, I think a very important one is the anti-money laundering, the AML for the European Union, because it's all about identity onboarding and identity verification. That's, that's core. And, and that's quite recent, isn't it? AML has been existing, but it's upgraded all the time.
Ah, okay. Yeah.
See, I don't, I dunno about the European Union. You see? Yeah. That's a good point. It is a very good point. AMLD6 is out now, AMLD5 has a lot of interesting and necessary ID proofing requirements that align with the eKYC, know your customer initiatives and yeah, that, that definitely has a, a need for strong identity assurance. I should add that in. Thank you.
But yeah, there's besides privacy finance healthcare, healthcare records are also covered by various privacy regulations and different healthcare related regulations. Then you look at things like export control laws. You know what, you know, if you're in one country, what can be exported. And this is not just in terms of physical goods, but information itself can have an export classification and can be subject to export control regulations.
And if you disclose a piece of export control data to a person from a country that's not authorized, then you can wind up in a lot of trouble, fines or worse. National security classification to clearance mapping, that's pretty straightforward. Intellectual property, that came up earlier, you know, here in the US there's the Uniform Trade Secrets Act. But there's not a lot of explicit regulations around trade secrets at the federal level, they're at the state level.
And I'm, I'm sure that's the case around the world, but I think companies in general know it's in their best interest to protect their intellectual property as best they can, because not protecting it could be seriously disadvantage. And then there are different industry trade associations with collaboration, frameworks, any other regulations that come to mind that we might want to think about with regard to zero trust?
Well, we've already had the, the one I've already forgotten AML. Yeah. Any others from the floor that we no. Okay. John let's, let's move to the next slide. Okay. Threat intelligence, you know, on the CTI piece, cyber threat intelligence, I just thought I'd give a few examples of what this can be.
You know, there are third party services out there. There's also a lot of open source stuff. Much of it can be duplicated and, you know, it's very time limited in its value. So you can see things like bad IP addresses or entire IP ranges, bad URLs, domains. There are MD5 hashes of known malicious files. There are lists of various properties, libraries, and files that need to be considered. There are strings within the files that sometimes can give indication that they are malicious. Malware can make registry entries and changes.
There are traffic patterns, known, known malicious traffic patterns. And then there are YARA rules that are essentially like intrusion detection system rules that are traded around both in open source and, you know, from third party subscriptions that can help you secure your network devices. Next slide. So back at the top here, can you highlight the next section for us? Let's look at PKI and the closely associated IAM. Next. Well, this doesn't look very readable on the small screen, I'll have to say, but this is our KuppingerCole IAM reference architecture.
You know, we call out administration audit and analytics authentication and authorization since it's not, not so easily readable on screen here, I guess we'll kind of quickly move past that. And I, I will say we're happy to, to take questions about this slides will be available after the workshop. And if anyone has any questions, get back in touch with us and we can discuss it.
Yeah, for sure. That's really there for the download so you can digestively to, Yeah, it all seems a bit blur and then it should same with this one, you know, it could be.
At KuppingerCole, we've got this concept of the identity fabric. Again, this is hard to read, but I'll kind of give you a quick flavor of it.
You know, in years past IAM systems tended to be pretty monolithic. They were very focused on the enterprise. They were suited to workforce use cases around authentication, you know, and then within the last 10 or so years, there's been a real move to not only address B2C or B2B, you know, business to business use cases, but also consumer use cases. And we've seen the rise of things like consumer identity and access management, that, that take a different approach to identity, both from the registration side, the governance side, how they're authenticated.
And there's less of a notion of access management in many cases than there is, you know, marketing and personalization. But with the identity fabric, the concept that we're trying to express is that there are core elements that can be segmented into microservices that can serve a wide variety of use cases.
So, you know, you may not necessarily need to buy, you know, an IAM system and a different CIAM system. Many of the functions are the same. They can be expressed differently, packaged differently. And as long as we adhere to the architecture of an identity fabric where, you know, let's say discrete authentication, discrete identity proofing services, to go back to the AML point, as well as authorization as we've been diving into here, those services themselves can behave the same and can be packaged differently depending on the use cases they need to serve.
And we believe an identity fabric can help make it, you know, more efficient, more effective for customers to deploy this type of an IAM solution than necessarily going out and buying multiple IAM solutions just to address specific use cases. See, there's a question. Sorry. I went back. You have a question online, John. Yeah. Must be a long one. Yeah. I'm not really sure how to interpret it. We'll come back to it. Okay. No worries. So next slide please.
So going back to the main control plane and data plane graph, can you highlight the last section here we're gonna address? Let's go back and look at SIEM and activity logs and how that again sort of plays into continuous diagnostics and monitoring. Next slide. So, you know, looking at what I think is their vision for continuous diagnostics and monitoring. I think that we see, you know, a five phase evolution of taking in information and intelligently transforming it and winding up at the point where we have the ability for security and IAM systems to operate autonomously.
You know, the data correlation piece, that's pretty well known. Most organizations are doing things like this today, collecting logs, you know, your EPDR, endpoint protection, detection and response, network detection.
XDR, that's another term we hear a lot about these days, which is sort of a combination of EPDR, NDR, and a variety of other security tools, user behavioral analysis, the integration of cyber threat intel, being able to do risk based authentication and flowing all this into SIEM for, you know, correlation when needed. The next layer up is decision support.
This is to be able to help analysts do forensic investigations, to do threat hunting, you know, taking it apart and looking at malware analysis and being able to do things like proactive maintenance, improving productivity of the security operations center. And this is where I see SOAR, security orchestration, automation and response tools, being able to help take this to the next level and also do intelligent automation. One of the main goals of SOAR is to help mitigate threats faster. We see that, you know, attacks, especially ransomware attacks, can happen very, very quickly.
You know, in some cases. In other cases, the attackers behave more like APT state actors where they'll get inside a system, siphon out important information, leave ransomware behind and detonate it. But even so, when that detonation event comes, it tends to take organizations by surprise. So if you've got a SIEM and a SOAR that can look at early warning signs of that and shut it down before it becomes catastrophic, I think that's where there's a lot of value in SIEM and SOAR today. This can also help with things like robotic process automation and helping to mitigate DDoS attacks.
Next layer up is cognitive processing. There are some solutions that are out there that do things like phishing detection, business email compromise, analyzing attack patterns, and then actually making informed business risk analytics and helping with the security policy optimization that we've been mentioning.
Not, not as many have made it to this level in terms of products, but there are a few. And the end goal, I think is autonomous AI, automated self maintenance, instant threat mitigation self-learning security systems, and, you know, being able to mitigate even AI related threats. There are attackers that are using ML and AI just as well as practitioners and security vendors. So this is where we expect to see a lot of work in the next three to five years is moving a little farther up the chain. Any thoughts on where you think most of the products are? Any thoughts in the room? Okay.
Let's move on, John. Okay. Next slide. There are three variations that they call out, three variations on the overall theme of zero trust. IGA, identity governance and administration. This adds attribute accuracy. This is something that, as you probably know, is sorely needed in many cases. Just because the person was authorized a year ago doesn't mean that they are part of the same group or need the same level of access. Micro segmentation. This is a common theme within zero trust.
It's, you know, essentially putting policy enforcement points at all the ingress and egress points to your network, down at the VLAN level on switches and routers. Some suggest using NextGen firewalls between enclaves and then even segmenting based on resource activity. So, you know, for many years, many organizations have done especially the latter, where you build out secure enclaves and put a firewall in front of them. SDN, software defined networking.
That's taking it a little bit more granularly, you know, putting this down at the actual network level. This works well for the cloud, both infrastructure and software as a service, and the SDN approach is especially good for hybrid architectures. Next slide. Okay. So they call out in NIST SP 800-207 four major deployment models. These are methods to build environments with agents or gateways, the secure enclaves I was just mentioning, resource portals and application sandboxing. So let's take a look at each one of these briefly. Next slide.
Again, this is adapted from the document itself. This shows, you know, an agent or a gateway model. You know, this is probably familiar to many of you. This has been, you know, a very similar model to what's been used in, let's say, IAM systems, placing agents on key resources, you know, for 15 or 20 years, where you will embed an agent or a gateway directly within, you know, alongside an application or alongside, you know, a gateway to, let's say, a file repository or some collaboration system.
And then any user that tries to get access to it, they go through this gateway or this agent. The agent mediates it and says, hey, wait a minute, I need to ask the policy administrator or policy decision point, is this appropriate? It goes out and maybe on the backend checks for, you know, verifies your identity information, does the lookup in LDAP to see if you match the policy, will pull the policy itself from LDAP, and then, you know, if all the various policy components say yes, then you can get access.
If not, then not. But this is a pretty traditional agent or gateway architecture and used probably in millions and millions of places around the world today. Next slide. Here's a little bit more about the secure enclave. This is again, you know, taking it one step farther to separate the data and perhaps the owning applications from the outside world, put a firewall up around it, or, you know, segment it off on the VLAN. Again, you've got a gateway that's sort of mediating access. A user comes in, tries to get to, you know, some resource within the secure enclave.
They may need to go through, you know, what you call a jump box to get access to it. You know, so that might require authenticating separately using a privileged account or privileges attached to the user account to be able to get into the enclave, and then an additional layer of authorization once inside the enclave. And you could see this would be particularly useful in cases where you've got highly sensitive data, whether it's, you know, PII, or maybe these are trade secrets, or, you know, company financials. You really wanna limit this and make sure that it doesn't fall into the wrong hands.
You would go, you know, to this level to protect very, very sensitive data. And again, this is a model that isn't really new, many organizations are doing this very thing today.
And I would imagine this will continue well into the future. Next slide. Here we have a resource portal model.
Again, I think this is pretty common too. This is a way of, I think of it, not only does it increase security, but it's a way of making it easier for users. Let's say you've got a contractor or set of contractors. You don't wanna necessarily bring them directly into your network. You don't wanna give VPN access. You put up a web portal. The web portal will have a list of, let's say, all the URLs that a contractor is allowed to get access to. And then you've got controlled access from the portal into those applications.
It's able to evaluate identity information, you know, so you can adhere to access control policies at the resource level, but you can also make it so that they don't have the ability to walk around the network. They're constrained to only what they can get to from the portal. Next slide, please. Here in the application sandbox, I think this is probably a little less common. This is where you've got a situation where you really don't trust the device that may be sharing an application.
So you put trusted apps within a sandbox. This probably involves a hypervisor. In most cases, you would wanna virtualize this. Then you have the trusted app refer to an external policy enforcement point to get access, to allow users to have access or not to the applications within the sandbox. Next slide. So these are the four major deployment models that NIST calls out in their document. Can anyone think of any others, any others that you've come up against in the real world? Show of hands.
No, John, we have nothing here, so. Okay. Next. So zero trust at the network layer, you know, thinking back to: you don't own everything. BYOD, they may not be under enterprise control, which means you can't control the security posture. You don't know, in some cases, whether the devices that are trying to attach to your network are patched. You don't know if they've got antivirus on them or if it's up to date, and you don't know if the device itself has had any security policies enforced on it.
So these are considerations that you have to think about, to put tools in place to enable that. Then traffic visibility, the enterprise must be able to observe all traffic. Interestingly, it doesn't specify decrypting the traffic, which is good because that in itself, I think, is a security risk in many ways. ETA, encrypted traffic analysis. There are many tools out there in the NDR, network detection and response, realm that do a good job of encrypted traffic analysis.
There are methods that you can use there that don't require decrypting traffic to figure out whether or not it's malicious or inappropriate. We could go into that in more detail. If you've got questions about that, we can talk about that one offline, but you can have visibility into the traffic and make good guesses about whether or not it's legit or not without having to decrypt it. Deny overrides, kind of pointing back to the XACML piece.
No enterprise resource should be reachable unless it's mediated by a PEP, you know, unless you've got, you know, public domain information that you happen to be hosting. Everything needs to be controlled via policy. And then we've seen that graphic about the control plane and the data plane. I think that's a good concept to keep in mind. Controls need to live outside of where the data does.
And in many cases this can include even things like separate virtual and physical network interfaces, where in places where you really need that level of security, the control plane should be separate from the ordinary user interaction area. Availability is a concern. We'll talk about that more in a couple of minutes, but all the pieces of your policy infrastructure need to be reachable at all times. Next slide, please.
Again, thinking about the control and data plane, only policy enforcement points should be able to access policy administration points. This will prevent unauthorized or malicious users from changing the policies so that they can get access.
Excuse me, to things that they shouldn't. Remote assets do not need to traverse enterprise infrastructure. You know, I think we're reaching the point where VPNs will still be used, you know, into the future.
But, you know, let's say in a contractor case, you don't necessarily need to grant a contractor wide network access via VPN to get their jobs done. So everything that, you know, enterprise and non-enterprise users might need to do within your environment, again, needs to be mediated by a PEP. Zero trust architecture needs to be scalable, and that's not only for normal loads, but for peak loads. A lot of organizations have, you know, maybe a couple of days a year that are big sales days or, you know, big delivery days.
You need to plan for your policy enforcement and zero trust architecture to be able to handle the peak loads, not just the average load. Policy enforcement points may have limited scope and range. Some may be constrained to cover special environments.
You know, I think this is a really interesting one too, because, you know, as you build out separate environments that are maybe, you know, customer facing on this side, or maybe you've got a specific customer, you know, with different service level agreements, that you've created several different environments for, you wouldn't wanna replicate and keep up policy that covers the entirety of the enterprise for each specific environment. So keep the policies that only pertain to that environment in the PEPs and PDPs that govern those environments. This can help with, you know, geographic distribution and latency.
If you're not pointing back to some very, very remote policy decision point, it helps out with performance and load scaling and availability. Next slide please.
One second, John, we have a quick question. In this slide, I missed the PIP, the policy information point, which holds the attributes, which are calculated by the policies and roles, and these values change a lot. So if you change the value of one of the parameters that is looked at by the PDP and then the PEP, then you have access. So they should be here in the list as well. And there are often sources throughout the whole business because you don't know what type of information should be taken.
It could be the fraud detector giving you information, or just a business system with customer data or whatever. And, well, I think that's one of the other very secure parts that you need because it's also deciding on access, but that's how it should be listed here, I think. Point, John. Yeah. Excellent point.
I mean, I would put that up there in the first square: policy information points need to be secured and segmented off from the rest of the world as well, so that users, malicious or otherwise, can't get in and make changes to user information attributes, as well as the policies and the policy administration point. Anything else? No more questions. Nope.
Oh, okay. Next slide. So NIST calls out five common use cases. We'll kind of go through these quickly in the interest of time. Satellite offices, you know, this came out early in the pandemic.
I mean, what about work from home? I think we need to consider work from home as well, over MPLS, shared office spaces.
So yeah, zero trust definitely works for that.
Multi-cloud, this is something we've heard quite a bit about at EIC this year, the need for multi-cloud IAM. You know, you've got different resources that may all work together, may be, you know, set up redundantly to withstand infrastructure failures, and you need the notion of zero trust across that, which means authentication and authorization that can work well between multi-clouds. Contractors and guest access, I have mentioned that a few times already, you know, not only contractors for services, visitors, campuses, conference centers. There are lots of different kinds of business models where you've got people, you know, routinely coming into conference centers, say, and they need short-term access to only, you know, a very specific subset of what can be gotten on the network.
Cross enterprise collaboration. This really relies heavily on federation for both authentication and authorization. This can be shared locations.
It can be, you know, more often than not these days, using the cloud for collaboration, but maybe internal enterprise resources. So you might wind up with some sort of a hybrid collaboration space. And then lastly, you know, B2C and G2C, you know, business to consumer, government to citizen. You might need to be able to distinguish between unauthenticated users, read only consumers, customers of different kinds, citizens from different countries. You need to be able to support a wide range of authentication methods and mechanisms.
You know, if you're looking at how to handle smartphones, there are lots of good authentication mechanisms that work on a smartphone, but maybe not everybody in all these different contexts has access to that. So B2C and G2C can present very complex use cases that require lots of different identity proofing and authentication technology requirements.
Next, I think it's a question. Can you think of any beyond these? I think actually John, we still have quite a way to go, so let's, let's move on to, to the next section if that's okay with you. Okay. Yeah. If that's okay with everyone here. Yeah. Okay. Okay.
So, you know, one of the best things I think that is in the NIST document is it lists these specific threats to zero trust architecture. And so they've started the threat modeling process for us. So number one, subversion of the zero trust architecture decision process. And this means, you know, as was alluded to earlier in the question, we need to secure policy enforcement points, decision points, administration points, information points.
And by secure, we mean, you know, cover them with all the other tools that we would normally use in the environment, endpoint protection EDR, make sure you segment the control plane and encrypt the databases, encrypt your user databases and all communications next up denial of service. That's why there was an emphasis on availability.
This is a good place where you might wanna deploy next gen firewalls or web application firewalls to protect the various components of the architecture. Use NDR, network detection and response, to help determine whether or not there are any malicious traffic flows. Stolen credentials, insider threat: as always, use least privilege to assign roles, attributes, and entitlements. Keep your IGA up to date. Access reconciliation is not a pleasant task, but it's definitely a necessary task.
And, you know, any changes to the overall ZT architecture should involve PAM. No administrators should be able to make changes to any component of zero trust architecture without going through PAM, you know, using privileged credentials. Next, network visibility. As we've said before, you need access to what's going on within the infrastructure. Use a good NDR tool, keep everything encrypted. Storage of system and network information.
You know, I think this was a really interesting point too. Information about what's going on within the overall zero trust architecture itself is valuable and can become a target of attack. If an attacker is looking at how, you know, they might be able to compromise your system, first they wanna know how to turn off all the monitoring, how to subvert the, you know, the access control policies and access control infrastructure.
So you, you need this to be encrypted. You need access controls, even on the data about the data. They also mentioned proprietary solutions, you know, with zero trust. I don't think this is such a big deal because you can't buy a zero trust package that covers everything. They're really about trying to tell us to watch out for vendor lock in here with this one.
Lastly, here, I think this one's pretty forward thinking: use of non-person entities in zero trust administration. This is, you know, using chat bots. Chat bots are starting to become common in some organizations as a way of, say, you know, a new user interacting to request access to additional resources. Don't let the AI chat bots, the non-person entities, become a vector of attack. Next slide. This is just another, here's the list they gave us. Can anybody think of any other threats that we might wanna consider? Any other threats from the floor? I don't mean literally, just threats to zero trust.
No, sorry, John. Okay. Next. Speaker 15 02:28:14 Maybe on the mobile front, maybe. So if you have kind of mobile policies you can't trust because maybe someone has GPS faking on their mobiles, or what would you do, let's say, about VIPs that are very mobile and want to access some high profile applications from conferences and so on, and you can't cut them off. And I think it's more of a cultural threat then. Good point. Yeah. Yeah. That's an interesting point.
I mean, business would probably say you have to make exceptions for lots of different scenarios, but there are also times and resources that explicitly need to be protected and, you know, disabling mobile access for certain kinds of resources is probably one of those scenarios. Okay. Thanks. Let's.
Yeah, Speaker 15 02:29:15 But the enforcement is hard when your boss is like calling in from, from yeah, I see, or whatever, and asks for access or complains about not being able to access some resources they need. So I think it's a very good concept overall, but it's mainly a cultural problem that you at some point open up some things too. Yeah. Okay. Thanks for that. Thanks for your comment.
Oh, we have a, a break scheduled now. I'm just thinking that perhaps given that we're we need to finish about half past 12 that maybe just push on John. Is that okay? Yeah. How much material do you need to cover? I've got a few slides at the end.
Have you, what have you, have you got left to do some more? Yeah. Let's let's take five minutes now.
And then, you know, I, I will edit this down a little bit so that I can finish more quickly. Okay. So why don't we take five minutes right now? Okay. Let's take a quick five minute break, cuz that's pretty intense and see you back here in five minutes. Thanks everyone. Thank you, Paul. Are you still there, John? I'm here. Yeah. Yeah. This can you advance through here?
Let me, Do you want me to go through the slides quickly? Yeah. Yeah.
I mean, I think I must have been editing another set because this is not what I was just working on. Oh. So let me, let me see where, Where we are because I was actually expecting a break a bit earlier and on the set that I, so I thought perhaps you deleted that break.
No, no. This is an older copy. I'm trying to look at where I'm at One second, John, hang on a sec. What? Okay. Speaker 16 02:31:37 On screen as well. If wants to John, you can share on screen. Apparently if you just wanna use the slide you have in front of you. Okay. Well how much, how much time? 30 minutes after everyone gets back, how much time do you want to?
Well, The slides I have are pretty much a re just a, like a, a recap. I can just whizz through those because I think people have, you know, it's, it's, it's, it is been a long week. So I don't think maybe we'll just go through your last slides. See how much time there is left and then I'll wrap it up. Okay. Yeah. I'm looking at what I've got here. I think I've got maybe, maybe 10, 15 minutes. That's that sounds perfect. Yeah. Okay.
So, so if you do those, share your screen and then I'll take over from here. Okay. So when you finish, stop sharing your screen and then I'll go back to the main presentation. Okay.
Yeah, yeah. That should work. Perfect. Okay. I'll see you in about five minutes. I'm just gonna take a break myself. Yep. Me too. I'll be right back. Thanks John. So I'm back. Speaker 15 02:33:14 May I ask a question in the meantime, John? Sure. Speaker 15 02:33:19 I'm coming from the perspective of change and configuration management and insider access.
So, and I'm new to this, to this actually. So, but how is zero trust being applicable or applied to insider record changes from this? I think you called it policy information points. So your trusted systems, your inside systems for trusted records. So how can they rely on the record changes, or changes to the records are also trusted, so like controlled by approvals and orders, ticket machines, ticketing engines, that give them the trust that these changes to each and every record, from which their policy information and policy execution points derive the rule sets and the access, is, is in short.
Is this somehow understandable? Yeah. Yeah.
I think, I think definitely that's a piece that has to be protected.
I think that pertains to one of the earlier questions around, you know, how to protect the policy information point itself, you know, any place where the user records are kept the attributes upon which other access control decisions are made, that you need this layer of, you know, zero trust, authentication and authorization on top of that, even so that you make sure that unauthorized users can't come in and, and change access permissions or group memberships or entitlements, you know, for groups and make it so, or Speaker 15 02:34:59 Even authorized ones, it could the authorized ones without having an order to do so.
Right, right. So you have to track the tickets that give them the order and approval. You know, there's another interesting notion in a lot of Pam products too, that it's about like, kind of like turning on recording.
So, you know, there's a record of any changes that were made at the administrative level. You know, let's say there are a couple of different kinds of use cases too, around like, well, there's what we used to call, break the glass where maybe somebody really doesn't have authorization, but it's an emergency. So you've got the ability to, to sort of give them temporary powers, but that's all logged and audit as soon as possible. Yep.
John, sorry to interrupt that discussion. I think we're ready to go now for the next section. So you're gonna share your screen, I believe. Yeah. Can you see what I've got here? Not yet. How about now? Not quite, should I do something here? Okay. You're on. Okay. You got your email up, so Speaker 17 02:36:20 Has to switch you. You need to switch to view. There We go. That's it. Okay.
So yeah, I'll try to get through these last few slides as quickly as I can. This comes from sort of an adjunct document, the US DoD zero trust reference architecture. It's building on what the NIST document has to say. And I think it had some really interesting points, so I wanted to call these out too. Comply to connect, number one, you know, enforce patching and hardening as requirements for access.
So, you know, depending on what kind of organization you are, maybe you could get away with that. You know, an enterprise might be able to say, okay, as a contractor, I won't let you in unless you can guarantee that your laptop or your mobile devices are running the latest OS patches, that they're running security software, and they're hardened. This obviously won't work for consumer facing enterprises, but this is something to consider for organizations where you can enforce comply to connect.
And we were just talking about PAM: least privilege, privilege revocation when not needed. Macro and micro segmentation. You know, I like to think of this as, you know, ABAC at the network level, not necessarily doing away with VPNs, but making it much, much more granular. Hierarchical policy decision points: resource policy decision points can point to enterprise PDPs. We were kind of alluding to that earlier, too.
About if you have different customer facing environments, maybe with different service level agreements, then you only replicate the right amount of policy that pertains to that environment to those specific PDPs, which then point back to enterprise PDPs. And you can have application specific PDPs, data specific PDPs, and application delivery control. This is using that resource portal method that was called out earlier in the NIST document. Secondly, DevSecOps, you know, agile has become the way most everybody does software development.
DevOps has become the way it's deployed, but security needs to be involved, you know, upfront. DRM, IRM. We continue to hit on the encryption piece because encryption is a necessity, both at rest and in transit. There are interesting methods that allow you to do even working on files that are encrypted too. Data tagging, adding attribute data.
We've mentioned that a few times. This is something, you know, you not only need to add the attribute data, but you need to maintain it, just like we were talking about with information about users, keeping that fresh, access reconciliation. You need a similar approach with data because the attribute and metadata tags can become outdated after, you know, not too long of a time in some cases. The other pieces are parts of the architecture that we've discussed already: SOAR, security orchestration, automation and response, EDR, endpoint detection and response. That's just one piece.
You know, you also need to cover network, and that's evolving to XDR, extended detection and response, UEBA, or user and entity behavioral analysis, the risk engine. This is kind of putting it all together. And I've said that DLP, data leakage prevention, can work in conjunction with data access governance to help you do things like data tagging, attribute placement on data objects, and refreshing that over time. So I know there's a lot to see here, probably best not to go into too much detail, but the source is listed down below.
So yes, this, by the way, we got a question earlier, will the slides be available afterwards? Yes, we'll, we'll have the slides for everyone to, to download. And you can look at some of these complex charts and more detail then, but the zero trust pillars kind of cuts across user device, network, application, data visibility, and analytics, and then orchestration and automation.
And what this is showing is, you know, different layers of capabilities and the different components. Like on the user side, there's authentication, authorization and PAM. Some of that could be extended to device as well: authentication, authorization and compliance. Data, you know, data tagging, DLP, DRM, and then things like on visibility and analytics, that's where SIEM and SOAR come into play. Wrapping up here on this part.
What I like about this slide is this shows kind of the zero trust maturity model, you know, and at the very beginning it starts with assessment and discovery, you know, figuring out where you are on the zero trust journey, what kind of tools and your overall security architecture can help you get there. And then, you know, the data, assets, apps and services that you have within your environment, you need to understand the data flows. Going back to that earlier comment, which I think was very, very pertinent.
You really need to understand not only the data that you have, but the data and how it moves across your organization. You need, you know, an up-to-date user and device inventory, be able to identify your privileged accounts, log the traffic. And then after that, you've really got three layers or three levels of maturity: baseline, intermediate, and advanced. I won't dwell too much on these at this point, but you can see that, you know, a lot of organizations are still kind of doing the baseline. Background noise. Good Lord. I'm not sure what that was.
If someone's online, could they perhaps mute their microphone? Thank you.
So, baseline, you know, this starts with: let's do the network segmentation, micro-segmentation, put deny-all into place, permit by exception, make sure MFA is used, start doing your data tagging, doing assessments of the data, and start making sure that encryption is available both in transit and at rest. Then intermediate, you know, that's moving up a little bit.
That's using things like UBA, using DLP and DRM, starting to, you know, do the next layer up of micro-segmentation and, you know, user identity, starting to enhance your cybersecurity policies based on fine-grained user and device attributes. And then lastly, on the advanced side, this is where we hope to get, with, you know, things like just-in-time policy, just-enough-access policies, autonomous AI making changes to policy in response to that continuous diagnostics and monitoring, and making adjustments, you know, as needed, with hopefully great accuracy and not as much human intervention.
So, last two slides here. They call out some of the standards that are commonly used in zero trust. I thought I'd put these kind of in, you know, what the functions are. So we see things like X.509, FIPS 140; 140-3 now is the latest encryption standard. TLS 1.3 supersedes 1.2; more and more traffic on the internet and within organizations is now TLS 1.3. That adds some challenges for NDR tools that may not be able to understand TLS 1.3, because even the handshakes are, very little outside of the handshake is not encrypted.
So it makes it a little bit difficult to analyze. Then you have RADIUS, SAML, Kerberos, FIDO, OAuth 2, OIDC, our authentication protocols, many of which could also be used for authorization; XACML we've talked about for authorization explicitly. And then lastly, IPsec, DNSSEC, SSH are encryption protocols for the network. LDAP and SQL are data standards that, even though they're old, are still in use and will probably be in use for a long time to come. With that, I'll turn it back over to Paul.
John, thanks so much. And thank you for grappling with unknown noises at the same time.
Well, I wonder what that was. So thanks, John. See you soon. If we'll go back now to the main presentation, we'll just whiz through this. We're not gonna do all that again. So I realize that it's been quite a long session and it was an awful lot to take in, in that last section. But of course, as John said, everything will be downloadable, but I'll just do a, you know, a quick recap of some things that we've been talking about. So obviously zero trust is trust but verify. And most importantly, zero trust is a concept and architecture model.
So, I'm not gonna go into great detail, but identity and access management is, you know, one of the main tools that you have for achieving some kind of zero trust, and any IAM system should have these four things: least privilege, centralized control, be dynamic, and adaptive. And why is it important?
Well, because it obviously manages access. It also can help you with your compliance and security and efficiency. All of those things are important, but of course, going right back to where we were this morning, the efficiency is the business enabler, as is the access. And in between that we have the compliance and security, and IAM can do all that for you.
Again, there are different deployment choices for identity and access management, particularly in today's hybrid environment. So as I said, some people still like to have stuff on premises. Some people might want it as a service and in the cloud. And then that's just an illustration of how IAM sits in those various deployments. I'm rushing through this a bit because there's some stuff at the end I want to get to. There is a cat there on the screen. So that's John's cat trying to get access to John's computer.
So, and again, we've seen all this, another one of our reference architectures you can look at at your leisure, if that's your idea of leisure, or you can just look at it when you're back at the office. It's a good one to have on the screen, actually looks very good, but more importantly. So, getting started, think about your desired outcome. It's true of any deployment, you need to think about the outcome and the business outcome.
So start thinking about the applications, the services, the databases, all the other components that you want to be connected, and think about the types of users that you have. When thinking about zero trust, think about your legacy architecture, what you've got, the clouds, devices, endpoints, everything that's there, including your new architectures. And you need to talk to your stakeholders. So you need to talk to other people, the heads of lines of business, et cetera, and managers, and make them understand IAM.
Why IAM is a good thing and how it'll help them for the business, and think about, you know, designing the design. Sorry, think about how you're gonna design this and then prepare a roadmap. Really. I dunno if people do that, but it actually is quite a good exercise to actually put down markers of where you want to be and what you hope to achieve at a certain point in the future. So define those steps to get to that outcome.
So, although I said that we don't quantify the zero trust market, there is a market of products that will help you, sorry, to achieve zero trust. It's a hugely diverse market.
It's getting wider all the time. It involves obviously identity access management, privileged access management. But now we're seeing newer products, CIEM, not to be confused with CIAM. So that's cloud infrastructure entitlement management. There are now a number of products that call themselves CIEM, which also will help with zero trust. So we would then have identity as a service. We would have cloud access security brokers and secure access service edge, sorry, or SASE platforms.
So it's a confusing market. And as you saw in John's section, it gets very complicated very quickly, but we are sort of here to help. Just some stuff to think about again, when you get back. So take a look at these: what kind of data protection solutions do you currently have? How ubiquitous are things like encryption, and what is your current investment in network security, et cetera?
So you'll be pleased to know we're not gonna do an exercise now, 'cause I realize it's almost lunchtime and I'm sure that, but if you could just think to yourself, is there one thing that you got from today? I hope there was at least one big lesson. I think for me it was the different planes to consider, which I thought simplified the whole zero trust. And hopefully you feel a bit more confident about zero trust now. We obviously welcome your feedback too, so you can directly email me, you can directly email John, or you can directly email KuppingerCole.
So we're always interested in whether we're doing the right thing. And finally, we do have all sorts of resources online.
So again, when you get the slides, you can check these out, and these go into more technical and granular detail about zero trust. And all of that is available on our website. If you don't have a subscription, you can have a month's free trial. So you can download as much as you like in a month and then hopefully you could carry on the subscription, but it's all there for you online. And that's it.
So I really appreciate your time this morning, and I know it was quite hard, heavy going in some respects, but thank you so much for, you know, joining in. So, really appreciate that. And with that, I think it's time for lunch. Okay. Thank you. Thanks, everyone.