Event Recording

Demystifying Zero Trust

Log in and watch the full video!

“It’s about the journey, not the destination” they said. “It’s basically just Don’t Trust But Check, what’s the real difference?” they said. “ What’s the big deal?” They said.

Zero trust has been the panacea to everyone’s security problems, for a really long time now, and yet we are still talking about it, and not just doing it. It’s no surprise that there is a certain level of cynicism then that zero trust was all marketing and no trousers.

If 2021 brought us anything though, it was finally some clarity that zero trust really does have a role to play in the enterprise, just not by itself. Various vendors and enterprises have finally conceded that while it is important, it is just one part of the puzzle to help organisations manage their ever changing, digitally transformed, hybrid working, flexible, work from home environments.

Everything changed with zero trust, and now it is actually helping us to change again. In this talk, learn from;

Where zero trust came from, and where it is now
What the new working paradigm means for CISOs…
… and how zero trust environments and working models can help, not hinder, even without a final destination

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So super excited to be here at least like virtually, hopefully at one point we'll do it also in person and be able to join. So yeah. I wanna talk to you about our favorite topic these days, zero trust and looking into like a little bit demystifying all day claims and discussions around it, essentially next slide. And pretty much like what I wanna do is like par separate it in two buckets of discussion. First, just level set, talking about the fundamentals of zero trust, where it comes from, what are the benefits and then looking into from a programmatic perspective, like how do you actually think about moving into a zero trust security model? Next slide. One of the things that is important to understand, like probably like what were the changes that made us look into adopting or looking into a new security model in first place?
And from my perspective, there are around like five big innovation areas or changes in the industry, changes in the it world that drove a lot of thinking in terms of security architecture and how we should be thinking about it from a user identity perspective, years back, it only cared about user identities for their employees today with B2B B2C identity identities provided to partners, applications, even contractors, customers, and so on. And so on the landscape or the amount of identities that it is managing has exponentially grown. Similar thing happened on the endpoint side. It used to care deeply about managed endpoints about these machines that are always in the office. However, with B Y O D T type devices, mobile devices, this again shifted. And now we are looking into supporting an environment that is very much diverse. You talk about different operating system, different form factors and also different security requirements.
Similar thing happen on the application layer side, particularly like what happened with during COVID and the lockdown in many countries, a lot of applications that security professionals or different application will say, oh, you could never move them into the cloud, had to be moved or in the cloud overnight, very often in order to support business continuity during the lockdown. And now these applications are running in the cloud and we need to figure out like, how do we secure the, the data that's stored? How do we secure the access and so on? So there was, again, a shift in terms of like the applications that we are responsible for. And then ultimately like on the network side, it was like in the security space was all about network pyramid based security model, where we will try to secure as much as possible, everything that is happening inside the corporate network with all these traditional models and technologies, IDs, firewalls, and so on.
But reality, particularly with the three things that I was mentioning before there has been a shift, right? It's no longer just about the corporate network. It's no longer just about what's happening inside corporate offices. So we, we start need to think about the security implications and requirements. When you look into securing assets, not just in the office, but for employees that work virtually from anywhere in the world. And with all that, what we start seeing from a security standpoint was that a lot of the technologies that we had invested in, in terms of like data analytics, data platforms, and so on no longer scale, right? So we, we reached to a point that these technologies that were aiding us in the security room no longer provided the scalability, the flexibility that we needed in this new world that we are in today. Next slide. So the question became like, okay, like, what's next in terms of like the evolution of the security architecture for many organizations.
And then at one point, this whole buzz came around in the industry around zero trust. Zero trust itself is nothing new. Zero trust comes from the back from the military world where frankly speaking a lot of the things that we do in cybersecurity, we adapt it from the military space, right? So it's the concept of never trust, always verify, assume breach and verify explicitly. What does really mean is that we no longer trust and endpoint and identity by default, everything needs to be validated. Everything is assumed to be breached, right? When you authenticate to an application, we are first assuming that you might be compromised and you need to prove otherwise. So a couple of years ago, when one of the lead Analyst at Forester then came up with this paper on zero trust, there was a lot of emphasis on really understanding like, okay, how do we actually get a company from moving to a parameter based security model, into a state where they can continuously verify the trust relationship between different entities in order to make just in time decision, next slide.
And if you think about it, like why it is so important, right? It goes back to the paradigm shift, right? If you think about like cloud services inside an organization, if you think about the mobile workers in many organizations, right? They start to represent a critical mass, or they are already a critical mass. So we needed a way in order to secure these premises in order to help secure the assets that are out there that no longer are in control or benefit from parameter based security models. Right. And that's why one interesting research was like, in terms of like how many companies are already looking into zero trust. So there was a study made a global one where 42% of the response said, yep, like we are planning and moving into a zero trust model. They have a zero trust strategy in place. And they're at the moment in process of migrating over next slide.
So in order to visually explain a little bit more like the differences let's look into a legacy perimeter based security model. Of course, like this is a architecture that's very much like simplified, but the way to look at it, like from left to, right, right. Historically majority of enterprises, you have your employees, you got your partners, you got some level of devices like windows, computers, maybe some iPhones and stuff like that. And they're all one thing in common. They go to the campus, they go to the office and from the office, they leverage a corporate network. And we, from there, they're now moving into connecting to untrusted sources, public cloud service solutions, SaaS applications that are enable by the it team or directly to the internet. The way we would secure this historically, or for many organizations today is through static policies, right? Like preventative measurements, parameter defenses, essentially putting walls in between.
Now the problem with that was that the paradigm shifted, right? So the, the way employees connect was different, working from anywhere became a thing. So we needed a different model and attackers start leveraging until now the benefits from their perspective on the legacy perimeter based security model, next slide, because what they realized, and like, if you think about like 99% of all attacks today, based on a legacy architecture that an enterprise has, the endpoint, the identity has a trust relationship. By default as an example, the, the CFO's computer has static permissions to access probably all financial documents, data share locations and so on. And so on. That means that if an attacker compromise that asset, they have also the same level of access and they can easily move around. Right. And it helps an attacker to move laterally and essentially reach their ankle fairly easily because they benefit from this predefined trust relationship between the asset. It can be an endpoint and identity or both with the different sources, right? So again, a big change for us because we were looking into like, how do we actually make it more difficult for the attacker to move laterally? Next slide.
So when a lot of smart people came into, let's say into the room and looked into like the zero trust model looked into what Forrester back then published, we're looking into, okay, how, how can we actually secure the new normal, like the new environment, that many organizations, both from a people perspective, from a process perspective, and from a technology perspective, need to be able to support. We still have our employees. We still have our partners, all the different devices, what might be new for many, for some organization, our cloud workloads. So we need to understand also like data address data and transit security there. But basically a big shift was like, well, not everybody connects to the campus or not everybody visits the campus. There are no hybrid and remote workers, right? And even for many organizations that were in lockdown that went fully remote, many of them are saying, Hey, my employees can remain being remote or have flexible models where their employees come in like two or three times a week to the office.
So now we have this new paradigm and we need to support it from a security perspective. So what we are seeing here with zero trust, and that's like, where technologies like ZT a and sassy and so on play in right, is like, rather than focusing on the corporate network, we are looking into adoption of VPN or zero trust network access technologies that connect through the cloud edge. And then it connects us to the relevant services. The big shift here is essentially that we are now talking about not static security policies. We're talking about dynamic policies. Essentially. We are talking about the fact that no asset is trusted by default on a high level, we are saying only trusted identities with healthy endpoints can connect to corporate resources and services. And if there's any suspicion on the endpoint or on the identity level, we need to make sure that we provide mechanisms in real time to block our limit the access to these services.
Next slide. So the question becomes like, what is the difference from an attack perspective, right? With a zero trust security model. Now, again, there is no inherent trust relationship that is there by default trust needs to be continuous to verified. So that means like on a simply speaking, when an endpoint, for example gets compromised, the, the risk score of this endpoint will change. And this endpoint will no longer have access to certain corporate resources and services. So it will slow down as a nice side effect, certain attacks. Right? So when the attacker is trying to access resources, Z T a for example, might be able to, to block certain activities or because of the change in terms of like the endpoints security level, certain preventative measurements might be enabled and all this happening in real time. Next time. Yeah. So the question is like, then, like, if you think about like the fundamentals of zero trust, it becomes the question like, okay, like how do we actually get there?
Right. And what is important to understand? Like, and I think as an industry, we need to do better here because we, we start seeing like a lot of vendors claiming it's like, oh yeah, if you just buy this technology, you have zero trust. If you just do this, you have zero trust, but really moving into a zero trust security model. Isn't just something you can do overnight. It's, it's not something you can buy. And you're done with it by installing an agent, moving into a zero trust security model is very often for many organizations, a multi-year journey, right? Because you're fundamentally changing your security architecture, moving from a legacy perimeter is security model into a zero trust security model. Next slide. So when you think about it, like how, how, how, how do you wanna approach it? One of the things you can look into is like the, the building blocks of a zero trust security model, right?
The first step is identifying your protect surface, right? So understanding actually, what are the assets that you want to protect? Right? So this goes back to like, historically, we were looking into the attack surface, like, what are the things we need to the vulnerabilities, the exploits, and what whatnot that attackers might leverage, like to get into my environment. Now we are actually saying, Hey, what about if we look into what are the, actually the assets, the corporate resources and services we need to protect because when we know that we can next step, identify and map the transaction flows to understand like, what is legitimate interaction traffics from these surfaces. And then we can build or architect the relevant security frameworks for the environment. We can build the zero trust, security policies, identify like interfaces groups inside the organization where you step by step, roll out, try it out and then improve the security policies and then ultimately move to a stage where you monitor and maintain the zero trust, security model of your organization.
Next one. So what are the building blocks? And then from a zero trust perspective, right? Like on a, like the foundation of zero trust from my perspective is about visibility, analytics and automation. Right? And the reason for that is if you think about a lot of the things that I talk about, it's all real time, it's dynamic and access requests are happening very, very often, very, very fast. And like humans alone, we, we can't like have people monitoring access requests and then deny or approve them, right? Like, let's say again, the CFO accessing earning report documents. Like you don't wanna have that request pending in a queue from help desk for a couple of hours till someone is available in order to say yes or no for, for the request you need to able to do just in time access request and the management of that.
So in order to achieve something like that, you first need the visibility, right? You need to understand what is happening in the environment, how it is happening once you know that like, once you have that data, you need the analytics capabilities, right? So you need to be able to say like how likely it is that something is malicious or suspicious or legitimate. And once you have that, you need to have the automation capability in order to essentially do these decision processes, right. You to decide, is it approved? Is it denied in particular, like from an access three perspective, right? And then essentially you're looking into this aspect across endpoint, cloud workload identity and the network side. Next slide. One of the things that I always recommend is like a white paper from CS. A because in the CS, a white paper, they talk about the maturity level, right?
Like a zero trust maturity level. And this is something like, I always recommend folks like to look up to read through it because it helps you practically understand, like, what are the building blocks for me in order to move to a complete zero trust security model, right? Because again, it's not like something you will do overnight. It's a pro process. You need to have, you know, what you're doing when you're gonna bring it to the organization, but at the bottom, essentially again, right? The building blocks for size, also visibility, analytics and automation. It starts with a traditional enterprise. It looks into like identity endpoint network and cloud workload. And within their, it basically gives suggestions in terms of processes, as well as technology that you might wanna like look into, like goes without saying like the starting point in identity is MFA on the network side, macro segmentation on a workload side access based on local authentication.
Right. And then essentially when you almost like check mark these areas, you move into the advanced stage, right? Compliance enforcement on the endpoint, some level of analytics capabilities on the, on the network side. And then ultimately you move into the optimal state where essentially across all these, you have continuous validation, real time dynamic analysis on the identity, on the endpoint layer and so on and so on. Right. And again, this is great because this gives you like a practical thing where you're like, okay, now I know how do we get into zero trust? Like, what are the starting points for it? And what are the things that I should be prioritizing inside my organization, as I'm thinking of moving from a legacy pyramid based security model into a zero trust security model. Next slide. So with that, I wanna thank you so much and I'd be happy to open for Q and a in case there are some questions.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Unify Identity and Security to Block Identity-Based Cyber Attacks

Join security and identity experts from KuppingerCole Analysts and ARCON as they discuss the importance of securing enterprise credentials, explain why a unified identity security approach in line with Zero Trust principles improve security and efficiency, and describe how to combine…

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00