Event Recording

What Supports Zero Trust in the Enterprise?

When we think of Zero Trust, we often discuss how it can support and improve your security posture, defense-in-depth strategies, and architecture -- but what supports Zero Trust? This discussion will focus on other IT / Security strategies, methodologies, and business practices that can help better position an organization to be successful in their approach to Zero Trust. 

Thank you very much and good afternoon, everybody present. Unfortunately, I'm attending virtually today, but hopefully I'll be there in person next year. Today I wanted to talk about what supports Zero Trust in the enterprise, and a little bit about what I mean by that. When we talk about supporting Zero Trust, we talk a lot about managing authentication and authorization paradigms and managing device context, but scaling this out to our business partners, perhaps the people that are not even necessarily the most technical, how do we do this? Doing this en masse has been the problem that I've been trying to solve at Yahoo for a few years now. And I wanted to share some strategies around how to do this with IT and IT service methodologies, and talk a little bit about how we can simplify the business that we do in cybersecurity in order to better support those that rely on us for security and, at the end of the day, rely on us for service.
So our objectives for Zero Trust: it's all about positioning security and service offerings to protect access to resources and to data. In a number of speaking engagements I have driven home how I really see identity as a service offering almost first, or at least completely in tandem with a security offering. Yes, we're providing all of those Zero Trust paradigms: the correct access with the correct privileges, and only for as long as that access is required. But to the average application owner running an app, an HR application for instance, who again might not be the most technical, how do you translate that message in terms of the policies that you're applying to their platforms? And how do you work with them to position their platform, or any development they might be doing inside of it if it's an application, especially if it's something that's been built by their team or by an HR technology group, as we have at Yahoo, for Zero Trust?
We want to implement identity proofing; authentication and authorization, obviously, is a must. We're communicating with them to lessen their historical dependence on the network as a single reliable trust anchor. Again, the paradigm is that bad actors are already on the network; presume that the network has been compromised. And then we want to implement access control policies which understand various contexts about the person that's going to be authenticating to those services: adaptive authentication, device context, geographical location. Those things are important. Again, how do we work with the business in order to be able to understand that? And then how do we extend that same understanding to service identities, which historically, I think, have been the root of a lot of problems across identity when we look at attacks that have occurred throughout the industry. So then again, how do we support an organization moving to Zero Trust?
And simply, the answer is simplicity. If you're an enterprise worker, you have all these things about you in the enterprise, all these artifacts. You have your attributes from your various sources of record, generally from HR, often abstracted across directory platforms and services. You have associations about what role or roles you have, and the various entitlements or privileges and rights, at the end of the day, that you receive for access to data. You have devices which have enrollment flows that need to be understood, and I think enrollment flows are really the critical pain point for a lot of those things when you're working with the business to help guide them on their security policies, or at least on how they interact with your security policies. You have various credential factors: password, of course, which we're doing everything we can these days to get away from, but multi-factor authentication, FIDO2, WebAuthn, all of these utilities that we can use to better prove, within that instant before we're granting an access token, that this person is who they say they are. Geography, of course. Network: well, yes, we're presuming that the network is compromised, but it is still an important piece of data and context that we need to translate on behalf of the business. And all of these things are going to, at the end of the day, dictate policies for who's going to be able to access which data resources and for how long.
So again, we should be working to reimagine identity as a service wherever possible. These things do need to be understood by our business: that same HR technology owner needs to understand, at the very least at a high level, how to integrate with your authentication, your identity provider, in the exact same way that the person in finance who's doing it does. Because one of the things we're obviously concerned about is lateral movement. I wouldn't necessarily call it shadow IT, but there could be implicit interactions between applications that the identity provider might not be aware of. So making those business owners aware of these things is really our critical mission here. So, methodology, referring to how an organization operates depending on the resources that you want to protect: there are some questions that I want to always be asking myself when I'm working with a new business owner in the company, really just getting them into a place where they can better support their business.
So I'm always checking: are we aligned on our authentication protocols? Now, at Yahoo, we're very big on OpenID Connect and OAuth 2; we're moving away from SAML very quickly. But really, is your organization aligned on those authentication protocols, on when you use them and under what contexts? For us, as far as when you use them, that's really just our effort to move away from SAML. We're narrowing our use cases down on SAML at Yahoo so that we're not using it as heavily, and we're trying to move forward with OpenID wherever possible. As we talk about IT service management: are your identity service offerings aligned with application software development? We have a platform in house that helps drive a lot of our IT provisioning and a lot of our workflows, and we need to make sure that the life cycle of how we improve that platform, how we onboard new services onto that platform, which does require some development, is managed.
We need to make sure that our software development lifecycle is in line with the business. This is just one of those ways that we can better work with our business application owners or business owners in order to ensure that we're providing them the right services, because at Yahoo we've built IT provisioning and just-in-time provisioning into a lot of the service offerings that we provide. And that is also a prerequisite for leveraging any of our identity provider service offerings as far as authentication. So obviously that drives them into the pipeline. Everybody wants to be able to use single sign-on. Everybody wants to be able to take advantage of these security policies, if for no other reason than IT security told them that they had to during their security review when they either purchased or built their application.
But are we providing our service at the right cadence in order to be able to do that? And along with that: are your security reviews conducted in relation to Zero Trust? This has been an area where historically, I'll admit, we struggled a little bit, where a business owner purchases an application that I wouldn't say is inherently insecure, but I would say is challenging from a Zero Trust perspective, just because it's possibly a more legacy application, or it's a very simple application that hadn't thought through many of these use cases for implementing something like OpenID Connect. And then at that point, you're working with the business to get more creative. If you were able to catch that during the security review process, could you have possibly gone with a different vendor? Could you have possibly built the application differently?
Do your identity governance operations responsibly support the business? Identity is, again, right in the middle of the cybersecurity needs that we have as an industry and also of our service offerings. It would of course be very tempting to build the most aggressive policies on earth all the time in order to be constantly protecting the data and resources that we're asking people to access responsibly. But those policies obviously need to be grounded in reality and allow people to work within the context that they're going to work in. And I think remote work and everything that we've gone through with the COVID pandemic really stressed that for us as an industry, and definitely as a security organization in Yahoo. Ask yourself at all times: are your application owners, are the stakeholders that you work with, aware of the why behind Zero Trust? Depending on where you're looking across their technical understanding, they may be fully aware or they might not understand at all.
And really, how you communicate that, and how you communicate Zero Trust within your IT service offerings, goes a long way as a business to creating a more cybersecurity-minded culture. And then continual service improvements: do they take security into scope? Identity has a user experience component at the end of the day; failing to appropriately manage that user experience within continual service improvement leads to shadow IT. It leads to people working around identity offerings, and it's just something to keep in mind as we're considering those efforts and initiatives. But the most important question for me is: at all times, are your application owners, your resource owners, your data owners empowered to make the correct decisions for implementing an application without your assistance, in a self-service context if possible? That's really, at the end of the day, the goal. We run enterprise identity for Yahoo. We don't want to be hands-on configuring every single team's identity application, and we need to be able to trust at some level that the service offerings that we're providing, the policies that we're providing, the technology that we support is being used in a responsible manner.
So infrastructure is the next area where we can simplify, other than just how we frame cybersecurity and identity as a service. The infrastructure of your identity ecosystem has to be able to protect the data that you're looking to protect. But again, it has to be managed in a particular way that everybody can understand, and really, open standards are the best way I've found to be able to do this. If it's able to be easily documented and provided, it makes the most sense. Of course, the open standard has to be a good one, but common implementation patterns, really at the end of the day consistency in those implementations (and for us, again, it's very much OpenID Connect driven at Yahoo), consistency in how we do that simplifies our auditing procedures. Yahoo IT, not unlike most businesses, is under a lot of various regulatory scopes in the media business.
We need to be ensuring that many of our applications are able to responsibly manage their audits and that our auditors are able to responsibly get access to that data, which requires policy controls, control layers, and processes on top of everything that we're doing just enabling Yahoo workers to access that information to begin with. And then of course, we need to be able to do this in a lower-overhead environment. You can't create barriers to entry so high that people don't want to implement your procedures, because again, they'll work around it, or they'll create more work for themselves in manual reporting and auditing. That's just going to slow everything down for the business. It impacts the service that you provide, or at the very least the perception of the service that you provide. Again, it leads to shadow IT, and it's just a drain on the business if you're not aligned in this manner.
So on the diagram I have here on the right, just breaking this down as an example: how does this hypothetical cloud finance application consistently leverage or integrate authentication, user life cycle management, and all of our identity governance service offerings such as certification? And as you're moving into Zero Trust as a business owner and communicating that with those stakeholders, I think what we really want is to ensure that those service offerings are aligned at all times, so that if two business owners are integrating with you, they're having the same experience.
So we talked a little bit about service identities. Service identities is one of those areas where I think, again, we've struggled. It's challenging to identify humans under context; it's almost tempting, I think, to ignore service identities in terms of context. But how we manage credentials in particular, how we rotate those credentials, has to be secure, and we want them to be held to least privilege, sure. But with service identities, it's a little bit of an individual challenge, because so many of the platforms that your application owners might be building or buying in many cases have their own paradigm for how to manage a service identity. So how you federate to those is definitely key. Again, it's something that we would want to stress in terms of security review: making sure that you're buying or building platforms, or at least guiding the buying and building of platforms for the business, that help better work with those service identities, and again, guiding the business in terms of how those can be managed more consistently.
What does all that noise mean, really, at the end of the day? Now, everything I have on these slides assumes that you are the owner of the universe and that you're the one who gets to unilaterally make all of these decisions. For me, this is more of just general guidance and a framework. I understand that that's not necessarily reality. You don't own the purchasing or buying decisions, but as a voice of the company, as a voice of your enterprise and your information and your cybersecurity practices, that's really where you want to be able to evangelize Zero Trust: across IT methodology, across infrastructure and across devices. Again, you likely don't own the world, but how do we simplify how devices work for application owners within your identity ecosystem? You're always going to be dealing with this concept of flexibility versus control, usability versus security, bring your own device.
We talk about bring your own device as though it's an option. I had a conversation recently, internally at Yahoo, where I was almost taken aback myself: it wasn't just "should we be doing this?" It's real; it's already happened. Bring your own device is this driving force within the industry that a lot of application owners, even within cybersecurity, aren't necessarily ready for. And it comes with trade-offs, not so much for security posture, but more: how do you manage these devices responsibly? How do you ensure that you're able to, at the very least, cut off access to devices under certain contexts, usually when an enterprise worker leaves the company? And again, all we're trying to do here is simplify as we guide our business and our enterprise through supporting Zero Trust. All we're trying to do is work with business owners, work with stakeholders to ensure that they understand how a user accesses their platform, how the identity platform works with device certificates, how it can do HIP checks, how it can be aware of the operating systems in place, whether or not those devices, at the end of the day, are in compliance, and any multi-factor offerings that are bound to those devices in the event of origin binding, FIDO2, et cetera.
So again, breaking down that complexity for the business... I almost feel myself talking in circles about it. It's challenging. So obviously documentation, communication, and really building a security-minded culture is so much the driving force there. And if you run an enterprise and you're going through a Zero Trust initiative, you're taking on this program, you're taking on this life cycle and this manner of being, these are the questions that I would be asking yourself constantly: are you doing these things well? Or at the very least, as we talk about IT service management and continual service improvement, are you improving these things at a constant cadence and at a constant rate? So as an identity practitioner, as a cybersecurity evangelist, it's really our responsibility to be effective partners for Zero Trust. We get into the technology often, but we don't necessarily think through what this means for the stakeholders at large that need to integrate with these products.
And for me, when I was thinking about just what I wanted to discuss here, presenting at EIC, it's really this problem. To a lot of people that I still talk to, and it kills me a little bit inside whenever I hear it, Zero Trust is still a buzzword. And I'm doing everything I can as an industry practitioner to push against that and show that this isn't just about making their lives more difficult as an application owner trying to integrate with an enterprise resource like our identity provider. It's about providing a service, and it's about making their lives easier at the end of the day through a strong security strategy that's as much rooted in IT service management as it is in security. And that requires understanding your business, of course, but it also involves communicating it heavily as well.
At the end of the day, your resource owners, the people that own the data in your business, are the customers and custodians of Zero Trust even more than you are, because if they find your security offerings difficult to work with, they're going to work around them. And that's when you're going to get into lateral movement type use cases; that's where you're going to get into service credentials that might not be rotated frequently because no one knows that they exist. Maybe they weren't detected by any detection platforms that you have in place, or threat or alert monitoring platforms, just because we didn't know what exactly we were supposed to be looking for or at. So, yeah, that's my primary conclusion here: as a business, it's something that we always need to be keeping in mind and working through. Thank you very much.
Thank you very much, Brian.