Event Recording

Panel | Best Practices for Implementing Zero Trust



The “zero trust” approach to cybersecurity has been gaining momentum in recent years, as both corporations and government agencies have struggled with how to enhance security given the de-emphasis on the network perimeter. For the most part, the zero trust movement has remained rooted in network principles. However, in the last two years, much of the world was forced to interact exclusively online, creating a sense of urgency around zero trust security, and the “never trust, always verify” philosophy behind it reached a new level of importance.

In this panel, you’ll hear from security leaders who have approached and implemented zero trust with an identity-first philosophy, considering it a transformative way of reducing friction for users, while addressing the increasingly challenging risk environment. They believe a true zero trust environment requires a strong identity and access management framework. 

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

As Chris mentioned, my name's Julie Smith and I'm the executive director of the Identity Defined Security Alliance. And I wanna thank you for joining our session today, this evening. So morning for some of us and, and evening for others, for you all in the room. Before we get started today, I just wanted to introduce you to the Identity Defined Security Alliance, or IDSA. We're a nonprofit that provides leadership expertise and practical guidance, thought leadership, expertise and practical guidance on securing digital identities. The IDSA provides vendor-neutral research, education, and best practices that help organizations reduce the risk of an identity-related attack. Membership is open to identity and security vendors, as well as end user companies and practitioners who are committed to the vision of an identity-centric approach to security. We host Identity Management Day on the second Tuesday of April every year in partnership with the National Cybersecurity Alliance.
And we are an approved (ISC)² submitter partner, which means all of our content and events, as well as participation in the organization, are eligible for CISSP CPE credits. I encourage you to check out the website, idsalliance.org, to access our content and learn more about membership. So let's get started. We have a great panel discussion today. The zero trust approach to cyber security has been gaining momentum in recent years, as both corporations and government agencies have struggled with how to enhance security, given the de-emphasis on the network perimeter. For the most part, the zero trust movement has remained rooted in network principles. However, in the last two years, a sense of urgency around zero trust security and the never trust, always verify philosophy behind it has reached a new level of importance. So a few of the folks today have approached and implemented zero trust with an identity-first philosophy.
They consider it a transformative way of reducing friction for users while addressing the increasingly challenging risk environment. And you'll hear more about that here shortly. You'll get some advice and lessons learned from them, and we'll talk about why a true zero trust environment requires a strong identity and access management framework. As Chris mentioned, if you have any questions for the panelists, please let us know. And hopefully for Rio and Frank can help us moderate those as well as Chris. So let's start with the introductions of this fantastic panel. Den, I will start with you.
Thanks, Julie. Hey, good afternoon, everyone. So, Den Jones. I'm the chief security officer at Banyan Security, and prior to Banyan, I was the director of enterprise security at both Cisco and Adobe.
Great. Welcome, Den. Josephina.
Hi, my name is Josephina Fernandez, and I am the senior director now responsible for enterprise security at Cisco.
And so let's move to the room in Berlin. Forio
Hello, everyone. I'm F Ricardo. I'm the head of product infrastructure security exc before G was in few financial companies like gig German stock exchange or insurance, and Cleman startup and O also security advisor for some of some of the companies.
Great. Good to see you FIO Frank
And I'm Frank Small. I am the Amir channel for interest and I'm looking after our identity and zero trust platforms.
Excellent. So let's get started. So recently I, I mentioned that we are host of Identity Management Day, and during our Identity Management Day conference, we took a poll and asked participants, what is zero trust to you? Right? That's the question, I think, that comes up quite a bit. And so the, the responses were an architecture, which was about a third of their responses, a product, 3%, a mindset, 56%, and nothing, but excuse me, nothing but hype was 5%. So I'm curious to get everybody's perspective, and maybe there's an answer that wasn't included in the ones we asked our participants in the conference, but Frank, why don't you kick us off and give us your perspective on exactly what is zero trust.
Thanks, Julie. Thanks, Julie. I suppose yes. Mindset. I tend to agree with that and I suppose, and, and architecture, I suppose I tend to agree with that as well. Not sure about product, to be honest, I'm not sure about product or, or certification, you know, for that matter. I see more, well, I see more as a security framework, a, a security model based on the old, you know, trust nothing, verify everything, you know, validate, control, protect. So validate the users, the identities, machines, devices that are trying to connect, are trying to come into your, into your network, then control, control the access, control the access by, by enforcing granular policies. And I suppose the last step would be to protect, encrypt all the data transactions. That is a, in a very high level overview of what I would see as a, as a zero trust, please.
Den, what do you think? Do you have anything to add to that different perspective?
Yeah, the one, the one thing that wasn't mentioned there is strategy. I think some people have used that term quite a few times over the years, which is it's a strategy. And actually, and I totally believe it's marketing hype more, you know, it's more marketing, hype and more confusion by vendors than anything else.
Anybody else wanna jump in for VTO? Joseph, what are your thoughts on zero trust?
Well, I feel definitely is an abuse word nowadays, so probably somehow hype, but I also agree with gang is so is an architecture, but where architecture is more in a more, let's say bigger sense. So it's a, strategy's a design is a solution. And I want to say that least a security piece only it's more like is more overall the touch, several part of gang enterprises, touch finances, touch governance, touch security. And, but again of GGE you want Google, you want to implement cross also to improve gay, overall end user experience. And that's why it become, it becomes a strategy and it becomes an enterprise architecture piece and not a security architecture piece.
Excellent. Josephina,
I think the only, yeah, I think the only thing that I would add to sort of what's already been said, and, and it's little bit how I describe it when I talk to customers is that it's also a journey, right? So, so zero trust is a journey it's and it, it really, you know, you can decide where you wanna start for us. It's a lot about, you know, just rolling out those zero trust principles of, you know, establishing trust with the user as well as a device, but, but really it's, it's a journey. And I think the important thing is to, to start to start on that journey
Start somewhere. Right. Great. So given the tactics being used by our adversaries have changed over the years from exploiting the network to just simply logging in using compromised credentials, how should organizations think about zero trust? Its foundation is a network-based approach, but how should organizations be thinking about it now? And I was reading an article today in preparation for this and, and the argument was being made that maybe zero trust should be called one to one security, which I thought was kind of an interesting approach. So Forio what, what is your perspective on that?
I'm always feeling like story when I have this question. So I really think, yes. I mean, the foundation is effectively at working. It starts back in 2003 week Jericho project and then expanded to basically to what we know right now. So, and touch is gang 2017, KU thousand 12 paper by, by John about zero trust and Ang crossing, working, but effectively right now you cannot only consider gang work. As we, we knew backing the time there is contract is bring your own device. There is, there is cloud. So effectively restricting only to GK will be limit. Otherwise we going will be not about zero trust, but just base our security Oncor access control. And that will be, be fine. So I think, yeah, evolve and more becoming more a Yankee because a is something that you have it from the moment you join a company independently, if you are an external or, and that you can bring with you independently bag a device ice.
I agree. I agree. And I suppose times have changed times have changed. Not in the least helped of course by the, by the pandemic. And I suppose as a, as a result of that new, new threats or new threat factors have, have, have emerged think of your, you know, your workforce, your, the workforce as well, everywhere these days, you know, at home in the office, again from hotel hotel, lobbies airports, and think, think of your, you know, your data, your data infrastructure, it, it resides in a public cloud, private cloud on premise on premise legacy applications, perhaps the increase of new devices, external devices, external machines that are trying to connect within your network. So, you know, the, the, the traditional, the traditional perimeter is well and truly gone by now, I suppose. And I suppose it's time that we, that we put identity to the forefront make the new, the new boundary and the new perimeter.
Yeah. So the interesting thing to me is, you know, we've, we've been talking about, is it coffee, shop it, I guess this, this concept that users have been remote for a long time, actually, even since before the pandemic hit. And so I, you know, that that need to sit in a coffee shop or an access securely has kind of been floating around for a long time. Den, I know you've done some stuff over actually a long period of time at the, the previous two companies you've worked with. Maybe talk a little bit about what was the catalyst for the initiatives that you guys started around zero trust, and maybe it wasn't even necessarily called zero trust when you kicked it off.
Yeah. I mean, the reference we had was Google's BeyondCorp and I'll, I'll say a lot of research and academic papers and things of that nature, which in all, all honesty, weren't exactly really helpful for what we were trying to do because we didn't have the money that Google had. And, and we didn't have time to sit there and pontificate. So we, you know, twenty seventeen, twenty eighteen Adobe we'd already, our CIO had already begun the adventure of cloud first. So all new applications and services, they were in the cloud, our workforce was already moving around very, very remotely. So before COVID, you know, we didn't this concept of everyone working from home didn't exist, but, but certainly a lot of people were working from home. So, so it was, it was really born out of improving the user experience as well as improving our security posture.
And for, for us, that meant changing how you authenticate. So hiding the first factor, username and password make that disappear make, make accessing applications frictionless. So there's no VPN exchange. You know, you're not, you're not prompted for one application, but then not prompted for other applications that, that becomes very confusing for users. They, they don't know when the VPN in versus when they don't cuz cuz apps are just apps. They don't care. And then for us, you know, the device posture was never included into the authentication thing. The device is an identity. So the reality is for, for us, that became a really important piece of this puzzle was let's do a posture check on the device, a minimum bar, make sure we knew what kind of devices were accessing apps and services, as opposed to, if you look at like the SANS Top 20, you'd sit there and say, what devices are on my network.
You know, that was very geared to what's on my network. It's like, well, a lot of things, aren't on my network apps, aren't on my network users, aren't my network. So, so we twisted, you know, we twisted that, that journey pretty early on. And, but what was ironic is by the time the pandemic hit our users, weren't using our VPN, you know, 40,000 people weren't using VPN. They, they, they didn't need that for their day job. And they didn't, they didn't know where those apps and services were. So we, we, luckily I would say through some of my smart team members and architects and stuff, not, not this guy smart, the team, you know, got the strategy, got us up and moving and stuff and, and we managed to, to deliver it before the pandemic even hit.
Yeah. And maybe it's those of us that have been in tech for a long time have been, been working in a very remote way. I know I'm guilty of it. Every time I start talking about this concept, I write since the pandemic, you know, everybody's remote moved to working remotely and, and maybe in tech that we've just been used to it, but there's a, a huge, vast number of organizations and industries that just haven't been used to that way of working. So it's been interesting. Josephina, I wanna get you jumping in here and talking a little bit about the, the journey you've had at Cisco. So it seems that some of the organizations are still struggling just with basic IAM capabilities and we have a research report that we'll be publishing in June. That talks a little bit about how far behind organizations are just with things like MFA or deprovisioning accounts in a timely manner. So can organizations kind of tackle this, getting the identity foundations in place, as well as implementing a zero trust or starting a zero trust strategy? Can they do those things at the same time? Maybe what's your experience with that?
Yeah. So, you know, I'm a firm believer now that the important thing is just to get started doing something, right. I, I think a lot of times, you know, what, what I've seen from, from talking to customers is that they, they look at something like zero trust and say, it's like a, this big monster. I don't even know where to begin. And, and to be honest, you know, I think even here at Cisco, you know, we'd been talking about zero trust for a really long time. We had many people who had lots of opinions on the topic. And, but, but the reality is like, we hadn't really, really gotten serious about it. And yet, because as I mentioned earlier, I really, and we see it as a journey. You know, we, we implemented, you know, MFA in, in 2019, right. And yet, you know, we started our journey, you know, the, the zero trust portion of this journey in 2020.
So I think that definitely there is an opportunity to, to start shoring up some of those capabilities. And, and I would even be an advocate for like chunking things out because there is a, a huge change management aspect to what you're doing. Right. You know, I can definitely publicly share the fact that, you know, we didn't get MFA right. The first time it took us a few tries. You know, I think one of the benefits of that is that it gave time for the organization to understand, you know, for example, what is MFA about, and the fact that it was going to change their, the, the way people worked and the way people were accessing applications. So I would say, you know, the sooner you can start on that and start, you know, using that as an opportunity to, to educate your organization the better and, and not wait for necessarily one big bang approach.
Frank, I see you let's get, get the room involved. I see your head shaking up and down. Unfortunately, let's see CEO, but I can see you. So
I, I, I fully agree with Josephina. I fully agree. And I, I suppose, you know, you get, get, get started, get, get started. And you, you may not know, you may not know you may not have a full visibility or full understanding what the end state should look like, but you know, if you, if you start and, you know, you fill in the piece of the puzzle and then you fill in the blanks as you go along, I suppose you make a, you make, you make a good head start.
Yep. Okay. So let's shift a little bit away from a technical and, and talk about it more from a, a strategy perspective. So before starting down the path to zero trust, you need to get buy-in from the leadership team and sometimes even the board. So Den, what are your recommendations on how to do that?
Yeah, so it is funny. So get it started thing. So Julie will tell, tell folks here I have a podcast, Get It Started, Get It Done. And my shameless plug was, it's all about getting started. I mean, the reality is, is, you know, I, I was lucky in Adobe because we, people didn't really understand what zero trust was. We were trying not to talk about zero trust. So I think the important thing when you're trying to struggle for budget and prioritization of something, you're really looking for, what are the big pain points in the organization that resonate very well with the board or the executives. And, and for us, we were fortunate because someone had just done a survey across Adobe that was asking people what, what they liked about working at Adobe and what they didn't. And, and that's a really eye-opening thing.
When you suddenly get back responses where accessing AC accessing things via VPN was in the top five when you're like, holy crap, like people don't like the VPN people don't like passwords and, and logging in. They, they perceived that we're logging in like 55 times a day. Right. And you know, people who deliver are working the identity space, you know, most of us know that that's not really what's happening, but that's what they feel is happening and feeling is more important. So, so we capitalized on that piece of the puzzle and, and, you know, by the time I got to Cisco, I was really fortunate. Look, Cisco's a, a great company that has products and services in this space. So they have great desire to, to wanna like to eat their dog food, drink their champagne. So the reality for us was it didn't take a lot of convincing there, but the challenges were uniquely different there.
And I, I think the big thing is, so you've got the executives, but then you've got the people that are techies in the organization, especially security people that have grown up through the network security background, because what you're really talking about doing is changing how they think about security. And I'll tell you that for me, was pushing rope uphill within my own team in Adobe. And there's Josephina will tell you when I got to Cisco and stuff, and I met Josephina and we're partnering, and she, she led the effort to deliver this in Cisco, but both of us were playing different roles. I'm, I'm trying to message and like triage and, and cut people off before they try and kill the project. And, and Josephina was trying to like lead the team to get it done and, and still like do the change management and stuff. So I think there's two elements. One is upward mobility with the execs and then the other one is actually sideways and downwards to the technical people that you need to deliver. Cause the they'll fight you all the way.
Yeah. You've talked a little bit about it then. F I'm curious on your perspective, you've talked about it in the context of, if you just do zero trust and say, you're gonna do zero trust. Everybody's like, yeah. So what, but if you tie it to a specific business outcome, I guess, to your back to your point about, you know, addressing concerns from the employee survey, that seems to be a much better approach. And, and you're talking about it really more in terms of the business value, as opposed to the, the mindset or the implementation for Rio. Any, any thoughts on that perspective?
I fully resonate. Actually, we walk. So it's, I, I like to, to, to say that when you approach zero trust, you have, we have two different approaches. One is more strategical and more high level. And another one that is more pragmatic and the pragmatic approach will be probably coming from the business or coming from one initiative like, oh, we want to organize this application. We want to, I go do something on, on our network sector or things like that. But effectively again, you have also to convince the, the high level level and you need to have a stakeholder sponsor. You saying, okay, we cast deck, we go, decking is project XY, Z equals why we go not span in the case of the employees survey. And I I'm, especially recently because my former head of corporate Kwan push for always on VPN. And I said, that's not the modern way. Moreover, we are a startup. We are going to kill the productivity. So I want to, to create something more, more flexible, more open, and also because the people in Kar us, they hate VPN and I can coly understand I can coly relate. I hate VPN myself. So it's I is, is I king VPN is great. No problem, nothing broke. That's great. I, king VPN is great is, but it's is a Swiss knife and you want use a Swiss knife in your business. And therefore, I mean, why, what is the need for that?
Thank you. So let's, let's shift gears a little bit again and talk about the specifics of implementing zero trust. And so, you know, again, just kind of in preparing, I read a bunch of different articles and even just in conversations and, and there seems to be this messaging out there that zero trust is really hard, but I guess the question is, is it, I mean, Den, you and, and Josephina have both been implementing it in your organizations, but Josephina, what might prevent organizations from making progress? You touched on a little bit, the fact that it's a journey and you just gotta get started, but do you have specific thoughts on, you know, how can organizations make progress and how do you bust through the barriers that might prevent it?
Yeah. You know, I think kind of building on, on what I said earlier around, you know, just kind of getting started. I, I think what worked for us honestly, was coming up with an achievable scope that we could deliver in a relatively short period of time. You know, as I mentioned before, you know, if you start with trying to address all of the different use cases from, from the, from the start, then you'll, you'll get blocked, right? Because, you know, chances are the, technology's not gonna address all the use cases, et cetera. I think, you know, what really made the difference and, and was a great actually learning for me was, Hey, let's give ourselves an aggressive deadline, which, which probably sounds a little bit counterintuitive, but in the end, you know, I I've called it a blessing in disguise because it really forced us to be laser focused.
It also, you know, to the points that Den mentioned earlier made it easy to not entertain scope creep because, you know, people will say, oh, Hey, well maybe we can leverage it for this. Or maybe we can, you know, do this use case. And I was like, that all sounds great after I get this first batch out the door, we'll, we'll talk again. Right. So, you know, staying laser focused on a certain set of, of applications to just, you know, test it out and, and prove it out and gain momentum, I think is it definitely is what worked for us. And it's definitely advice that, that I share with customers as well. So I think, you know, trying to break down the problem, not trying to, like I say, solve all the use cases in one go, but, but instead, you know, focus on, on just enough to prove it out and, and get that momentum.
And, you know, it, it's definitely worked for us, you know, I, one, one sort of anecdote that I like to share, and, and this just happened to me the other day is to just so how, how far we've come along. You know, I was trying to access a, a particular application and there was actually a little banner that says, need to be on VPN to access, right. Not zero trust enabled. And I was like, wow, that would not have been there like, you know, two years ago, because now the expectation is that we have, you know, externalized, so many of our apps that people don't need to be on VPN. So that the one time they do need to, they actually feel the need to let users know. So to me that I, you know, I saw that and I just kind of put a smile on my face. It's like, wow, we've, we've really come pretty far.
That's awesome.
Yeah. Frank, you like, you wanna add something here?
Well, yeah, I suppose, you know, in terms of, again, in terms of getting started, I suppose don't forget that, you know, the zero trust is a framework. So organizations, I suppose more often than not have already, well, a multitude of technologies or platforms already deployed that they can, I suppose, use and reuse building, building their zero trust framework. So, you know, and I suppose this goes, I suppose, also back to your previous questions around getting buy-in from the, from the board, I suppose they, they see, they can understand that, you know, previous, previously made investments are not going to waste, which I suppose will, will, will get, will get approval internally.
Yeah. I was gonna say, Julie, I have, you know, as I go and talk to people about this one existing investments is a really, really important piece to this. And then your existing team, you already have the team, you already have the other investments. And it really, from an architecture perspective, some of it's just connecting the dots together to make them work in this different way. So it's, it's, it's not hard to get started. And as Josephina has said, picking a really simple set of use cases to begin with with a nice narrow scope, cuz what is really important is just showing business value and getting people excited. So if you can get some of the executives excited by one or two smaller results, but, but that shows that journey is, is viable and shows that you can every month or every quarter incrementally improve. I think that's really key to, to not just getting started, but actually being, being enabled and given the support to continue it.
Hey Dennis. So I'm curious on that script here a little bit. So I'm curious, you know, the executives that you worked with, how open were they to sharing that message with the organization, but it seems to me that, you know, the higher, again, this is back to our research that we'll be publishing shortly, but we asked some questions around the highest level executive within an organization that talked about security.
Yeah, yeah.
To create that culture, right. That I think is so important. It's not just technology, but it really ultimately comes back to people and creating that culture and organization is super important.
Yeah. I mean, I, I think I, I mean, I've, I've been fortunate, right? So the executives that I've worked with have always, you know, thought of security as being vital and, and really wanting to invest in that and put that at the forefront. But, but the reality is, is they're all under pressure to save money and almost always, you know, reduce costs. So you're, you're still struggling to, to, to get, get the prioritization and the budget. And ultimately for me, the, the thing that really tipped it for everybody was this will improve user experience and improve security and reduce operational costs. We got to the position at Adobe and Cisco where we, we removed the 90 day password rotation requirement. And instead we're using certificates for the first factor. So passwords weren't as important. We were using MFA and we're doing some security intelligence to look for anomalous event.
So journal authentication. So from an audit perspective, we could satisfy an audit. But, but the reality is that result that one problem that we solved reduced service desk tickets and thousands of service desk tickets, because in the top 10 of your service desk, tickets is tickets related to password changes. We eliminated that pretty much for the majority of the employees. So the reality is, is, you know, you can, you can take to any executive, a couple of good outcomes. And we had M&As, we had vendor use cases. We had engineer use cases. We had experience improvements and you can stack that crap up. We, we, I remember one of my architects, 20 benefits, he listed off at the very start before we even done the Adobe journey. He's like, here's 20 benefits. I'm like, yeah, you're not gonna pass anyone's sniff test with 20 benefits. Let's get down to three or five big win bets. And then, then you're not gonna like the exact one gloss over when you see it. So the other thing as well is don't try and oversell the thing, try, try and sell it for things that, you know, the executives and the employee base are gonna really grasp onto. Yeah. And it should just be one or two.
Okay. So the title of our session is around identity being core to zero trust. And we found, again, back to our research, we found about half of organizations are investing in identity and access management as part of their zero trust initiatives. So Frank, what would you say to the organizations that are not investing in identity and not making that a core part of their zero trust initiatives?
Well, I suppose we've mentioned it a few times, but you know, I suppose implementing a zero trust framework might be a, a daunting, a daunting exercise or a daunting idea, you know, at start and well, you know, well, we said it earlier, you know, start start with, with filling in the puzzle, the piece of the puzzle, not knowing the end state, not knowing where, you know, where, where the end will be. And I'll say, you know, you'll be surprised how much technology you have in house that can be used and reused and, you know, and, and be, be, be aware that you're, that you're not starting from scratch. You always, you always start from a, from a higher level. And I suppose, you know, there's, there's this, this American sports brand that says, just do it. And I, I suppose I'll, I'll agree with that
For BTO. What advice would you give to those that maybe aren't focusing on identity as part of their zero trust journey?
I will take in a little bit different way. So when I was looking for the, let's say blocks for zero trust, a give again, two classes non-technical and technical and technical. One of blocks that I found was maturity. And probably because the company says not enough investing enough in again, Kiki, or because they have different AKI provider, like we were talking with Cisco earlier and they said, oh, we have geese and geese. And I'm like, okay, again, I'm thinking about some, some, some of gig breaches that happen that because GA emerging acquisition integrate the systems into, into one single system. So I, I really think is you have to investing AKI and the benefits are multiple. And I was laughing a little bit when I was not laughing, smiling when gang was talking. Cause one of the reason, one of the selling point was actually, yes, we have to reduce the, we have to fix the Kiki because effectively what he will do, it will do a lack of cascade of positive effect. And one of that will be reduction of Keke. Cause I said that this morning, cause when you join a company, you have to spend two up, up to four months or five months K access to all the systems you need and gets unacceptable. And it's unacceptable from productivity perspective is unacceptable from the user experience perspective. And so, so fixing again, Kiki and is also one of the stepping stone for, for zero trust, for zero trust journey or implementation is effectively where company needs to focus.
Yes, absolutely. The, the topic of our discussion today. So we have looks about six minutes left. I wanna go to the room. Are there any questions for the panel, from the room itself?
Maybe I jump in, you can hear me. Hopefully I will jump in. So question to the audience here onsite. Is there any question the guys, the girls can answer to you remotely? We have some questions so onsite. I cannot see if there's anything, just raise your hand. So Julie online, we, we received the question. It's not really identity focused, but it's an interesting one. You've already spoken about it, but there is a problem to reflect the advantages of zero trust over VPN to the C-level. How can one respond to that?
I can gauge. So, I mean, calling a Goldlock so it's so you, you, I think VPN is, as I said, something a cool that you want to use it, but you want to use for some specific use case. You want to get touch a bit from, from gig usage of VPN and you, you, you want to do gig because VPN is not currently unstable and during pandemic. Okay. I was lucky. So we didn't suffer enough from, from basically from G VPN, but I know a lot of companies there increase VPN trigger. So effectively is, is uncap disconnected. So if sometimes you are over network, mobile is not working. So you have to give the possibility to work. And we are coming back to the topic of productivity again of day. You want to do productivity. You want to be a secure productivity and with VPNing yes, it is secure. Definitely. Somehow is it productive? I'm not sure. Cause again, we are different size of companies and ago and scout B, but effectively we suffer the same issues. People hate VPN. Well, hate is a strong word, but people are not really liking so much VPN. So guess how you can sell VPN topic.
And can I, can I quickly add to that cuz I, I would say VPN is not secure and you know, the, and that's a bit of a controversial statement. I've got a white paper we're gonna publish in the next week or two on this topic because most of VPN implementations for full-time employees allow full access into your network, unrestricted access to your network because that was the easiest thing to do. Well, what Josephine and I have done. And, and the team at Adobe done was you're publishing applications to the, to the internet so that you're not allowing full VPN access to your network. If a device is compromised, it can go to thousands of machines and launch attacks in seconds. So I got, I got a lot of thoughts on that one. People can hit me up offline for sure. Cause we don't have time here.
Yeah, absolutely. Julie, anything else from you? And otherwise I would have another question from the audience if this is okay.
No, I, I think let's take another question from the audience. Yeah. Let's let's keep going on that path.
Yeah. Perfect. So the other one is, it's like a statement we heard here often: "always verify" is an important aspect of the zero trust concept, but is it even always feasible? How do you deal with legacy systems that can, can't do that technically? Where do you cut the line? That's a good one.
I will take as well. So yes. I like to code, well, we start, I discuss about legacy during my presentation this morning, there are several ways you can tackle the legacy application. So you can have again where firewall, you can have microsegmentation using hypervisor and things like that. So it really goes by different use cases and work you have enabled. I mean, there is definitely some issues and I'm not saying it's easy to do, but you can effectively log everything or log as much as you can.
Anyone else want to add something here? No. So Julie, what is your plan? Maybe a final statement from all of you.
Yes. Yeah. That's what I was gonna suggest, Chris. Thanks is just, you know, obviously it's always good to take one thing, at least one thing from every session you attend. So what's one last piece of advice for a successful zero trust journey and I'll start with the SIO.
Thank you. So my advice is, think about on the longer term and think about the strategy and a pragmatic approach. So click it to, and when you go pragmatic, have just a few people, three or four maximum, that comes from different discipline tackle some of the most cumbersome issues. It can be VPN, it can be access code application, it can be Suning. So that will be, let's say the pragmatic approach and get we get, you can make a use case. You can make a escapement where you can get support from gig for the longer term approach and get from our, the more strategic approach.
Great. Let's stay in the room with Frank one last piece of advice.
My last piece of advice is slightly shorter than Fabricio's and I suppose it'll go back to what I said earlier is, well, you know, don't be afraid and just do it. Just go ahead.
Dan.
Yeah. Josephine mentioned earlier, find a really nice small use case and show some quick wins and some progress and you're gonna use what you've got.
Josephina, we'll close it out with you.
Sure. You know, I would say we touched on it a little bit. I think getting that executive buy-in to me is, is the starting point. If you have that executive buy-in, it, it paves the way for getting the resources that you need have get the priority that you need. And I think with both of those, then it's, it's pretty much you can just focus on, on getting it done. I, I think that's where a lot of times teams struggle is that you don't have that support from the highest level. And so you're having to struggle to get resources, get prioritization. So I would say definitely secure that and you know, for the rest, hopefully you've got, everyone's got really smart people in the room who can solve the technical parts.
For sure. Great. Well, thanks to the panelists and thanks Chris for hosting the panel and with that, have a great evening.
So thank you very much, Julie, for guiding us through this really great and interesting panel. Thank you very much, Josephina, Fabricio, Dan and Frank, for participating, answering and sharing your knowledge, your thoughts, your best practices here. Thank you.
