Enabling the Power of Digitalization with Identity-Based Access Privileges

Hey, you can tell by my German access on Max accent. I'm not from here. I came in from Houston, Texas. I've got the global responsibility for the, the operational technology business at, at colo. And my group PRI primarily focuses on industrial clients, which I'll touch a little bit on. It's not a Nitish business by any means. I'll go into some of the, the folks that actually have, you know, created their lines of business, their revenue streams, the valuations of their company based on automation technologies.

I'm gonna call that a little bit out today because of the, the challenge I wanted to go over, which was getting started on a common sense zero trust lease, privileged journey, zero trust. Obviously not a product, but we can give you some ideas on how to get things started in, in your initiatives. And the industrial side is unique because it has a lot of impediments, which we'll touch on. My background is 32 years of voice and security.

Started out in modem security, federal government way back, for those of you that knew that there was modems moved over into IT security with companies like Cisco, Palo Alto Networks, and then eventually came into the, the venture world and did a bunch of startups in the space. And, you know, what we're, we're addressing now is how to connect verified identities to applications versus users to networks.

I'm gonna show you a little bit of how either you can get started on your own by working with integrators and other software developers to at least get things going so you can achieve the benefits of digitalization. Big word, a lot of people throw it around. Very few people have got an idea of how to get, get things started. We'll touch about on some of the impediments, industry 4.0, which is now already 5.0 where cyber physical is connecting to physical things. And we'll move into how to start.

And then maybe a checklist on, based on, based on experience, a checklist of of, of how to get rolling in iden, modernizing your identity, which is just a step in a journey that, that really never ends. Show of hands, how many CISOs are in the room?

Any CISOs, any it managers, consultants, advising clients? You don't count, you develop the auth.

You, I'm just kidding. It's a big name by the way.

Good to, good to hear you before again, just get a sense of the room and, and speak to that. And then we'll wrap it up here. I know we only have a few minutes, but some of the, some of the impediments that, that we see, and it's not just in industrials with multi-vendor, multi-generational type networks and deployments. It's also in some of the larger enterprises that you service or you consult for legacy systems such as legacy networks, legacy applications that still require, you know, username and password and things like that.

They're, they're not going anywhere. And that's an impediment because it's a certain aspect of your estate that you can't migrate quickly. We'll show you a little way, a couple ways on how to do that. Organizational cultural resistance. People don't wanna change.

And again, it's just not in the industrial space. And then also people want to get their work done. So if something's complex, they'll figure a way to engineer around it. We'll touch on that impediment a little bit. And then lack of skillset. Just anybody run into that piece with their clients or their, their their own company?

You do, yeah. Yeah. For the consultants in the room, a lot of you are prescribing solutions for folks and they might have a Windows person, you know, or they might have a, a networking person, but they don't have a privilege access management guru. They might not have a authentication person, they might not have the staff to pull this off. And we'll show you how the market is kind of converging a lot of these techniques into one easy to use prescription. This is the challenge that we have. Architectures, this is, could be one customer of, of mine.

They could be, have a cloud connected component of their, their business. They could be somewhat averse, begrudgingly refactoring some applications to the cloud and then a totally isolated component of their business as well. Could be a, a retailer, let's say like a Tesco or a Walmart, that, that's a Tesco or a Walmart, even though they're retailers, they have semi offline or offline components for transportation, robotics and other things like that. So this is a challenge, the different types of estates for moving an identity program forward, right?

You, you, most identity products and solutions need all the brand new networking components. They need the segmentation now they need the identity infrastructure and it's just not there in many cases. So what happens? People freeze up like a goat and they fall over and they say, Hey, we can't, we can't start the project until the big lift actually happens. There's actually a way to do that without having to lift everything up at the application level. We'll touch on that to see who's connecting.

I don't know if anybody follow the, the 4.0 the industry connectivity, the buzz around everybody connecting to everything. And it's a little hype, but anybody familiar with the the 4.0 trend where, you know, it's the, the fourth revolution so to speak. So we feel that the, and the industry feels that connectivity will drive this next revolution where cyber things will be talking to physical things. Humans will be talking to humans. Everybody talking to everybody from a connectivity standpoint. The first one was, you know, no steam power, no rail systems, right?

First industrial revolution, second one, no reliable electricity, no assembly lines. Third one, no computers, no automation revolution in the sixties. Now we're looking at this cyber physical thing of how automation equipment and devices communicate not just to each other but also as to get information to the enterprise to make better decisions. That's gonna revolve around connectivity. And if we can't get identity of these things connecting, none of these big areas will, will make the industrial 4.0 revolution happen.

Some of them are connecting a lot of people that I had to convince our board to make an investment in OT 'cause they thought it might've been a, a Nitish type of business, a Nitish business. And over 200 of the Fortune five companies in the US make their profits report to Wall Street based on how efficient their automation and OT technologies make products, right? So it's not just this little air gapped security thing that that happens on the side. It's it is the buying center, it is the enterprise is a cost center that to them.

So they're all connecting 18 of the top 20 revenue generating companies. It's just not Saudi Aramco and Exxon. It's a whole bunch of other ones in there that you really would never think of that all make money off connectivity in very isolated scenarios. And why I bring that up is these isolated scenarios have typically not have identities tied to them. It's usually shared passwords. It's usually older credential type systems and they, their biggest vulnerability is they're mindlessly connecting users that aren't authorized to networks versus authorized users to application.

You can see the addressable market around, you know, the connectivity on 4.0, I won't read it out loud. I spend most of my time here in the industrials mostly oil, gas, paper, pulp, things like that.

Nuclear, where we're connecting older networks to have an identity source where they can trust that that person is who they say they are. They have access to the application when they have, when they, when they're allowed to have it. And that's not using VPN and things like that to connect mindlessly why it's a safety issue for sure. It's also a, a financial issue as well. Lemme cruise through this here real quick. How many folks have deployed MFA in their, in their enterprises or CL clients? So a good portion of it, right?

So roughly 40% still ha I mean 60% of enterprises still haven't deployed MFA for authentication. Yeah, big, big journey ahead right now you might don't get confused to FA with MFA, but you, it's, it's literally 38% to 40% have deployed MFA in the networks. You feel free to look that up if you want. I wouldn't make that statement if it wasn't true. So basically, and it's even worse in the industrial space where they're still using username and password on most everything. So what we're trying to do is connect users, right?

With verified identities using modern techniques such as authentication device posture, location geolocation and time of day kind of things into an application versus a user to a network. 'cause once you're in your network, what happens? What can you do when you get into a network? Go anywhere, right? Pretty much so, and again, I'm not, this isn't just a, a product pitch.

This is, you can do this with a lot of things today, right? But taking that first step and getting people to authenticate where you're verifying that user is who they say they are, even if it is to a network, that's, that's a good step. But getting them to connect to an application is even a better step. There's also a convergence going on of tool sets. So MFA is just 1, 1 1 tool set. Can I help you sir? Alright.

The, there's also a movement on converging tool sets, whether use it with one tool set and or can I help you sir? Can I help you? No sir. There's also a, a movement on converging tool sets, right? I can either use mul multiple products or we can try to find a singular project product, right? But what we're doing is we're connecting or we're actually converging multiple user tool sets into one easy to use to verify that human is who they say they are, right? Versus just using one. So we can combine authentication with supervision, with credential access tools.

We can record all those things and give that human a very easy experience to an application. So they get what they use, what they see, and that's it. They don't get to go and roam the network. So we've got access controls, we've got timing controls and things like that that we can utilize.

And again, you can do this with one unified tool or you can look at the marketplace and try to find some best of breed where you can get going on your journeys and not have to wait till the, the network gets upgraded. So some of the things that you can do, I, I equate this to the door when somebody's in the house and then what can they do when they're in the house, right? We have access controls. These are all things that you probably already know of, right? Multifactor authentication, single sign on password vault device posturing as well as identity federations, right?

These are all access areas that you can, you can deploy today and in isolation and some people do that. You can also connect things using connectivity controls and the associated access controls to get a little bit Leal, a better level of, of maturity, right? What is that? I'm letting the person in the house with the access controls nothing new, right?

VPNs, you can do that and stuff, but now when they're in the house, what can I actually, can I prevent them to go and use my restroom, get, can I keep them outta my refrigerator? That's where you have, while they're, they're in, you've got persist persistent connectivity controls where I can allow them to do certain things when they're in an application. Can they upload it? Can they transfer it? Can they download things? What can they do when they're in my, in my house?

And if I don't like what they're doing, if they're risky behaviors, I can terminate that or I can tell a firewall or something else to terminate a session. Lot, lot more connectivity controls these days. And when you in, when you use that with access controls and connectivity controls, your level of maturity goes way up. Then you have more of a, a pro a privilege access management type flare of a application control these days with better oversights. Can I usher the, the, the application user in? Can I record them? Can I terminate them? Can I watch what they're doing?

Can I collaborate with them online? You can get this now in all one application. Depends on what your, your posture is. Or you can look at different best of breeds to get each one of the control systems or control segments down.

Again, trying to move your security of from left to right without having to wait for the big lifts. Right now that application level access and security is here, there's multiple vendors out there. You can now begin your maturity projects a lot faster instead of having to wait again for the big lifts. Does anybody run into that challenge in either deploying or consulting with anybody?

Like they, they want to mature, they want to create some authentication and or move out of yesteryear into the, the modernized identity era and they're just stuck behind a big project. Has anybody seen that?

You have, you have, may I ask, what was the big, a lack of, what was the big constipator, if you will? What was the big blockage of why they couldn't move to identity? Anything specific? No Support from the organization. That microphone.

Yeah, but it's not on, it's, there you go. The, the organization didn't give it any support and they stopped a complete heavy pump project six years ago and still don't have it. Right.

And again, that's kind of, people were shocked that the M FFA percentage, that's one of the reasons why other than MFA can be hacked 12 different ways there. And it's very risky to, to deploy in the beginning.

It's, it's that kind of thing that they had to wait for the infrastructure, not just the network infrastructure, but the identity and directory infrastructure to be upgraded so they can enjoy such a, such a tool yourself. Yeah. Bringing people together on the same goal. Yeah. Bringing teams together, different opinions. Can you repeat Because Yeah, he was saying it was bringing people together with different opinions and competing maybe ideologies of what should get done. Priorities maybe. Yeah. Both are very ownership.

Ownership that It's all the time I think about Martin's presentation about ownership. Yeah. If it's in a low level it backyard, you're never going to do anything that is company wide. Yeah. And really making impact that, That is a, an incredible point. And you must have been reading my slides because the, the ownership component is a challenge, right? Most cyber people don't own the network, Right? Correct. And the active directory is always part of the workspace guys, which is not part of security or Yeah. Yeah.

And if you look at, if you, if you look at the one slide that I had back a few, few slides back where you had the hybrid, you had Yes sir, go ahead. Before I start, I I Don't have a big yet.

We, we even, even my three minutes, That's it. Oh Wow. My sonically say that, that there's always some tendency to, to keep the, the silos up and running.

So, so, so when I look at things like, like ss e it's realistically seen a bit about conserving the old world of network security in, in the separate island instead of thinking about how can we get rid of it. And I think at the end of the day, to my opinion, the best thing would be if we can solve that, we can access from a system, from an endpoint securely a service and we expose everything as a cloud service. Even the things that run in our data center there, just cloud service.

If we can secure that from there on, we can go, go become better when we say this is less of generic, but then we have solved the fundamental problem. And this is, I think when you say, and that would require that we say, okay, we have a secure communication from A to B or from from endpoint to service. And if this is the, the axiom we have, then we don't need to care that much about things like network security anymore, Right? Radical thing I agree a hundred percent. You're you're spot on Virtual layer in between the two.

And it's not S world the virtual layer, it's not SDM because this is very old school. I we agree a hundred percent, but give him APIs.

No, no, he's right spot on. 'cause that's what we're, we're we're moving to that level now where the, the network level is what it is, right?

They, things can communicate on there, but now that we're connecting an identity to an application directly or multiple applications, we really don't care how old the network really is. We don't care if it's multi-vendor, multi-generational and perpetuity anymore. 'cause we have the technologies now to shim over the top or that virtual layer to get users again to ownership piece in every one of these. Somebody owns it differently, right? Like in in the industrial sector, MySpace, the, the security people can't change an IP address. They're just not gonna be able to do it, right?

And so how, if you have to do some network security, how do you do network security? If you don't have control to your point or ownership of that network, you can't. So what we're doing is we're allowing the cyber people to come over the top of the network.

And again, strong identities to applications based on policy regardless what, what is underneath there. I I'm getting the hook here. So I'm gonna go to the summary slide.

The, so we're, we're, we're talking over one big point, which is credentials. If you're to ask your vendors, one simple question is can you set yourself up as a user in my network? Don't ask 'em if they want to or not, but can they? 'cause they'll say we, we won't, we don't want to. No. But can they? And if they do, then they have your credentials. And we all know that credential theft is a big thing. It emanates many of the breaches today.

But ask, you know, who's who's got my credentials, right? And, and you know, your cloud provider does, right? Second piece is, is start with the biggest risk first. Do you have a connection to China? Do you have a connection to Russia? If you're in coal, you do. If you have something in aluminum, you absolutely are talking to China. It's nothing illegal, but there might be a risk there. Do you have a department of employees that you know are leading edge that have the keys to your cabinet? Maybe you wanna, maybe you wanna provide that as your highest risk and start that project there.

The, the, I mentioned the controls before, access controls, connectivity, controls and supervisory controls. They can now all be blended together. One vendor or multiple vendors.

But I, I would definitely start with the, the highest risk connection, even if it's just one connection to a, a plant a partner. Third party's our biggest use case these days. Third party contractor access.

It's, it's an incredible place to start. The ROI is there, the risk is there.

And we're, you're definitely gonna have a successful project. 'cause that perimeter, that edge is, is, has holes in it. And as you close that perimeter with one tool or a few more tool, you, you'll be getting the, the return on investment with that for sure.

And then, like I mentioned, it shrinks that attack surface and at the same time saves you a lot of money to spend on some other projects. So anyway, you can get there from, from, you can, as they say, you can get there from here. Now you can transcend above the network level to create an identity modernization program that, that, that ups your overall security game. Either in your own business or in your client's business. Thank you very much. Thank you.