Creating the Identity Driven Cybersecurity Mesh Architecture

As John mentioned, I'm the chief information Security Officer and also responsible for our cybersecurity business within Coping a Call. So welcome first of all to all the people. So it's really a pleasure to have so many people here on site after almost three years moderating online and stuff like that. So let's jump into the topic. We heard a lot about zero trust and all these challenges and I will try to explain you how to get a grip on that, how to be able to create your identity driven cybersecurity mesh architecture. Honestly, the time is a little bit tough, so if you have any kind of questions, we have some minutes at the end and otherwise just come to me and ask you a question afterwards at a Casey bus or wherever you can find me also on LinkedIn. That's fine. So first of all, let's start with a really short recap.
Maybe you saw this slide multiple times during this conference, during previous conferences, but just to get you all on the same level, the idea behind zero trusts, you have five core disciplines where the user, the device, the network system and app and the data is relevant. And the idea behind it is you never trust, you always verify. And how would you do that? Something like a policy decision point, something like a policy enforcement point in the middle. So some central system that is taking care whether you have access from your device, maybe from your mobile phone, maybe from your computer or notebook to a specific application due to your specific network. Maybe in the network here at the E I see accessing maybe confidential data, maybe just looking for the lunch plan, lunch plan next week. And this is all done by and central policy decision and enforcement point.
That's the really rough on or the concrete idea of having something like conce trust architecture and having something centrally. This sounds a little bit like a fabric concept, does it? So you might have heard about the identity fabric. That's a very common thing. Coping recall is sharing since, I don't know, 15 years probably. And to be extended identity fabric also in the direction for the whole cybersecurity stuff to be able to implement paradigms like zero trust. The ideas probably are almost the same. You have identities, you have devices, you have data application systems and networks. You need some governance managed layer around it. You need protect capabilities, you need respond capabilities, you need detect and recover capabilities. So you need to be able to deliver really good data and information to have something like a policy decision and enforcement point. But this was honestly a little bit abstract and may maybe too high level.
The idea today is to go through a little example. So this is a really average company. It's based on some real customer project that we had. You have a typical organization on the, it's your left side on the slide where you have some computers, you have a database, you have service, you have a firewall, you haven't dm, set, something like that. And you have people that work offsite maybe here at the conference, maybe at the main station, maybe at the airport that work with their computer. Then you have the public internet and you have maybe in this example we took M 365 but potentially could be everything else where infrastructure is running, where software as a service is running, things like that. And now the as it is stayed very often, still very often or something in between is you have a V P N connection from your offsite device, some tunnel to your internal system if you want to access the public internet. And honestly that's not very efficient. I mean you have the option to centrally ensure or wireless specific web applications, specific websites, but ask the administrators maybe most if some of you is responsible for something like that, that's really a mess. You have so much challenges here and you never get a good state.
It's a bit bit dry here. The air, sorry. Okay, so what do we want to have? The target picture is something like transforming into an zero trust architecture, the paradigm. So we have almost the same picture, but in the center we have zero trust gateway, some policy decision and enforcement point. And you can see the arrows changed a bit. So now you have the option for instance with an setting a client to access from here to the public internet or to Azure or whatever. And the setting a gateway is the policy decision point which decides, okay, so Christopher is at the conference, it is eight o'clock in the morning, he's using his private phone, he wants to access confidential data. Did he ever access that? No. So maybe I forbid it, that could be the idea protecting things maybe on a network layer, maybe combining it take different attributes.
You have to create a decision to take or identify the risk and help to ensure the two security access here. What does this this allow us? Also the onsite stuff, like on the left side in the onsite example also it's a, you are able to access databases maybe directly. So the micro segmentation part, honestly on this slide you could also, if you really dive the full 150% into something like zero trust, you could also remove this domains here more or less because it doesn't matter. You have a micro segmentated network accessing due to an central access point accessing this. So that sounds great, does it? So everybody would say yes, I want to have that. But the challenge is really how do I go there? And coming back to the central approach, again, something like the cybersecurity fabric in the center is a really good idea here.
You need a government managed layer and protection response and recover capabilities here really in the center to get a good level of security and to fulfill for instance, the zero zero trust paradigm. And this is really the challenge. How do I do that? And what we do with our customers in multiple projects is we start with use cases. So maybe going back to that slide here, I told or I shared the example of me trying to access confidential data from this public wireless line. This could be a use case that I want to allow the CSO access to confidential data from here or maybe some external access to the lunch plan, something like that. Or I don't want to have a separation between my people on site and working remotely, which which is a very common use case nowadays. And the first step is really to collect this kind of use cases.
And that's what I did here on that slide. So taking the examples, the example organization I built there and breaking down this on the capability list. So this capability list here is also based on an document from the US government. We have again, the five pillars, user, device, network system and app and data and an additional layer around visibility and analytics. And if I want to fulfill from a capability perspective, what I told you as a use case, I would say you need at least the following things like a user inventory, we have an Microsoft environment. So you need conditional access, multi-factor, some good level of palm is always good and for sure the least privileged access paradigm in your mind. And you need something like an device inventory. So you need to know which devices do you have, can I trust them? What is their patch level, what is their security level, what is their risk?
Same with managing devices like vulnerability management, endpoint management, all that stuff. From a networking perspective, I need an overview of my network, which helps routers, stuff like that. Do I have, I should follow the micro segmentation paradigm. But we all know, especially the onsite stuff, it is not, it is not 100% possible to really micros, segmentate everything. So you might have bigger things, especially legacy area from system and app perspective. For our scenario, you need an application inventory, you need in risk management, you need resource authorization and integration. And then data. I talked about confidential data, but what, what does this mean? So I need some kind of capability, whether it's automatically on a specific metric metric with some AI metric, whatever or the traditional data lay building, at least I need to know what kind of data is this? Is this a lunch lunch plan or is this some strategic document for the next five years and this is something I need to have.
And also some kind of data loss prevention mechanism and some kind of data access control. This is something I need and for sure a lot of traffic information, CM information. So the monitoring stuff and the policy decision point, that's what I draw this result page and some kind of API management, API standard standardization within the organization. The next step is, okay, now I have a list of capabilities and how do I handle them? Our idea is, and this is also derived from our identity reference architecture to bundle those capabilities into something like in service. So if we go back to the the data layer, for instance, data labeling and tagging, just a second, I will switch back. Data loss prevention and data access control could be bundled in, in service around information security. We need some access management capability service, we need some attack service, management service and things like that.
And as you can see here as well, it's structured for protect, detect, respondent, recover layer, and at the bottom the government managed layer. And here the most important thing is, and that's what I realize in every zero trust project, where we start with is the asset management. What is the quality? Quality? Do I have the lifecycle stuff? Do I have some automatic risk metrics, some classification stuff, whatever. This is also a necessary baseline that you need to have. And with those information now it's getting more complex. That is some real cybersecurity fabric for an organization where you have on the left side the list of capabilities. So again, the stuff I shared on the one slide around user inventory and live cycle conditional access. Then we have data labeling, tagging and so on. And this all is bundled to some kind of services, some zero trust network access service, some access management service and all that stuff.
And the clue is now it is not necessarily that one service is fulfilled by one tool, it could be two tools and you could change those tools over time or extend new, new requirements, whatever. But in this example, we would have something like identity governance administration, some CM tools, some zero trust network access tool, some cloud access security brokers, stuff like that. And with all this capabilities bundled to services fulfilled by tools, you can deliver your organization this central layer in the middle. So again, the government managed layer to protect, detect, respond, and recover layer as well. So I would love to talk one hour more about this slide, but I'm happy to do this afterwards. The next challenge is for sure the reality. Okay, so this guy in front of you says, do that. Okay, I talked, I don't know, five important tools, which I usually usually need something like one to five years for implementation.
And the challenge then is really the prioriti prioritized approach here. So what do I do first if I want to go into the direction of something like a centrally managed cybersecurity fabric to fulfill, for instance, the co trust paradigm. So jumping back to that slide and putting or just selecting those relevant items. And now I need to dive deeper into what do I have here? I just selected some examples around it, which is something I need to consider for my scenario. So like information security, maybe I have some kind of information classification in this example, I have something but it's not validated and applied everywhere. Same for your trust network access. Maybe you have some central gateway, whatever, but no policy decision point. And then you need to evaluate in which direction you want to go. Do you want to really have a central policy enforcement point?
Then you need to look for a specific tool. And this takes some time also the implementation then. And for asset management, for instance, the life cycle for assets is needed and the criticality of each asset in this example. And if I don't have that, I need to start with that. And that is basically the outcome of, if you would prioritize this example here, start with cleaning up your asset management. Take care of your access management. So centralized approach, if you read the detail here and then breaking it down step by step. And this is really the most important part and for sure you can or must start things here in parallel, like looking for in zero trusts, network access specific tool to build your cybersecurity fabric. And this is then where the challenge came. And as we always say, if you talk to our customers, if you want to implement something like that, first of all it's a program like identity and access management is a program.
Implementing something like that is something, especially if you're a multinational organization with multi multiple departments and responsible, it takes some time to get this feeling within the organization to get the buy-in from all stakeholders. This is the real challenging part here. And as mentioned, I would love to talk hours about the topic. I'm open to do this with every one of you, but we are already at the end here. So the summary to how to approach and how to build your zero trust strategy with by using the cybersecurity fabric. So first of all, again, know what you want. Build your use cases, define clearly what you want, what you want to achieve. Not every organization is the same. There are some overlaps, but at the end you need to know what you want and then you need to translate this into technical capabilities. What does it mean from a technical perspective?
I need an access management that allows authentication with and second factor, for instance. Or with taking care, which device is used, something like that. Then you bundle this into inservice. Just in structural organ element. You could use the reference architecture, but you could also use any other idea of your understanding how to bundle a service. Then everything ends with the cybersecurity fabric. So the big picture capabilities, services, tools, and the API layer around it. And then you have a target picture. And then the fifth step is the most important. What tools and gaps exist? Do I have quick wins, big wins like cleaning up the asset management, define criticality in categories, things like that. And then go through it with an most of the times and risk based based approach. Approach is really the best. And create the awareness within your organization. Build the organization around the idea of a centrally managed cybersecurity architecture. Thank you.
Thanks Christopher. Does anybody have any questions in the room? Feel free to raise your hand,
Excuse me. In a, in a scenario where you've got multiple user repositories, would you rationalize those before you'd start? Was that TNA or can that TNA cope with multiple user repositories?
I, I didn't get the question 100%. Could you repeat
In your slide you, you talked about user repositories. Yeah. Or user inventory. If you got multiple user inventories, how does that 10 A cope with it or should you strive to get towards a single user inventory?
It? Honestly, this doesn't matter. So this cybersecurity fabric idea would allow multiple repositories. I didn't talk about tools in detail. So the service as mentioned, you have the capability, maybe you have external users, maybe you have specific risk users and other repository, maybe even other IDP or something like that. You bundle this into in service and there could be two tools, two directories in behind that. This the logic behind that. This allows you maybe an additional API layer, maybe an identification. Yep. Any further question? Otherwise, as mentioned, if you have any kind of question, I'm around here at the Casey bus, would be happy to talk about that. Okay. Then back to John for introducing the next speaker.