KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Zero Trust starts with Identity. It ends with authorization. And it is centered around policy-based controls for authentication, access, and more. IAM is ubiquitous in Zero Trust. Thus, every Zero Trust implementation must follow an identity-first approach.
In this session, we look at the intersection of IAM and Zero Trust, and provide a mapping of IAM capabilities to Zero Trust requirements. We also look at the need for modern IAM, from adaptive, passwordless authentication to continuous authentication, ITPR (Identity Threat Detection and Response), PBAM (Policy Based Access Management), but also Data Governance and the intersection of IAM and Code Security. This will help you in aligning your IAM and ZT strategies and give you a concrete understanding of technologies you will need (or not).
Zero Trust starts with Identity. It ends with authorization. And it is centered around policy-based controls for authentication, access, and more. IAM is ubiquitous in Zero Trust. Thus, every Zero Trust implementation must follow an identity-first approach.
In this session, we look at the intersection of IAM and Zero Trust, and provide a mapping of IAM capabilities to Zero Trust requirements. We also look at the need for modern IAM, from adaptive, passwordless authentication to continuous authentication, ITPR (Identity Threat Detection and Response), PBAM (Policy Based Access Management), but also Data Governance and the intersection of IAM and Code Security. This will help you in aligning your IAM and ZT strategies and give you a concrete understanding of technologies you will need (or not).
So I have this, this presentation here being assigned with this a bit stinking word in between, which is zero trust. So I I, I'm quite confident that that many of you can't hear this term anymore. And I think a lot of people have been speaking too much, including myself, about zero trust. And I wanna hint on the, on the third line of the title and maybe also the first line. And these lines are about implementation and about, I think architecting. I think this is what we do We have an echo here? I feel that I have an echo or is it just me? Okay. It's okay then, then it's fine.
So it's really about going to reality. Now I think this is the, the central point. We have heard a lot about zero trust and when, when I start, I, I wanna wanna bring up some, some numbers. Some of them I'll touch later on in a separate talk about study we've made and this is all of that. But I think what, what is very important when we talk about identity first, zero trust implementations, that identity nowadays is primarily understood as something that is delivering to the security push of organizations. This is the bigger part of 61% part.
So organizations understand identity is at the core of security, it's part of it. Zero trust remains a major driver also for what we do in identity management. So a lot of things we do around authentication, passwordless, et cetera, has to do with zero trust. It's something why people in west, because it's a top identity security topic, not just a security topic, zero trust. So we need to look at zero trust from an identity perspective.
But, and this is I think the point we, we, we must underestimate concept phase or we think about zero trust, 65%. We do something concretely, 19% or 16 saying, okay, I gave up or whatever. So I think the point with zero address is that there's a lot of talk, but we need to become more concrete here. So when we look at a graphic in that case, it's from a public source, from the us, different types of elements. So we have the user, the device, the network, the system and application, the data and some other elements.
And I just highlighted in green the areas where at minimum, and we could probably define some of the other areas as well as identity related, but what is about identity? So when you look at this sort of zero trust building block picture than identities, ubiquitous identities everywhere. And when we look at it more from a flu perspective On the left hand side, this core pillar user, that's the identity part. That's where it starts.
So when we talk about identity first, I think it's very essential or identify zero address to understand that there is no zero trust without identity and no zero trust without starting with the identity. By the way, there's also not, I think maybe trust, look at the pillars that I think everyone, except a few winners have understood it very well. There's not a silver bullet, not a single tool for zero trust. Zero trust is a complex thing.
It's more, more a paradigm, a methodology to follow. But we, we need to understand, yes, it starts with the user. And I think one, one of the things is, and this is a bit, you know, when we, when we look at this, a lot of building blocks, when we look at this a ton of building blocks, you can depict it that way or that way. It's complex. What we need to do is we need to bring a structure into the entire thing. And what you need to do when you want really to move forward with zero dress is create your, your, your reference architecture.
Understand the elements that are most relevant to you, whom, whom of you has been in this morning workshop yesterday around identity, fabrics, roadmap, et cetera. A couple of you. So basically everything you've learned there, if you learn something, hopefully we manage that, you learn something.
But every, if everything you heard there more or less is something you can apply in a similar manner to the broader zero trust exercise. So here, here's one of the slides with building blocks. We had one just before. You can do it the same way. Understand where you stand, what is priority for you, what is the gap. So you can walk through it in a structured manner, you can do a similar exercise. And for the ones who hadn't the, the chance to, to attend our workshop yesterday in the morning, this as all the sessions is recorded.
So if you have some spare four hours, you can then look at the recording of this workshop, which was a very intense workshop and that is exactly what you need to do. So build your structure. So if you want to, to do it and walk through that.
And again, identity in this case it's a bit different perspective because we don't go from user to device, et cetera, not in that direction. But we go from to detect, to respond to recover. But at the end it's building blocks and it's about understanding which of these blocks are how relevant for you and how to put them together to decide on where, where do you start your investments step by step to, to do it. And again, it starts with the identity because at the end we are always about authentication, authenticating, verifying the user.
There will be one session you should not miss, which is tomorrow from 11 to 1120 in room B zero nine, where my colleague Christopher will talk about creating the identity driven cybersecurity mesh architecture. I picked some of his slides here in small, you'll, you'll see all them, all these slides in that other session as well.
But this, this helps us to, to walk through the different stages or phases of creating such an identity driven identity, first serial zero trust architecture. Because these phases are not different to anything else you do. So what, what you find in this presentation are at least two examples of what are the building blocks. What you then need to do is look at the use cases, look at how your world looks, what do you need to protect?
And what I always recommend is sort of if you have a complex problem in security and everywhere else, complex problems are best solved by first deconstructing the problem. So don't try to say, how will zero trust look for my entire global organization?
But say, okay, I understand what zero trust is. And I start with saying, okay, there's a production use case, there's this use case for these types of workers, this is that use case, et cetera. So here's the branch office access use case. Here's that. So deconstruct the problem, solve it, solve the small problems and construct it again. Then you come up with your bigger picture. So these pictures help you, but you will be, you will be way more successful with this deconstruction solution construction approach, which then ends up in a, in a unified solution.
And, and if you do it well, then you end up with what, end up with whatever, eight use cases, eight solutions, but very homogeneous approach over time. So you need to, to do this, you then can define your requirements. You can then also map requirements between different use cases. Put this together in services. So what do you need in services? Which building blocks? This brings us back to the slides I've been showing you before.
So what, what are the relevant things? How will this work together in your cybersecurity fabric, in your zero trust architecture, where are you gaps? And I think this gap thing is also a very important point. Understand on one hand, where are you? So what is the priority? Where's the gap? But also look at what is doable fast. So where can you have faster success? What are things you, you must do immediately? What are things that will take probably a way longer time? So balance these things, prioritize and move forward. It's a journey.
So like identity management, it's not that you do an identity management project and you're done forever. It's an I am program and this is zero trust program. It's a journey. But at the end you should ideally end up with something which is a very consistent integrated approach. You can call it a cybersecurity fabric, which looks at all the different pieces, all the different components here and brings the things together again that you have been so to speak, deconstructing in the steps before.
So my key takeaways here are zero trust, even while the term might be have been overly used, it's a very important concept because at the end it's about multilayered security, it's about continual, maybe not continuous, but at least continual verification. It's a good principle to follow. So I think it makes a lot of se sense to stick with that. To understand it starts with identity, but it also includes devices, networks, other areas. Then identity comes back with the access part, identity and access. This is then around who can do what with switch service, et cetera.
And then as usual, sort of slice the elephant into pieces, deconstructed and solve smaller problems to be successful. And a good starting point always is strong path, but less MFA because this is where everything begins. Without that anyway, you shouldn't talk about the zero trust solution if you don't have strong path, but less mfa, you are definitely not there yet. Thank you.
