KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Yep. So I wanna, I wanna discuss really what zero trust is for your enterprise and a little bit about what it, isn't some things to consider when assessing your posture as a business, as a company culture, as a team, even in, in terms of your ability to really start this journey. I wanna talk a little bit about technology.
Of course, I don't believe that there's going to be any enhancement for a particular organization. That's looking to protect their workforce and their enterprise with zero trust principles without technology investment, but it, it's definitely not all technology. And then just kind of some high level conclusions that we can come together to achieve this goal. So what is zero trust for your enterprise? And I mentioned it zero trust is a lot of things to a lot of people. I have a lot of contacts in cybersecurity in the cybersecurity world in identity, of course.
And the one thing that I constantly find myself defending and pushing against is the concept that zero trust is essentially just a marketing buzzword. It's frustrating because there are so many great principles that can be adapted when you're considering taking on zero trust. I would say it's also true that it can be a marketing buzzword in terms of technology. And I don't believe that it it's a, a one size that there's a one size fits all product or technology out there. That's just going to do this all for you. But what zero trust is for me in our organization is it's a strategy.
It's I believe that the way you think about zero trust architecture affects the way you implement it. If you convince yourself that zero trust is a project that you and your team can complete, then it's a project. But I don't think you're going to see the benefits that you want to see out of it. If you just consider it something with a finite end date, we see it as a strategy and it is really based around common zero trust principles. One assume that the network is compromised, bad actors already have a foothold. This may not be true.
This may be true, but if you assume it, you are now able to protect against it across various layers. If you're thinking in terms of like the OSI model, the second bullet point that rings home for me is that workers and really anybody accessing your, your services and systems must receive the correct access to the correct resources. And only for the amount of time that they actually require that access. And last but not least identities are really now the perimeter it's, it's not even layer seven, it's almost layer eight.
If you want to think of it that way, it's, it's the human interaction and the context behind that interaction, that's really driving a lot, lot of where we see security going again. I believe that zero trust is not a project or even really a program. It's really our paradigm for continual service improvement and security improvement. And it's really only as strong as the sum of its parts.
If you look at the diagram on the right, this is kind of the problem that the standard resource, if you want to think of it, in terms of that, or an application has to deal with, typically, you're, let's say you're dealing with an application and that application is being accessed by somebody.
If that application, even if it's connected to an identity provider, that's in charge of single sign on and has two-factor authentication kind of federated to that identity provider and the identity, provider's just relaying that resource is still in a zero trust sense, responsible for understanding what attributes the user has that are coming across, what device that user may be using, where that user is in the world, what network that user is on. And this, the things in the center here of this diagram are not exhaustive.
There's more things that an application or a resource would have to understand in order to be able to more securely provide authentication and authorization to rights and privileges within a particular app. No application is built to support that has the scaffolding or support and infrastructure inside of itself to support that entire inter interaction. And it's gonna be more than even just one piece of technology. That's able to do that either.
I don't believe that a typical resource is going to be able to establish this context, to be able to make a sound security decision about whether or not they should let an enterprise worker in or out if they have to do it on their own, especially not at scale. So what is zero trust then for your enterprise? It's really down to context.
It's having the technology in place to develop strong policies about who can access a resource and under what circumstances, and those policies are informed by several things they're informed by directories HR management systems, sources of record that provide strong attributes that can help lend itself to just a high level idea of what an enterprise worker should or should not have. You have roles and inside of roles, you do, you have things like individual fine grained entitlements. Those roles can be provided dynamically as a result of being, having certain HR or it attributes.
They can be managed through access requests. They could be managed through approval flows. They could be administratively controlled by other members of the system that have the rights and privileges to grant that role to others.
But those roles are just a piece of that policy and a piece of at the end of the day, providing that context, then you have devices and that this is really kind of the hot area right now for zero trust for me is seeing what's going on really with device management, with adaptive authentication, with those contextual points that indicates is this device, the same device that John Smith uses every single time. And he tries to access this application. You have credentials of course, password and two a have become pretty ubiquitous though.
MFA adoption continues to struggle in the sense that I do not believe it's 100% across the entire world when I really believe it should be. And geography, geography is getting extremely important.
We, we see obviously the geopolitical events that are going on across the world, geography can provide just one additional piece of context to help provide a stronger security policy. Although it's obviously not completely foolproof, it's just one additional piece of the puzzle. And then there is network.
Yes, we assume as kind of like that primary bullet point of zero trust that the bad actors are already on the network. That doesn't mean we ignore layer security. We're not looking to throw layer three security technologies out in, in lieu of layer seven. It's really about ensuring that we have defense in depth so that if any, one of these anchors to zero trust breaks, the others are still supporting.
And so you combine all of that into various technologies within your identity provider, within your network security infrastructure, within your even like access tokens, you establish those policies based on really the context that you're getting and that context provides what type of token or session length or rights and privileges that a user has to a particular resource regardless of its network endpoint, whether it's on your local network or whether it's out in the cloud.
So that's really kind of how I see zero trust is how many different anchors can we apply to establishing enough knowledge for a policy to be able to make an informed decision. So assessing your posture, this list is again, not completely exhaustive, but these are some of the things I, that we thought of back when we were oath when Yahoo and AOL first merged into the company oath. These were many of the points that we thought of.
We had various types of workers, both through employees and various types of contingent workforce that had different user life cycles that added a challenge in and of itself in terms of onboarding certain technologies that we needed to support us. And then we were thinking about, as we went through this list, kind of all the things that we, we needed to establish strong policy points. We definitely spent a lot of time talking about geolocation, even security culture for workforce is an interesting one.
What is your organization's propensity for change that matters at it might not matter where you end up, it might matter how much, how fast you get there, because if you have a very change averse culture, that is something that you need to consider. You don't want to upset everybody in your organization, or you lose security, engagement, devices, and hardware. We support most of the major operating systems at Yahoo, which on a technology side actually makes it a little bit difficult.
Well, more difficult, particularly on the device context side of things, to be able to establish strong anchors, to be able to make those policy decisions, but what devices you support and how you support them matters in terms of your device, any device management software or software distribution cycle that you have, whether or not you support or bring your own device policy or not, and whether and where you expect devices across the world to be connecting from, to your resources, you of course have to consider what technologies you have today.
And the good news is for anybody that's thinking about engaging on a zero trust adventure, you already have some of the tools, most likely that you need. These would include, of course, single sign on services. Identity providers directories are obviously a huge core piece of any identity ecosystem.
And, and it's gonna be crucial in order to establish strong attributes for, for most of the policy based context that you're looking to apply. You're also looking to understand and ensure that you have a strong handle on authorization and access control, managing the fine grain per permissions that somebody is using through either role based attribute based or policy based access control is going to be a challenge without strong access control solutions. Cause you're not going to just be able to go live with any one of these things and have every single entitlement and role managed.
All of these things are going to require a life cycle. So technology to support that is an additional context point is going to be crucial and then policies and governance. You have to be, be aware of what compliance requirements and governance requirements that you have to achieve. This is also going to inform your priority list. As you look to protect areas of your enterprise with zero trust principles, things like whether or not you're beholden the GDPR, which most of us are CPA Sox, PCI, HIPAA, all, all of these governance frameworks out there.
They help provide you again, your priority list in terms of what you have to be protecting and how quickly you need to be protecting it. Re-certification periods, audit periods, et cetera. And then last but not least, I kind of talk about this every single time I discuss zero trust is relationships. Do you have the relationships inside of your organization necessary in order to be able to engage on this effort quickly?
So when you're assessing your posture, the cool thing about most of these is if you have covered enough of these points, as you're beginning to plan your strategy, you actually begin to establish your policies. So we have a policy, we definitely have policies that would fit this intersection. Each one of these can kind of work as an intersection. We have policies that cover employees in particular geolocations remote. Obviously we've been remote work for quite some time. Now since the start of the pandemic.
And I don't believe that a hybrid or remote workforce in terms of the industry is going to be going away ever. It's it's not going to happen. No one is going to be back in the office. 100% across the entire world, that bell has been rung, whether or not you're connecting from a Mac like I am right now, whether or not you support B Y O D or the device was provided in a, B Y O D context, you might have both, do you require single sign on or two FFA for certain interactions.
You look at these intersections and if you've covered all of these posture points, you actually begin to create your policies. And then you just have to decide what you want those policies to be in terms of token length session length, how often you have to reauthorize, et cetera. So by understanding your posture, you can understand what services really as an identity provider and as a security professional, you still have to deliver we're we're worried about security.
Yes, but none of this works for anybody. If we're not providing the service or providing access to the resource that we've agreed that we're supposed to do. And by understanding those services, you can understand the policy intersections. You're really looking to focus. So some points about technology, really the only true requirement is that the technology you implement has to be able to support the policies you're looking to.
You're looking to go live with, as you begin to govern the interactions between workers, accessing your resources, they have to be able to in authenticate users to individual resources and I mean individual.
So one, one token for one application, you can't create an identity ecosystem that allows the user to move laterally between other systems, just because they've authenticated really once now, that's not saying they have to put in their password every single time, but that's saying that their security posture needs to be checked for every single resource that they are accessing the security services.
You implement have to have a way to understand that policies and that, and those policies in that context, that would include strong identity provider integrations with device management, resources, with devices, themselves certificates. These things are going to be required in order to do this effectively short lived access tokens are a must. You need to have your identity provider in terms of a resource constantly rechecking and reauthorizing the user to ensure that they are still who they say they are and under.
And they are still continuing to connect under the context that they connected with. Originally, if I authenticate to my works SSO, to Yahoo's SSO and I all of a sudden authenticate to Yahoo's SSO from a place on the other side of the world, that's a concern. And that's why short lived access tokens are so crucial. And you have the ability to appropriately authorize users and understand the rights that they have through various means of access control, whether it's policy role based or attribute, excuse me, attribute based. So some additional considerations, not all access is created equal.
You will have a concept of privileged accounts, administrative accounts. You're going to have this idea that certain roles like let's say finance roles are far more important than access to maybe a learning management system. And that's okay. We are still dealing with age old. It resource issues. Everybody is you have a finite amount of dollars to spend on solving a particular problem, dollars or time. And you have to decide what to protect and how strong you can protect it.
You're not going to be able to have unlimited investment towards protecting all of the things with the equal level, with an equal level of strength and security. You're not gonna ask somebody to authenticate every five minutes to gain access to that learning management system. There are platforms that you have that you might have a five minute long access token for that's okay.
If, if it's under a particular context and for a particular reason, but you're not going to implement a one size fits all policy in terms of a access control, you have to consider how service identities, access resources. We are working in a, in, in an aggressively, more automated world every day. And this is going to require API token service accounts. These things need to be rotated regularly. These things are part of your zero trust infrastructure check, checking on the context of how these things connect and manage your automated workloads is critical.
If you're going to do this successfully, cuz these things are targets for bad actors, security and monitoring and alerting are always crucial in any, in any it environment. This will of course be maintained through zero trust. This is how you really check your work and the access control and governance framework you have should support auditable approvals. You want proof that somebody did approve the access.
If it is something that you have designed to be approved by a human and that access is regularly recertified to ensure that just because somebody should have had access to something last quarter, doesn't mean they should have it this quarter. So in, in conclusion, you are ready to begin. And like I said, if you have any of these technologies in place today, you are already on your journey.
If you, you choose to be, it does zero trust though does not replace defense and depth strategies. It's really across again, the entire OSI model. The more you simplify your policies, the more successful you're going to be. And security, engagement and culture continues to be important to hear your success and just treat zero trust as your north star, where you're really looking to where you're really looking to be. Thank you very much for your time. Any questions.
