So starting us off is a panel discussion on why segmentation must be an essential part of your zero trust program. Now, segmentation is increasingly seen as an effective way of controlling lateral movement. And those of you who were in the ransomware workshop yesterday will have heard how lateral movement is really an important part of that. So we need to impede that lateral movement. And so I'm gonna ask the panelists today to introduce themselves, just give a brief statement, and we'll go from there. Let's start with
Raghu. Thank you very much, Warwick. It's great to be here, and hello to everyone who's in the room and also online. I'm Raghu Nandakumara. I'm one of the field CTOs at Illumio, which means that I spend a lot of my time talking to prospects, talking to customers, speaking at events like this, about the importance of zero trust, the importance of segmentation, and really how segmentation is a critical control now for organizations to mitigate the threat of ransomware, to impede the progress of attacks and ultimately to protect crown jewels. And why is micro segmentation so important as part of a zero trust strategy? Well, zero trust is about least privilege access at every step, whether it's at the connection level, whether it's identity, whether it's even at the execution of programs. So from that perspective, segmentation provides that control at the connectivity level, layer three, layer four, identity, to better allow us to protect assets and limit and contain ransomware, amongst other things.
And then joining us online is Thomas. Thomas, give us your introduction and your opening statement.
Pleased to meet you. I'm Thomas Vara from Mondi Group. Mondi Group is a company that produces paper and packaging. So we are producing basically something that you hold in your hands right now, probably: copy paper, Amazon packages, stuff like that. I'm responsible for communication and networking at Mondi. And part of my responsibility is the micro segmentation that we've introduced together with Illumio in the last two years. I think micro segmentation is the only currently available tool that lets you gain back control in an increasingly complex, cloud-connected application landscape. Security comes now in all shapes and sizes, and it's like a stack of Swiss cheese slices. Yeah. So each slice of Swiss cheese has one hole or several holes, you know, and I think this is a very thick slice of Swiss cheese that has hardly any holes in it and leaves very little attack surface remaining to any possible attacker that'll get through. It's not perfect. Nothing is perfect, but it's a very, very good slice and a very, very able tool in your toolkit against other attacks.
Okay. That's great. Well, both of you have touched on this topic, but I'd like to just get a common understanding of what we actually mean by segmentation and why you think it's such an effective control. Raghu, you mentioned a little bit in your introduction, but, sure, you know, what's your kind of... if somebody comes to you and says, "I believe you're into the segmentation thing, what is that?"
Sure. Okay. So segmentation very simply is really a method by which we limit the ability for sort of lateral movement. What do we mean by lateral movement? The ability to connect between workloads within an organization, within your data center, from your endpoints into your data center estate. So segmentation is a way by which we control, limit this ability to connect, which then has the effect, as Thomas mentioned, of reducing the attack surface. It gives the attacker less to work with for that attack to propagate.
Thomas, have you got anything to add to that?
What you also gain by doing micro segmentation, something that we found very useful, is a very deep insight into what your applications are doing, what is required for keeping this application working, and also what people do out of sloppiness, laziness or lack of organization in the course of time. I think micro segmentation is on one side a fabulous security tool, and the added value that you will get as a free combo package, without any additional side effects, is that you will receive a very good insight and a very good application hygiene in your data centers, cloud environments, and whatnot. So you will be in a situation that is much better with regards to documentation, overview and transparency on what is a desired application, what is a desired process in your system and what is a desired, yeah, configuration in your environment.
So now we talk quite a lot about micro segmentation and identity-based segmentation. Are these terms interchangeable? How do they relate?
Yeah, absolutely. So it's kind of more generically if we talk about segmentation, and then if we talk about identity-based segmentation, micro segmentation, really, why is it different to traditional, let's say, network zoning that we are familiar with, that we've been doing for decades now using network constructs like router ACLs or firewalls, et cetera? So the evolution here with segmentation is that we are using properties of the workload in order to then go and define policy. Right? So the properties of that workload could be like: what application is it running? Right? What function does it perform as part of that application? If you wanna move higher up the stack, what identity is that? Is that device providing some kind of cryptographic identity that identifies it uniquely? Is there a user tied to it? So segmentation really is not just about that typical five-tuple description of a connection, but really it's about sort of elevating that to really talking about the context of a connection.
So when we talk about identity, really what we mean is context, and context allows us to really understand connectivity based on what is the relationship, what is sort of the business relationship between these workloads. And that allows us to talk about whether that is actually a relevant relationship, and thus, if we're talking about zero trust, whether it's a relationship we want to allow, and hence we construct a policy to allow that relationship, or if it is a relationship that shouldn't exist. Which is why, with segmentation, as you continue to evolve it and build sort of those policies that are continually more granular, you can really take that approach where two workloads that may look the same, but provide essentially this different context, this different identity, can have completely different policies. So really, as Thomas was alluding to earlier, you're really uplifting your security posture and providing a granularity and flexibility to your control that a typical sort of network-based approach to segmentation doesn't give you.
That's great. And I'm liking what I'm hearing about context. And that's great when we're talking about the context of ransomware, as we were saying earlier. But Thomas, how easy is this to implement? It sounds great. So how easy is it to implement and maintain? Because, you know, if you're putting all these conditions on things and checks everywhere, isn't that unmanageable or, you know, how did you find it?
I guess it depends on the tool. We've, how shall I say, after long evaluation decided to go for Illumio because of its features for analysis, traffic, policy generation, and their abilities of doing these things enable us to do this as a side job, besides our daily business of managing around 180 sites in our network of roughly, yeah, 20,000 users. Yeah. Meaning that our staff is not overloaded. Yeah. The policy changes are relatively easy to maintain. The introduction is, up to a certain degree, self-explanatory. Yeah. And even if we go for an application that nobody knows anything about and start implementing a policy, normally in two to three weeks we are finished with the policy and have the workloads in enforcement. And that's something that's hardly imaginable doing on an ordinary firewall at the same speed. You get to know your applications, you get to know your environment very well.
Yeah. And you get a very good feel of the quality of suppliers and consultants that implement certain applications in your environment, having a certain impact as well on stuff like your SLA management and your contract negotiations. Yeah. So we've learned a lot and we've seen a lot of good things through Illumio. Yeah. And the tools that Illumio offers as an integrated part of the package are phenomenal, above and beyond anything that we've seen up to now in this segment. Yeah. So the tools to enable you creating the policy and managing the policy, yeah, make life relatively easy and keep it manageable, even after two years of operation with a few hundred workloads.
So I just wanna follow on from what Thomas said. I think what is important to remember is that there are the capabilities that you have. So we talked about sort of micro segmentation, about sort of context-based or identity-based, whatever; in my mind, those terms are all interchangeable, identity and context. So on one side, it's the capabilities: the possibilities of what you could do are large, right? But when you come to an implementation, every organization will have certain security sort of outcomes that they wish to achieve. Right? One organization's initial outcome may be, "I wanna be able to separate production from non-production." Another organization may have an outcome where they have identified a set of high value assets they want to protect, and they're able to identify those. So the outcome determines the amount of context, the amount of sort of a priori information that you need in order to go and build that policy. So it's definitely not the case that you need to start with this sort of hundred different ways that you can describe a workload and use all of those to go and describe policy, right? You identify what is the actual context that I need and use those data points to go and build the policy to effect the security outcome that you wish to. And when you think of it that way, it is a very manageable sort of capability that can be deployed at scale.
Okay. So from what you are describing, I'm seeing how this could be an essential part of zero trust. But what I'm curious to know from both of you, starting with you, Thomas, is why would you say that segmentation is a useful way to get into zero trust? Why is it a useful entry point?
Well, zero trust mainly consists, for us, of three parts. One is identity. That's something, yeah, that you will need to solve in a sort of IAM or similar system. The second part is the access. You know, the access means that you will have to define a way into your organization that gives people access to certain applications. The third layer is: how do you define those applications? How do you find out what applications you have at all? Yeah. And micro segmentation is that tool for finding out what applications people need access to. And I guess the classical firewall is not bad, but, how should I say, starts smelling foul already. This is the only way of finding out what application and what part of your application people actually need access to. They don't need access to the whole server; they probably need access to one or two services on the whole server.
And all the rest that is running on the server is non-user interaction, only required for keeping the system operational, et cetera. Yeah. So you will learn a lot about how many services are there, in some cases hundreds on a server, and how many are actually used by a user. And this is normally two to three services that are actually used by a user. Yeah. And by micro segmenting this off, you will prevent any sort of spraying attacks against ports that are there. You will prevent the ports that are there from being abused to interact with other workloads, which you don't want them to have an interaction with. Yeah. And, especially on Windows workloads, you are even able to segment it down to a level where you can say, okay, this is segmented down to the actual service that's used. So port 80 is no longer open for a server, but port 80 is open for Apache and no other application. And if somebody tries to do a bot big via port 80, or tries to infect you via both virus via port 80, this will not work, you know, because the application will just not respond.
Okay. Unfortunately we're kind of rapidly running out of time. So I don't know, have you got anything you specifically want to add to that? If not... well, if you have, that's fine. But then I'd also like to move on to the question of what are the sort of short-term and long-term benefits of segmentation, and how can that help sort of from a compliance side. So we've spoken a bit about zero trust, but, you know, there is also a compliance component.
So I'll add one thing to what Thomas has said, right? If you're on that zero trust journey and you look at some of the stuff that Forrester have published on the back of that initial sort of paper that defined zero trust, they talk about a zero trust maturity model where you start off by essentially assessing the state of your control, right? You identify where your biggest gap is, and hence where investment at this point in time will result in the significant return on investment, the best sort of increase in your security posture. And typically, in the majority of organizations, there are two areas that often come up as the areas that need significant work. And that is essentially the openness of connectivity, hence aligning to segmentation as kind of an effective way of mitigating that, and also a requirement to improve identity access management, which is why you see kind of that focus.
When people talk about zero trust, they often talk about segmentation as being one of the key controls and identity access management as typically being the other one. So going to your question around sort of compliance, right, already you can see that a number of kind of prominent, whether it's industry bodies, whether it's regulatory bodies, have been talking about segmentation, zero trust. They're not necessarily specifying those terms, but obviously there's the executive order from President Biden a few months ago that explicitly called out to federal and state authorities about adopting zero trust controls. So we can expect that zero trust as a term will now crop up increasingly in compliance requirements, in regulatory requirements, from both the private and the public sector. But also, if you think about it, right, what is zero trust? Well, zero trust is really taking a shift from trying to stop what is bad to identifying what is good and only allowing that.
And often it is far easier to list the things that you want to allow. So if you think about that from a compliance perspective, it's much easier to write statements saying "allow X, Y, Z, deny everything else" rather than "deny X, deny Y, deny Z, deny B, C, D," et cetera. Right? So if you think about it from that perspective, adoption of zero trust should actually simplify some of the compliance frameworks that we have and allow us to audit our controls in a much more effective manner. So I think we'll see that as one of the knock-on effects of the increased adoption of zero trust: that auditing and compliance becomes significantly easier.
Okay. That's great. Now, before I ask our two panelists to wrap up, I just wanna stop there and just check: is there anyone in the room who has a question? I don't see anything online from anybody who's joining us virtually, but before I ask them to start wrapping up, I just wondered whether you'd come today with any particular question in mind around segmentation that you'd like to ask either Raghu or Thomas. Yeah. Let me just grab a mic and I'll take it through to you so that everyone can hear the question, including those of us online. Hello.
I wonder how threat detection and response is addressed by micro segmentation?
Yeah, it's a great question. Right? So if you think about micro segmentation as being a proactive, preventative control, right, then again, it goes back to: I identify what is good and I'm permitting that. So already, from a detection response perspective, I have a picture of what I want to allow, right? So anything that deviates from that allow list already gets me thinking, I need to investigate what this is. So again, if you flip that around, if I'm saying I'm only gonna try and block what is bad, then I have to have a complete picture of what is bad. So it helps detection response from that perspective, in that you have a very clear picture of what good is, and hence it allows you to go and identify anything that doesn't match your picture of good. But again, right, segmentation on its own is not the medicine that is gonna cure everything. It is a capability that is part of a larger detection response framework, but it does provide very valuable telemetry to allow you to improve your detection capabilities.
So the time has slipped by really, really quickly, but I just want to quickly check whether there's anybody else in the room who's got a question. If not, then... Oh yes. Quick,
Quick question about the big picture. Is your application capable of sharing the information with other systems? Is it possible to influence your system from other systems?
Yeah, I mean, absolutely. Every single capability within our product, within the Illumio Core platform, we expose all of that functionality through our REST API. So you are able to integrate that, whether it's upstream or downstream, and either take the data out of it to then leverage in some other system, or use those APIs to go and programmatically interact with our product.
Okay. So is there anything you wanted to add to that, Thomas? 'Cause we've come up against our limit, basically.
Yeah. Basically it's not a viable project in the beginning, like we approached it. Yeah. It's an exercise in application hygiene and a learning exercise for all the application owners. Yeah. And it's a complete change of working for all the infrastructure operators in your organization. Regarding the integration with other tools, I've got to say that the API that's provided is giving you integration into next to any possible tool. Yeah. And the logs that you can draw out of it are perfectly integrable into any SIEM system or similar solution where you aggregate logs, and into threat hunting, threat detection, et cetera. Yeah. So what is provided into and out of this tool is giving you a dramatic improvement over whatever any firewall vendor will be able to provide to you.
Okay. 30 seconds or less, your takeaway, your key
Takeaway, right. Zero trust is achievable. Keep zero trust as a strategy. It's kind of what you're looking to achieve. In order to achieve it, take small steps that you can continuously sort of validate the progress on before you move on to the next thing, rather than trying to boil the ocean and either failing spectacularly or only seeing success in sort of five years' time. Right. Take small steps and you'll see incremental progress in your security posture.
Okay, great. Thank you. Thomas?
Completely agree. Take small steps, take chunks that you can really bite through. Yeah. It will be a hygiene exercise, as I said multiple times already. In the beginning, you will find out a lot about all your standard management applications, from backup to administrator access. Yeah. And once you've got those restricted, it makes sense to start working on the application landscapes themselves, and take one application landscape at a time, and you can't go wrong with it. Yeah.
You, Jeff. The advantage of the system is that you can go step by step and don't have to take one big chunk at one time at all.
Yeah. Okay. That's great. Thanks, Thomas. Thanks, gentlemen, very much. I'm sorry, 20 minutes goes really, really quickly, but please join me and give them a hand.