Analyst Chat #117: Practical Zero Trust

This time Alexei Balaganski and Matthias look at practical approaches to actually implementing Zero Trust for specific, real-life use cases. On this occasion, they also finally unveil the connections between Zero Trust and Feng Shui.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm a Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is a Lead Analyst with KuppingerCole Analysts, and he's mainly covering cybersecurity, but many topics beyond. Hi, Alexei. Good to see you.
Hello Matthias. Great to see you again. Thanks for having me.
Great to have you. And we want to talk about a topic where I think almost everybody has already talked about it. We have talked about it as part of this podcast, but it is still a topic where there is still very much uncertainty about how to actually do it. We want to talk about Zero Trust. We want to talk about practical Zero Trust. And practical means actually doing it. If you would like to give some recommendations to make people understand better, what would be the first useful steps towards a Zero Trust architecture, towards a Zero Trust approach?
Well, Matthias, I guess the biggest challenge for many people is still not understanding why they need Zero Trust. Everybody knows that Zero Trust is great, hooray. We established that as a universal truth a couple of years ago at least. But still, for some people, the biggest challenge is: where do I even start? Do I have to replace my entire network or even my entire IT infrastructure? Do I have to buy something? Do I have to make a big initial investment? And my answer to all those questions would be, no, you don't have to. And in fact, for me, practical Zero Trust essentially means: how do I reuse as much of my existing IT investment as possible? How do I recombine the existing tools? How do I minimize new infrastructure and new software investment and still achieve some quick wins, obviously, and some longer-term strategic goals? And I think I came to an idea of what to compare Zero Trust to: you've probably heard about this ancient Chinese art of bringing harmony to your house, which is called feng shui, for example. And essentially, it's just a way to bring harmony to your house. You don't have to build a new house from scratch, you probably don't even need to buy new furniture. You just have to walk around and apply a few very simple basic rules about the flows of the wind, the water, the chi energy. And then suddenly you just sort of reach harmony and everything becomes instantly better. And I believe in a way we can apply the same rules to Zero Trust as well. Because Zero Trust, again, is not a product. It's not even a combination of tools. It's basically a set of simple rules. And if you follow these rules, if you recombine some of your existing infrastructure and tools and make sure that they work in accord, well, then you will at least make great strides towards the final goal of the journey, so you will achieve Zero Trust. It's much less effort and less investment than you probably expected.
Right. So what would be typical components of existing infrastructure that you can easily reuse to get to a first, as you said, quick win, the first set of quick wins regarding Zero Trust implementation, practical Zero Trust?

Well, if you remember, the biggest, or the first, tenet of Zero Trust is: trust no one. Or put another way, do not leave any places in your infrastructure where the trust is implicit. So obviously your infrastructure, your IT within and outside of your company, in the cloud for example, should never have any spots where you blindly trust anyone or anything. And to me, the most obvious place to start getting rid of is your LAN, your local area network. I mean, for two years you have been forced to work from home remotely. So for two years, for many IT people and business people, there was simply no chance to work in the LAN, in the always-trusting, completely open place where all your IT resources reside. Let's keep it that way. Even when people start returning to their offices, do not allow them to connect their laptops directly to their servers, for example. Okay, I do understand that for some people, that would still mean working with a VPN solution, an old-school connectivity tool, but even that is at least one step closer to Zero Trust than not having any kind of access control within your LAN. So basically, again, Zero Trust always starts with your identity management and access management. So as long as you have a proper, mature IAM system in place, whether it's old-school Active Directory on-prem or a modern cloud-native solution from a third-party vendor, like Okta, Microsoft or any other, you are already on your way to Zero Trust. You just have to probably change a few settings and apply a few corporate policies, saying: yes, from now on there is no LAN, we trust no one, not even each other, for people who are located in the same room. And suddenly and magically you are already getting tangible benefits from Zero Trust.
Right. If you say, "Don't trust but verify," and this verification process is of importance, then I would assume that moving towards multi-factor authentication, strong authentication, would also be an important building block that can be easily achieved and can even be tackled separately, because you need to do it anyway.
Absolutely. And again, when we are talking about multi-factor authentication, we are not talking about one-time passwords sent via SMS, that's not proper MFA anymore. We are probably not even talking just about issuing a YubiKey for every employee. Again, it's better than nothing, but it's not really modern multi-factor authentication anymore. A modern MFA platform is expected to be, a) open and flexible, so that you could adapt it easily to different requirements, different platforms, different types of use and so on, b) it should be extensible, obviously, and c) if you will, or probably the most important key, I think it has to be continuous. You can no longer just verify a user's identity once and then assume that it's still the same user for hours or days as long as they're connected. Something might have happened to their endpoint device, it might be affected by malware. Maybe the user has just left the room and somebody else is typing on that keyboard. A proper modern multi-factor authentication has to be able to account for that, and obviously it has to be able to reach towards the end user's device. So another crucial step towards Zero Trust is taking your end users' devices under control. When we are talking about laptops and desktop computers, whether they are within the office or at home or somewhere else, well, there probably has to be some kind of an agent deployed to that device. You probably already have that agent. It might be, let's say, an antivirus or an EDR solution from a multitude of popular vendors, be it Microsoft, SentinelOne, anybody else. I just cannot name all of those vendors. But I am pretty sure that almost all of those vendors already offer, if not their own Zero Trust solution based on the same technology, then at least a native integration with your existing identity and access management platform. And as soon as you combine your existing IAM and your existing, let's say, EDR, you get Zero Trust, just like that. You don't even have to buy anything, because you probably already have those tools.
Right. One discussion that I'm led into from time to time is this dichotomy between Zero Trust and controlling the device on the one hand, and the trend towards bring-your-own-device approaches on the other, especially for organizations that are in the situation that many of us are in now, working from home. How would you counter that? Is there a dichotomy between bring-your-own-device and Zero Trust, or is there a way out of this?
Well, it's not a dichotomy, because you can absolutely have both. But you have to understand that you should probably not apply the same security policies to your corporate-owned devices and your BYOD devices. Because obviously, if you want to let your user access something really, really sensitive, your finance application, your sensitive intellectual property, whatever, well, you should be able to let them do it from a corporate-owned device where you know for sure that nothing bad has happened. But you should probably not let your users do that from their private iPhones, obviously. So yes, you still have to maintain a baseline and review across all the devices. And of course, from a BYOD device, there will be less telemetry available, but you have to account for that in your security policy. And again, you probably already have those components separately. You just have to make sure that your MDM platform either is able to talk to your IAM platform [...] or maybe consider switching to a platform which does both, and there are vendors on the market now which actually do both. And on top of that, they would offer you unified traceability and unified alerting when something bad happens, either on your own device or within your own application or on a BYOD device. Yeah, as long as you have this common visibility, you have much better control. And again, remember, it's actually explicitly one of the other tenets of Zero Trust: you have to monitor all your assets and you have to take the results of that monitoring into account for every access decision. So if something is compromised, it's absolutely out of the question that access should be terminated, ideally in real time. And you can only do that when you have this visibility.
Absolutely. We've talked now about the traditional corporate network and its replacement by something else. But if organizations apply a risk-based approach and start where they think security can be improved much more than it is as of now, are there other starting points for moving towards Zero Trust, maybe at the factory floor, in the cloud, somewhere else? Could that also be a starting point for Zero Trust, apart from the traditional approach that we just described, "traditional" in quotes, of course?
Well, first of all, again, you have to understand that Zero Trust is not something up in the air. Zero Trust is basically a set of rules which can be applied to different aspects of your IT infrastructure. Basically, you can think of Zero Trust for applications, for example, or Zero Trust for your databases, or Zero Trust for your cloud workloads, or Zero Trust for IoT, or whatever. And even if some of those terms are not yet appearing on the market as turnkey solutions, they already exist as tools. And again, you might even have one of those tools already. The most obvious solutions, like, for example, Zero Trust network access: if your primary concern at the moment is how to let your remote workers or your partners access your business applications securely, you might opt for one of those solutions. And again, you don't need to build a data center, you don't need to buy any hardware, you just bring your credit card to a SaaS-based ZTNA (Zero Trust Network Access) vendor and they will deploy a virtual software-defined network for your company. And then you would start onboarding your existing applications to that network. It might take a day for one application and a week for another 50, but it's completely manageable, and you can even do it in parallel with your existing VPN solutions, for example. And there are vendors which offer both. If you have a VPN solution from one of the vendors, again, I probably won't name them, but there are quite a few popular solutions out there in the market which already offer you this seamless upgrade path from the virtual Zero Trust, if you will, to the real, tangible Zero Trust with the same technology. It's only up to you to understand: is this your top priority, or maybe your top priority is securing your customer data in a database, for whatever reason.
Maybe you are operating in a highly regulated industry and you actually have to go to, let's say, Oracle or IBM or another data security vendor and ask for their Zero Trust solution. And again, you probably already have an Oracle database and all the security controls already built into the database. You just have to know how to set them up accordingly. And of course, vendors are going to support you with that. And of course, analysts and independent consultancies will also be ready to help you with that. One thing you have to keep in mind is always: there are always quick wins, the point solutions, and there is a larger goal in the future. You just have to make sure that all those quick wins align towards that goal. But again, it's kind of like feng shui. You just have to rearrange your existing furniture and put a few flowers there and a vase with water in that corner, and then you would have harmony. And in the same way you would have Zero Trust.
Right, that sounds promising, but the most important takeaway that I have is that it's really not that much to do, but just to start properly and to move in the right direction, taking one step after the other. And there's of course lots more to talk about with regard to that topic. And depending on when the audience listens to this podcast episode, we can either make them take part in our upcoming KCLive event, which will be, from the time of this recording, in a few days, and if they watch it later, they can catch up with what happened. Can you tell me a bit more about this KCLive event?
Absolutely. Well, two days after this podcast goes live, on March 23rd, I believe, we will have this event, which is called Zeroing In On Zero Trust. And this is exactly the same topic, if you will: we no longer have to tell people why they need Zero Trust. But we want to help them understand how to get to Zero Trust as quickly as possible while reusing their existing investment as much as possible. You don't have to wait for anything to start doing Zero Trust. And even more, you're probably already doing it, you just never thought about it with this label. Just look at this whole topic from a slightly different angle. Understand what your quick wins are and start doing it today. That's our message.
Absolutely. So the recommendation for the end of this episode is: go and sign up for this virtual event. It's free. Just register, either afterwards or, if you can take part and be part of the community, even better, and get the information. Learn more from you, Alexei, and from other industry experts regarding that topic. And I would highly recommend it. I will do it. So I think this is really one good starting point for moving to a much more tangible, realistic Zero Trust architecture rather than reading another article about the buzzword bingo all around.
Correct. Absolutely. And of course, I will be there introducing this whole event, and there will be a number of industry practitioners giving you practical, useful advice, and in the end we will even have interactive discussion rooms on different aspects of implementing Zero Trust. So see you there, I guess.
Absolutely. See you there. Thank you very much, Alexei, for giving an insight into how things can really be done, for introducing the event, for being part of the event. And I'm really looking forward to that event and to having you again as a guest on my podcast very soon. Thanks again, Alexei.
Great. Thank you.