Analyst Chat
Analyst Chat #56: The Project Road Towards Zero Trust - What to Do and Where to Start
This podcast has already looked at the Zero Trust concept as a challenging architectural paradigm for security and an important component of modern and future-oriented security architectures from various angles. This time Christopher and Matthias focus on a phased project approach towards implementing Zero Trust in a well-paced, phased, "one-bite-at-a-time" manner.
Come to the KuppingerCole chat. I'm your host. My name is Matthias. I'm an analyst and advisor at KuppingerCole analysts. My guest today is Christopher Schuetze and he is the director practice cybersecurity. He had KuppingerCole working out from stood guard. Hi, Christopher. Hi Matthias. Haven't talked to you for awhile. Nice to be back.
Good to have you back. And we want to connect directly to the episode that we did last week. Aren't it together with our colleague Alexei. And we've talked about the obstacles towards zero trust. What keeps organizations from implementing zero trust? Why is there not enough? Zero trust from an analyst perspective already within the organizations. And we want to catch up here and you asked the director of the cyber security practice here at KuppingerCole. Maybe we can talk a bit about what should be done, what could be done? What are the right first steps for organizations aiming at zero trust? Where to start? What would be your starting point when it comes to implementing several trusts in the real life?
Yeah. Thank you for that introduction. I also heard what Alex say explained last week and it was, it was really interesting when starting zero trust. Um, the first thing you need to realize is that zero trust is not a single tool. It is a combination of several tools. So it is having something like an identity management, something like an excess management, something for network transparency and things like that. This is really the first thing you need to understand before you start. And then zero trust is something more or less like a process. Um, zero trust is often mentioned with, uh, trust nobody. And this is honestly not true. It just means trust. Nobody was out verification. And this is the idea behind. And just think if you take for instance and risk management approach here, um, what, where would you start? You would start with identifying your assets, your things, your user, your data, your digital, crown jewels.
This is really the first thing you need to find. And this is where your trust starts, identify your assets, your user, and your data. And then, um, assume there is something like a threat. Somebody is trying to steal your crown tools, somebody trying to steal your user, your data, whatever. And this is the first assumption and how to protect your data. Then here, this is quite simple. Uh, theoretically at least you have to define policies which restrict the access to your assets, to your crown jewels. And these policies are not only covering our authentication, uh, on an identity level. They also cover the network transparency. As I mentioned before, they might also cover data, excess governance topics. So are you as a person allowed to access this and combining various metrics from various sources allows you to define really fine granular policies to restrict access to your crown jewels, and therefore allow only people who are potentially allowed to access your crown jewels excess. And this is, um, honesty, something like, um, uh, like a circle and every circle has a part where you verify and monitor your actions. So start with identification of your assets. Then assume that someone is trying to steal your information, your data, define policies against it, and then verify your policies and monitor what is happening to really improve it step by step in the second inclination or things like that. This is the idea behind zero trust.
Okay. That sounds for me as an identity guy, very much like a dynamic risk-based authentication. So we have identities on the one hand, we have strong identities because we need them. We have understood what our assets are, where we want to have access to. Uh, we know that the environment is hostile. Uh, so we need to protect, uh, to the left and to the right and make sure that nobody can interfere with us. And we verify constantly what's going on within the network. So we have identity context, access, um, access policies who have identified where I want to go to where I'm allowed to go to. So this seems to be something that identity people should be used,
So, right. Yeah, you're absolutely right. Mathias. Um, risk-based authentication is really essential here and, uh, an important part to achieve a high level of trust against the person who is trying to access something, but it is not the only thing which is important. So on the one hand, for sure, we have the identity, but we also have, um, the device a user is using. So for instance, currently, most of us are working from home. Some of us use their own device. Um, they use their own network at home. Um, maybe a wireless network was an, a router or things like that. And this is also a thing which is an part of a zero trust. So the device which devices to use or using, can I trust the device? Is there potentially malware installed that, uh, high checks, his accountant tries to get access to my data.
This is also possible, or can I trust the network in general, which the user is using and this combined, maybe with a simple example, the user, uh, is in vacation, um, and tries to get excess from somewhere like China, uh, and never did this before. So this is potentially a strange behavior. You'll have the information from the network. You have the information from your HR department, you have the vacation information and the behavior, and here you can detect something it's uncommon. I don't give the user access, or maybe I combined it, uh, with a multifactor authentication, asked for a second factor. In that case, this is something you can really do. And this is also the most complex thing here, really to define good policies, which cover all the contextual information. So we have in a way that you are able to maintain the policy, but on the other hand, you have effective ones. And this is, as I mentioned before, the circle of zero trust where verify monitoring is an important part of,
Right. So from a project perspective, from a, from a planning perspective, I understand that additionally to the, I am a strong IAM and strong authentication and strong risk-based authentication. We need to look at on the one hand multifactor authentication. And on the other hand, you've mentioned device management are these also important components to have at hand when going zero trust,
Especially the device, uh, is important as mentioned working from home, maybe because your own device, or just checking while you're on the road, uh, your business mails with your mobile device with your private mobile device might be a risk because you potentially access critical data, critical assets of your organization. And therefore an important part of an zero trust strategy must be something like, um, endpoint protection or endpoint protection detection, and response really have the option or idea to understand the level of security of the device. The user is using, trying to access your digital assets. And this is an important thing too. Yes.
You've mentioned that we're working from home, many are working with their own personal devices. How good is, and point protection when it comes to personally owned devices, not managed device?
Yeah, that's a good question. Um, because if it's your own device, um, nobody can force you to install something like an ma where a scanner and Bioscan, well, things like that and nobody's which apps are installed, which applications are installed. And here is a high level of limitation possible. Um, what is also possible in that case that for instance, you do not allow access to really critical data within your organization from such devices. So maybe you implement something like, and level of excess for your data. So for instance, critical data can only be accessed from an company on device and accessing an internal portal was information about the organization. It's not that critical. Um, and this might be accessible via your personal device. And having a level of criticality of your data allows you to handle also unsecure devices to access data. On the other hand, you could, uh, work with things like, uh, virtual machines, virtual desktops, to access critical data via and virtualization layer in between. This can also be an option.
So now that I understand that we have strong identities, we have ideally strong authentication. We have quite proper knowledge about the device, depending on whether it's a personally owned one or a corporate owned device. And we know very much about the resources, the assets to protect what is the most in danger, the most difficult to grasp part in the, in the equation?
Yeah, the most critical thing here is, and I mentioned this before, is it's the network at the end. So working from home, working from any cafe is dangerous because you don't know the network, you don't know the router, you don't know the wireless land, you don't know how it is protected and whether traffic is monitored or not. And this is dangerous, even if you have, um, an encryption with your data. Uh, the network is when talking about an a zero trust organization or strategy, the most critical thing, because currently, uh, we don't have a perfect solution how to handle this so we can encrypt data in transit. Um, we can ensure that the device has, um, a certain level of security or we deny access in the worst case. Uh, we have, uh, authentication for sure, but the network is critical and here is, uh, happening a lot. Uh, there are strategies towards, uh, combining endpoint protection detection response with the networks or something like XDR, um, really to allow the detection of uncommon behavior, uh, in the network to also have some metric about the level of security of the use network, but this is something, um, where are currently working on in the industry. And, but this will come very soon and improve the level of Sievert trust a bit more.
Okay. If we think of CRO trust as a means for a user to use a device, to move across the network, to access individual resources, um, no matter where they are in the cloud, on prem, wherever we need to think of the following components, we need to think of identity and access management. We need to think of course of the applications properly, secured and properly safeguarded. We need to think of, uh, the device properly managed and, uh, network protection. You've mentioned XDR as the upcoming, um, set of products to be in the right position to protect also the network. So when we're looking from a project perspective, um, and do you ask the advisor here, where would you start once somebody has an, a proper IAM in place? So that's assumed that,
Uh, if one has, has a proper IRM in place, um, as mentioned really at the beginning, um, start was identify your crown tools, start with identifying your digital assets. This is really the first seat on an process level, and then decide, uh, maybe going more in the direction of risk based authentication in the first step. Um, use things like the use device, uh, use things like the time, the behavior, so general context to improve the authentication, make an ism. And then in an further phase, uh, go towards endpoint protection detection and response, um, to understand how secure the use device is. Uh, you can also add an layer of data, access governance on, so access governance on data level, and then, uh, followed by XDR or advanced network detection and response,
Right? So in the end, like every it project, it's a journey. You've mentioned that before and Alex, I said that, and John said that with whom I've talked about zero trust as well. So we will not start with a big bang and have the complete mash of connections within our organizations protected by zero trust. We will start, as you said, with identified high value, highly critical assets, the crown jewels you've mentioned, and then move forward, a starting from them to a more sophisticated overall zero trust approach, not saying network, because that is really the, the end goal here. Um, when it comes to, um, resources that our audience can have a look at. Um, we've mentioned that before there is quite some research available at KuppingerCole something special you would recommend.
Yeah. And really interesting starting point is having a look at our block, uh, maybe your search for the term zero trust, and then you find lot of interesting content
Maybe from me, maybe from Alex, say maybe from John too. And there are also some references towards our research documents.
Right? Perfect. And if you want to get in touch with us and talk about your individual journey towards zero trust, we would be happy to, to respond to your questions, just send a mail, um, just get in touch anyway, on Twitter, wherever you can find us. Thank you very much, Christopher, for being my guest today and, uh, looking forward to having you in a further episode soon.
Thank you. .
Good to have you back. And we want to connect directly to the episode that we did last week. Aren't it together with our colleague Alexei. And we've talked about the obstacles towards zero trust. What keeps organizations from implementing zero trust? Why is there not enough? Zero trust from an analyst perspective already within the organizations. And we want to catch up here and you asked the director of the cyber security practice here at KuppingerCole. Maybe we can talk a bit about what should be done, what could be done? What are the right first steps for organizations aiming at zero trust? Where to start? What would be your starting point when it comes to implementing several trusts in the real life?
Yeah. Thank you for that introduction. I also heard what Alex say explained last week and it was, it was really interesting when starting zero trust. Um, the first thing you need to realize is that zero trust is not a single tool. It is a combination of several tools. So it is having something like an identity management, something like an excess management, something for network transparency and things like that. This is really the first thing you need to understand before you start. And then zero trust is something more or less like a process. Um, zero trust is often mentioned with, uh, trust nobody. And this is honestly not true. It just means trust. Nobody was out verification. And this is the idea behind. And just think if you take for instance and risk management approach here, um, what, where would you start? You would start with identifying your assets, your things, your user, your data, your digital, crown jewels.
This is really the first thing you need to find. And this is where your trust starts, identify your assets, your user, and your data. And then, um, assume there is something like a threat. Somebody is trying to steal your crown tools, somebody trying to steal your user, your data, whatever. And this is the first assumption and how to protect your data. Then here, this is quite simple. Uh, theoretically at least you have to define policies which restrict the access to your assets, to your crown jewels. And these policies are not only covering our authentication, uh, on an identity level. They also cover the network transparency. As I mentioned before, they might also cover data, excess governance topics. So are you as a person allowed to access this and combining various metrics from various sources allows you to define really fine granular policies to restrict access to your crown jewels, and therefore allow only people who are potentially allowed to access your crown jewels excess. And this is, um, honesty, something like, um, uh, like a circle and every circle has a part where you verify and monitor your actions. So start with identification of your assets. Then assume that someone is trying to steal your information, your data, define policies against it, and then verify your policies and monitor what is happening to really improve it step by step in the second inclination or things like that. This is the idea behind zero trust.
Okay. That sounds for me as an identity guy, very much like a dynamic risk-based authentication. So we have identities on the one hand, we have strong identities because we need them. We have understood what our assets are, where we want to have access to. Uh, we know that the environment is hostile. Uh, so we need to protect, uh, to the left and to the right and make sure that nobody can interfere with us. And we verify constantly what's going on within the network. So we have identity context, access, um, access policies who have identified where I want to go to where I'm allowed to go to. So this seems to be something that identity people should be used,
So, right. Yeah, you're absolutely right. Mathias. Um, risk-based authentication is really essential here and, uh, an important part to achieve a high level of trust against the person who is trying to access something, but it is not the only thing which is important. So on the one hand, for sure, we have the identity, but we also have, um, the device a user is using. So for instance, currently, most of us are working from home. Some of us use their own device. Um, they use their own network at home. Um, maybe a wireless network was an, a router or things like that. And this is also a thing which is an part of a zero trust. So the device which devices to use or using, can I trust the device? Is there potentially malware installed that, uh, high checks, his accountant tries to get access to my data.
This is also possible, or can I trust the network in general, which the user is using and this combined, maybe with a simple example, the user, uh, is in vacation, um, and tries to get excess from somewhere like China, uh, and never did this before. So this is potentially a strange behavior. You'll have the information from the network. You have the information from your HR department, you have the vacation information and the behavior, and here you can detect something it's uncommon. I don't give the user access, or maybe I combined it, uh, with a multifactor authentication, asked for a second factor. In that case, this is something you can really do. And this is also the most complex thing here, really to define good policies, which cover all the contextual information. So we have in a way that you are able to maintain the policy, but on the other hand, you have effective ones. And this is, as I mentioned before, the circle of zero trust where verify monitoring is an important part of,
Right. So from a project perspective, from a, from a planning perspective, I understand that additionally to the, I am a strong IAM and strong authentication and strong risk-based authentication. We need to look at on the one hand multifactor authentication. And on the other hand, you've mentioned device management are these also important components to have at hand when going zero trust,
Especially the device, uh, is important as mentioned working from home, maybe because your own device, or just checking while you're on the road, uh, your business mails with your mobile device with your private mobile device might be a risk because you potentially access critical data, critical assets of your organization. And therefore an important part of an zero trust strategy must be something like, um, endpoint protection or endpoint protection detection, and response really have the option or idea to understand the level of security of the device. The user is using, trying to access your digital assets. And this is an important thing too. Yes.
You've mentioned that we're working from home, many are working with their own personal devices. How good is, and point protection when it comes to personally owned devices, not managed device?
Yeah, that's a good question. Um, because if it's your own device, um, nobody can force you to install something like an ma where a scanner and Bioscan, well, things like that and nobody's which apps are installed, which applications are installed. And here is a high level of limitation possible. Um, what is also possible in that case that for instance, you do not allow access to really critical data within your organization from such devices. So maybe you implement something like, and level of excess for your data. So for instance, critical data can only be accessed from an company on device and accessing an internal portal was information about the organization. It's not that critical. Um, and this might be accessible via your personal device. And having a level of criticality of your data allows you to handle also unsecure devices to access data. On the other hand, you could, uh, work with things like, uh, virtual machines, virtual desktops, to access critical data via and virtualization layer in between. This can also be an option.
So now that I understand that we have strong identities, we have ideally strong authentication. We have quite proper knowledge about the device, depending on whether it's a personally owned one or a corporate owned device. And we know very much about the resources, the assets to protect what is the most in danger, the most difficult to grasp part in the, in the equation?
Yeah, the most critical thing here is, and I mentioned this before, is it's the network at the end. So working from home, working from any cafe is dangerous because you don't know the network, you don't know the router, you don't know the wireless land, you don't know how it is protected and whether traffic is monitored or not. And this is dangerous, even if you have, um, an encryption with your data. Uh, the network is when talking about an a zero trust organization or strategy, the most critical thing, because currently, uh, we don't have a perfect solution how to handle this so we can encrypt data in transit. Um, we can ensure that the device has, um, a certain level of security or we deny access in the worst case. Uh, we have, uh, authentication for sure, but the network is critical and here is, uh, happening a lot. Uh, there are strategies towards, uh, combining endpoint protection detection response with the networks or something like XDR, um, really to allow the detection of uncommon behavior, uh, in the network to also have some metric about the level of security of the use network, but this is something, um, where are currently working on in the industry. And, but this will come very soon and improve the level of Sievert trust a bit more.
Okay. If we think of CRO trust as a means for a user to use a device, to move across the network, to access individual resources, um, no matter where they are in the cloud, on prem, wherever we need to think of the following components, we need to think of identity and access management. We need to think of course of the applications properly, secured and properly safeguarded. We need to think of, uh, the device properly managed and, uh, network protection. You've mentioned XDR as the upcoming, um, set of products to be in the right position to protect also the network. So when we're looking from a project perspective, um, and do you ask the advisor here, where would you start once somebody has an, a proper IAM in place? So that's assumed that,
Uh, if one has, has a proper IRM in place, um, as mentioned really at the beginning, um, start was identify your crown tools, start with identifying your digital assets. This is really the first seat on an process level, and then decide, uh, maybe going more in the direction of risk based authentication in the first step. Um, use things like the use device, uh, use things like the time, the behavior, so general context to improve the authentication, make an ism. And then in an further phase, uh, go towards endpoint protection detection and response, um, to understand how secure the use device is. Uh, you can also add an layer of data, access governance on, so access governance on data level, and then, uh, followed by XDR or advanced network detection and response,
Right? So in the end, like every it project, it's a journey. You've mentioned that before and Alex, I said that, and John said that with whom I've talked about zero trust as well. So we will not start with a big bang and have the complete mash of connections within our organizations protected by zero trust. We will start, as you said, with identified high value, highly critical assets, the crown jewels you've mentioned, and then move forward, a starting from them to a more sophisticated overall zero trust approach, not saying network, because that is really the, the end goal here. Um, when it comes to, um, resources that our audience can have a look at. Um, we've mentioned that before there is quite some research available at KuppingerCole something special you would recommend.
Yeah. And really interesting starting point is having a look at our block, uh, maybe your search for the term zero trust, and then you find lot of interesting content
Maybe from me, maybe from Alex, say maybe from John too. And there are also some references towards our research documents.
Right? Perfect. And if you want to get in touch with us and talk about your individual journey towards zero trust, we would be happy to, to respond to your questions, just send a mail, um, just get in touch anyway, on Twitter, wherever you can find us. Thank you very much, Christopher, for being my guest today and, uh, looking forward to having you in a further episode soon.
Thank you.
Video Links
Stay Connected
Related Videos
How can we help you