Trust No One: Zero Trust Strategy and Design

Welcome everyone to our equipping, a call webinar trust, no one zero trust strategy and design speakers today are Komi with associate vice persistent systems, Midland Patel, who is product M IBM and me Martin, our and principle Analyst at co call Analyst. This webinar is supported by persistent systems. Before we start some quick information about housekeeping and our upcoming European I identity conference. And after that, we'll directly dive into this subject of today's webinar. So September 13th, to third 16th, we will run our European identity and cloud conference in Munich.

It is a fully hybrid one, so you can participate online or you can with the end in Munich versus possible, it'll be packed by sessions. So we have run run about 180 sessions, so event and networking opportunities, as I've said, boost in an online and in an onsite format combined. And we hope to see you there for the webinar itself. We are doing a recording, so we are recording the webinar. We will make the podcast of the recording, and we will also make the Slidex available for download short term.

We will have a Q and a session by the end of the webinar, and you can enter questions at any time. The more questions we have, the more likely the Q and a session is. So don't miss to enter the questions you have to the experts talking in this webinar, and last and least we will run a few polls during the webinar and discuss the results during the Q and a for the agendas split into three, or maybe we could say four parts today.

In the first part, I'll give a very, very brief perspective on the past and future evolution of zero trust in the second part, then Milan Patel first, and the man will talk about their, their perspectives on zero trust, discussing importance of a roadmap and other practical particular approaches to zero trust. So how to make zero trust, really a reality. This is what Milan andand will talk about. And then in the third part, we will have our Q and a session.

And as I've said, the more questions we have, the better it is before I start my presentation, let's start first poll, which is a very simple question to answer CS or no, which is, have you already considered zero trust. So zero trust strategy for your organization. I give you some, some seconds to answer. And so please do the poll. Give your perspective, where are you with zero trust? Is it already something you're working on? I would say we do another 10 to 15 seconds. Okay. So let's close the poll. Thank you very much. And that is where I don't start was my part of the presentation.

Zero trust. It is a term we have heard a lot of times in the past years, it's relatively old, so that I think it's already past the 10th and anniversary, but it, it really became popular.

I, I would say starting with the pandemic, because that really changed the way organizations had to run their it with work from home, with a lot of need for agility and the digital business and the evolution of organizations from traditional to digital business, etcetera, zero trust at the end of the day is a paradigm. It is a sort of a concept of philosophy.

However, you'd like to phrase it. And it's about a simple thing, which is don't trust in the sense of don't trust single system, but always verify. So it started when we go back to the, the, the roots of zero trust started with saying, don't trust the security have for the parameter, like the firewall. And then think if someone has passed that if someone is in your internal network, then it's safe because there's the lateral movement. There are things like that.

So zero trust the principle for doing cyber security, right, and avoiding traditional pitfalls that come from that arise from depending on a system that then turns out to be not as secure as you have hoped. It's also very important today because it's about a security for an open world, a world where the traditional parameter doesn't play that major role anymore more. It did many years ago. And I think this is just reality today.

We are, people are working from everywhere. Services are running everywhere, and that's what it's about. Enabling everyone to work from everywhere is every device using every service, regardless of where service runs. So this is, this is really the, the, the Quin sense. And so you address is nothing where you say, okay, I go out, this is the one stop shopping, and I buy that tool. And then I have it, because again, then you would say, this is the one tool I addressed in, and exactly this is not for you doing, you need to understand that there are different elements.

And so, so in my perspective, there are a couple of, of, of main building blocks or main areas to look at. So to have a sort of a layered security, because CR trust is very much, really about layered security and identity management, by the way, is a very important thing. And when we look at what is happening, so a user is coming in with a device over whatever type of network or whatever series of networks to systems and applications. So the user at the end is, is, is doing something he's using a service that runs on a system that runs in the cloud wherever.

And then there's also data involved that is at the end, what we have. And so we can relatively easily get a grip on the user. Authentication is something we, we do anyway. So we authenticate user. We can make it probably more secure. So MFA is the first thing always to do. If you doesn't have it in place yet, the device is more tricky because a lot of these devices at the end are not corporate own devices. So managing them is more complex. And that's why, why I didn't go for a green buddy or yellow light here.

The networks maybe are the most complicated area, unless you go back to something where you say, oh, I trust that root everyone. Why was the VPN into my network? And then they are secure anymore. But apparently it's apparent that this is not, it's obvious. It is not zero trust anymore. If you say, I trust the VPN, then you're doing the exact opposite of it. And by the way, rooting everything to your own network. Doesn't really work in today's world of mobile users, work from home cloud services.

Etcetera, doesn't make much sense. Then you have the, the systems on the applications that is something you, you have some control about sometimes more, sometimes less. So sometimes some workloads you, you have a good crib on, on OS maybe, maybe to a lesser extent. So it's also lot about, and we have a ton of recordings and reports about the responsibility split between tenants and providers, when you, when you use cloud services, for instance. So there's a lot of thinking behind it, but you can get a good grip on that. And then there's data at the end of the day.

And zero trust means that you look at where, where do you need to implement controls? Where do you need to implement security at which levels? And it's a lot of that. And it goes even beyond that, because zero trust is evolving. And when we look at this evolution at the beginning, there was the network. So zero trust started with zero trust networks. And this is at the end of the day, something which is relatively hard to control compared for instance, to okay, device sometimes easy, but to the user smart application or the data.

So it evolves from the network to the perspective on device and systems and applications, then the user, and then the data is the evolution. And it's not the end yet. So from zero trust, it is going beyond that to a perspective, which also looks at the comprehensive zero trust and what we need to add. And this is what I put at the top here. We also need to look at, can we trust software? Can we trust the services?

So, so we, we, you might trust have heard about this power shell or power automation, I think vulnerability or, or power BI. I have to look it up. This trust came up this morning.

So, so there just one of these vulnerabilities in more in the zero in the zero, in the no code, low code environments, too much, zero in depth. And, and it means, can you trust, for instance, the platform you're building your, your no-code low-code solutions on, can you address the software you get? We remember the, the solo win attack and, and others CAA. So what can you address? And we need to even further extend it to, to software.

And, and also to, to which extent can we address environments? We are, we are building, we are running our workloads on.

So we, we really need to understand zero dust doesn't stop, but it continues to evolve. And this is not an architecture. And I put architecture into, into the dust. It is really just a picture which shows there are many, many technical solutions you can use within your zero trust model. You will not use all of them. You need to understand which of them are really irrelevant to you, but it's really a, a broad set of technologies, which help you to implement a layered security to implement something where you don't trust a single entity, but where you have a lot of points of verification.

What you need to do is really to understand your risks first, what is really at risk your requirements. So what do you need then look at your architecture. So how does your, your secure trust architecture layer security look like? What do you have already? What is there, what is missing? And then you can go into the prioritization and implement the most important parts around it. As I've said, starting with MFA, for instance is always a good idea.

Before I hand over to Milan, I quickly want to launch the second poll here, which the question here is, do you already have an approach for implementing a comprehensive zero trust model defined? So the one thing that's looking at zero trust the other is do you look already look at an multi-layered approach for that? Or is it something very more at the zero trust network level? Give you again, a couple of seconds to answer this question. Let's give you, give you, so come on some 10 more seconds. Okay. Looks perfect. So with that back to the agenda.

So after this very high level intro and perspective, as I said, I'd like to hand over to Milan Patel who will of IBM, who will talk about his perspectives on the scene and I'll make him de moderator. So Milan it's your term. Thanks Martin. And thanks everyone again for joining this webinar. What I wanted to cover now was a perspective of what we as IBM are looking to drive. When we think about zero trust, as Martin mentioned in the beginning of the call, I am the product manager for our IBM security verify SAS solution or IDAs that we have in market today.

And what I want to talk about is the approaches that we're talking and we're seeing as part of a business driven outcome in driving and starting with a zero trust posture in terms of entry points and being able to drive that. So when we think about zero trust, and when we think about what our customers are asking us, it really starts with understanding the motivations and aligning them to business centric approaches.

Now, when we think about zero trust in the context of business driven approaches, we really see four starting points. When we think about this from a end to end perspective, the first is around privacy and preserving customer privacy. So this is around when we think about zero trust, we think about it in the context of traditional enterprise workforce use cases, but zero trust postures and zero trust approaches from a business perspective can also be applied to consumers and customers, right?

So this is around how you simplify the onboarding and registration of users allow users to manage their privacy and consent, and then enforce specific privacy regulations and controls as it relates to a proper zero trust, posture, and enrolling and rolling out things to make it seamless from a multi-factor and management preference perspective. Although traditionally zero trust has been looked at in the context of enterprise. We see a business pattern where preserving that customer privacy is critical and equipping end users with the ability to protect their experiences.

Their accounts is critical. The second one that we see as we move to the right is around protecting the hybrid cloud. And I think this is something that all of us can understand and appreciate be complexities associated with how the modernization of legacy applications moving to cloud, moving to different deployments in clouds and having that full visibility of control of how to manage users, access to that, how to control all the access associated with that, and being able to monitor the activity and update real time, the configurations needed to ensure a proper zero trust posture.

As I introduce this, I, I, I wanna talk about these four and then I'm gonna dive into one specifically. This next one is around reducing the risk of insider threat. So this is where there's a pattern of identifying the scenarios for enforcing least privileged access, understanding user behavior and anomalies integrated with existing systems to be able to identify threat and then trigger the proper remediation that's needed in the context of an enterprise.

And then the last one, which is one that we're gonna be diving a little bit deeper into as part of a specific use case and a scenario and starting point that we even in IBM are starting on relative to our transformation is around securing the hybrid workforce. So this is around how you, how we look to enable bring your own devices as part of secure managed and unmanaged devices, how to enroll and provide a rollout of multifactor and even go passwordless.

But also how you put all these into context to then understand adaptive risk scores associated with how users are accessing based on the notion of this remote workforce, where employees may be accessing systems from different locations and being able to not compromise the security, but also provide a seamless experience to increase productivity is another area that we've looked at as part of business drivers and business centric outcomes as part of aligning to a zero trust approach. Now, as I mentioned, securing the hybrid workforce is a blueprint, right?

The, the four items that I mentioned earlier are considered blueprints of how a comprehensive zero trust approach can be identified and aligned to address a, a use case end-to-end oriented outcome.

Now, when we think about this in the context of securing the hybrid workforce, putting on the lens from an identity and access management standpoint, which is what I live and breathe every day, this is where we think about how we allow remote workers, office workers, to access various secure resources that are high level high transaction oriented in terms of the value that it is to the enterprise, whether it's internal, external collaboration suites, whether it's access to firewalls, whether it's access to the data center infrastructure platform, as well as key business applications.

What we see in terms of the need from an identity and access management standpoint, which are the items that you see in, in the purple squares is around doing as, as Martin mentioned, multifactor authentication, which is a starting point, but enabling that such it has integration points into devices so that you can do and provide conditional based based on users coming in for managed or unmanaged devices, as well as rolling out a risk based score to identify risky behavior through adaptive access.

Now, again, these are just the, the blueprints from an IBM perspective that we see critical as evaluating and then aligning in the context of a proper zero trust business outcome driven approach, specifically around securing the hybrid workforce. And what you'll see is our view in using these blueprints across the other entry points that we've indicated as part of the business outcomes, but really wanted to focus on and evaluate and articulate sort of what we're doing in the context of securing the hybrid workforce.

So with that, what I do wanna share is a story of what we've been doing internally at IBM, our goal, and this is actually something that we've been evaluating before COVID, but we wanted to provide a proper rollout for a digital transformation for all IBM employees, 600,000 plus user population, both contractors and regular employees as part of modernizing how productivity is done while also providing a secure means of interacting with workforce oriented use cases and workforce oriented workflows.

Now, as we think about this, this really lends itself to securing the hybrid workforce and even so going into the notion, when we think about the hybrid workforce, the, the remote workforce now over the two year period, there were a sec a set of goals and criteria that we set out the first is a, what the first was around how we modernize the applications and security frameworks.

A lot of applications were non standard applications or older applications as part of business processes that we modernize to more microservices oriented architectures, as well as using these standards based approaches for security. So that enrolling and enabling things like multifactor risk based became easier using standards based open ID connect and SAML. But the other notion here was there were some applications that needed to remain on premises due to regulatory requirements.

And part of that was how do we enable those applications to be protected from the cloud to allow for that agility while also remaining compliant to some of those aspects in the context of business requirements. As I mentioned, this protection of the remote workforce started out with the securing the hybrid workforce, where we rolled out MFA to all 600,000 employees. The rollout of that consists of two methods of MSA MFA, as well as the ability to go passwordless across all the applications that IBM employees interface with.

And then the last thing that was important for us was as part of that data residency requirements, a lot of the user information registries needed to remain on premises and doing so without having to re-architect or open up the network firewalls. And this is what from an IBM solution standpoint with verify, allowed them to seem allowed IBM to seamlessly move those applications and do the authentication with those users that were remained on premises and starting to onboard and move those applications to the cloud and still preserve that authentication experience.

But what that also allowed was the ability to then add on the advanced capabilities for multifactor and adaptive access. And this also takes into account in, into account that all of our devices that we get are managed with our mobile device endpoint solution, as well as bring your own devices are enabled as well as part of this.

And again, putting this in the context of how to secure the remote hybrid workforce and ensuring that proper zero trust posture, again, starting out with the IAM portion in the hybrid workforce scenario now on the right, you'll see our login experiences as IBM employees, where you can see that I can log in with my traditional credentials, username and password in which it would prompt an MFA, or I can do things around QR code or even Fido as I've enrolled as an employee in IBM as part of the rollout that, and the transformation that we're doing.

But the main message here is the journey helps as part of zero trust. And as part of securing the hybrid workforce was a business outcome in driving the modernization, as well as securing the user experience and enabling how employees are become more productive in terms of their, their workflows and their experiences. So with that, what I did wanted to also mention was the, the solution and the platform that was used IBM security verify SaaS for those that don't know is a comprehensive Ida platform.

And as part of that Ida platform, we offer a rich set of capabilities as part of the identity as a service that include things around single sign on multifactor risk based authentication in terms of an access oriented solution. But we also are bringing key governance capabilities that are in market today as part of our solution, as part of our identity governance capabilities that are all available through the identity as a service offered by IBM security verify.

Now, the items in purple underneath each of these use cases that we offer as part of our SaaS platform today are the things that the IBM transformation took advantage of as part of enabling the use cases for securing the hybrid workforce. But all of what I've described in the previous slide was enabled by IBM security, verify SAS as the IDAs that delivered that value to customers, not only from an IBM perspective, but also other customers that we've been working with.

For example, a local city department of education was able to migrate their users and do go into a remote work remote learning experience that would typically take six months and condense that into two weeks and using verify SAS. They were able to accelerate that remote learning experiences for parents, teachers, and students when COVID struck.

And again, verify SAS was used to enable and facilitate those that transformation. Now with that, the last thing that I wanna end on before I hand it over to Schumann is the, the blueprints that we described are something that we use, as I mentioned, as the starter to drive for that business driven outcome, we share that blueprint related to securing the hybrid workforce, which you'll see on the bottom, right?

But there's other blueprints that we have that we use in conversations with customers, partners in how we can then map that to not only the journey that customers want as part of their zero trust approach, but also then aligning that to then the key capabilities and platform requirements to do that, whether it's using something that is provided from, you know, IBM security or being interoperable and extensible into existing investments, as part of enabling a proper zero trust approach.

And I think that's a key, key, key item here, knowing that organizations tend to practice some, some aspects of geo trust today, but a lot of it is formalizing it in the context where you have that end to end business driven outcome approach.

And that's really sort of the perspective and the value that we bring as part of not only from a alignment perspective, but also from an enabling technology perspective to help accelerate zero trust adoption across all the, the, the, across all the use cases within an enterprise that an enterprise can see now with that, what I wanted to end was how, how folks can start with zero trust in terms of learning, getting started and improving that posture.

I know this is a set of links to just get started, but this is really sort of in, in more detail articulating some of the things that we offer as part of enabling and starting that zero trust transformation, really bridging off of, you know, again, the use cases and the success stories that we've seen, not only internally in IBM, but outside with customers that we're working with. And with that, I'm going to pass it off, stop sharing first, and then hand it off to anima. Thank you, Milan. And I'm handing over to Anand making him the moderator. So Anand it's your turn. Thank you, Martin.

Thank you, Milan. Really appreciate everyone joining, coming together to hear about our short St about zero trust. One R is not enough, but from persistent, my name Isman go. I look after the global security services business for persistent based out of New Jersey, I would, you have heard about the context, why zero trust and how to some extent with, from Milan, I'm going to throw some more colors about our experience and experience with our client base. And zero trust is a journey. Martin has alluded to, to it, But a decent ecosystem prevails within a lot of mature clients.

The profiles that we manage, where we have client base has invested, but that's not enough. I, I would like to talk a little bit about why zero trust in the first place in 2009, an Analyst from Forster introduce this concept. It's not to yield zero trust within employees or customers or supplies, but what it yields more towards implementing the design principles, where we cannot trust any data feed, any device, any users, behaviors, and Martin alluded beautifully on that front.

I would like to draw your attention to recent recent breach reports, Verizon Verizon's data breach investigation report that came out earlier this year. It's leading action varieties in breaches constitute fishing. Second is ransomware. Third top of the list is misconfigurations and the list goes on, but these are fundamental shifts that we are seeing post pandemic.

If, if we can consider that we are in the post era, but organization today, gaining grounds from security investments, it's not all dark and grim, 2015, some stats say one third of the attacks were successful, but later some of the researchers alluded about one eighth of the attacks are successful. So there is a shift. We are making some progress, but there are too much to do a very interesting read, caught my eyes only recently, while preparing for this presentation from crib zone security, a blog, very renowned personality in the security ecosystem it's published in August 19th, 2021.

It's not very old, very unique use case is emerging disgruntled employees to deploy ransomware, just pause and think for a minute, he goes and stating criminal hackers, emailing employees directly to unleash malware inside a profitable enterprise network for a profit sharing model. Just pause. Very interesting finding and read. I would highly recommend whoever is participating in this webinar, go and take a look at this entire experience which came out in its blog. Very interesting.

So the criminal intent and are emerging and are emerging in good creativity is from not only criminal enterprises, but nation states. That's, that's probably the fundamental shift. This COVID pandemic has propelled these businesses to drive towards digital. And the nuances of convolutions of the digital proliferation of transformations are creating the undulations of attack surfaces.

APDs are, I mean, you wouldn't realize that you are already reached. So these are some of the stats. Our friends in Gartner has published around in March. The 30% of enterprise locations will only use van connectivity from 15% in 2020, 30%, 2024 would use secure web gateway CASB, Z T a.

So these, these, these stats gives an indication, but I think we are at a point where these stats are overridden by acceleration from our client base. Some of the pillars that rationalizes, why we embrace zero trust, remote work, and working in where I, I think this concept is, and, and both Martin and million alluded towards some of the use cases they are experiencing and promoting.

I, I think this is the foundation of, of the shift shift in the architecture shift, in the architecture requirements that enterprises need to start thinking where to start. It's not that they have not started or invested yet, but with the kind of working anywhere, cloud adoption momentum network and security are controls are conversing, and there is a need to do that. And I will, I will speak towards that in the subsequent areas. Zero trust edge edge computing is where the data sources are getting close to the users.

The compute power is moving, shifting towards users, Talking about the building blocks of zero trust component framework. We are seeing a traditional parameter based network oriented security architecture is shifting to continuous verification of trust approach to deliver outcomes could be numerous on a pragmatic approach is to just like any other portfolio of programs. You are outlined the various work streams and outcomes of your journey. That's easy to say than are.

Most of our clients have invested in platforms addressing various key tenants of security functions, but this new norms of delivering business from a hybrid of on-prem and cloud requires a new architecture and a mindset of processes and ownerships. It's not technology alone that needs to be factored in the roadmap stitching components. As you can observe using automation, layers, bring efficiency to cast the bad guys, continuous monitoring and verifying trust. I think new log feeds are emerging.

As we are strengthening the security information and event management, whole architecture of security operations layered by the so automation blocking the bad guys from moving laterally, using micro and macro segmentations. Those are some of the themes that our clients are struggling. What's the starting point, how we can help. When we work with our client base, we assess and build the requirements to define current investments of hardware and software using missed CSF or CIS benchmarking capabilities create a practical and pragmatic approach to define business case in a phased approach.

No one vendor will provide full stack of function, and that's really let's stay for an example, data security functions, this several data security functions that needs to be considered during the early stages of your program. Design data discovery, data classification within data classification, data classification of structured data, semi-structured data, unstructured data, very few partners provide all these capabilities today. Data office data archival. Very interesting point came came up when we were talking to a financial organization, financial client of ours, he said, I have CPDR.

I got hit by ransomware. One day's loss of transactions will hit me badly. I need point in time recovery. Can you bring that? Which partner on the planet brings that capability? So lessons learned data, privacy, data diligence. And if you are operating out of Europe, you know, well known GDPR requirements. So these are some of the nuances which you have already invested probably, but need to stitch in, into the new architecture, the new teams, what we are looking through a different lens today, the traditional security domains standalone domains are never relevant today.

I cannot say I have all infrastructure security network security and cloud security controls in place. Do I have identity and access management and IGA principles threading these perimeter security application security and data security and even governance, risk and compliance. So it needs to be seen from preventive approach and a reactive approach. So all these towers, as you can observe, as you breach and contain, you are assuming you are already breached. So this mayor theme itself lends you to define a preventive control so that if you are to design, you are assuming you are breached.

What all controls do you need? So we try to articulate the portfolio of projects and transitioning them to operations in a phased manner, but integrating across security domains today, integration of security domains is the key to leverage the strengths of zero trust. If I have to define these steps to start for a zero trust, I would do a discovery of assets, do a threat modeling mapping, transaction flows, data flows and process flows create a business case for, for stakeholders.

Buy-in, that's super critical. And this has resulted in creating this zero trust governance and operating model where business it ownership is extremely crucial to deliver a business resilience office. One of the CSOs asked me, I have a risk office. I have a engineering office. Why do I need another office? Us risk office engineering office is very it centric today. We need to think through more with a broader stroke of business resilience instead of it resilience. And that's what we had put together.

This framework of creating roles of architecture, creating roles of different domains that are relevant for zero trust governance and rolling out this operating model. So with that, I think we can go on and on the, we would like to discuss later on the challenges, what these programs will bring to the table, but security access and service edge is the backbone and zero trust network access is the mindset with that said, I will pass on this thread to Martin. Okay. Thank you. And shaman. So the next part of our agenda is to Q a and also unmute Milan.

So Milan and LAN, we right now then can pick the, or deliver the answers to the questions we already have received. So we have a couple of questions here and I'm, I'm happy for the attendees to enter photo questions. The more we have the better it is. And I'd like to start, start with a, on one hand, simple on the other hand, probably very complex to answer question here, maybe to, to answer mine first and then Milan, which is how long does it take to implement zero? Trust It, may I take that? Yes. Go ahead. I'm showing you so it's a journey.

So it depends on the maturity of the ecosystem. Of course. And as I have alluded earlier in 2009, after Forrester came out with this concept, we review our client ecosystem. It's we have already invested in different technologies, different processes. It's extremely dependent on the assessment outcome of your current security investments and current security posture. Right? It can be some of our clients, we have established roadmap from 18 to 24 months, right. But it's right after 24 months, you cannot say I'm, I'm zero trust. Okay. Enabled it's a continuous process.

As I have mentioned earlier, you need to continuously monitor and validate your trust. And, and I like the answer shaman because I think that very well to that.

So, so you can have some, some level of zero trust very quickly and you never will be ready in some way, because also the, I would say the concept as I've I've talked about is evolving. There are new things to look at. So we learned the hard way in the past 12 months that looking at software, not trusting software is very essential because we have to serve party software risks, and there will be other things we will learn over time.

So it's, it's a journey. And also the way we do it is evolving. And I think this is the point. And I think it's important to understand, to understand zero trust is an important principle, which means when, when you do something, is it because you then feel, oh, this thing makes me secure, which is critical, or because you do it because it helps you to add another layer, another element to your security model to have more verification. I think this is, this is the point mil. Do you also want to add something to that question before we move on to the next one?

Yeah, I, I think, yeah, I think the, the general comment is mileage may vary and I, that may be ambiguous, but what I do want to give is, you know, the data points and reiterating what I mentioned earlier, right? So we, we had a city department of education come to us and COVID hit earlier in 2020. Right. And they needed to immediately move to remote workforce and remote learning. And that was a typical six month period that we accelerated at two weeks. Now that part of that was because they already had the foundation in place. Right.

And part of that was that enabling MFA, enabling all the tablets that they needed for those that didn't have internet connection or access to internet, things of that nature. But the other one was, you know, us as IBM, we, we were on a two year journey, but a lot of that was because of, you know, population number of applications and just rolling out.

But as, as Countryman mentioned, it's, it's a journey, right? And part of that is starting with a journey that delivers an outcome and then sort of working with the existing constructs.

I, I don't think it is practical to say, we need to rip and replace everything because there are maybe end point solutions that organizations have invested in there. There's IM solutions that organizations invested in part of that is aligning to what is existing and allowing that modularity and plugability to then drive these business outcomes. So mileage may vary, but I think it's, it's part of aligning and evaluating what exists today and then defining sort of that roadmap. Because as I mentioned, it could be just extending on top of what is there.

It just requires a, a view into sort of an end to end evaluation and, and business driver and value. Yeah. Okay. Thank you. And maybe then move to the next question. I think it's an interesting one, which at the end, I shorten it a little is, is zero trust, not just yet another password.

So I, I have a very, very clear perspective on that. And I think zero trust has evolved from, from a password to something which is very real, very helpful as a paradigm as a, as a concept, to, to structure what you do and what you focus on in security Milan. And andand, what's your perspective on that? Yeah.

I can go as, as I mentioned, and as you mentioned, Martin and zero trust for us is a, is a, an existing framework of a posture that organizations need to really, really, really look at and evaluate because the conversations in zero trust, although it may seem like a buzzword, but when you look at it from the blueprint perspective, it really looks at putting a seamless flow of how data, how identities, how information is all streamlined and aligned so that you have that commonality and barrier and visibility into everything that happens. Right.

When you think about this concentric circle of servers to then applications, to users, like all of that needs to be in a aligned manner so that you have that control and visibility, right? So although zero trust is the word that captures that it's really the then driving force that requires the silos to be broken down across the interactions in what an enterprise has as part of, you know, their resources, their users, their applications, and their data.

Martin, would you mind, would you mind repeating the question once again? Yeah. At the end, the question was it's zero trust, not trust yet another password. It could be turned as another, another phrase in industry, but essentially risk is the problem. Security is the solution, right? So if you look at through that lens where I think we are converging with the new emergence of the new norms of working remotely and moving into cloud and increasing SaaS behaviors in the employees, customers and supply chains, I think foundationally authentication and authorization is bringing that trust.

So stringing that authentication and authorization across different domains of security and not only security, I would say it needs to be strong through the it ecosystem. And it needs to go into the business processes. And that's where business is driven by digitalization or digital transformation because of this pandemic. And if you look into the history of pandemic, 1918 was first influencer still today, we, we give flu vaccine, right? So this is going to stay COVID is going to stay our experience. Probably the window.

We are shortening with the advancements of using AI ML into the, into our live stream. The window of experience of coming out of C's impact will shrink, but it's not shrinking within next five years or 10 years, if a hundred years is previous influencers impact, right? So this digital transformation is going to stay and business is going to evolve more and more using digital strength to deliver changes in human behaviors. So taking that trust is the basic requirement, which needs to be there at every level, whatever we do.

And I think it's coined it accurately and appropriately, and it's not laid, I would say. Okay.

And, and maybe that's a good point to look at the polar results of the first poll first, and then the second of the polls and the first poll. I think that, that trust very clearly that I would dare to say that we are beyond the password stage. So 85% of the participants that they, they already are considering zero trust for the organization. So it's really something which is in focus of most organizations that aligns with other service. We did recently when we then look at the, the second element or the second question, the second poll, and there's a slightly different, but also related.

And I would dare to say, that's surprising result. So it is that the numbers for, do you, do you really look at a multi-layered approach for zero trust? That number is lower than we are looking at zero trust. So it's still an evolution within zero trust towards this broader perspective where zero trust has evolved well beyond zero trust networks, but it is something which is real, which is in an implementation in a conceptual state, in, at various levels in organizations, from what we see, what we observe in the market. And I think that that fits quite well to what we just said about Buster.

So having a very few minutes left, I I'd like to ask Aman you first and then Milan for, for short statement about what are, from your perspective, the main challenges, or maybe what is the main challenge and implementing a zero trust approach.

And Jamal, I can go on and on for a hour on that, but to some sum it up, I think discovering your assets and doing a threat modeling is the key for your program plan or the portfolio plan towards accomplishing zero trust objectives, and setting up your business stakeholders and setting that business resilience office structure or framework within your organization and getting all the business application owners and data owners having one leg into that office is I think, paramount for your success.

Otherwise the frictions and the business case rationalizing effort will jeopardize your progress. I, I think, I mean, hun Truman mentioned it it's around understanding and realizing the investments there exist in the enterprise. The other thing that I'll mention is, you know, I think we see a lot of entry points and how folks look at zero trust, right?

They, they, they wanna do it in the context of, you know, a, a regulation. They wanna do it in the context of a specific solution. They wanna do it in the context of, you know, a platform based approach. But what we've seen success in is aligning it to a business goal. And part of that is that evaluation that needs to be done in where the organization wants to move as part of a modernization or digital transformation roadmap. And then aligning that to an outcome of how zero trust can help fortify, accelerate and provide a more secure approach to doing that.

Whether it's shifting to a remote workforce, whether it's moving applications to the cloud, whether it's addressing consumer use cases, right? Those are the things that we see as business outcomes, and then really aligning that roadmap to how you would embed zero trust in that context would be either existing investments that organizations have or investments that need to be made to align and ensure that zero trust approach.

Okay, Perfect. Milan, thank you very much.

We are, unfortunately already at the end of the time, I think as essentially know that we can probably spend a couple of hours discussing field trust, but right now it's time to say thank you to all the attendants of scoping call webinar, hope to have you sued back in one of our webinars or at the IC conference and our high performance being online or in Munich. Thank you very much. And Milan for your input and talk to you soon again. Thank you, Martin.