So my name is Fado. I work with PwC in the Netherlands as an information security architect, specializing in digital identity management, and I am also heavily working on zero trust, on establishing our zero trust.
Also how we do zero trust in PwC. So with that, I would like to start on why there even is a zero trust. And I will start with: once upon a time there was this gentleman called Bill Cheswick, who in 1990 advised that the way we do cybersecurity is kind of a crunchy shell around a soft chewy center. That's how he described how we should be doing cybersecurity in 1990.
Now, I don't need to tell you that this wasn't a good idea, or at least it was a good idea in the beginning, but then soon after, when data started getting out of this shell into the cloud, we kind of lost control of the data and of this control around the chewy center.
In fact, in a PwC survey, we have results: 92% of organizations today operate in a multi-cloud environment. At the same time, as security professionals, we are always focusing on attacks and vulnerabilities and always trying to chase these things as they happen.
And again, the same survey shows that attacks are increasing and will be increasing in the future as well, especially in ransomware, cloud attacks and operational technology. So what does this tell us?
Well, first, we are often focusing on things we cannot control, such as, again, attacks and vulnerabilities, for example. And as cybersecurity professionals, we are also seen as slowing down the business instead of running it smoothly.
I mean, one example of this is when there is this enthusiastic person from a business department coming to you saying: we want to publish this new application. And what do we do?
Wait a second, we need to pen test it. We need to try it, we need to integrate it, we need to do all of this.
So we are kind of slowing down the business at the end of the day as well. Lastly, because we are always focusing on the attacks and the vulnerabilities, we are always trying to contain these incidents instead of really resolving the root cause of the problem itself. So the issue here is our trust model, or how we used to architect our security solutions. So how do we actually fix this trust model at the end of the day? Well, first by removing trust, and this is what zero trust is all about.
Second is about shifting our paradigm to explicit rather than implicit. In the IAM world, we always used to think: we are going to keep the bad people out of our organization.
And this is implicit. Explicit is changing all of this methodology into: I'm not going to let anyone in unless they prove to be trustworthy.
In the network world, when we used to architect our firewalls, we used to say we will let everything in apart from these malicious activities. Now we're going to say: we're not going to let anyone in, or any transaction happen, unless I know the transaction. Third is also about focusing on the root cause of the problem and trying to resolve it. And this is what zero trust is about. I'm not going to contain attacks. Even if an attack is going to happen, I don't care.
I trust my infrastructure, I'm going to secure my infrastructure. So it's really about the root cause here, not about the incident. And we do that by focusing on what we control. And what do we control?
Again, it's our assets: our identity, our network, our applications. This is what we are going to concentrate on, instead of concentrating on the outside.
And again, from an IAM perspective, also by changing the culture behind giving permissions. I mean, we do have clients where we often see: well, I'm a director, I need to have all of these permissions.
Well, we need to change this culture, and we only give permissions for what's actually needed to do the job that we need to do.
And lastly, it's not about IAM, it's not about network, it's not about endpoints; it's about actually orchestrating all of these controls, all of these pillars, together and automating them in a way to make decisions in an easy way. So currently around the world, starting with Europe, we have regulations coming up.
Like, for example, we have the health sector in Germany, we have DORA for the financial sector and its suppliers, we have NIS2, which, although they don't enforce it, does recommend doing zero trust. At the same time, in the US you have the memo from President Biden enforcing zero trust for all the federal agencies, and also in the NSA you have all sectors as well enforcing zero trust. So again, it was something, and now it's being regulated and it's being enforced around the world.
So that's all nice, but what is it actually? What is zero trust?
We see it as a strategy to secure your assets and keep the business running smoothly. So at the end of the day, it is really the way, or the journey, that you need to get into to move you from where we are right now to where we want to be: moving, again, from implicit to explicit, from I'm going to give permissions to everyone to I'm going to give permissions only for what's actually needed, to how can we orchestrate all of these different controls and let them all work together for easier decision making.
So we keep talking about these assets, but which assets are we actually referring to in this case? So we talk about overall governance, and in this case we're talking about the people basically: about security awareness campaigns, about performance management, about monitoring. All of this is something that we need also to cover in zero trust. Identity: and in this case we're not only talking about human identity, but also about machine identity, about service accounts, about application-to-application, and all of these kinds of identities as well. Data:
And in this case we're talking about data labeling, mapping, data protection and all of this. When we talk about application workloads, here we're talking about how we develop our applications, how we test our applications, how we ensure application security, vulnerability management and all of that. Network and infrastructure:
We're talking about cloud security, but also physical security, like how we do security in our building, in our HQ or wherever, because this is all cool, but if someone can actually walk into the room with a phone, acting like "I'm walking, just open the door for me", and eventually end up in the data center, then all of these fancy things will just be bypassed.
So physical security is an important part here as well.
Endpoint: and again here we're talking about mobile devices, workstations, IoT as well. So all of these will work together; we will orchestrate all of this together to make decisions at the end of the day.
So how does this work? To show you, we have this use case, and there's this person called Ted. Ted works for a company called Chip; they make chips. In the old way of how we used to do security, Ted has decided to work today in a coffee shop.
So he will log into his computer in a coffee shop, and then the system will recognize that Ted is actually an employee of this company, and he will log in. He's trying to access an application called Chip, and the application will recognize that Ted is an employee and will let him in. That's it. The zero trust way is a little bit different, because Ted will do the login, same thing. Ted will be recognized as an employee, but that's not it. We are going to do more controls.
We're going to see which device he is logging in from: is it managed, is it unmanaged, does it have vulnerabilities or not, does it have a certificate or not, and all of these controls. We're going to check which application he is using and how sensitive the data inside the application is: is it mission critical? And all of that. We're going to see if he is accessing from a public wifi, from a secure wifi, from a malicious IP, and all of this. And at the end of the day, we're going to look into all of this context, put it together, and make a decision.
We're going to decide if we're going to let Ted in or not. In this case, we might just say, okay, well, that's okay, but maybe I need to ask for MFA, and if everything is fine, I'm going to let Ted log in.
Now let's imagine that Ted received a malicious email, he clicked, and his credentials got compromised. The hacker in this case is going to log in using Ted's credentials, and the system will recognize Ted as Ted the employee again, accessing Chip, and that's it. The hacker is in and gets this information. In the zero trust way:
The hacker will log in and will still be recognized as Ted, because he's using his credentials. So that's already passing, and that's not good, but the device the hacker is using is unmanaged, and that will raise some concerns here. At the same time, this hacker is also trying to access sensitive data. He's also accessing from a foreign country in which this specific company does not operate, and is also using a network analyzer.
So when we put all of this into our metrics, to check this and make a decision, there are a lot of red flags here, and eventually we're going to decide to stop access. We're not going to let the hacker log in. So this is zero trust. This is how you see all of this information getting into somewhere we call a decision point, and we're going to decide what we are going to do with this information and take a decision after that.
So we just simulated a social engineering attack basically, because someone stole the credentials. But other attacks, in this case a third-party compromise: this again will be stopped through the risk-based access control which we just saw, how we actually look into different context and decide on it. So it's risk based. Social engineering is the same thing. Other attacks, like ransomware for example, again will be prevented by zero trust, because there are also the network controls and the micro-segmentation that zero trust offers. At the same time, cloud data exposure:
I mean, unfortunately, still today there are some organizations that, when they go to the cloud, think: okay, that's it, the cloud will take care of it, or the cloud is outside of my wall. Zero trust actually ensures that whatever you do in the cloud, the cloud is another asset that I need to protect.
So it's another control that I need to apply. So it's within my environment. Lateral movement, again, it's just like ransomware, where it's going to move from one PC to the other. Lateral movement will be stopped through micro-segmentation. Insider threats:
Insider threats are going to be prevented because, as I said in the beginning, it's about permissions. So if I'm going to give least-privilege permissions, or just enough permissions for everyone to do what they need to do, then I'm going to limit the damage in this case. And even if I'm going to give these specific permissions, then I'm going to actively check the session to see if there's any malicious activity happening, and in case something happens, then we are going to revoke the session.
So this is all cool, but actually how do we do it?
So, to do zero trust, I mean of course in 20 minutes that will be a little bit complex, but I can give you some tips about what we've learned about how we do zero trust. So first of all, it's not a technology, it's not something that you take and implement, or a platform you buy and implement. It's really about people, about processes, about business, about understanding how the organization actually makes money and trying to protect these kinds of areas.
You know, you've got to start somewhere; you're going to change your process, or simplify it even.
So you need to take a holistic approach. In this case you need to look into all of these areas together, instead of looking at it as only a technology implementation. Second, it is a strategy, and it is a strategy about orchestrating these different security pillars. It's not a product that we need to deploy. So you need to think about an orchestration journey.
Third, we really recommend, of course, that you partner with a specialist, because they have a lot of lessons learned from different organizations, sizes and sectors that you can actually tap into and learn from as well. Fourth, and I think this is the most important tip I have: as the slogan goes, just do it. What do I mean by this? You need to start somewhere, and we recommend starting with non-critical applications, non-critical environments, because you're going to make mistakes.
So it's better to make mistakes on the non-critical assets, learn from these mistakes, and then slowly move into the crown jewels and do zero trust there as well.
So how do we do it? We always start with the vision, and what we mean by vision is understanding the risks the organization faces and what challenges the organization currently has. From there we design a vision of where the organization needs to reach. And when we say vision, we're not talking about just one vision, but we're going to look into their identity.
What is your vision for identity? What is your vision for endpoints? How will endpoints look? Do you want bring-your-own-device or only managed devices? For data, how should your data labeling look? The same for endpoints, network, physical security and all of this. What is the vision here? Then we start by assessing the current situation. What is actually in the organization right now?
What's happening in each of these areas? Where are you at? From there, we are going to compare the vision with the current situation and see where the gaps are. Once these gaps are identified, then this is your zero trust, this is the journey, this is the strategy, this is the point: you're going to move from point A to point B, from the current to the future and the vision.
Thank you very much.
Thank you. Does anybody have any questions in the room? I don't see any online yet. Just raise your hand.
Sorry to make you walk.
You mentioned the different industries doing it in different ways. Have you found, from either your or PwC's perspective, that one industry is better at it than another? Or is one diving in with both feet faster than another?
Yeah, I mean, to be quite honest with you, now from a regulation point of view, you see that the heavily regulated industries are really looking at it more than the others. So for example, I mentioned DORA, so you see the financial sector and suppliers are really looking heavily into this. The health sector in Germany is another example; they need to do it before 2028. So they are really looking at it. In the US it is becoming a really big deal, because they need to do it as quickly as possible as well.
So again, unfortunately, once it's regulated, then we need to start doing it and rush around it.
Thank you.
You're welcome.
I think we have time for one more question.
Maybe one. Hmm. An easy question.
Well, is it easy? Do you know a really good starting point to begin your journey? Is it always like a gap, or can you start at any department which is actually asking to do something in the right direction?
Yeah, I mean, actually, this is a very good question, because it's always about your priorities, no? So that's why in the previous slide I mentioned understanding your challenges. So when we do an assessment, for example, we look at the assessment from an identity perspective, from an endpoint perspective, from all of these pillars I mentioned. And one point may be where you are weak at. So maybe you are weak in endpoint, but you are really good in identity, or vice versa.
So of course we're going to start with the weak points first, but it can also be that we want to protect our crown jewels first and then look at the other things. So it's really about your priorities. At the end of the day, if you have the time, then we really recommend starting with the non-critical and then moving to the important stuff. But it depends. Maybe an organization just got attacked and you want to cover that specific area first.
Great. Well, thank you. That's a great introduction to zero trust, good discussion. Thank you.
And, sorry, by the way, if you're interested, there is also a white paper that we just published explaining all of this. So with this QR code you can access it as well.
Thanks again.
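The context-based decision point from the Ted scenario in the talk (device posture, application sensitivity, network, source country, tooling observed on the endpoint, all combined into allow / step-up MFA / deny, plus re-evaluating an established session), written out as an added example. This is not code from the talk, from PwC, or from any product; the signal names, weights, thresholds, the set of countries the hypothetical company "Chip" operates in, and the sample contexts for Ted and for the attacker are all assumptions constructed for illustration.

```python
"""Risk-based access decision point, modelled on the "Ted at Chip" scenario.

Added example, not the talk's or PwC's own tooling. Signals, weights,
thresholds and the sample contexts below are assumptions; a real decision
point would read them from identity, MDM/EDR, network and data-labelling
systems instead of constants.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    DENY = "deny"


@dataclass(frozen=True)
class AccessContext:
    employee: bool               # credentials accepted for a known employee
    device_managed: bool         # device posture from MDM (assumed signal)
    device_has_cert: bool        # device certificate present
    device_vulnerable: bool      # EDR reports unpatched vulnerabilities
    app_mission_critical: bool   # sensitivity of the target application's data
    network: str                 # "corporate", "public_wifi" or "malicious_ip"
    country: str                 # ISO country code of the source address
    network_analyzer_running: bool = False   # EDR-observed tooling (assumed)


# Countries in which the hypothetical company operates (assumption).
OPERATING_COUNTRIES = {"NL", "DE", "US"}

# Risk weight per red flag (assumptions); a higher total is riskier.
WEIGHTS = {
    "unmanaged_device": 40, "no_device_cert": 15, "vulnerable_device": 20,
    "public_wifi": 10, "malicious_ip": 60, "foreign_country": 30,
    "network_analyzer": 40, "mission_critical_app": 15,
}
MFA_THRESHOLD = 10    # score at or above this requires step-up MFA
DENY_THRESHOLD = 70   # score at or above this is denied outright


def risk_signals(ctx: AccessContext) -> list[str]:
    """Translate the raw context into the list of red flags that fired."""
    flags = []
    if not ctx.device_managed:
        flags.append("unmanaged_device")
    if not ctx.device_has_cert:
        flags.append("no_device_cert")
    if ctx.device_vulnerable:
        flags.append("vulnerable_device")
    if ctx.network == "public_wifi":
        flags.append("public_wifi")
    elif ctx.network == "malicious_ip":
        flags.append("malicious_ip")
    if ctx.country not in OPERATING_COUNTRIES:
        flags.append("foreign_country")
    if ctx.network_analyzer_running:
        flags.append("network_analyzer")
    if ctx.app_mission_critical:
        flags.append("mission_critical_app")
    return flags


def decide(ctx: AccessContext) -> tuple[Decision, int, list[str]]:
    """Combine identity plus all context into one decision with its evidence."""
    if not ctx.employee:
        return Decision.DENY, 0, ["unknown_identity"]
    flags = risk_signals(ctx)
    score = sum(WEIGHTS[f] for f in flags)
    # Hard rules (assumptions) that deny regardless of the total score.
    if "malicious_ip" in flags or "network_analyzer" in flags:
        return Decision.DENY, score, flags
    if ctx.app_mission_critical and not ctx.device_managed:
        return Decision.DENY, score, flags   # sensitive data stays off unmanaged devices
    if score >= DENY_THRESHOLD:
        return Decision.DENY, score, flags
    if score >= MFA_THRESHOLD:
        return Decision.STEP_UP_MFA, score, flags
    return Decision.ALLOW, score, flags


def session_still_valid(current: AccessContext) -> bool:
    """Continuous evaluation: re-run the policy on fresh context; revoke on deny."""
    return decide(current)[0] is not Decision.DENY


# Constructed sample contexts (assumptions), following the talk's story.
def ted_in_the_office() -> AccessContext:
    return AccessContext(True, True, True, False, False, "corporate", "NL")

def ted_at_coffee_shop() -> AccessContext:
    return AccessContext(True, True, True, False, False, "public_wifi", "NL")

def attacker_with_stolen_credentials() -> AccessContext:
    # Valid credentials, but unmanaged device, no cert, sensitive app,
    # country the company does not operate in, and a network analyzer running.
    return AccessContext(True, False, False, False, True, "public_wifi", "FR",
                         network_analyzer_running=True)


if __name__ == "__main__":
    for name, ctx in [("Ted, office", ted_in_the_office()),
                      ("Ted, coffee shop", ted_at_coffee_shop()),
                      ("attacker", attacker_with_stolen_credentials())]:
        decision, score, flags = decide(ctx)
        print(f"{name}: {decision.value} (score {score}, flags {flags})")
```

Run stand-alone it prints the three decisions: Ted in the office is allowed, Ted on the coffee-shop wifi is asked for MFA, and the attacker is denied even though the password was correct, with the list of red flags as the evidence a SOC would want logged alongside the decision. The same `decide` function is what `session_still_valid` re-runs on fresh context during a session, which is the "actively checking the session and revoking it" step from the talk.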