The Zero Trust concept comes with the promise to adequately secure our modern, hybrid IT world at any time and in any place. Manufacturers, consultants and even analysts agree, as they rarely do, that this changed architectural paradigm is an important component of modern, future-oriented security architectures. Alexei and Matthias address the question of why, in practice, only a few powerful zero trust architectures deliver on this promise. They try to answer the question of what organizations need to consider in order to get off to a good start.
Oh, first of all, hello Matthias. I'm also glad to be on your podcast again. Thanks for having me. And yeah, you are right. We have talked about zero trust so many times, talked about it, written and published reports and videos, and everybody agrees that zero trust is the future. Zero trust is a great concept, a great architecture or design, which is supposed to dramatically decrease the complexity of your IT infrastructure. So it's supposed to be easier and more manageable, more convenient for you. In particular, it's nearly perfect in every regard. And yet so few companies actually manage to implement it. And the question is, yeah, what are the challenges or what are the obstacles on this journey? Because we have talked so many times again that zero trust is a journey. It's not a product, it's not a rip-and-replace thing that you just buy and deploy.
So you have to approach it strategically, step by step. But why are so many companies not even making the first step on the journey? Obviously there is something wrong in their IT posture, I would say; the question is what, and I would argue that obviously there are some things which are related to technology, which drive the technical debt everyone is talking about. So if your company has some legacy mainframes or decade-old technologies, or especially if it's focused on manufacturing processes or maybe embedded devices, or just some really old stuff in your basement, yeah, those are unable to be adapted to the zero trust model directly. This is obviously a challenge, but is it a challenge which cannot be solved? Probably not. I mean, we have seen so many solutions which basically implement an identity-aware wrapper around any type of networking device, and they control the traffic.
They encrypt the traffic for the device if it cannot do it itself, they enforce identity-related policies. It's workable, it's possible to implement. So that's probably not the biggest challenge. Well, the other thing I actually find slightly amusing myself, because I've heard it discussed a few times, is that there are some technologies, or I would say some technological trends, which go directly against the zero trust model, and that is everything decentralized. You've probably talked a lot about decentralized identity; there is decentralized networking, like peer-to-peer protocols or service meshes in microservice architectures and so on. And allegedly, if it's decentralized, there should not be a central policy enforcement point in such a network. So it goes against the grain of zero trust architectures. Again, I'm not sure I am buying this argument, because you don't have to make everything decentralized. Right?
And of course, on top of, let's say, the networking layer, you can build another layer, because I mean, even though decade-old networks already comprise like seven (how many layers do we have in the OSI model?), why not add another one to solve the problem? So my argument would be that it's actually the digital transformation itself that is to blame. There are simply too many things a modern business has to worry about: cloud adoption, mobile devices, work from home, this whole pandemic's challenges. So for those businesses, adopting a completely new architecture becomes a very low priority, right? And of course the further challenge is just: who is supposed to drive this adoption?
I think that is one of the most important things. But to go back to your latter point, I would also agree that this is not really an application protocol, application communication issue. As you said, we try to secure the interconnectivity between devices and services; the kind of service that runs on top of this should not have, at least in my opinion, any influence on the actual security of the underlying infrastructure. I don't think that is an unsolvable problem. What you've mentioned right now, that is what I think is really important: we need to have clear ownership within an organization, and maybe also within a group of organizations, to move forward towards zero trust. And that goes hand in hand, I think, with a phased approach. You've mentioned digitalization: so many of the customers, many of our workforce, are currently working from an unsecured network.
So this is actually the reason why we do have zero trust infrastructure in place: because we are working across untrusted, potentially hostile networks, and we need to make sure that the actual connection, the interconnectivity, and on top of that the access, is well maintained. So there is a good reason to start there, for example. So the digital transformation, when it's done right, might be a driver in that situation. And then you can grow from that into the enterprise network and really get rid of that in the end. But having a phased approach, having clear ownership for this process, I think that is key. Would you agree?
Well, this is exactly the problem. There is, or I would say in most companies nowadays there is, no single point of ownership for what is called zero trust. And again, the problem is that different teams, different stakeholders, have a totally different understanding of what zero trust actually means. Yes, you just mentioned working from a hostile network, and we are basically all locked at home, especially, at least here in Georgia, when you have this whole month of lockdown, all working from an untrusted network. So if there is a small consolation in this whole pandemic story, it's that more people now understand the problem, and more people understand that they have to invest more, they have to focus more on the quote-unquote zero trust networking issue. The problem with that is that zero trust networking is not zero trust as a whole, right? It's just one component of the big picture.
And even if you manage to, let's say, persuade your network security team (if you have a relatively large company, you probably have a dedicated network security team, or at least a security team in general), if you manage to persuade them that this is an important thing to implement now, you still have to deal with, I don't know, developers who have totally different priorities; you have to talk to a line of business or manufacturing teams, who probably have absolutely different priorities. And they are not really interested in ripping and replacing their existing OT network with some suspicious new technology. How do you make those teams talk to each other? How do you make them agree on this phased approach? Because everyone would have their own ideas. So again, you have to have a king, you have to have a general, so to say, a single person with appropriate business and operational privileges, if you will, with the right executive power to make this happen.
Yeah, I think that is an issue that is actually not only, or not really, a zero trust issue, but that is really about getting to adequate organizational paradigms within larger organizations and making sure that you have the right level of control, be that a king, a master of all. On the other hand, we need to have the right amount of autonomy for the individual teams while things stay well aligned and well communicated, and following this central paradigm. And this is something that we see in many areas just right now. We see it when we work in larger projects, think cyber security, think identity and access management. But we also see it when it comes to terms like the digital transformation, which also means something different depending on whom you talk to within an organization, and zero trust is no exception from the rule here. So there needs to be, on the one hand, control: policies, rules, guidelines across the board. And on the other hand, there needs to be a way to have a phased approach, to have autonomy within the individual organizational units, to get together towards a common goal, but with every department, every organizational unit, every line of business at their own pace.
Oh, that's exactly the challenge, because autonomy only works properly in a bigger company if it's coordinated across all the different teams, right? So even if you have a benevolent master who does not enforce any centrally managed policies, there still has to be a centrally managed strategy, if you will, guidance and architectural design. And within that central guidance, individual teams with individual requirements and technologies and applications, tech stacks, whatever you name it, would have the autonomy to work towards the same goal. And unfortunately, as we can see, while in theory this is how democracy is supposed to work, in reality it doesn't. So there has to be some kind of a balance between the quote-unquote free market of IT and business goals and the, again quote-unquote, government oversight and intervention.
We as analysts, we as tech guys, we tend to see the option or the opportunity that technology can help solve problems that societies slash organizations cannot solve. As we are talking about zero trust, we understand that this is not just a single technology, it's a paradigm, but independent of that, can we think of standards, of products, of overall architecture concepts that can help in getting there? So is there a standardization, a category of products, that is available and can help in integrating, in unifying and getting to integrated solutions, so that there is a natural way, by technology, by standards, of avoiding the organizational and the political and the, yeah, the human factor?
There are some technologies, I would say there are some existing and almost traditional security-focused technologies, which can quickly help you adopt zero trust in a somewhat unexpected way. For example, very few companies would probably start thinking about zero trust in terms of data and users, right? Because everyone is talking about zero trust for networking, everyone is talking about zero trust for policy enforcement, which is all paramountly important, but you have to start a little bit smaller: you cannot protect what you do not see, right? I mean, there's like an adage which has been repeated thousands of times. So you have to start with knowing what kind of sensitive data you have and where, so data discovery and classification should be like step number zero in any zero trust journey. Then you have to deal with your identities. So if you do not have reliable identity management in place, which not only covers your employees but also the external contractors, partners, maybe customers, if they are involved somehow in your business processes, without all those basics you won't be able to even begin your zero trust journey.
Right. I would fully agree. And on the one hand, as you said, data-centric security is really an important factor, because then you protect what actually needs to be protected, so it's data. On the other hand, I think integration and standardization and getting to a holistic approach by also including most of what is already there. So think of VPNs, firewalls, the MFA tool that you have already in place, the device management, whatever you already have: using that, leveraging that for getting to a first incarnation of a zero trust architecture in an organization, at least for specific aspects within the organization. I think that is something that on the one hand builds upon existing infrastructure, but adds additional value when it comes to adding this zero trust paradigm to existing security infrastructure. If we think of this NIST picture of defining policies and enforcing them afterwards, I think for every organization it would also be a good starting point to leave technology aside and think policies, to think of how access actually should look. So doing the groundwork, the homework, first.
Yeah, absolutely. And of course, with any type of policy, you do not start with the technology. You start with the actual meaning behind it, whether it's a business purpose or a compliance requirement or a security control, and policies always start as, let's say, writings on paper. And only then can you start thinking about translating those writings into IT-related controls. And so you might even have some of those controls already in place. Like if you have a privileged access management solution for your admins, you can absolutely use the same technology, just expand it to other types of users, because your CFO might now be a much more privileged person in your company than any root or domain administrator, because that CFO has the power to drain your company's bank account with a single mouse click, right? So if you expand privileged access management to your CFO, any of those technologies might not even mention zero trust in their names or descriptions, but it would be a huge step towards the same goal.
Right. And this leads us, at the end of our discussion, to three aspects that I think are really worth thinking of. You've mentioned we have to discover and identify and classify what we want to protect, so this is data. We talked about policies and how we can write down in words how access actually should look and how it should be governed. And we've talked about standards and existing technologies to be integrated into a bigger picture of security. So in the end, this all leads all of us and all organizations back to, yeah, defining first of all what you actually want to have. And in the end, it's all risk management. Don't you think?
Well, yes. I mean, it's not only risk management, but yeah. You start with your business goal even, and kind of continue with an inventory of what you actually have to protect and whom you already have to implement this protection for, for example, and then you continue by identifying your risks and assigning tasks to your people. So I would just say, and again, you have to have someone on top to oversee this whole process, because unfortunately, in real life, the democracy doesn't work. You have to enforce those regulations from a single point of responsibility, if you will. Right?
Yeah, I would fully agree. So organization would be another dimension to add to the list that I just mentioned before. So this was a more philosophical episode of this podcast. If people want to learn more about this shiny new concept of zero trust, and you've mentioned that we have already put out some material, what would be your recommendations to start with when visiting KuppingerCole.com? What to read when it comes to having zero trust as that shiny new goal to implement, to protect the crown jewels of your organizations? Well,
To be honest, I probably won't be able to name you the exact numbers of our research papers off the top of my head now. But one important thing is, whether you visit our website or the NIST website or any other resource on the internet, you should not focus on technologies. You should focus on organizational challenges, architectural approaches, concepts, and so on. Again, zero trust is not a product, zero trust is not a tool. It's not even the goal, right? It's basically the way you organize your team to work together towards a relevant business goal. And you have to formulate the business goal for you first, because that alone defines your further steps on the journey.
Right. And if you, as the audience, are interested in learning more about that, you've mentioned, Alexei, the zero trust architecture; that is a good starting point if you want to start that journey at KuppingerCole.com. It's really just that simple: you type zero trust into our search engine on the start page of our website, KuppingerCole.com, and continue from there. And if there are any open questions regarding organization, regarding requirements, regarding support in defining your policies, your policy framework, and prioritizing your requirements and changing your security portfolio over time, please don't hesitate to get in touch with Alexei or me, or just info at KuppingerCole.com. We are happy to help and lead a first discussion just by phone. So get in touch. So that's it for today. That was a really interesting one, I'd say. Thank you very much for being here today.
Well, thank you very much for inviting me. I'm looking forward to a potential next episode together.
Right. And maybe even more philosophical than this one. Thank you again, and bye-bye.