Good afternoon. My name is Paul Simmonds. I'm a fellow analyst at KuppingerCole and welcome to this KuppingerCole webinar, zero trust for the workforce. What does it mean for your business? I'm really pleased this afternoon to have Richard Archdeacon from Duo Security here with me. Richard is an advisory CSO for the EMEA region previously with DXC, which was obviously the HP enterprise, where he was chief technologist in the security practice. And Richard's been working for many years with clients all across all industries and all regions. And prior to that, which is where I first met Richard. He worked for Symantec, he's been involved in all sorts of initiatives around the industry from the ISP, the Institute for information security professionals, contributed to the world economic forum, et cetera, et cetera. So it gives me a great pleasure to have Richard with us, as we start this afternoon, he says, it's always nice when my slides advance.
That's let's try that. There we go. So just a reminder for those of you who are EIC regulars with KuppingerCole normally in may, it has been moved to for obvious reasons. We'll try and avoid using the word this afternoon as much as possible, but it's been moved to September. Here are the dates for next year in 2021. And we hope to see you all in Munich next year, September. So just to tell you how this works, we're centrally muted, recording and slides. Yes, we will be recording this and there will be a podcast available. So there is no need to take copious notes of either Richards or my slides and Q and a please. You should find a control panel on your go to webinar. So if you would like to put your questions in on there, I can see them and we will be putting those to Richard a little later in the, in, in the present.
So here's how this is going to run. I'm going to give a very brief overview of zero trust. The history Richard is then going to talk about the business aspects of it and give you the benefit of his experience, which I'm truly looking for. So zero trust probably worth starting off with a timeline for zero trust so that we can understand a little bit about what zero trust is and more importantly, where it came from. So originally, as we all know, for those of us who have been in this industry for an awful lot of time, 1990s, we were all into firewalls, deep packet, inspection, antivirus, et cetera, et cetera, sort of traditional security around 2003. These guys, I was involved with the Jericho forum as was Richard back back then talking about deep parameterization and the original perimeter and highlighting the fact that actually the PR the perimeter was getting less and less useful from a business point of view.
And actually it was starting to inhibit the business 2007. We started discussing this thing, co which we originally, we called computing outside of your perimeter. So this is if there is no perimeter, what then happens. And the answer is, well, you start doing computing outside your perimeter, which the industry eventually called cloud computing. And one of the things Jericho did, if you want to go and Google for it is a thing called the cloud cube, which is how you visualize your architecture in the cloud. Something I thoroughly recommend you go and Google for 2000 million to cloud security came along the cloud security Alliance. If we're going to do this thing called cloud, wouldn't it be a really good idea. If we all came together and put together guidance on industry best practice. And on that point, all the work that Jericho had done had been thrown into the CSA guidance document.
Then 2010, a guy called John kinda Vick working at that point for Forrester research came along and coined this term called zero trust network architecture. And he presented the document. I was actually there when he presented it in Boston and he presented a document called zero trust, networking, art, or network architecture. And as part of that, what he proposed was segmenting and paralyzed and centralized internal networks. In other words, we don't trust the network, the flat network. So what do we do on our internal networks to make that more secure? And then finally, 2012 along came Jericho again with this thing called the Jericho forum identity commandments. And the final two bits of work that Jericho did was actually, if you don't trust your network and your computing is outside of your network, you are left with two major challenges, which is how do you consume identity? And in, in an environment you do not control. And how do you protect your data in an environment you do not control. And those are some of the big challenges that we still face today. When we're talking about zero trust.
So zero trust, what is it? Is it just hype or is it something real? And this is, this is the challenge as we go forward. So all I did here was this was a simple put zero trust in inverted commerce, into Google and see what it throws up. And so there isn't anything particularly scientific about this list, but if you look at the list of vendors here, you will notice there is a whole bunch of vendors and what they're selling you is totally different. Yeah, they've all got the zero trust Monica on them. They've all been branded by their marketing departments or something to do with zero trust. But actually then most of them are nothing to do with each other. So the first thing I'm going to contribute to this discussion, it is really important that you select your zero trust products and solutions with care. Yeah, many of them out there will be a really good fit for your business, but probably just as many will not be a good fit for your business. So it is, and I'm hoping that when we get onto the discussion, you'll, you'll hear this more, but it's about strategic direction. It is about a good fit with your business and how you support your businesses strategy and how zero trust and a zero trust architecture, because that's what we're going to be talking about, supports your business.
So zero trust as a concept has morphed over time. So the original concept of, of proposed concept by John of segmented, paralyzed and centralized internal networks is probably so far removed from what people are doing today, as it could, as it could be. So what is it now? What, what do people think of when we talk about zero trust? It's this it's, it's how you, don't how you deliver your business solutions, flexibly in a welder disparate solutions. And it's taking into account everything we did today from on-premise all types of cloud, remote, working, et cetera. The question we need to answer going forward is if we don't trust the internal network, then what do we replace that trust with? And on the left-hand side is my, is, is my drawing of what the sort of modern network looks like for most people. And if you can't see it, the little picture in the middle of that is actually Hong Kong.
And if you've ever been to Hong Kong at night, it's open for business. All these vendors out there, your network is open for business. The old network was very binary and we trusted it because it was on our internal network. Tomorrow's zero trust architecture should not be binary in any way. It's I trust it to this extent based on these factors, based on what they're trying to do. And we call this thing entitlement and to implement entitlement, and I'll just flip the remaining bits to implement entitlement. We need to be able to gather those sources of trust and evaluate them and apply the output to the technology to enable or maybe, or bar or restrict what that particular entity is trying to do on our network, off our network with our data. And I'm going to argue with you today that the very reason Jericho add in 2012, looked at identity as the key component of the work. The deeper amatorization work is that identity and your identity strategy is going to be at the heart of any zero trust architectural solution.
So let's separate some facts if you like from marketing hype. And why do I have a glass with an olive it on the left-hand side? Well, so zero trust solutions have often been referred to as a martini network or a martini solution. And if you remember the old advert that used to go any time, any place, anywhere, there's a wonderful place you can share. I'm not going to sing it to you. That was the tagline for martini back in the day. And that is ultimately where most people want to get to with the zero trust solutions. Can I share anything I need to, from a business point of view, anywhere with anyone? So again, it's zero trust is a security architecture that needs to be aligned with a business strategy. Yeah. So it's not going to be an off the shelf product or a product solution you can buy, or it's an it only project.
Or actually it's not going to be a one-off project. It's unlikely to be about eliminating your network or your intranet, but it could be, you never know. There are lots of companies out there who are happily existing without an actual physical network. They call their own what is zero trust. It is going to be about a set of products that allow your business to function more effectively, faster with less friction that enable your business to deliver better its business strategy. And for us as it professionals, it is about an architectural state of mind, but it is a journey with some quick wins, as well as long-term strategy. It is about aligning business strategy and security architecture, and it strategy to make sure that the entire lot links up and ultimately, and I used to have in one of my previous jobs as a CTO that used to be CTO for one of our business sectors who used to use us his argument.
He said, could I go out? And he was British. So British telecom buy a raw internet connection socket from British telecom and put that one of those on every single desk and every single home of all my workers. And would it work just as well and just a securely. And I sort of keep that in mind when I think about zero trust. In other words, can we function just as effectively any place we connect and the end effect of how I work should be exactly the same. And if we can get to that in my book, that's a pretty good zero trust implementation.
So yeah, obviously a no, no webinar really today at the moment would be complete without a mention of COVID-19. But actually for zero trust revenue, it's especially relevant. Many business out there out of necessity have moved some faster than others to operating their entire business outside their corporate networks. Yeah. Others have accelerated plans for moving to a deeper motorized state and probably the others are operating some kind of sticking plaster or bandaid solution to enable their people to work. I noticed that, you know, just, just trying to use other people's services, personally, those companies that had an internalized voiceover IP core system for their help desks, boy, were they struggling back in March this year to get something that sort of worked because actually putting all your, your end user help desk staff on the end of voice, over IP, over, over a VPN strained, their networks, big time, such that actually they weren't working at all. Well. So especially, especially relevant as we go forwards and Harris, you know, here are some of the quotes, as you can see, I won't read them out on the screen, but particularly our just highlight the Microsoft one, two years' worth of digital transformation. They reckon I would have said looking at what we've seen out there, that's pretty close to the truth.
So in conclusion, yeah, any correctly implemented zero trust strategy does all of these things, it is about aligning security and it architecture to deliver the needs of business. It is about allowing security particularly to say yes to the business. Yeah. Yes. We are going to be more secure doing this because actually once the bad guys get inside your internal network, they have a field day, as we all know to our cost. Yes. We can easily migrate to some or all systems to the cloud. Yeah. If you have a zero trust architecture that you don't care where it sits, it's easy to say, well, we'll just do this in the cloud, whatever this is. And whether that's office 365, or whether that's platform as a service or infrastructure as a service, zero trust and a zero trust architecture just makes it easier. It is about saying, yes, we can offer greater flexibility for staff, which obviously, you know, a lot of companies out there at the moment are saying in 2021, we don't think we're going to go back to a full office based scenario at best.
We're going to operate some kind of hybrid scenario. And we might actually stay working as homeworking for at least the first quarter, if not the first half of 2021. And again, those zero trust solutions that have been put in are going to be ever so important in making that happen. Yes, we can enable easier access for third parties and our joint venture partners, because that's really important as we look at better ways and more flexible ways of working as a business because very few businesses are just standalone networks where everything is done in house business just does not operate that way anymore. And yes, really importantly, we can support foster initiatives and fast implementation of new business initiatives out there, new business strategies. So when the business comes to you and say, yep, we want to do this security and it can turn round and say, yeah, that's easy.
We can enable that tomorrow because we've got this wonderful architecture out there for me, the architectures that I've been involved in personally, it provides a major reduction in complexity and most security staff out there will tell you that complexity is the enemy of good security. If you make it complex, people don't understand how it works. The bad guys can find chinks. And more importantly, your staff when it's too complex, find workarounds. So ultimately if you can make your, your architectures simpler and easier and more frictionless for your workers, the better your security is. And finally, can we deliver an overall return on investments? So if you invest on this and if you want to go and see the poster child for zero trust initiatives, you go and look at the Google beyond Corp. So beyond Corp is, is what you need to put into a search engine. And they they've actually published a lot of what Google did in terms of their zero trust initiative. And there are some papers out there on what they reckon, the security improvements and the savings and the return on investment of what they did.
So that's hopefully is a good introduction to, to zero trust. And it's, it's my pleasure to welcome Richard to, to the table, the virtual table, and Richard hopefully is going to talk to us a little bit about their experience and what they see talking to other you'd like KuppingerCole duo go out and particularly their advisory CSOs go out and talk to a lot of businesses out there. So just a reminder, this is your chance to pick Richard's brain. So I get firing those questions into that chat box, to, to the nastier, the better Richard over to you.
Great. And thank you very much for that offer to all the people here to send nasty questions through to me. I do appreciate that. Well, I really liked your introduction. And I think that going back to the history of the Jericho form is very important because I think it shows that, that the ideas behind zero trust came out of the practical thinking of leading heads of security in some of the biggest companies in Europe. And I think that's always an a point we should remember. I also picked up on a comment, couple of comments you you've talked about in terms of controlling identity, which is something I will be referring to. But again, I would also emphasize that what I'll be talking about is how we practically implement during some form of a transformation. And where do we start with with zero trust because many people readily understand the idea, but then they suddenly say, well, where do I start?
What do I do with it? How do I get it going? And I think that's really one of the first questions we've got to do. We wrote, we have to answer because it is about changing over time. And as you said, it's not just a product, there's more to it than that. It's architecture, it's it's process. And it's how we change the way we think about security. So I think it's a very, very broad change that we have to think about. It's quite a transformational set of activity that we're going to go through. So how have we started to look at it, look at zero trust from a practical point of view. And what I'd just like to do is go on to now we've broken it down into what we call the three W's, because you said it's all about identity and access and, and, and making sure that we have this flexible solution in place.
So we've tried to think of it in three areas. We're not getting practical. What is happening on our heart with our workforce, our users, what is happening with our applications and what's happening with our network access and how we control that. I think you referred back to John kindergarten's earlier expressions around zero trust, which was mainly down at the network layer. How do we segment the Le the, the network and how do we control it? But of course it's changed now, as you said, beyond all belief, because we have this exploded perimeter, this exploded network. And so we have to assume that it goes beyond our own perimeter and whatever we, we work on in terms of a zero trust approach. It has to look at whether we're inside or outside the network it's whether or not accessing the application on our network, or whether that application is in the cloud.
As you mentioned, giving the business full flexibility. So, as I say, we break this down into three areas, the network I've mentioned, which is really looking at the, how that segmented and what devices are on there and how can they be authenticated and how can you have a policy to control what they can access. And then we look at the workforce, which are the users, how can we confirm who the users are and how do we know what they can access? And how can we control that? And again, we then look at applications, see what applications are doing on the network, what they're communicating with, and is that a secure and trusted form of communication? So we're building almost three control planes that are around the access to our resources and our data, a control plane around our network, around our applications and around our users at each stage of access, we have to remember, we're starting from zero trust.
So we don't trust them. We have to build up a level of trust. How do we confirm that that is the correct person, the correct device, the correct application accessing in that, in the correct. So we start to look at access as untrusted to be moved to trusted. We have to make a policy based decision at the point of access. So we now say that the perimeter that we used to have around our networks has disappeared, but in fact, it's disappeared down to the point of access. So it's actually changed dramatically from being around our organization on network firewall down to the point of access, because that's where we start to make a decision around identity around access around who or what is going to access, what resource against policies that we decided against the level of trust we require to access that resource. So that might mean we look at a high risk resources, say a finance application, and we'll put more levels of control around it that against a lower risk application.
So we, we have continually making this very, very low level policies decision about who and what is going to access a particular resource. So what I'm going to concentrate on a little bit more this afternoon is looking at the workforce. And one of the reasons I want to start there is because that's where I'm finding most organizations are starting one because of the necessity for the reasons that you mentioned about the role of change in the last six months, but also, so this has been a change that's been going on for some time, 18 months ago, I was working with an organization who wanted to change their teams from working in the office to remote working, because it was better for the, the, the, the people that are employed. It was a better work-life balance. So there's been many different initiatives that have been driving this change.
And that's been one of the big changes that we've been seeing happening in day. One of the other reasons why I focus on this area is because if you look at any major breach, you'll often see the words compromised credential. And this really is you using the identity of a valid identity, but using it as a hacker or an attacker might use it. So abusing the identity and it's keeping control of that identity, which is critical. I think Verizon say at 80% of all attacks are through compromised credentials. The same figure gets quoted by a number of people. So we have this, this issue around how do we actually secure the identity in particular of users because of the compromised credential threat. And that is one of the big threats we've got to, to, to manage through this control plane. And also, how do we make our business more flexible? How do we react more quickly to change? So that's really why I'm going to focus in on this area.
So if we now just look at it in a little bit more detail, and let's try and look at what we want to sort of controls, we want to put in place. So again, we've broken it down into three different elements. One is the user identity. Am I who I am really when I access an application or a resource, whether inside the network or outside of the network. And for that, we're now seeing a huge growth in the use of multi-factor authentication, where users will have to authenticate at the time of login. So if I go to log into an application, I put in my username and my password. And as we know, that's not really a strong control anymore. That's been compromised because there's too many passwords out there, too many usernames out there. But what I have to then do is authenticate in a parallel environment out of bands, say on my telephone or something like that, to confirm whom I am.
So we're having that, that policy-based decision, which is, you can only log in based on this risk, if you can authenticate who you are. But what if I authenticate? I say who I am, that's perfectly correct. What happens if my device is compromised as well? We have to make sure that we can establish a level of trust around that device because of that has some form of compromise on it. I've been trusted as a user. I go into the resource, I come in with a compromised device, I open up the resource to attack. So how do we manage that as well? And how do we make sure we know what the state of health is of that device? And then how do we then restrict the application to only a particular access to a particular application based on that level of trust. So it's almost a three stage approach, make sure you know who the, the, the user is, give them a level of trust, make sure that the device is okay because you don't want to let in an untrusted device, you must automatically assume compromise and nest test otherwise, and then only restrict access to specific applications.
And in that way, you reduce the risk of a compromised credential leading to access to a network. And then of course the lateral movement across the network, because you're being very specific about where the user can go. So that's really what we're trying to do at the, at the user end, when they're trying to access a resource that three-step approach identity device application.
So if you're starting off the transformation, what are some of the sample principles that you might want to have? What are we trying to achieve with this transformation? What are our goals? So I think I always start off with this, the zero trust idea of every access originates from an untrusted network. So whether it's inside or outside the network, assume it's untrusted. Secondly, make sure that you treat every application in the same way, whether it's inside your network or on a cloud, for example, it could be on, on, on a private cloud or a public cloud, you have to set up the same level of tests, the same level of, of analysis of that access and enable workers to work from untrusted networks. And if we go back to Paul's example of, of an access plug for every user, can they just plug in and use it?
We should work to be able to manage that. So we'd give our workforces complete flexibility that they can work at any time in that martini way at any place anywhere, anytime. And of course, make sure that the access is authorized and authenticated. So as the right person that confirmed you that, and of course you have concur encryption as well, and then make sure that you manage the, the, the right to access that application. So there's a series of principles that you can start to use to design the control plane around access to your environment for resources by users. And this gives us some idea of the direction in which we have to travel in order to achieve a more flexible, more secure type of environment. As you can see, we can bring in flexibility, but at the same time, we're bringing insecurity. So as security people, we're trying to make people's life easier.
So we're going to be now, Mr. Go. Not Mr. No, as it always used to be. So there's some sample principles that we use. So how do we actually go around this? Well, I always like to have stages in a transformation. I always like to know where we're starting and how we go through the stages of the transformation. Also, it's not just a simple implement a piece of technology. It's going to take time and you're going to have to take steps which are going to measure against business benefits in order to achieve just securing your workforce in the correct way. And so, based on our experience over the last five or six years, this is what we see as being the best steps forward or the most preferred steps. It will be different for any organization. And the first is to go through that confirmation of user identity and make sure that you can trust them.
And this brings about some immediate benefits around reducing risk from credential loss and so forth. So you can start to bring in that identification. You can start to get users confirming who they are, and then start to look in the second stage. Once you've got the users rolled out, make sure you can get visibility into devices. And what they're doing this helps you in a number of ways. One is obviously you could start to distinguish between managed and unmanaged devices and you can then start to bring in controls around them. You can then start to drive some form of awareness of where there's a floor at Erin, a device, for example, an operating system, not being up to date, but also you can start to see a better inventory of devices that are accessing your resources and inventory control is always a big issue in organizations.
And certainly we find that when we start to roll out these controls, we find that often the number of devices that are supposed to be on the network suddenly increases rapidly because we'd never seen them before. And then we start to look at how we can bring in what we call contextual access, giving controls over the different types of access, when and where an individual can access the Orkambi, the organizations resources. Then we start to bring in around making sure that users update their devices to a particular level of trust. And then we make sure that we implement this across all of our applications so that we have a segmented approach where the user gets the right to access an application. And only that application. And because we brought in flexibility around working around where they can access their applications from, we start to get a lot more mobility and productivity from this new environment.
So we've got better inventory, we've got better up-to-date devices, we've got better compliance of our devices. We've got a better knowledge of who is accessing our, our resources. So it's a staged approach. And we always recommend going stage 1, 2, 3, 4, 5, not trying to do it all in one go. So that's really how we look at it from a staged approach through to where we want to achieve a more zero trust oriented access by our employees. And I think that this has got a lot of benefits as well, to, for example, making sure if you are in an incident and you know that it's based on a particular vulnerability, you can block access because you don't want users with a, an unpatched or a device that is patched to low level accessing your, your application. So you can say to them, you cannot access your application until you update your browser or your operating system. And in that way, you're bringing it control down to the lowest level, which is the point to the user.
So how do we start with this? And this is something that I've always liked to work on, try and find out a starting point. And we, we, we take the approach that you should always try and assess where you are now because you will all be starting from different points. So we take the five steps and we break them down into three different levels and any organization can do this. And we look at it from the strategic point of view. Do you have a strategy around zero trust? Do you have a clear inventory strategy? Do you have a clear strategy over access to applications? Then we look at the management controls in place, how you manage inventory, how you update your, your, your active directory, for example, and, and you go through all of the different areas of policy that you need to have control.
And then we looked down at the operational level, looking at the number of devices you've got covered, the number of users you've got covered, the number of applications you've got covered, because it's very important. You build up overall coverage, not partial coverage, because if you only cover part of the organization, what will happen is that you will find that an attack might get in through the side, in other words, through the unprotected area. And then what I also like to do is to set up some sample KPIs or measurements as we go. So let's start to look at our operational cause where we're covering, how much we're improving our inventory, what our device status is, especially around operating systems and browsers. The number of applications we've covered are so many can start to build up monthly or quarterly measurements to show progress as we transform.
And also how we are supporting the risk mitigation around our organization. What particular risk aspects might have been called out on our risk register, how we mitigate them, how are we helping with compliance, getting a better view over our end device, end point devices. For example, one interesting measurement, which I came across, working with an educational unit was about user trust and confidence in the security organization. And I think this goes back to one of the points Paul made about user trust and how we have to be able to make any solution as easy as possible. And when we start to work on driving security decisions down to the end point, which is what we're doing. If I authenticate who I am, I'm making a security decision. I'm saying, I am, I am this definite person. I am now secure and able to go ahead to I the user.
And I might be in our marketing team engineering team or finance team. I'm making that security decision. So what we have to do is, is make sure that we make it as easy as possible, and that we make sure that the users are confident and happy with what they have been given to secure our operations. And this becomes especially important as we work more remotely because we don't have the ability to go across the office, speak to somebody at the desk office and say, how do you do this? We are losing that informal support. So it has be really, really easy and gaining user trust and user confidence is one of those important elements around changing the way our security organizations work. So that's why I found this quite an interesting measurement to put in going to use it every quarter and say, how happy, how comfortable are you with the security function and how it's working?
So what I want to do is just to summarize some of the lessons that we've learned, first of all, zero trust is not an, an item. It's not an object. It's a way of thinking about how security deliver is delivered. It's about an architecture. It's about bringing in those control plates. It's about changing people's attitudes towards security. It's about driving a different culture in the organization. So it's, it's very, very much broader than a product implementation. And I believe that it should be taken in stages. It should be taken in a very controlled fashion so that we can manage that change over time, whether it be clearly measured. The second point, I think, is every organization will have a different starting point. Many would already have implemented some form of zero trust solution or approach within their networking area where they've started to bring in micro segmentation, but they might not have looked at it from the application there or from the user.
So we have to start to try and find out where our best starting point is and where we can start to progress most rapidly. And as I've said earlier, I think normally it starting with the workforce to reduce risk, bring in flexibility and agility and benefit the business. If we have a really well constructed framework for checking on users, as they access, it allows the business to roll out new applications a lot easier as an example. So here's a program that takes over time. One of the important things we've found is to engage, especially the business stakeholders and the users. Otherwise you find it starts off and then it stops, but we have to keep the momentum going. So engaging with the different business owners about their application and how they want them access and how they want them. Communicating is really important. And by implementing these kinds of solutions, we start to get better visibility around our, our assets, around our applications, around our devices.
And we find that we get the ability to talk to those stakeholders better because we know more because we can react more. We also see a new change happening around technology integration now, and many organizations are using zero trust as a way to ensure that as they go forward, they bring an integrated technologies to provide that flexibility, because otherwise we're just going to end up with very rigid silos of operational activity. We can't bring together. One of the other impacts that we're seeing is very interesting that here's the change in terms of policy and policy management. And this is actually often under underestimated. But if you think about it, you have to start bringing up policies around each application, but you start to get a much more complex environment that you have to manage from the policy point of view. So that changes enormously. We're doing some research at the moment.
We find that about a third of organizations just have very simplistic policies because they're still learning how to, to change policy. So those are the main points. One final point I'd like to, to bring up is I have my high argue that zero trust is going to become a standard for all of us in security. The reason I say that is because Mr. Come out with their first one, a second lot of draft principles. And in the United Kingdom, the national cyber security center has also come out with that. I think alphabet version of their design principles. These are new. They're not completed. They probably won't be completed for some time, but I give them, I think they give us a direction of where we're going. And I think they give us the opportunity to start to build a proper constructed approach to zero trust. So my advice is start planning zero trust now because in 18 months, time or 24 months time, somebody is going to ask you, what's your zero trust strategy. What's your zero trust architecture. And you'll be in a position to say, well, where we've followed nest and its changes. And this is the approach that we're going on. So make sure that you, you you've got access to those. So Paul that's really what I wanted to cover in terms of our lessons learned. And I hope that's been helpful and of interest.
No, Richard that's been absolutely fantastic. And yeah, very insightful. Just picking up on your last slide about the NIST standards, then absolutely your chance. Not only to read it, but still to comment on it. So we do two, it is worth looking at it and saying, actually, is this what I think zero trust is? Does it feel my business's needs? And if you don't think it does, then it is your chance to comment on it still. So, and they are accepting comments from non us entities, even though it's NIST, they're a nice bunch over there. So just to cover off one audience question here, which was, is this going to be made available? Absolutely this is being recorded. It will be made into something that you can watch offline and download it on the website. So come back and visit the event, this, this event page on the KuppingerCole website, and you'll be able to get it shortly. So, as I said earlier, this is your chance to ask questions. Please feel free to type messages into the, the chat system for GoToMeeting. And we'll, we'll kick off with a few questions for Richard. So first of all, how many organizations out there are actually implementing zero trust? Cause you get around quite a bit in terms of talking to a lot of disparate businesses out there. So, you know, how widely is it being implemented?
I, I think that's an interesting point. I think we're at the beginning of the zero trust implementation story. I think a lot of organizations have started at the workforce end. They're also realizing that they have also got some probably in their, their network environment, but I would probably estimate that only 10% of organizations are really starting with structured zero trust strategies. So it's still very new and that's one of the reasons that I bring up the NIST standard and the NCRC standards because I think we have to start planning. Now, one of the other interesting aspects is that many organizations have brought in very rapid change over the last six months. And what they're doing now is they're suddenly realizing that they have to put a strategic framework around that. And so they're picking up on zero trust to do that. So I think it's very it's early days yet, but it is gaining a lot of momentum. And as I said before in 18 to 24 months, I think we will all have to have zero trust, architecture and strategy in place. So best start sooner rather than later.
Yeah. And how many of those organizations that you speak to are sort of, of doubling up if you like on that cloud strategy and starting to morph that into a zero trust strategy?
Well, I think what we've found very interestingly, we've had a report out recently, which showed that there was quite a substantial increase in the number of people accessing cloud applications through the kind of frameworks we're developing. So I think it's been used by organizations who are shifting to the cloud so that, you know, there is statistical proof of this. But I think the reason for that is once you've got this structured framework of user application device, you can literally switch people from an application inside the network to a cloud application, their access under control. Very simply we can put it through a cloud SSO type environment in which case they could use many different cloud applications having authenticated ones. So I think we're seeing a gradual increase in terms of cloud applications being used, because it just makes it easier.
Yeah. And as you say, if you have a zero trust approach to life and, and security and networking, then actually that, that transition often that people don't even notice that it's happened. I, I do know one company out there who literally catch it over over the weekend and basically their staff saw no difference, which, which I suppose is the ultimate time. That's the ultimate example of a frictionless, isn't it?
Absolutely. It has to be easy for people to use. If you start bringing more barriers, then it becomes a problem for people. As I always say, your, your colleagues at work, go to the, go to work, to do their work, not to do security work. They go there to do their marketing work. They go there to do that engineering work security must make them able to do their jobs more securely, more easily. So ease of use is absolutely critical. And if, for example, you can just drop in a redirection from an application, one application to another, they don't care where it sits. They really don't. They just want to be secure access, easily, click go. I want to do my work. So I think that's a very important part of the design and the transformation.
Yeah. Yeah. And of those people you've been talking to who are sort of further down the line, what, what can you sort of pass on the other people can steal if you like, in terms of how long does this take?
So I think that to, to get the, these, again, looking at the workforce to get that sorted out, to get MFA out, the first stage is probably fairly straightforward and that can be done fairly rapidly. When you start to look at controlling devices or looking at devices that becomes slightly more complicated. Why? Because you start to live a back end processes, for example, back into inventory management teams and into your vulnerability TVM teams who will then tell you what vulnerabilities need to be patched. So you start to become more complex in the process there. And then finally looking at the applications take slightly more time because you have to understand the risks around each application and the policies that you're going to be putting in, which is why we take it. And we think you should adopt this five stage approach towards it. Normally first stage value can be fairly rapid. We've actually seen it. Examples where people have rolled out multi-factor authentication in the middle of incidents just to stop an incident happening. So it can be done very rapidly, but then you progress and that can take months. And then, you know, it could be up to a year before you really make a lot of progress on the, on the application side.
Right. And, and, and in terms of sort of that progress, what are sort of the, the blockers, what are the sort of the key blockers that you see organizations running into?
I think the biggest, biggest blocker is the people side. It's getting that momentum and getting the buy-in from the stakeholders often within security, our technology solutions can be implemented, might be difficult, might be easy, but we can implement them, but it's actually getting the, from the rest of the business, which is critical. It's making sure that your users are happy, which is critical. It's about getting the people onsite. And I think that's the biggest blocker is, is, is making sure that people keep up the momentum. So making sure that any program as well, sponsored that people understand the benefits that it's used to, for example, demonstrate greater agility in the business that I think helped drives it through.
And I mean, in terms of selling this, especially, you know, I totally agree with you. It is it's, it's always the people that are the blockers and the higher you go, the more issues you have, but in terms of, you know, selling this to the business, I mean, we, the security industry, and I'm just as guilty of this as, as anyone else has done a fantastic job, you know, since the nineties of saying it's all about hardening the network, it's all about, you know, you've been pouring all this money into bigger, deep packet inspection, firewalls, and DMZs and all of this stuff so that this network is protected. And now you're telling me that you're just going to throw it away, convince me I'm going to be more secure.
Yeah. I think that we have to, first of all, change our conversations. As you say, if you go to a senior manager and you start telling about the talking about deep packet inspections, their eyes will close very quickly, that they really are not interested. They don't understand and don't care. I think we have to talk in terms of two topics. One is risk and the other is opportunity. So for example, if we adopt these solutions, your people will have the opportunity to work more flexibly, and you'll be able to start to bring in new applications. We will reduce the risk of loss of data, which could cause a reputational damage and brand damage by adopting these solutions. So I think if we start talking about risk and opportunity, and we can then take the operational discussions, which are how many phishing attacks we blocked, where they were coming from, and we can use that with our operational managers, but I think it's senior executives. We have to start talking about risk opportunity. This is the business risk. I do know what we can make you more successful in business, then they'll start to miss it very quickly.
Absolutely. Yeah. The business enablement ROI is, is what is what the board wants to hear about. And yeah, you're quite right. Not about bigger, deep packet inspection and how far my, my deep packet inspection goes because yeah, they glaze over very quickly with those kinds of discussions, just to delve into the weeds a little bit. You mentioned micro segmentation in, in your last slide or one of your last slides, where, where does the whole micro software defined perimeter, sassy, which you know, which is secure access service age, those kind of technologies fit in to your armory when trying to deliver a zero trust architecture?
Well, I, I think they're all interrelated. I think that implementing zero trust is an essential part of, for example, a sassy type solution because you're looking at securing access from the edge and zero trust does that right from the very beginning. And it also enables us to make sure that we can have that segmented approach using software defined networking SDN, if necessary, to, to make our, our access more controlled and reduce that lateral movement aspect that that will movement risk associate. Of course, it goes on to two other elements around network management and making that more effective. But the starting point for me is zero trust. You're going to have to have zero trust, no matter what you do. It's, to me, it's the fundamental basis for any of these new strategies. So first of all, do zero trust and think about anything else.
Yeah, yeah. And use that to leverage. And, and yeah, I mean the kind of discussions I've been having with people that says, you know, things like software defined perimeter are going to be going to be brilliant for, for legacy, but actually it it's just part of your armory. It is not, I like, like all of these solutions as we sit up front, it is just part of the solution. It is not the solution. Yeah.
And you know, first point is to close the front door and make sure who, you know, who's coming in and make sure you know where they're going. So to start off with looking at the front door, that's, that's always my starting point.
And on that note, I think that that is a fantastic sound bite to finish with. So Richard, thank you very much, indeed. It's been an absolute pleasure as always and yeah, hopefully we will. We will be hearing from you again soon on another webinar.
And I look forward to it when I always enjoy our discussions.
No, it's been great. Thank you very much. Just to finish up with, as I said, just to repeat myself, this will be made available on the KuppingerCole website. So if you've missed anything or if you actually, that was good. I want to go and steal that bit of information out of one of those slides feel free. The webinar will be available up on the KuppingerCole website, just to tell you briefly to finish with about a couple of other bits and pieces that KuppingerCole does. This is Casey plus our new content and research platform. There is a 30 day trial. If you, if you haven't found it already again, go find it, go have a poke around inside it. It's a lots of phenomenal information in that if you tuned in late and your regularity. Yeah, I see. In may, it has moved for next year. No guesses, why it will be in September in 2021. So those are the dates you need to reserve in your diary.
Digital advisory. Another thing from us, again, you get expert knowledge in all bits of identity, access management, cybersecurity, and more so yeah, digital advisory, please talk to her. And finally, KC master classes. So interactive webinars, upstate research certification all day virtual classroom, lots of ways that we are experimenting in delivering valuable content to you in a consumable format for you. And finally, yeah, we aren't related research. So there are some good stuff to go and find within the, the KuppingerCole website. So there's the Analyst Chat as Richard was talking about earlier on this zero trust architecture, there is an Analyst Chat on that. The leadership compass, obviously the executive view on jury security, who you've been hearing from today. And as it said, advisory note firewalls are dead. How to build a resilient defendable network and zero trust as a concept. So lots of information for people to go to go and find. And with that, I would just like to say, thank you very much. I hope this has been a valuable hour of your time to join us and that you have, hopefully got a lot of takeaways that you can apply within your businesses. So thank you very much and goodbye.
