Martin Kuppinger and Danna Bethlehem, Director of Product Marketing at Thales, discuss their perspectives on the interplay of Zero Trust and Identity and Access Management.
Welcome everyone to our podcast. This is a conversation between Danna Bethlehem, Director of Product Marketing for Thales identity products, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole. And we'd like to discuss and exchange our perspectives on the interplay between zero trust on one hand, a very popular buzzword these days, and identity and access management on the other side. Welcome, Danna.
Thank you so much, Martin, glad to be here.
So let's directly get started.
So when we look at zero trust, this has been around as a term for a long, long time, and it looks like it is becoming increasingly popular these days and more relevant to businesses. So what has changed from your perspective?
Yeah, you're absolutely right, Martin. I was just doing some research into zero trust recently because I had to discuss it internally with some salespeople. They were getting questions about zero trust, and I was very surprised to see that zero trust has been around for 10 years. So 10 year anniversary for zero trust. But I think that we're at a real milestone at this very point in time, where the stars are aligned to give a new life to zero trust. And it's an exciting period, especially for identity and access management and zero trust.
And then why is it?
So I would say it's partially because
So, would you share the perspective that these are the reasons why it is You again?
I think that when zero trust was first presented way back when, it was mainly conceived as a way for increasing security and heavily adopted by network security providers. But at that point in time, the level of cloud expansion and the level of cloud adoption was nowhere near where it is today.
And so, although we began talking way back when about the disintegration of the traditional security perimeter within organizations, today, and especially as a result of COVID-19, we can really see it breaking up before our eyes, right? The mass move of employees to home means that organizations are provisioning massive cloud solutions to their customers, sorry, to their users, in order to enable them to work from home.
And what we've seen is that many of the traditional network security solutions that enabled remote working for maybe a part of employees, either through the VPN or through other gateway-type solutions, are no longer meeting the needs when everybody is working from home.
Yeah. Yeah. And I think that's a good point beyond what I mentioned, that the reality today is that we have devices, which are you personally wise is when people use them because it was the only option to work from home sometimes.
And we have this massive adoption of cloud specifically in the past few months I was in the crisis. But even before, I think, cloud adoption, when looking at the uptake of cloud-first strategies in organizations, that all leads to a higher adoption of zero trust. And I think the model behind it also looks, or is, from my perspective, something which is, well, there are a number of good things in that. So there's a logic in more and more organizations adopting zero trust. So when we look at this, what does zero trust really mean in the world of identity management?
So I think that for all organizations, zero trust means that you really need to, that you can't really trust anybody or any entity that is accessing any application or any network route within an enterprise. So it's a "trust no one, verify everywhere".
And because organizations no longer have that kind of security gateway at the point of entry to their networks, then that precept, that tenet of having to verify everyone everywhere, is very, very suited to today's reality, where, as you just mentioned, users are accessing applications from everywhere, mainly from home at this very specific point in time, but from everywhere in general, from multiple devices. And not only that, applications are also being delivered from everywhere. So you have a, the way that I see it in my mind is kind of a constellation.
When you look up to the sky at night, you see, you know, millions and millions of stars. And that's the way I kind of see the enterprise environment today. You have hundreds of applications being delivered from many, many places. You have users everywhere and the need to secure those users. The most natural way to secure those users and to secure all your data and all your applications is by making sure that they're protected when they log into applications at that very access point.
So in my mind, in that respect, the access point, the application access point, has really become the front line of security.
Yeah, done it. The last very well was it was how I tend to describe it because when we look at what happens is we have a user accessing a device going through whichever titles network to ease or a cloud service or a server. So a system where an application runs and then information, data is accessed. So where can we get a grip on that? The device might be owned by the user. So we are limited in that.
We don't know which network, it can be every network, and the service can reside everywhere. So frequently with the SaaS service, you don't have a grip on the server itself. So it's the application at that end of it's user at that end. And at the other end, behind the application, it's the data. And then it's about authenticating and it's about access controls at the application level, at the information level. These are the things where we really can enforce security, and we can implement our trust model.
And that means at the end identity management exactly comes in where we have to touch points for a future security.
Absolutely. And the beauty of the solution is that it's actually, when you think about it, network agnostic, because it implements security for identities and protects applications without having to really understand how a user is getting into that application, which underlying network is being used.
And another really good thing is that these solutions, cloud-based access management solutions, are really quite mature today. So these are solutions that can be implemented today to meet today's needs, whereas on the network security side, I think that area is still evolving. Although of course the best policy is always to have a multi-layered approach.
So I'm not saying that organizations shouldn't be protecting their networks and their traffic routes, they should be, but these solutions should definitely be working together to provide a much more comprehensive security solution for a much broader footprint today within the enterprise.
Yeah.
And I think the point is also, there's not a single, one and only way to implement zero trust. There are different ways, which also depend on the risk appetite of organizations, on what they have as infrastructure, how things are working, but clearly the areas where it's easiest are identification, authentication, and where access happens, because this is what we always, the other things like network might vary massively.
So we might have so many different types of access, so many different types of devices, so that it's hard to do it consistently. The one thing I'd like to add, as excuse clearly, when we look at implementation are two things maybe to add. The one is, there's not a single tool for zero trust security. So zero trust security is a concept, a paradigm, it's not a tool. So if someone sells "this is the one and only solution for zero trust", it's probably going a little over the top, but if someone says "this helps you in going towards this zero trust concept", that might make a lot of sense.
The other thing is, be careful with layered security. You need layers of security, but be careful not to have too many layers and too many elements of that, because that causes our issues here. So that would be a little bit of my perspective on that.
Yeah. Yep. Ultimately, all the solutions have to, sorry, I'm interrupting you, ultimately, all the solutions have to fit together and work together. Totally agree there. But just coming back to your earlier question about, you know, why is this kind of, maybe exaggerating, a golden age for zero trust?
And I think it's also that we are at a point in time where many, many organizations, and we're hearing it a lot from our customers as well, are looking to see how they can revamp and modernize and replace legacy systems. And there, I think there's probably a void in, you know, what are the next steps? What kind of guidance can CSOs and risk managers take and implement in order to take this next step into the future, in order to make their organizations ready and secure for the future, where we're going to be much more cloud centric?
And that's why zero trust is kind of a security scheme for the moment, because it does give very good and practical guidelines as to how organizations can move in a phased approach from what they have today and where they want to be tomorrow in terms of securing these kinds of dispersed, cloud-centric environments.
Yeah, it's a sort of "if A, then B": if you say A, cloud first, then the logic will be B, security must follow concepts around zero trust, the other Ryan's around it.
But at the end, it's a very logical consequence of cloud-first strategies that you need new, modern security concepts. Coming close to an end, what would be your most important advice when it comes to zero trust and identity management in that context?
Yeah. So first of all, I think that because of that, we see that organizations are really having to adopt cloud applications really to enable their needs of the moment.
That's a good place to start, you know, really trying to map out which cloud applications you've got and implementing access controls at the access point for your cloud applications. Good also to take into account how any kind of access controls do indeed meet zero trust. What we didn't mention actually is the need for continuous validation, continuous identity validation, the need to really assess that the user who's accessing an application is validated and authorized to do so.
Each time they hop from one application to the next, even though there might be a single sign-on session in place, it's incumbent on any solution to really reverify and continuously authenticate users who are accessing applications. And that really meets that "verify everywhere, trust no one" approach that is one of the core tenets of zero trust security.
Full agreement. What I would add is: understand your risks.
So understand where the biggest risks are, implement adequate measures, and try to find a very good balance of verify and to continuously without, and layer security without ending up with a zoo of different tools. There's too many of them. You need some, yeah, but not too many bene. So thank you very much for this talk. We already spent our time on that. Hopefully this is as interesting and relevant to everyone else listening to this podcast as it is to us. So thank you very much.
And thanks for having me. Great discussion.