The Interplay between Zero Trust and IAM

Martin Kuppinger and Danna Bethlehem, Director of Product Marketing at Thales, discuss their perspectives on the interplay of Zero Trust and Identity and Access Management.

Welcome everyone to our podcast. This is a conversation between Danna Bethlehem, director of product marketing for Thales identity products, and me, Martin Kuppinger. I'm principal analyst at KuppingerCole. And we'd like to discuss and exchange our perspectives on the interplay between zero trust on the one hand, a very popular buzzword these days, and identity and access management on the other. Welcome, Danna.
Thank you so much, Martin, glad to be here.
So let's directly get started. When we look at zero trust, this has been around as a term for a long, long time, and it looks like it is becoming increasingly popular these days and more relevant to businesses. So what has changed from your perspective?
Yeah, you're absolutely right, Martin. I was just doing some research into zero trust recently because I had to discuss it internally with some salespeople. They were getting questions about zero trust, and I was very surprised to see that zero trust has been around for 10 years. So it's the 10-year anniversary for zero trust. But I think that we're at a real milestone at this very point in time, where the stars are aligned to give new life to zero trust. And it's an exciting period, especially for identity and access management and zero trust.
And then why is it? So I would say it's partially because zero trust has matured. It was a concept which was very network-centric, and right now we are talking about zero trust as a broader concept, which is mainly about identity, which is about a lot of other things. And I believe that is probably one of the main drivers. The other main driver, from my perspective, is simply that we have a challenge: we have different deployment models, we have ever-increasing attacks. So would you share the perspective that these are the reasons why it is...
Yeah, again, I think that when zero trust was first presented, way back when, it was mainly conceived as a way of increasing security, and it was heavily adopted by network security providers. But at that point in time, the level of cloud expansion and the level of cloud adoption was nowhere near where it is today. And so, although we began talking way back when about the disintegration of the traditional security perimeter within organizations, today, and especially as a result of COVID-19, we can really see it breaking up before our eyes, right? The mass move of employees to home means that organizations are provisioning massive cloud solutions to their customers, sorry, to their users, in order to enable them to work from home. And what we've seen is that many of the traditional network security solutions that enabled remote working for maybe a part of the employees, either through the VPN or through other gateway-type solutions, are no longer meeting the needs when everybody is working from home.
Yeah. And I think that's a good point beyond what I mentioned: the reality today is that we have devices which are personal devices, which people use because it was the only option to work from home sometimes. And we have this massive adoption of cloud, specifically in the past few months, in the crisis. But even before, I think cloud adoption, when looking at the uptake of cloud-first strategies in organizations, all leads to a higher adoption of zero trust. And I think the model behind it also looks, or is, from my perspective, something which is, well, there are a number of good things in that. So there's a logic in more and more organizations adopting zero trust. So when we look at this, what does zero trust really mean in the world of identity management?
So I think that for all organizations, zero trust means that you can't really trust anybody or any entity that is accessing any application or any network route within an enterprise. So it's trust no one, verify everywhere. And because organizations no longer have that kind of security gateway at the point of entry to their networks, that precept, that tenet of having to verify everyone everywhere is very, very suited to today's reality, where, as you just mentioned, users are accessing applications from everywhere, mainly from home at this very specific point in time, but from everywhere in general, from multiple devices. And not only that, applications are also being delivered from everywhere. So the way that I see it in my mind is kind of a constellation. When you look up to the sky at night, you see millions and millions of stars. And that's the way I kind of see the enterprise environment today. You have hundreds of applications being delivered from many, many places. You have users everywhere, and the need to secure those users. The most natural way to secure those users and to secure all your data and all your applications is by making sure that they're protected when they log into applications, at that very access point. So in my mind, in that respect, the application access point has really become the front line of security.
Yeah, Danna, that was very well put; it is how I tend to describe it. Because when we look at what happens, we have a user accessing a device, going through whichever type of network, to a cloud service or a server, so a system where an application runs, and then information, data, is accessed. So where can we get a grip on that? The device might be owned by the user, so we are limited in that. We don't know which network; it can be every network. And the service can reside everywhere. Frequently it's a SaaS service, so you don't have a grip on the server itself. So it's the application at that end, it's the user at that end, and at the other end, behind the application, it's the data. And then it's about authenticating, and it's about access controls at the application level and at the information level. These are the points where we really can enforce security and where we can implement our trust model. And that means, at the end, identity management comes in exactly where we have the touch points for future security.
Absolutely. And the beauty of the solution is that it's actually, when you think about it, network-agnostic, because it implements security for identities and protects applications without having to really understand how a user is getting into that application, which underlying network is being used. And another really good thing is that these solutions, cloud-based access management solutions, are really quite mature today. So these are solutions that can be implemented today to meet today's needs, whereas on the network security side, I think that that area is still evolving. Although of course the best policy is always to have a multi-layered approach. So I'm not saying that organizations shouldn't be protecting their networks and their traffic routes; they should be, but these solutions should definitely be working together to provide a much more comprehensive security solution for a much broader footprint within the enterprise today.
Yeah. And I think the point is also, there's not a single, one-and-only way to implement zero trust; there are different ways, which also depend on the risks, on the risk appetite of organizations, on what they have as infrastructure, how things are working. But clearly the areas where it's easiest are identification, authentication and where access happens, because the other things, like the network, might vary massively. So we might have so many different types of access, so many different types of devices, that it's hard to do it consistently. The one thing I'd like to add, or excuse me, when we look at implementation there are two things maybe to add. The one is: there's not a single tool for zero trust security. Zero trust security is a concept, a paradigm; it's not a tool. So if someone says this is the one and only solution for zero trust, it's probably going a little over the top, but if someone says this helps you in going towards this zero trust concept, that might make a lot of sense. The other thing is: be careful with layered security. You need layered security, but be careful not to have too many layers and too many elements of that, because that causes other issues. So that would be a little bit of my perspective on that. Yeah.
Yep. Ultimately, all the solutions have to, sorry, I'm interrupting you, ultimately all the solutions have to fit together and work together. Totally agree there. But just coming back to your earlier question about, you know, why is this, maybe exaggerating, kind of a golden age for zero trust? I think it's also that we are at a point in time where many, many organizations, and we're hearing it a lot from our customers as well, are looking to see how they can revamp and modernize and replace legacy systems. And there, I think there's probably a void in, you know, what are the next steps? What kind of guidance can CSOs and risk managers take and implement in order to take this next step into the future, in order to make their organizations ready and secure for the future, where we're going to be much more cloud-centric? And that's why zero trust is kind of a security scheme for the moment, because it does give very good and practical guidelines as to how organizations can move in a phased approach from what they have today to where they want to be tomorrow in terms of securing these kinds of dispersed, cloud-centric environments.
Yeah, it's sort of, if A then B: if you say cloud first, then the logic will be that security must follow concepts around zero trust and the other things around it. But at the end, it's a very logical consequence of cloud-first strategies that you need new, modern security concepts. We're coming close to an end. What would be your most important advice when it comes to zero trust and identity management in that context? Yeah.
So first of all, I think that, because of that, we see that organizations are really having to adopt cloud applications to enable their needs of the moment. That's a good place to start, you know: really trying to map out which cloud applications you've got and implementing access controls at the access point for your cloud applications. It's also good to take into account how any kind of access controls do indeed meet zero trust. What we didn't mention, actually, is the need for continuous validation, continuous identity validation, the need to really assess that the user who's accessing an application is validated and authorized to do so each time they hop from one application to the next. Even though there might be a single sign-on session in place, it's incumbent on any solution to really re-verify and continuously authenticate users who are accessing applications. And that really meets that verify everywhere, trust no one approach that is one of the core tenets of zero trust security.
Full agreement. What I would add is: understand your risks. So understand where the biggest risks are, implement adequate measures and try to find a very good balance of verifying continuously and layering security without ending up with a zoo of different tools, where there are too many of them. You need some, yeah, but not too many. Danna, thank you very much for this talk. We have already spent our time on that. Hopefully this is as interesting and relevant to everyone else listening to this podcast as it is to us. So thank you very much.
And thanks for having me. Great discussion.
