Event Recording
Roger Halbheer: Zero Trust - Security Through a Clearer Lens
Join us to understand how Zero Trust transforms your security strategy and makes you more resilient to a range of attacks. We will share a roadmap for leaders, architects, and practitioners, as well as talk about some quick wins and incremental progress on this journey.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Thank you very much. And as I said, I mean, listening to Paul was quite insightful. We probably should start to Paul. If you're still on the call, we probably should start to work with each other, you know, to build this product and the visit, you can go through to make a company zero trust, but choke aside, I mean, I'm not gonna give you any introduction anymore, why we need zero trust and what we do, and, and you know why zero trust is what, what we need to have these days. The interesting piece though, is to me, if I'll listen or look at zero trust, it's actually more a reflection of the reality than anything else. You know, Paul said it already, that basically COVID 19 cost, a lot of zero trust discussions. It led to the point where we are working from home office as everybody else.
One of my sons wants told me, then if I, if I, if I ever talk about zero trust again, he's gonna go crazy. So that's just how often companies try to understand what they can do and, and how they can work around zero trust and all these things. So, in my opinion, as I said, it's a re a reflection of today's reality. On the other hand, it's probably one of the most disruptive changes I've seen since I am working in security. And, and it's quite a while. I mean, it's, it's more than 20 years now. And I grew up with all these network controls with firewalls and, you know, IPS is in IDSS and network access controls, and however, you're gonna call them. And now we move into security, zero trust, where we kind of lose uncertain of the controls we've learned or change the way they behave.
And this change to me is something you can easily do on the technology side. But the big change is really when it comes to people and the business. And let me give you a little bit, well, a view of how I look at that. I was at Caesar myself, and when I took over actually to did two things, one is I asked the team, which is the policy, which we have the most exceptions on because I felt this is most likely a policy, which is not fit for purpose in the business. So we looked at that and not surprisingly, it was the network security policy. The other thing was I went in and said, Hey, you know, today's world is all living off zoom breach. And it was an actual thing for me when I came in, but the way it, it was read by certain people of my team was they were hired to keep the bad guys out.
Now, the Newt comes in and said, Hey, we are gonna do a zoom breach as a reflection of today's reality. They heard basically they failed their job, you know, they need, now, now we have to do a zoom breach because they couldn't keep the bad guys out. So there is a lot of, and that's just one example of the changes you have to drive when you work with zero trust. And, you know, the, the changes, which, which have to be implemented not only on a technology side, but on a people side as well. Now, zero trust to me has kind of three layers because it has different meanings to different people in the organization. And I work with basically all the big accounts or the big customers we have around across the German speaking markets and the Netherlands. And we have different discussions on different levels because, and I completely agree with what Paul said before.
We, what we need to have is a sponsor high Okta ranks. And when we talk to a CEO, a CFO, a COO of these big accounts, it's less about zero trust. It's about enabling the digital transformation with acceptable risks. And I'm briefly coming back to that, then you have discussions more on an architectural level. What does it mean from a strategy, from an enterprise strategy, from a priority, and then last but not least, this is where you then typically reach out to Microsoft and have a discussion about the products and the implementation. What does it mean from a technology point of view? But when I work with customers and in this transformation, to me, it is at least as important to have the higher up discussions as it is to have a technology discussion. Even though obviously we live from the products, not the products you trust, but the products which then come really build this architecture.
We were talking of. If you look at the, just briefly at this, you know, digitalization and business strategy, obviously life gets complicated. Obviously we have a lot of modern work use cases. Some of them like the remote work thing, some companies already prepared for remote work in the cloud. And what have you there did during COVID, but those are use cases which they need to drive. On the other hand, this drives security modernization. And one of the reasons why I became CSO quite quite a while back was that they always felt that security has to become a business enabler rather than, you know, this governance function, which says no, anyway, it shall be a business. And to me, zero, trust actually pretty much reflects this architecture going forward. So it's about automated policy enforcement. I mean, you can read yourself, but it's identity and obviously the data, the heart of what we do and how, how we are gonna forward gonna go forward.
And at the end of the day, companies which really implemented such a, such an architecture, they are way faster in really supporting the business, achieving the business goals, but with acceptable risks. So we get more into this, in this, into this dialogue, with the business, how can we make it happen rather than, oh, there are 10 firewalls and that's no joke. I had that case 10 firewalls between the server I want to deploy. And you know, the, the, the customer, and we have to find all these ports and blah, blah, blah, blah. And then you have firewalls with 10,000 rules on, and nobody actually knows what's going on from a component perspective, still on a business level. That's a discussion I'm having often with, with high levels in, in the organization, what you need is having kind of this access control. And you heard that from Siemens before this access control piece, which enforces your policy.
We add user, we add devices, we heard it from Siemens. One component I felt is at least as important as the devices and the information you collect internally is threat intelligence. You consume from outside threat intelligence in the breaths, so that you really understand the broad challenges around the threats, which are running as well as the threat intelligence you have internally. And then you have this access control and security policy C which in our case is conditional access. And I'm briefly coming back to that, maybe in a few minutes, but it's all around the directive directory and, and that entity management. Another thing besides the change in people, I feel which needs to happen is a change in operations because I see a lot of security operating centers, collecting data from their firewalls, their proxy, their WHAS, what, what have you, their, their routers. Now, if you go really during, into direction of zero trust and disease, a journey, it's not something which happens from, from one day to another, you need to adopt your security operations.
You get different signals, which you need to consume, and you probably get more signals than you have before. And in addition, your security operations centered people, all of a sudden need to learn new protocols. My sock was brilliant when it came to T C P I P and routing and all these, these protocols, they were really great. Now you need to step up and learn about Sam and, and, and what have you. So this is not the problem, but you need to think about, then you obviously build the governance around that. You, I mean, hygiene is not gonna go away. Policy is not gonna go go away, but the policy then has to be applied and monitored broader than just your on-prem environments. And at the end of the day, we heard that it's all about asset protection. It's all about, you know, your data.
So this, I mean, that was really in a, in a very small nutshell, but there are a lot of discussions in these directions which happen on a, on a digital transformation on the business level. If you go then more into the strategy, I mean, we, we talked about securities complex. We talked about all the changes around the trusted network. The interesting piece to me coming back to the change management on the people side is when I talk to customers about the implementation of Azure, for example, everybody gets that networking, that trusted network doesn't work anymore. And that there are different ways of leveraging, you know, the internet as your network and all these things that kind of intellectually lands immediately. And then you go into discussions about, let's say, Azure networking, and how do you bring it together? And, and how do you build such an architecture?
People immediately fall back into discussions about firewalls and, and all these different mechanisms. We know since 20, 30, 40 years. So this shows me that in a, in a lot of cases, intellectually, it's easy to grasp that zero trust conversation, but from a, from the heart, from your gut, it's, it's pretty tough thing to do. And that's the reason why I started with the point that you shouldn't underestimate the change management factor when it comes to, to zero trust. It's something where I feel. If you run such a program, you need to think about the people. It leads. If you implement it properly in the it space, it leads to a more productive environment. It needs to better collaboration. I feel that a lot of technologies which come together and architectural con concepts, which come together with zero trust, increase security while increasing productivity. So we kind of hit this holy grail in between.
Now you can do that without the zero cross with classical network per perimeter thing technologies, it just gets harder to do. I think it's, it's one of the things which comes hand in hand going forward. So you'll, it leads to a more productive environment while you explicitly validate trust. We talked about the security operating center, the secure ops already in this area, as you all of a sudden get more signals, get more alerts. You have to drive more automation and, and automatic remediation as well. And then you can take the same concept over into OT and the data center, but with different technology we heard from Siemens before. It's not that easy to give kind of a 10 year old machine, an identity that just doesn't work anymore. So you have to find additional other technologies. The concept still work. If our customers start initiatives, most of them start around user accessing that identity.
That's kind of the heart of the first wave. When they get into zero trust, often it gets kicked off when the cloud migration starts. So when they talk about office 365 in parallel, they immediately add security operations. And then they bring all together like identity devices and the security operations. Those are kind of the three big things they might need to change and touch when they move and OT and IOT and the data center security typically falls a little bit behind from a timing perspective, which makes a lot of sense because let's start to learn and change where the low hanging fruits are. And this is where the cloud is. This is in the technology area where it's easier to handle, and then let's bring OT and IOT and the data center in a little bit later. One of the things I typically try to insist as far as I can, when we start such a program with a customer, is that we agree on the principles first, and these principles shall be held high and, and really pushed through.
And they shall be agreed with the, with the business as well. So one is verify explicitly. I think we we've beaten that horse already. So verify zero trust to us means you don't trust anything until explicit verified. So that kind of makes sense from a user, from a device, maybe even from a service perspective, going forward. The second one, which we try to move in at the same time is everything allows around least privileged access just in time access, just enough access. And again, that's a good area to play with starting with in the cloud, because a lot of the technologies you get the modern technologies allow for these processes already there. You can learn what it means from a, from a perspective of the user, from a perspective of the admin, how you change the processes and then pull those processes back on prem.
There is technology to do that, which can help you does. It's not the silver bullet, but which can help you to get there. But starting in the cloud often makes life way easier. And the last one we talked about, you assume breach a lot of rethinking. I see. When I talk with customers about that, I often talk about the blast radius. How do you make sure that if an account or machine gets compromised, the blast radios kind of stays as small as possible. And there are different technologies to do that. I mean, identity is one of them or everything around identity, but the device, as well as the network plays a role in there.
Now, if we look a little bit into technology and I just want to touch on that briefly, we often see that when it comes to it, identity becomes more important than the network going forward. And that's not, as everybody said, kind of a, something you roll out and then you are done, that's really a transformation. It's a journey. You're gonna go. You OTs the other way around because we can run less or rely less on a working identity. You need more network controls to enforce a zero trust dish thing. And the reason why I say it this way, the concepts still apply the, the, the, the agreement on these three fundamental topics, they still apply, but you have to apply them differently. And then when it comes to data center, that's kind of a mixed bag. It moves from network more to identity at the moment, but we are by far not there yet.
So just one slide I wanna give you, I mean, I can't stop without going into technology. And I just want to touch 30 seconds in that, because it's important to me that from our point of view, the enforcement point where you do zero trust in the identity space is the iden in the it space is identity. You move into use risks, you move into device risks. You add your threat Intel to that, and you have the slides in, in the, in the, the download, but we want automate as much as we can to the point where you have a risk score. And then the key at the end of the day is then the integration into the backend. And obviously your modern environment works pretty well. Legacy gets a little bit juicy depending on the legacy you have, but you can easily move down that road.
And I just wanted to give you an idea, it's I, I agree. It's not the product you're gonna deploy, but there are products which help you on that road. And that's obviously the Microsoft view. I mean, that's what I'm here for, but basically it's an architecture. It's the concept you can put together. And when we talk about, you know, the zero trust journey with a customer, I often start to do this kind of Christmas wishlist thingy, help me understand where you wish would be. How, how not thinking about timelines and budget. How would the perfect world look like? And then let's break it down and let's start on that journey. I'm even hesitant talking about the project. It's a journey. It's a program you have to run through way more than let's do a project. And by the end of 2021, we are zero trust. So that was a really quick and brief run through.
One of my sons wants told me, then if I, if I, if I ever talk about zero trust again, he's gonna go crazy. So that's just how often companies try to understand what they can do and, and how they can work around zero trust and all these things. So, in my opinion, as I said, it's a re a reflection of today's reality. On the other hand, it's probably one of the most disruptive changes I've seen since I am working in security. And, and it's quite a while. I mean, it's, it's more than 20 years now. And I grew up with all these network controls with firewalls and, you know, IPS is in IDSS and network access controls, and however, you're gonna call them. And now we move into security, zero trust, where we kind of lose uncertain of the controls we've learned or change the way they behave.
And this change to me is something you can easily do on the technology side. But the big change is really when it comes to people and the business. And let me give you a little bit, well, a view of how I look at that. I was at Caesar myself, and when I took over actually to did two things, one is I asked the team, which is the policy, which we have the most exceptions on because I felt this is most likely a policy, which is not fit for purpose in the business. So we looked at that and not surprisingly, it was the network security policy. The other thing was I went in and said, Hey, you know, today's world is all living off zoom breach. And it was an actual thing for me when I came in, but the way it, it was read by certain people of my team was they were hired to keep the bad guys out.
Now, the Newt comes in and said, Hey, we are gonna do a zoom breach as a reflection of today's reality. They heard basically they failed their job, you know, they need, now, now we have to do a zoom breach because they couldn't keep the bad guys out. So there is a lot of, and that's just one example of the changes you have to drive when you work with zero trust. And, you know, the, the changes, which, which have to be implemented not only on a technology side, but on a people side as well. Now, zero trust to me has kind of three layers because it has different meanings to different people in the organization. And I work with basically all the big accounts or the big customers we have around across the German speaking markets and the Netherlands. And we have different discussions on different levels because, and I completely agree with what Paul said before.
We, what we need to have is a sponsor high Okta ranks. And when we talk to a CEO, a CFO, a COO of these big accounts, it's less about zero trust. It's about enabling the digital transformation with acceptable risks. And I'm briefly coming back to that, then you have discussions more on an architectural level. What does it mean from a strategy, from an enterprise strategy, from a priority, and then last but not least, this is where you then typically reach out to Microsoft and have a discussion about the products and the implementation. What does it mean from a technology point of view? But when I work with customers and in this transformation, to me, it is at least as important to have the higher up discussions as it is to have a technology discussion. Even though obviously we live from the products, not the products you trust, but the products which then come really build this architecture.
We were talking of. If you look at the, just briefly at this, you know, digitalization and business strategy, obviously life gets complicated. Obviously we have a lot of modern work use cases. Some of them like the remote work thing, some companies already prepared for remote work in the cloud. And what have you there did during COVID, but those are use cases which they need to drive. On the other hand, this drives security modernization. And one of the reasons why I became CSO quite quite a while back was that they always felt that security has to become a business enabler rather than, you know, this governance function, which says no, anyway, it shall be a business. And to me, zero, trust actually pretty much reflects this architecture going forward. So it's about automated policy enforcement. I mean, you can read yourself, but it's identity and obviously the data, the heart of what we do and how, how we are gonna forward gonna go forward.
And at the end of the day, companies which really implemented such a, such an architecture, they are way faster in really supporting the business, achieving the business goals, but with acceptable risks. So we get more into this, in this, into this dialogue, with the business, how can we make it happen rather than, oh, there are 10 firewalls and that's no joke. I had that case 10 firewalls between the server I want to deploy. And you know, the, the, the customer, and we have to find all these ports and blah, blah, blah, blah. And then you have firewalls with 10,000 rules on, and nobody actually knows what's going on from a component perspective, still on a business level. That's a discussion I'm having often with, with high levels in, in the organization, what you need is having kind of this access control. And you heard that from Siemens before this access control piece, which enforces your policy.
We add user, we add devices, we heard it from Siemens. One component I felt is at least as important as the devices and the information you collect internally is threat intelligence. You consume from outside threat intelligence in the breaths, so that you really understand the broad challenges around the threats, which are running as well as the threat intelligence you have internally. And then you have this access control and security policy C which in our case is conditional access. And I'm briefly coming back to that, maybe in a few minutes, but it's all around the directive directory and, and that entity management. Another thing besides the change in people, I feel which needs to happen is a change in operations because I see a lot of security operating centers, collecting data from their firewalls, their proxy, their WHAS, what, what have you, their, their routers. Now, if you go really during, into direction of zero trust and disease, a journey, it's not something which happens from, from one day to another, you need to adopt your security operations.
You get different signals, which you need to consume, and you probably get more signals than you have before. And in addition, your security operations centered people, all of a sudden need to learn new protocols. My sock was brilliant when it came to T C P I P and routing and all these, these protocols, they were really great. Now you need to step up and learn about Sam and, and, and what have you. So this is not the problem, but you need to think about, then you obviously build the governance around that. You, I mean, hygiene is not gonna go away. Policy is not gonna go go away, but the policy then has to be applied and monitored broader than just your on-prem environments. And at the end of the day, we heard that it's all about asset protection. It's all about, you know, your data.
So this, I mean, that was really in a, in a very small nutshell, but there are a lot of discussions in these directions which happen on a, on a digital transformation on the business level. If you go then more into the strategy, I mean, we, we talked about securities complex. We talked about all the changes around the trusted network. The interesting piece to me coming back to the change management on the people side is when I talk to customers about the implementation of Azure, for example, everybody gets that networking, that trusted network doesn't work anymore. And that there are different ways of leveraging, you know, the internet as your network and all these things that kind of intellectually lands immediately. And then you go into discussions about, let's say, Azure networking, and how do you bring it together? And, and how do you build such an architecture?
People immediately fall back into discussions about firewalls and, and all these different mechanisms. We know since 20, 30, 40 years. So this shows me that in a, in a lot of cases, intellectually, it's easy to grasp that zero trust conversation, but from a, from the heart, from your gut, it's, it's pretty tough thing to do. And that's the reason why I started with the point that you shouldn't underestimate the change management factor when it comes to, to zero trust. It's something where I feel. If you run such a program, you need to think about the people. It leads. If you implement it properly in the it space, it leads to a more productive environment. It needs to better collaboration. I feel that a lot of technologies which come together and architectural con concepts, which come together with zero trust, increase security while increasing productivity. So we kind of hit this holy grail in between.
Now you can do that without the zero cross with classical network per perimeter thing technologies, it just gets harder to do. I think it's, it's one of the things which comes hand in hand going forward. So you'll, it leads to a more productive environment while you explicitly validate trust. We talked about the security operating center, the secure ops already in this area, as you all of a sudden get more signals, get more alerts. You have to drive more automation and, and automatic remediation as well. And then you can take the same concept over into OT and the data center, but with different technology we heard from Siemens before. It's not that easy to give kind of a 10 year old machine, an identity that just doesn't work anymore. So you have to find additional other technologies. The concept still work. If our customers start initiatives, most of them start around user accessing that identity.
That's kind of the heart of the first wave. When they get into zero trust, often it gets kicked off when the cloud migration starts. So when they talk about office 365 in parallel, they immediately add security operations. And then they bring all together like identity devices and the security operations. Those are kind of the three big things they might need to change and touch when they move and OT and IOT and the data center security typically falls a little bit behind from a timing perspective, which makes a lot of sense because let's start to learn and change where the low hanging fruits are. And this is where the cloud is. This is in the technology area where it's easier to handle, and then let's bring OT and IOT and the data center in a little bit later. One of the things I typically try to insist as far as I can, when we start such a program with a customer, is that we agree on the principles first, and these principles shall be held high and, and really pushed through.
And they shall be agreed with the, with the business as well. So one is verify explicitly. I think we we've beaten that horse already. So verify zero trust to us means you don't trust anything until explicit verified. So that kind of makes sense from a user, from a device, maybe even from a service perspective, going forward. The second one, which we try to move in at the same time is everything allows around least privileged access just in time access, just enough access. And again, that's a good area to play with starting with in the cloud, because a lot of the technologies you get the modern technologies allow for these processes already there. You can learn what it means from a, from a perspective of the user, from a perspective of the admin, how you change the processes and then pull those processes back on prem.
There is technology to do that, which can help you does. It's not the silver bullet, but which can help you to get there. But starting in the cloud often makes life way easier. And the last one we talked about, you assume breach a lot of rethinking. I see. When I talk with customers about that, I often talk about the blast radius. How do you make sure that if an account or machine gets compromised, the blast radios kind of stays as small as possible. And there are different technologies to do that. I mean, identity is one of them or everything around identity, but the device, as well as the network plays a role in there.
Now, if we look a little bit into technology and I just want to touch on that briefly, we often see that when it comes to it, identity becomes more important than the network going forward. And that's not, as everybody said, kind of a, something you roll out and then you are done, that's really a transformation. It's a journey. You're gonna go. You OTs the other way around because we can run less or rely less on a working identity. You need more network controls to enforce a zero trust dish thing. And the reason why I say it this way, the concepts still apply the, the, the, the agreement on these three fundamental topics, they still apply, but you have to apply them differently. And then when it comes to data center, that's kind of a mixed bag. It moves from network more to identity at the moment, but we are by far not there yet.
So just one slide I wanna give you, I mean, I can't stop without going into technology. And I just want to touch 30 seconds in that, because it's important to me that from our point of view, the enforcement point where you do zero trust in the identity space is the iden in the it space is identity. You move into use risks, you move into device risks. You add your threat Intel to that, and you have the slides in, in the, in the, the download, but we want automate as much as we can to the point where you have a risk score. And then the key at the end of the day is then the integration into the backend. And obviously your modern environment works pretty well. Legacy gets a little bit juicy depending on the legacy you have, but you can easily move down that road.
And I just wanted to give you an idea, it's I, I agree. It's not the product you're gonna deploy, but there are products which help you on that road. And that's obviously the Microsoft view. I mean, that's what I'm here for, but basically it's an architecture. It's the concept you can put together. And when we talk about, you know, the zero trust journey with a customer, I often start to do this kind of Christmas wishlist thingy, help me understand where you wish would be. How, how not thinking about timelines and budget. How would the perfect world look like? And then let's break it down and let's start on that journey. I'm even hesitant talking about the project. It's a journey. It's a program you have to run through way more than let's do a project. And by the end of 2021, we are zero trust. So that was a really quick and brief run through.
Stay Connected
Related Videos
How can we help you