Event Recording

Henk Marsman: From Trust to Zero - Lessons from Halfway in a Large Enterprise Environment


Thank you very much. Yeah, I'm gonna share some of the lessons that we ran into doing zero trust in the bank. As introduced in the panel earlier, I'm responsible for the strategy and direction of access management for our workforce. I do that together, obviously, with a team of managers and service owners. And if you look at the zero trust model, I'd like to start off with a brief discussion on that. I'm not gonna reiterate all the great content that I've already seen today. So a lot of it already passed here: about trust but verify, about the people, process, technology aspects. I'd like to just highlight that zero trust in some cases triggers the response that you cannot trust anymore. And that is not completely right. We still need to have trust, because that's what our interactions and our business run on, but it's changing, and it's changing significantly.
So we prefer to use the assume breach approach, because that more clearly says what it is about. And I will highlight that based on the brief overview that we used to explain what has actually changed: why do we need a new approach to access, to information security, to cybersecurity? And this is a, well, I tried to keep it simple, but this image basically tries to say, you know, on the left-hand side there is a person that wants to make use of some digital service or data, which is perfectly stored in our data center. And so we have applications and data running there. And in the old times, there were two pathways into that data center. Either you were in the office, you would log in with your device and you'd be on the corporate network accessing the data center, or you would be on a public network and would need to set up a VPN connection or secure connection that would connect to your corporate network.
And then you would access applications, data, and services. And based on this model, we had a lot of risks identified and controls put in place. So here you would have the VPN that I mentioned, the hardening of systems in the data center, the network zoning and segmentation, if applied here. Now, what changed here is that over the past couple of years we introduced cloud, and the first step in cloud was we put the cloud behind our data center, actually. So you would first need to connect to the corporate network, where we would do all kinds of checks and balances, and then you could go to the cloud-based application. And that has then extended into a cloud that you could access directly. So without contacting the corporate network, our employees make use of cloud-based applications for business operations, so actually critical day-to-day operational tasks, but they're not touching the network anymore.
So we are losing a lot of controls that we had in place, that we checked at the corporate network boundary. That is one aspect. The other aspect is that the devices have become more varied, and the types of actors that need access have become more varied as well. So there is an increase in complexity, and not only in how we place it and access it, but also in the actors that access it, especially if you factor in devices, which can be machines or robots or IoT devices. So it's no longer only human access, but also system or device access that we need to facilitate. And on top of all this, it needs to be secure. We have our business that runs and that wants to move along in the digital transformation. And this picture makes it clear that the world has changed.
It has become more complex, but also the interactions have changed. So we need to revisit our security controls, and the analysis of that revisitation shows that the approach fundamentally needs to change. Because if you add to this the fact that media has covered to quite an extent that we should assume some level of breach: no company is safe. Security can never be a hundred percent. It's about managing risk to an acceptable level. That means that in this model we need to say, okay, now what if something has gone wrong? For example, we say the network location could be breached. So where do we use network location as a trusted indicator? And what happens if we can no longer trust it? What does that mean for our security model? The same thing happens when we say, well, let's assume a workstation or a laptop has been breached, or an incoming connection that we trust.
What if that is breached? Because we know from various experiences that things can be breached; even accounts can be taken over. So all these risks factored in means we need to adopt a new mindset, a new approach. Because where we used to say we keep the bad guys out, and once you're inside it's all safe, like the castle and moat principle, we now much more have something of a common-day village, with cars coming in and out, people walking around, and there's no castle and moat approach to that security. That's fundamentally different. And part of that new approach of zero trust is that I believe you need to review all your security controls, as I said before, with that assumption in mind of: what if we are breached here? And if all controls fail that you have now in place, you still need to start working from the position that something needs to access something, as build your set in the panel.
There are still identities that need to access data or functionality on top of data, because that's part of how we do our business, and that's been translated into IT. And in that whole, in zero trust, what we see is that there are two, well, actually three key security controls that you are left with. The first one is identity and access. So identity: certainty about the identity of whoever is approaching your IT and your data is critical. The data itself needs to be protected, because as you saw in the image, it used to be in the data center, but now it can be on the cloud, can be on numerous devices. So it needs to be protected at rest and in transit. And on those two things we need to monitor and intervene where possible, because if you factor in the speed of change and the speed of developments, things are moving at such a pace that you cannot manually control and check whether this identity has access to that data,
if it's secure enough, and if there have been enough checks and balances. That needs to be automated. And we see that it's also no longer sufficient to do all the checks up front, but with zero trust we implement more and more on-the-spot, live checks. So that means you need to validate the data on the spot and also be able to respond to that, especially in a cloud environment. And there are automated controls and automated playbooks to respond to controls that fail. But that is key here. So within the Rabobank, we are moving more to an IT immune system, as we call it. And that immune system has more of a feeling with saying there are multiple places where, well, viruses can enter a body, but there are also multiple mechanisms that a body can trigger to respond to that. And for us, key elements in that zero trust or assume breach approach are the identity-centric data access and the data protection, but also other aspects like application layer security, the focus also on behavior patterns and context of identities that want to access, adaptive automation.
Anything will go as a surface, and the one-but-last two bullets, on standardization and simplification, are also critical. As a bank, we have a rather large variety of IT running in our environment, because of all kinds of historical reasons. And it's very difficult if you have 10 flavors and you want to secure them, because then you might end up with 10 different types of security measures. So standardization gets there by making it easier and simpler, also being able to standardize your security controls and measures. And what also adds to that is a simplification of the vendor landscape. So in our case, we have a lot of vendors that we make use of. Now, if we can make that simpler, and simpler does not always mean fewer vendors, but make it simpler, then it becomes more manageable, because with zero trust you want to gain more insight on what is happening right now. Because things move so fast and are so dynamic, you need to monitor the identity and the data on the spot.
And with all that, you can still not neglect the traditional security controls. So it's not a move from one thing to the other. It's a step up from one thing to another level, where you still maintain the old aspects as well. And it triggered me. Some of you might have seen the Lord of the Rings movie series, where it starts off with the quote that I put here, of Galadriel, that says the world has changed, I feel it in the water, and things have changed fundamentally, something is coming. And that triggered me, because this guy could have quoted, and it's not his quote, but I could have heard him say, I could almost taste it in the water, because that's the kind of direction that things are now also taking. And this is all taken from a New York Times article on somebody who tried to mess with the water supply and the chemicals that were added there. Okay. Now I want to zoom in a little bit more on identity.
If we assume that the devices are untrusted, then that applies to endpoint devices and devices in turn; the last frontier of security, what we see, is identity. So what does that mean for us? And it means a number of things. It means that for identities that come in, we need to do strong proofing and binding, but it also means that we need to do that in some cases very quickly, because it's dynamic. Not all the identities that we serve in the end might come out of an HR administration or an IT administration, and we collaborate with a lot of parties in the market. So that needs to be strong, and those are quick, by looking at behavior during use of access. That also means that authentication needs to be continuous and adaptive, so sometimes with a step-up authentication. And the authorizations are also becoming more dynamic. We use an RBAC approach in general, but we're now also working on an attribute- or policy-based access control approach on top of that, to facilitate those environments that require the increased speed. And one thing that I also want to mention here is the identity-based network access, where you see that also there the security controls start to intertwine with each other, and network access is not only the device, the signature of the device and the IP address, but now also the identity of the user on top of the device. So it's adding up to each other.
What this all means is that data is becoming critical, because you're gonna decide based on the data that you have on identities, on events, on systems. So data quality is very important, and the automation and integration, just to keep up with that pace. Now in our situation, this is a key element for identity and access management within the bank to do properly. And it requires multiple initiatives in kind of a programmatic approach, moving from a standardized structural landscape towards these functionalities that we offer to our IT colleagues and business colleagues. One of the things I already mentioned, about the intertwining: it requires a collaboration of security functions that in our case sometimes are organized separately, in silos. You need to get close to your unit to integrate on user entity and behavior analytics type of activities, to see what is going on in the network and be able to intervene on the spot. One of the aspects that we've also seen here is that if you move to a multi-cloud or a hybrid environment, sometimes local solutions are more native to a platform or an environment and work better. So you continually also need to see: what do I manage and enforce centrally, and where do I do that in a local manner, but still maintain control from a central perspective? Because in our case, we're in a heavily regulated industry, so we always need to be able to demonstrate that we have managed the risk to an appropriate level.
One of the other initiatives that we're constantly enforcing here, and that's not just technology, that's also hearts and minds, is working towards standardization. The more we standardize, the faster we can be, the faster we can speed it up, and the easier it is also to spot deviations. And if you can automate it, we do increase the reviews and the checks and the balances, because automation on the one hand is a challenge, on the other hand also provides security the possibility to do AI-supported human interventions, for example. So those are five bullets on tips that we've seen, what is instrumental to realizing a zero trust approach. And it's an approach, it's a mindset. So there will not be a point in time that you can say we're done, but it's a principle that you apply time and time again. So with that, I want to conclude with five lessons learned. First lesson: that it's not loss of trust at all.
It's relocating trust. And that ties into the fact that you need to understand how the world has changed, what that means for security and what that means for your approach. And that approach ties into the second one: culture is really a leading factor in changing this mindset. And writing a couple of pages, a white paper, a position paper on what is zero trust and how should we do it as an organization, you can do that in a week, but really gathering the workforce, implementing and executing a zero trust and the assume breach strategy, that's the hard part, where you also need to take into account the cultural factors of how does this company work, what are the levers, how can I change it. The efforts are significant. For example, we looked at the network and we said that needs to be segmented. But if you have a corporate network of a bank and you want to segment it, that has impact.
That is a huge multi-year effort. And you can start small with the low-hanging fruit, but the assumed breach only works if you really follow through all the way to the end, because again, any deviation is an open door into your house that you want to secure. You also need to consider all security domains. So find each other, work together with network security, application security, identity and access, security monitoring, and signing, crypto; make sure that these are organized, and build the common understanding of what needs to change. And it not only applies to zero trust, but security in general: always have a plan of what you would do when you get momentum, because you never know when you're gonna get that momentum. It could be that all of a sudden there's a lot of management attention because things have gone wrong, or things have been reported wrong at the competition in media coverage, or through some other aspects. But be prepared and know what your plan is, because security is sometimes still struggling with the fact of being viewed as a cost center and being the department of no. But an assume breach approach, I think, will help security also to be positioned as a way to say it is possible to go really fast, to be really adaptive, to even go passwordless in some cases, and still be secure.
And when that momentum comes, present the plans and say, this is how we're gonna do it, this is what we need, and elevate that effort. So with that, I want to conclude my brief presentation on assume breach, as I would call it from now.
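The access model sketched in the identity part of the talk (an RBAC base with an attribute- or policy-based layer on top, continuous and adaptive authentication with step-up, behavior during use as an input, and network location no longer treated as a trusted indicator) can be made concrete as a small policy decision function. The following is an added example written for this page; it is not code from the speaker, from Rabobank or from KuppingerCole. The assurance scale, the classification labels, the anomaly thresholds and the 10.0.0.0/8 corporate range are assumed, constructed values.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for a stronger factor, then re-evaluate the request
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset          # RBAC layer: roles from the HR or IT administration
    assurance: int            # assumed scale: 1 = password, 2 = MFA, 3 = phishing-resistant
    anomaly: float            # 0.0..1.0 behaviour score during use of access (constructed)


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in device management
    compliant: bool           # passes posture checks (patched, disk encrypted, ...)
    source_ip: str


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str       # assumed labels: "internal" or "confidential"
    allowed_roles: frozenset


# Assumed policy layer on top of RBAC: minimum authentication assurance per classification.
MIN_ASSURANCE = {"internal": 2, "confidential": 3}
# Assumed behaviour thresholds: at or above DENY_ANOMALY the session is cut off,
# at or above STEPUP_ANOMALY the user must re-authenticate with a stronger factor.
STEPUP_ANOMALY = 0.6
DENY_ANOMALY = 0.9
CORP_NET = ip_network("10.0.0.0/8")   # constructed corporate address range


def on_corporate_network(ip: str) -> bool:
    return ip_address(ip) in CORP_NET


def decide(identity: Identity, device: Device, resource: Resource):
    """Return (Decision, reasons). Evaluated on every request, not only at login."""
    # 1. RBAC base layer: without a matching role nothing else is even considered.
    if not (identity.roles & resource.allowed_roles):
        return Decision.DENY, [f"no role of {identity.user} grants access to {resource.name}"]

    # 2. Device posture: confidential data is only served to managed, compliant devices.
    if resource.classification == "confidential" and not (device.managed and device.compliant):
        return Decision.DENY, ["confidential data requires a managed, compliant device"]

    # 3. Behaviour during use: a strongly anomalous session is denied outright.
    if identity.anomaly >= DENY_ANOMALY:
        return Decision.DENY, [f"behaviour anomaly {identity.anomaly:.2f} >= {DENY_ANOMALY}"]

    # 4. Adaptive authentication: collect every reason that calls for a step-up.
    step_up = []
    if identity.anomaly >= STEPUP_ANOMALY:
        step_up.append(f"behaviour anomaly {identity.anomaly:.2f} >= {STEPUP_ANOMALY}")
    needed = MIN_ASSURANCE[resource.classification]
    if identity.assurance < needed:
        step_up.append(f"assurance {identity.assurance} below {needed} for {resource.classification}")

    # 5. Network location is recorded for monitoring but never raises trust (assume breach):
    #    a corporate address lowers none of the requirements above.
    location = "corporate network" if on_corporate_network(device.source_ip) else "outside corporate network"
    reasons = step_up + [f"source {device.source_ip} on {location}"]
    return (Decision.STEP_UP if step_up else Decision.ALLOW), reasons


if __name__ == "__main__":
    # Constructed sample identities, devices and resources.
    ledger = Resource("general-ledger", "confidential", frozenset({"finance"}))
    wiki = Resource("team-wiki", "internal", frozenset({"finance", "engineering"}))
    laptop = Device(managed=True, compliant=True, source_ip="203.0.113.7")
    byod = Device(managed=False, compliant=False, source_ip="10.20.30.40")
    alice = Identity("alice", frozenset({"finance"}), assurance=3, anomaly=0.1)
    for ident, dev, res in [(alice, laptop, ledger), (alice, byod, ledger), (alice, byod, wiki)]:
        d, why = decide(ident, dev, res)
        print(f"{ident.user} -> {res.name} from {dev.source_ip}: {d.value} ({'; '.join(why)})")
```

The point of the ordering is that the corporate address only ever lands in the reasons list, where monitoring can see it; it never changes the outcome, so a managed device with strong authentication is allowed from a public network while an unmanaged device on the corporate range is refused confidential data. Because `decide` runs per request rather than once at login, a rising anomaly score turns an existing session into a step-up and then into a denial without any change to the role model underneath.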