Event Recording

Bryan Meister: Navigating Enterprise Enablement and Zero Trust


Very much. So, yes, I'd like to discuss navigating enterprise enablement in terms of IT security and zero trust. I want to spend a brief moment talking about the past few years for Verizon Media, the combination and merger of the AOL and Yahoo ecosystems underneath the Verizon umbrella. Talk a little bit about the process of what it's like assessing, for us again, what was 40 years plus worth of combined IT infrastructure. Talk about some, just some core pillars of the modern enterprise in terms of identity management, and then go into a little bit about continuous improvement and really the culture of the enterprise and how I see all of the work that we do servicing our end users, our customers, and our colleagues in order to be successful.
So our journey to zero trust, it's a marathon, not a sprint. We're ever evolving. In 2016, Yahoo, I was a part of the Yahoo organization prior to the merger, Yahoo was purchased by Verizon. They had already owned AOL at that point. In June of the following year, we were combined from an HR point of view with our colleagues at AOL to form a company named Oath. We now call ourselves Verizon Media, and it was a very, very interesting challenge. Obviously again, 40 plus years worth of combined IT infrastructure. The fallout, obviously, elephant in the room, from the Yahoo breach. And we're trying to figure out how to service this brand new company that Verizon had put together as an umbrella for all of these various brands and all of these various, both enterprise corporate assets for all of these brands, like Yahoo, TechCrunch, Flickr at the time, as well as just the product stack as a whole.
And how do we really build this company? My direct involvement had to do with figuring out enterprise identity and how people were going to be interacting with our products. We had 90 days to achieve it, at least the initial tech go-live. Of course not everything was completed, not everything's completed now, but we had a tech go-live goal that we were challenged with, to get HR access to our HR management infrastructure, our workforce productivity suite and our various IT ticketing applications, so people could start feeling like they were part of the new company. Our objectives, outside of just designing this brand new enterprise identity greenfield environment, were first and foremost to facilitate client authentication for services in different network zones, including, obviously, and almost most primarily, cloud. AOL and Yahoo were fairly antiquated in terms of our IT management. And with good reason: two of the largest, oldest internet firms in their heyday tend to accumulate a lot of tech debt.
So we had a job to ensure that we were moving away from a layer, a TCP layer security model to zero trust. Really at the end of the day, we wanted to move towards zero trust, ensure that we were really treating people as the perimeter and security at the edge and security and defense in depth across all of our platforms, and really kind of bring that culture forward for all of its benefits, including user experience. There were a lot of things we didn't like about, I think I can speak from the Yahoo side, the way certain platforms had kind of been designated. We were a very decentralized environment, and it was really our opportunity to build wholesale enterprise identity. And if you're going through the journey, and everybody's in a slightly different phase of this, if you're going through that journey and you're trying to build that up, it really, really helps to centralize what you can as far as identity management assets. Because the less you have really at the end of the day control over across various stakeholders, which we'll talk about briefly, the more challenging it is at the end of the day to be successful. It's not impossible. You have so many opportunities with managing relationships in working with identity. And it's one of the things that I think fascinates me the most about the field as a whole.
So three years later, over, it's actually over a thousand, depending on your definition, enterprise applications migrated from legacy authorization and authentication services, many of them very isolated. That was all done within the first two years. Pretty much everything on the enterprise side now is using OAuth 2 or SAML, which is a very exciting standard to be on from where I think a lot of the things were previously: a lot of directory, direct directory-managed services, lots of Active Directory and LDAP security group management that was very ad hoc. Very, very happy and proud of the team to be able to move away from that. And most importantly, we were positioned at the end of the journey for cloud first. We still have, you know, a lot of older infrastructure. So on-prem deployments, they're still common. We have to be able to support that, and moving off of some of that stuff, depending on the product stack inside of it, at the very least, isn't even so much on the roadmap, but it's really about being able to be flexible. And again, we talk about how the past year has been; flexibility is really the key. And the further along we found ourselves in this journey, the easier it was from a technology point of view to at least kind of embrace this world around us that we find ourselves in, all of us, or at least many of us, I'm sure, working from home. We need to have, you know, that comfort in being able to leverage our products and feel like at the end of the day, they are secure.
So capability assessment. If you're about to embark on overhauling identity and moving, making your way towards zero trust, relationships are the key. You have many stakeholders across very many departments. I'll talk about that in a moment, but I think a very frank assessment of your relationships with your various colleagues, counterparts throughout the company, is necessary to be successful. And there may be many more stakeholders than you think. Technology, of course: assessing capability maturity across all of your platforms, your directories, your multifactor solutions, if you have any at all at that point. Thinking just at the very, you know, forefront, if you were building this from scratch, what would you all need? And making sure that you have all of those pieces in line, and just being very frank and understanding where your gaps are. And when we started our journey, we definitely had gaps. Access control systems.
That's one area that really shines up to me as far as gaps. Honestly, there was a lot of, you know, ticketed heavily, manually audited processes for access control, at the very least in Yahoo. And it was kind of a struggle and a pain point for us to be able to do much about. And we really completely leaned in when we had the opportunity to do so and put some really strong access control in a lot of automation in workflows. And just being able to understand how you can service access control at scale: the ability for somebody in your organization to come to you and say, I need access to X, Y, and Z entitlements or roles, and have your systems do the heavy lifting in terms of identifying the appropriate approver, managing that approval workflow if there are multiple approvers in chain, including hiring managers, re-certifying that access on a regular basis, and trying to kind of come up with your north star vision of where you want your organization to head.
And of course it needs to be scaled. Operational needs are definitely a concern. At the end of the day, everything you build has a cost, and yeah, there's financial cost. But the one that comes most to mind is time. If you have an enterprise identity environment, it needs to be able to scale with your users' needs. They can't be spending an hour, even an hour a day, working with your products and being able to, you know, get their jobs done in an enterprise environment. It needs to be, excuse me, needs to be faster. It needs to be something that is as light touch as possible, but still allows you to always be re-verifying access in the goal of zero trust. You want to have your products interface well with people and not be a burden to them really at the end of the day. And operational maturity.
That's very important, because if you're just thinking in terms of your help desk, your help desk is better positioned to help people when the products help them help people. You don't wanna put everything down on your help desk as manual work. And so organizing your technology in such a fashion where the help desk is improved by the technology and not spending all of their time manually supporting it is something that you want to consider. And of course, regulatory. Over the past few years, we've seen the adoption of GDPR. We've seen a strong push towards moving towards N recommendations, various other legal statutes. Here in California, there've also been the CCPA act as well. We've been trying to keep up, I think, as an industry, with new legal requirements and things that we should be doing. Just an honest and frank assessment at that point of where you are from a regulatory standpoint, and for your space as well.
Obviously not all industries and businesses operate under all of those, though, especially if you're operating across the world, GDPR is a must. But it's definitely worth, you know, looking at all of these areas, doing a frank capability assessment of where you're at. A quick note on relationships: you have a lot of stakeholders, and everything in security is, of course, a balance between how secure is it and how easy is it to use. What might be easier for your employees might not be good for the asset management team, or vice versa. But I think we wouldn't be where we are in Verizon Media today, three years plus into this journey, without having some of the fantastic relationships that we've built. What draws me to identity, what draws me to security and trying to solve the end goal of keeping, you know, zero trust in mind, is how rewarding it is to maintain a lot of these relationships.
And it's worth, you know, kind of keeping in the forefront of your mind at all times that these are the people, but at the end of the day, you're trying to serve all of them. And you're also hoping that they'll be able to help you in return. So when I think of zero trust in the modern enterprise, I think of four key pillars. User life cycle: how users get into and out of your enterprise environment. Authentication: this is where I think a lot of firms before zero trust have been pretty decent. We're very good at thinking about authentication, how we manage credentials, how passwords lock out a certain period of time after disuse or abuse. Authentication is where so much has been focused. Not enough, frankly, on user life cycle. Definitely not enough on authorization. And device management being the fourth pillar.
I'll step back actually to authorization. Authorization is the combination of really access control, certification processes, always asserting who your user is, and for authentication and with authorization, what they should have access to. And when that's been, I think, as far as most firms had been for a long time. And then device management: how do we contextually understand who a user is based on the device that they're approaching us from? Is this the device that they're always accessing from? So managing device into the mix is really that fourth pillar, is really what's going to get the modern enterprise to zero trust. So user life cycle, just some quick things to understand. The goal is to manage identities. You want to know who should even be able to operate within your environment. This of course includes onboarding and offboarding. Attribute management is a big deal, though.
We have a very broad scale at Verizon Media. We're about 15,000 workers at the end of the day, but our application platform is incredibly broad for that number of workers. It's important for those application owners to be able to receive the attributes of everybody, the worker attributes, that is, of everybody that's flowing downstream. Obviously we don't wanna be passing all of the sensitive HR information down, but how people gain an understanding of who somebody is. Just for instance, if somebody's last name changes, how easily does that flow to your lowest tier system at the bottom of your technology stack? That has to be considered. Job transfer events: if somebody moves from a contingent role to a full-time employee role, how does that look from an IT perspective? Access suspension: there are many legitimate reasons to have a suspension flow. I'm proud to say we do have one. Just a worker going on leave for an extended period of time.
Maybe your IT security team or your security operations center identifies an issue. Having the ability to suspend users in the life cycle without completely eliminating all of the known access is fairly critical. Mergers and acquisitions, an area we know very well coming from a Yahoo or AOL, and divestiture: understanding how those impact user life cycle is key to figuring out really, at the end of the day, your journey to zero trust. Authentication: ensuring all enterprise services are able to interact with enterprise data. Again, this is the area I felt like, as an industry, we were always very good at. We have known how to manage passwords. The rise in advent of QFA has been incredibly helpful in ensuring we have those things in place. Interactive accounts, step-up accounts, as they might also be known, headless accounts. We know how these things work. These have always been a very strong piece of the puzzle, but again, a frank capability assessment of your identity infrastructure is pretty key there to beginning this journey.
Authorization: ensuring users have the capabilities they need, that access control life cycle, how users flow through your ecosystem in terms of getting access to things and how that access is re-certified on a regular basis. Really quickly, and I won't walk through this diagram just in the interest of time, but the goal is to always keep a user in a working state. If they have new needs and they need more access, they make that request, or an informed party makes that request on their behalf. They're either approved or re-certified for that access. If they are, they continue to be in their working state where they have everything they need to be successful, until eventually they leave the company and all of that access is removed. Very simple model for thinking about authorization, and one that you want to have in place as you begin your journey. And then device management. This is the part of the journey that we're on right now. Having device management platforms is one thing. Linking those device management platforms to those other three pillars for context or adaptive authentication, I think, is also key: ensuring that you're registering and enrolling those devices and that you have risk-based policies in place in order to have your users be successful.
Device management is really what brings you here. You might have a single sign-on platform, your device management platform, or platforms for multiple operating systems. We certainly operate many. A directory, which has credentials, your multifactor authentication solution. Some of these things might even be in the same platform, which helps consolidate and simplify. But at the end of the day, all of these things have policies. As you're walking down your journey through zero trust IT security deployment, at the end of the day, you need a very keen understanding as to how all of these policies layer on together to be effective at maintaining. We're always verifying who's accessing our client or our service. We're always aware of who and with what device this is happening on, but we also want to be aware of this person here, because these policies can be incredibly intrusive to their lives on a regular basis. And we don't wanna be causing unnecessary pain or hardship at the end of the day. Once you get to this point, you wanna start thinking about improvement: data monitoring, regular security assessment and audits, understanding how feedback from those governance, software development life cycle, your policy and operational guidelines. And then at the end of the day, it's gonna be about AI and machine learning, an area where I think we'd all like to get in terms of distilling that data and ensuring we're always gathering what we need.
When I think of zero trust, I think about enterprise culture. Again, as with all things in security, balancing user experience and security posture is the most important thing that we do on a regular basis. This opportunity and challenge of embracing work from home has changed the game for us permanently. This is table stakes now. This is no longer an option. And the opportunity for evangelizing zero trust is in building these new expectations, not just with how people interact with your enterprise, but how people interact with all of the products that they use on a regular basis. So that's all I have. I understand that was really quick, and just wanted to provide some high-level breadcrumbs to reaching that state.