Event Recording

Panel - Zero Trust in the Enterprise


First of all, we will have Bill Harmer, who is CISO and chief evangelist of SecureAuth. And then we have Henk Marsman, who is lead product manager, IAM at Rabobank. And then, for sure, we have again Annie Richter, who is chief architect at EnBW. So I'm happy to introduce all of you. Good afternoon.
Good afternoon.
Perfect. So I did a short introduction. Maybe you, Bill and Henk, can also do a short introduction by yourself. Just a few words.
Sure. Happy to. Bill Harmer, CISO and chief evangelist for SecureAuth, currently sitting in a winter storm in Austin, Texas, hoping that nothing freezes. Pleasure to be here.
Thank you. It's quite cold for you; I heard that it's in the news. Henk?
Yeah. Thank you. Yes. My name is Henk Marsman. I work at Rabobank, one of the top three banks in the Netherlands, and my role is leading the workforce identity and access management. So the full breadth of the spectrum, from privileged access to certificate management to IGA.
Perfect. And for those who joined for this session, maybe a short introduction too.
Okay. My name's Annie and I'm working at EnBW, which is one of the larger energy suppliers in Germany, and I'm chief architect of the identity and access management at EnBW.
Perfect. Thank you. So let's start with a question. And again, to the audience: if you have any questions, just put them into the chat form and we will ask them here in the session, or we can answer them afterwards. So I think I start with a question to Henk. Why should organizations transition to a zero trust model now?
I think organizations that haven't started thinking about it should do so now, because there have been some fundamental changes in IT and the use of IT. I'll have some more details in my presentation later on. But one of the assumptions that we had, that we could keep the bad guys out, has fallen through the cracks. It no longer holds. And the good news is that regular business users, who are not that familiar with IT, let alone security, are picking it up because of all the media coverage on hacks and breaches. But that's the main thing that you need to start with now; you should have started with it already. You need to work from an assumed breach starting point.
Okay. Thank you.
And no longer work from the assumption that you have a safe network.
That's a good assumption. Bill, your thoughts about that question?
Sure. It's because we're fundamentally doing things differently today. Even before the pandemic, we were looking at a work-from-anywhere methodology. The corporate networks that we built, where we had control, were only used at best eight hours a day. But nowadays, especially with the pandemic and the work from home, there is no corporate network left. So all of your users are now sitting in a hostile environment, whether it's my home, your home, a coffee shop, wherever it is. So, you know, to Henk's point, we have to assume breach. Not only do we have to assume breach, we have to assume that they're commingled with threat actors out there. So you have to be inspecting everything. It has to be a deny, and allow as needed, which is really going back to the basics of security.
Definitely. Annie, in your presentation you shared a lot of use cases towards the technological aspect. What are the basic questions corporates need to ask before they start to design this zero trust approach, before they learn what you already shared with us?
Okay. I think the main question is how much risk do you want? How much do you want to go into risk, and how much modern architecture applies to your business situation? Everything is turning into distributed systems, heavily distributed systems and micro-segmentation. You're renting a lot of cloud services, so you've got a distributed environment there. You're offering cloud services, and the perimeter doesn't work anymore. And how much does this enable you? If you find a secure way to go into these distributed situations, you can have new business opportunities, but they also cost, because you've got to add new security measures and others which are not basically firewalls or whatever. And you've got to find a balance and you've got to make up your mind: how much do you want of this?
Great. Henk talked about risk as a foundation or as a base for all this. Is this the approach Rabobank also started with, especially as a financial institute?
Yeah. Risk is always kind of top of mind in regulated industries, especially in banking. We're moving more towards the fact that, from the castle-and-moat principle of risk, being able to manage that by having a secure perimeter, it's more of a common town nowadays where everybody just runs in and out. So the risk approach is fundamental. We need to manage risk on a very high level, because people entrust us with their money. On the other hand, we also need to balance that risk in the digitalization that's ongoing: new products and new services being launched, making use of digital developments. And I think that's an ongoing discovery of new threats that are present in the marketplace, new services that we deploy, and how we continuously make sure that the risk level matches the risk appetite that we have as a bank. And we're innovative, but on the risk level we were quite risk averse. So we will not take much risk, because of the nature of our business. And you see other types of businesses going towards the other end of the spectrum, taking more risks.
Okay. Thank you. Bill, you are talking probably to a lot of customers. What are, from your end, the key learnings from running a zero trust initiative in those organizations? What can you recommend here?
Oh, buy-in. So yeah, zero trust requires the entire organization. It's not something that can be sort of dealt with in a division or a department easily. So this really has to be a top-down fundamental re-architecture, not just of access methodologies or identity, but of how a company is going to do business. To what Annie said about how much risk you want to take: this is really shifting the entire program from the old days, where we talked about how many servers we patched, how many systems were attacked, those types of things, to accepted risk. And that is a huge mindset shift that we have to get across, because when you have accepted risk, you can lose a server, because you've accepted the risk of losing that server. You have contingencies built around it. You know what happens when that event takes place. That's what takes us to a zero trust world.
Okay. Henk, anything to add?
Yeah. I was still thinking that's exactly the notion: that you should manage risk, but the way that it materializes now is completely different. And I think that's one of the cultural and mindset shifts, apologies, that you need to apply in the workforce, because a lot of people are hanging on to the method of managing risk like having a firewall in place or trusting an IP address or a network location. And we kind of need to pull that up to the level saying, you know, that was how we managed that risk in the past. The world has changed. The risk appetite itself is still consistent, but we need to adapt new ways of managing that risk. And that translates itself into basically new controls that we need to apply. And at the same time, we cannot, the old measures that we have, as Annie said in her earlier talk.
Annie, from the EnBW side, what is your experience about the organizational requirements for setting up a zero trust organization?
Well, as we said before, there's also a shift in the mindset. If you are based on a security model previously which is mainly "inside the good ones, outside the bad ones", just keep everything inside and take care that no one of the bad ones comes inside, so then you are safe. It's more or less a binary security model. So it's zero trust outside and full trust inside. And we can't work with that model anymore. It's getting more complex, and you've got to put this in the mind of the people. So maybe, when people started using phones and calling each other, they had no idea that there could be bad phone calls or threats over the telephone. But today we've arrived at the point where they know: okay, if the phone is ringing, it's not always a trustworthy person on the other side. They've learned to adapt, that they have a, let's say, zero trust situation at the phone call. You don't know who's on the other side and you can't apply many security measures, not in the private environment. So you've got to put this in the minds of the people, and that's quite difficult.
Absolutely.
So I've been working with developers, and we are doing a lot of talk about people accessing networks or people accessing services or whatever cloud services. But we've also to keep in mind we run into a very distributed situation where services are calling other services through the internet, through the cloud, where cloud service A is using cloud service B, C and so on. And then it's not so much a question of the classical identity and access management. It's a question of developers. You've got to work with them, that they have a mindset of applying security into their coding, into the programs they're running. If you've got someone who's running a Lambda function in AWS, you've got to have a heavy talk with him on security and zero trust security. He's placing something into the internet. Maybe it's only called by another service, but it's a completely different mindset. I mean,
Definitely.
Usually people do not. If they think of a hacker, they imagine a person, but they don't imagine that a service can be a hacker or can be a threat. That's also very difficult. I think there's the most work to be done.
And this really describes well how big the topic of zero trust in general is. And I think this is a good thing that we talk about that. Bill, when talking about automated access to business-critical information based on the identity, what do you think about that? Is this a good starting point, or how to deal here?
Good starting point. It's a functional requirement, for sure. So if you're at the nexus, if you're at the new point of launching into a zero trust and re-architecting what you do, one of the things we have to remember, and I stress this to anybody designing security systems or access or functional security, is that it has to be usable. The one thing we have learned over the years is if we, as security professionals, tighten the ratchets and make it harder, make it harder, make it harder, make it more secure, the users will find a way around it and go do something else and punch holes, create these holes. So what we have to do is balance the functionality with the security, which is what gets us to an acceptable risk level.
So yes, identity is, in my opinion, absolutely key. It's part of the reason I moved from Zscaler to SecureAuth, because when you want to enable something like zero trust, everything starts with that identity: the reliance and the risk that you put on identifying the user who typed the password, who punched the accept button, who has initiated that. And it doesn't have to be a person. As Annie said, this could be a non-carbon life form, right? This could be another system out there. It could be an OT device; something wants to access something. And it's that relationship that you then have to put a risk association to and say, how much risk is involved in this something getting to that something? And that's how much friction you put in the way. So when you look at it and say, I know Bill is at home, I recognize the device.
It has a certificate. It's sitting at the right patch level. I've seen it before: the time, the behavior, all of these things are known. My risk level is going down because I do know that this is Bill and he's accessing something that's normal. The behavior is correct. I'm gonna go passwordless. It's gonna be that easy. Or suddenly Bill looks like he's logging in from, you know, Belarus, and I've never seen this machine before, and we start ratcheting up because the risk is getting higher. And that's how you start to bring it in. That's why, to me, identity is the absolute key to unlocking zero trust.
Okay. Thank you. So maybe towards Henk, this question: we talked about risk and that this is the foundation for everything, but how to proceed? Where do I really start my zero trust journey after knowing, okay, there is a risk, a potential risk, from people using their device?
Yeah. I prefer the functional or use case approach, because, at least in my situation, there's a running company and we're keeping the bad guys out, at least to the best of our knowledge and to the risk level that we are willing to accept. So that's the starting point. And then you start adding things like moving workloads from on-prem to the cloud. I think it starts with doing that use case analysis, saying what has changed in the way we work, what has changed in the technology we use, and then do a proper risk assessment as you would do any other time as well, saying, how can I make use of it outside of the intended purpose of this piece of functionality? And that's the starting point. And I also like talking to developers about it, and it usually takes them a while to understand that if they move to the cloud and they're working on a backend production database, it's not that difficult to give it a public IP address.
And from that point on, discussing with them what is the risk, what could go wrong, because most of our workforce is geared towards helping customers in the way that things go well. I think that is the starting point. And you need to do that on a holistic level, so usually something like enterprise architecture or the CISO gets involved. So, you know, we have 100 instances of new types of use and new risks, but these are no longer separate incidents, and you need to do the root cause analysis, the problem management almost, so to speak, and say, you know, this requires a fundamentally different approach. And those two things I think need to be together. You can start with either one, but you need both in the end. It needs to happen on the workflow, as we say, with the engineers and the people working, but also in the architecture and in the approach corporate-wide.
Definitely. Maybe it's time; we're almost at the end of the panel discussion, time is running quite fast. Maybe a question in the other direction: we are now talking about zero trust as a paradigm to protect our assets and our internal IT and our external IT devices. What about new things, new options, new capabilities we can achieve with using zero trust? Annie, what are your thoughts about that?
Oh, that's a lot of things which can be achieved. First, you can close your office and send all your people home and let them work from home office. It's an untrusted environment, and you can manage this. Try this 20 years before: completely unbelievable. If that's not possible, you can get people moving around. You can have use cases, or if you want to have a collaboration with partners, customers, other companies, you can build up partial trust and trust their people or their machines, which you can let into your business. So you can cooperate. There are a lot of things which you can do which you would have said no to in the past: we can't do this; if we let them in, they will do spying or whatever. And right now we can turn this into a controlled situation and we can use all the benefits of distributed systems and cloud computing and ization, if we want to push the digitalization and if we want to use those nice IoT things. And so we have to go into zero trust patterns, because we can't control them with the classical security patterns. And if we don't apply a modern security model, we can't go into those modern technologies where we use the internet as the only present transport layer and where we can use the fast and flexible interaction with any service out there.
Absolutely.
Having a controlled risk situation.
For sure. Bill, your thoughts about options or new capabilities if using zero trust?
No, just to sort of move on from what Annie said: she's absolutely correct. When you look at just the pandemic alone, being able to respond to it, keep businesses running, still be able to do what we did. We've seen a 48-minute extension in the average work day for the average worker, which executives are gonna love, because that's free work. But to us who are working, it gives us flexibility, because I think as we progress and as we evolve, the nine-to-five, the eight-to-four work day doesn't work for everybody. So being able to have an hour in the morning to maybe walk my kids to school and drop them off, and have an hour in the afternoon to pick them up, to visit with, you know, maybe my mother or something like that, having that flexibility in my day, every day, or as my day changes, because we're now delivering our work on almost more what it should be, which is task-based, not hourly: are my KPIs getting run?
Are they getting done? It gives me a better quality of life. So I think we enable not only our employees to have a better quality of life, a better functionality. We also have access to a larger pool of employees now, because how many people have gone through that question of, well, I'd really like that job, but I don't want to move to California, or I don't wanna move to New York, I can't afford to live there. I could now live in Iowa, Wichita or Kansas and have a job in New York, do the job as need be, and still have a great quality of life. So I think we're gonna start to see that huge shift in demographics as to location. And we're already seeing it here in the United States: a massive exodus out of New York, a massive exodus out of California, huge migration here to Texas and other states where quality of life is simply better.
Definitely. And Bill, this is a really good conclusion of options and capabilities which we can achieve with zero trust, hopefully if the pandemic crisis will end as soon as possible. So thank you again to Bill, to Henk and to Annie for joining our panel discussion. Just a short hint that Bill and Annie will join the networking chat; you can talk to them afterwards. And now I will say thank you to Henk. He will switch the session here and start a new one, because the next presentation is done by him. So thank you very much.
Thank you so much.