Although companies are constantly increasing their cybersecurity budgets, this does not seem to help much: each day we learn about new large-scale data breaches. Considering that over 80% of hacking-related breaches leverage compromised user credentials, it’s mindboggling why so many organizations are still focusing on securing their network perimeters.
We have three main research area, business areas. The first one being research, we are vending neutral. We stay as current as you ever can in this fast moving world and provide our provider of independent advice events coming up. You are see in a minute, we have our, the premier identity management conference in Europe, EIC, which is coming up very shortly. Talk about that in a second. And we also provide advisory to some very big organizations. So upcoming events, as I said, EIC, 2018, it's the 12th European identity and cloud conference. It is the, the biggest, the best and the premier identity and cloud conference in, in Europe. Still time to register, please join us there. And around the world, consumer identity world happening in September in the us, October in Europe and November in the Asia Pacific region, again, registered there and a series of cybersecurity leadership summits, really interesting summits, round tables for people to get together and discuss, and the next one happening in November.
So a lot going on in the, the KuppingerCole world at the moment. And of course, I really shouldn't need to mention this to anyone who's in this business, but of course, GDPR is just a couple of weeks away, just over a couple of weeks away, 25th of May. I'm sure you are all getting bombarded by emails, galore telling you that you need to consent to continue receiving their spam. And obviously they're legitimate email as well, but again, if you are having problems last minute, panics over GDPR, please contact us. So this is what we are going to be up to today. Part one zero trust, how do we get here? And the approach is to take, so I'm gonna talk it more, more from a theoretical point of view, and then part two, we're gonna have, Torsten talking about solving it and how to go about it a little bit more background from, from their point of view. And then finally, we'll try and leave probably about 10 to 15 minutes for, for Q and a.
So to kick off, why is this happening? Well, the first thing I'd like you to note about this is the, the credit on the bottom and more importantly, the date on the bottom. This was a graph that was drawn by the Jericho forum part of the open group in 2004. And it shows as you can see connectivity over time. And if you are old enough to remember standalone computing, mainframes minis, and the advent of the PC, probably mid eighties, the advent of the PC, and then we start to connecting them together. Islands of, of technology. The first one really in most offices was, was linking together the, the apple computers with their priority technologies. And then we got onto sort of the start of standard local area networks and the, the emergence of ethernet as a standard and depending on, on where you were and what you were doing at the time about 91 92, we started to see the first internet email starting to happen, followed very quickly by sort of nascent, internet connectivity, web email Telenet and FTP the earlier the, for runners of, of what we use today.
And so that was 90 starting about 19 91 92. I think I had my first email address, 91, late 1991. If I remember correctly, PS jet.uk, still, I think the shortest email address I've ever had. And then we started to have external collaboration. So at that point it was private lease lines. Why? Because the businesses we were in required us to collaborate. As simple as that, I was working at the time for a nuclear fusion research organization, and they wanted to share the results with all their fellow scientists around the world. And so we bought a 64 K it's CSK lease line, very expensive, and we put it in so that we could share the results very quickly. We realized that actually putting lots of lease lines in was very expensive. And so we started to go to VPN. And the bottom line of all of that is that we didn't realize it at the time, but probably around about 95, 96 is when the effective perimeter breakdown happened.
We went from having an isolated land to a connected wha and therefore we started to, to put in firewalls in our case, they didn't exist. So we had to write our own from scratch, which today would be probably suicidal from a, from a security point of view. But that's what we did. We then moved on to limited internet based collaboration. I said today that that today remember is 2004. We we're on, on the verge of cheap IP based devices. So at that point in time, 2004 organizations, we're starting to move from buying desktops to laptops. Why? So that people could take them outside of the organization. And we started to see cheap IP based devices happen, obviously then the mobile revolution happened, but this, this picture predates that. So that's your history lesson? Where are we going? Well, we're going to this sort of cloudy future up the top and internet based collaboration and what we call de ized working de parameterization. The fact that your perimeter is breaking down and becoming less valid as a security boundary. And I'm sure that you've all been to conferences and heard the keynote speaker saying, you know, we know the world is becoming de ized. We know the perimeter is breaking down. Well, it's been happening if you didn't realize it since the mid nineties.
So what is zero trust? So if depar station is happening, your perimeter is breaking down, what is zero trust? So the first thing to say is it's an architectural state of mind. It's an understanding that actually it's not a security perimeter. So it's when there is no difference philosophically between your internet and the internet. So to give you an example, I was global chief information security officer in my past for AstraZeneca. And at the point that I worked for AstraZeneca, we had 140,000 IP addresses on our internal network. And that network spanned multiple tens of countries. And the problem is actually, it's very difficult to distinguish today's corporate network from the internet in terms of the amount of stuff, where it goes, how many people connect to it, what kind of devices connect to it and everything else? It is almost your internal network is as much the wild west inside as it is outside.
And we'll see this in a minute. It is a business enabler and, and you'll understand why in a minute. So why would you have an internet? Well, the first one is quality of service. It keeps out the script kit is the denial of service attacks. The lumps. If you like on the internet at the end of the day on your internal network, you want known, defined transit times between your various devices that are operating your business. And so therefore you pay for quite often a very expensive when wide area network to give you that level of quality of service.
If you don't need those kind of transit times, then I would argue with you today. And a lot of companies have decided they don't is why pay for Awan? Why not just connect all your devices to the internet? And if you can get the security model, right, we go back to it's an architectural state of mind, then why not? And that's what you should govern against both in terms of, of cost of what you are paying for your wan and also your security posture. And, and just to reiterate at the end, it is not a security perimeter. So if that's the case and you accept the argument, and I said, feel free to go to the questions and feel free to disagree. I'd love you to do that, but if you accept the argument, then are we going to do about it? Well, this is I'm sure you remember, Ronald Reagan back in 87, signed the, the nuclear treaty with mic Gobi or Russia and his famous phrase.
The one that, that I think he's probably well known for is trust, but verify the, the interesting thing, if you like the irony of this phrase, that actually the origins of trust, but verify, come from a Russian proverb. So to use it against the Russians or to characterize the Russians was really ironic. I'm not sure that Reagan actually realized that, but if you have zero trust, where are, if you, that is your starting point for your network and the devices on your network, then where are you going to get the trust from? And the way you get that is through verification. So, you know, even though he applied this to nuclear weapons, it works just as well in our industry.
So I want to introduce what probably maybe a new word to some of you that is entitlement. And this, this comes from among other places, the cloud security Alliance, this is the security guidance for critical areas of focusing cloud computing. This is the definitive document that sort of UN enshrines everything that CSA does. It comes from version three and it comes from domain 12 and domain 12, when it moved from, from version two to version three, domain 12 got renamed from identity and access management to identity entitlement and access management. So why is entitlement so important? So entitlement is about moving us to making a risk based decision about access to data typically, or systems based on the trusted identity and attributes of all the entities and components in the transaction chain. And we don't talk here about people per se. We talk about entities and entities are people, devices, organizations, code, and agents, and an agent, probably the one that throws most people.
This isn't an identity talk per se about that. So we'll, we'll leave that one for the second, but people, devices, organizations, code, and agents. And if you can understand the transaction chain from one entity at one end to what they are trying to access the data or a system, then the better you can understand that the better you can understand context and the better, therefore you can make a risk based decision about what you want to access because in today's world, trying to manage access by IP address. For example, when you have 140,000 IP addresses inside your organization is really a non-starter.
So here's another way of explaining it. This comes from another source of principles of identity 3.0, you can find it on Wikipedia decisions around identity are taken by the entity that is assuming the risk, not by the it department. So currently, if you think about it, I come into my large corporate organization with, with a decision usually called active directory that says you have a valid username and password that equates to Paul Simmonds or this user account. And I will now based on a set of circumstances, a risk profile defined by it generally pass the fact that you definitely 100% are Paul Simmonds onto 140,000 IP addresses inside your organization. And it's irrelevant where you are going to be accessing the server that contains tomorrow's lunchtime menu, or you're accessing the server that contains the corporate results going to the city at 9:00 AM tomorrow morning, because the risk on access is totally different.
So it's really important to understand, as we move into this brave new zero trust world, that you, you start getting your head around the fact that actually there needs to be risk going on, built into this chain, not just you're on an access list that equates to your IP address. Therefore you can come in and the more that you can understand it says here fully understanding, but the more you can understand the quality and the Providence of the identity of all the pertinent attributes of all the entities in the transaction chain, the better you can take a risk decision for your business and the better actually you can automate a risk decision for your basis.
So we were talking about it briefly before we came on air, and I said, you know, way back in, in 2006, I would, I, I led a team that put in secure wireless access. And here we had an entitlement rule in there that says, if you are on a machine with a valid corporate certificate and you are a valid user in active directory, then let them connect on wireless. Simple as that, a very simple entitlement rule that went into the systems that let people literally lift the little on their machines and they just connected securely, but you can make things and it enables frictionless connectivity and security.
So here's, here's some work and I'm sure everyone's familiar with maturity models from, from sci originally level one, initial the ad hoc, right? The way through to level five and very much so, you know, where are we at the moment on this maturity model? Well, you know, sort of my rough guess is if you are best in class, when it comes to identity entitlement and access management, you are probably scoring mid threes, probably best absolute best in class, probably about a 3.7. And that, you know, is where, where I would. I said we are, which, you know, I think we, we agreed beforehand probably is, means we got a long way to go on this journey. So start it now. So how viable is all this? Well, if you haven't been looking at, at what our friends at Google have been doing Google beyond Corp, and they they've been allowed to talk about it.
So there's quite a lot of, of documentation out and a, and a really nice video if you weren't at RSA last year and heard them speak. And I said, the email@example.com slash beyond Corp, and it took them six years to rearchitect their entire global network and remove every single firewall. So now, as they will tell you themselves, if you are a Google employee with your Google issued laptop, no matter whether it's a, a Mac, a PC, or of course a Chromebook, you can go into the Google campus and open the lid and it just works. And you get access to absolutely everything that you're entitled to. But if you go into Starbucks and open up the lid on your laptop, and it will work exactly the same, there is no logical difference between the two places of work. So whether you're at home, you're at Starbucks, whether you're actually on campus itself, Google does not differentiate from that point of view in terms of what you have access to your access is based by identifying the device, which means, yes, they need a device inventory, database and device identity, and securely identifying the user.
So very tightly coupled into the HR system and depending on who you are, who you work for, which departments and everything else, some access will be automatically provisioned based on where you are in the HR hierarchy and no trust on the network, 8 0 2 0.1 X authentication on wide and wireless. Obviously if you're on premise, but obviously not off premise, and you can adjust the risk profile to certain, very high risk to say, actually, you need to be on premise if you're gonna access the corporate results, for example. So you can, you know, add that to your entitlement model. And one of the challenges they had was actually externalizing every single application that they have. So internet facing access pros and public DNS entries for everything, and ultimately an access control engine on the front of all their devices, which I'm told is common across absolutely everything. Whether it's Google internal, whether it's Gmail or whether it's Google search, it is a common access control engine across absolutely everything they do. And that just goes to reinforce that you need to get this right from an architectural point of view.
So in conclusion, before Torston takes over what's best practice. So should you be developing a zero trust, security architecture, implementation strategy? The answer is absolutely because whether you like it or not, you have been deep parameterized for an awful long time. You maybe just don't realize it. You need to architect therefore for that environment. And you need, you need to design internally with an internet mindset. So if you're gonna put a new system on your internal network, think about it as if it was facing the internet and how therefore, what are you going to do? Your conclusion might be, remember your mileage VA may vary.
But at the end of the day, a lot of organizations who are adopting these kind of strategies are going HTML five delivery by default vulnerability analysis on absolutely everything. So you shouldn't differentiate between your vulnerability analysis on internet facing kit versus internet facing kit, leverage your identity attributes and deliver security via the entitlement that, that magic entitlement word. In other words, put rules in put risk based rules in rather than trying to move people in and out of buckets and rules, which is what we have to do at the moment. There's no getting around it in a lot of cases, but think about how you are going to move in the future to, to risk based entitlement models, rather than role based segment your front end legacy devices, cuz legacy look, you know, legacy is gonna be with us in large corporations for an awful lot of time. So think about, can we put a standard model in front of our legacy systems, which if you like micro parameterization, some people have called it and adopt a fix it once and fix it properly mentality. So yeah. Do it once. Do it properly, whether it's inside or outside.
So what are the business benefits? Yeah, it goes without saying that actually, if you are adopting a, an internet facing mentality, then what the bad guys can do on your network is significantly reduced. So the days of saying, well, if I'm actually an insider threat or I'm managed to, to leapfrog via some kind of jump box that I can jump inside your network, then actually you are going to have exactly the same problems as an attacker. If you're on the internal network, as if you were attacking me from the outside, it eases the migration to the cloud at the end of the day, cloud is, is an internet delivered technology. So if your mentality is actually, we treat everything as if it's the internet, then actually migration to the cloud, whether it's, you know, HTML, five delivered on-prem or H HTML five delivered in the cloud should make no difference whatsoever. Great flexibility for staff. The ability to just say, staff, lift the lid on your laptop and work from anywhere in the world, your staff will love you for it. Enable new ways of working goes without saying, if you can do that, it makes easier access for third parties and joint ventures, because now they don't have to jump through multiple hoops to get through your DMZ.
You get faster implementation of new business initiatives, because again, you don't have to sort of put in sticky, you know, the, the duct tape clues that we currently put in at our borders to put yet another connection through our, our border. You end up with a reduction in complexity, you simplify things enormously. And we all know that actually complexity is the enemy of good security. And overall, if you are eliminating a lot of the, the rubbish that we currently buy at our borders to, to harden them and end up being the boys that like to say no, then you must end up with overall cost savings. Welcome to awesome.
Okay. Let me share the screen here and let's get started here. So thank you, Paul, for laying the foundation. I wanted to follow up what Paul was talking about with a little bit more granular detail about zero trust. So first of all, good news is that companies are kind of trying to address this change in the threat landscape. And they're investing a lot of money into buying it security tools, 86 billion in 2017. This year it's expected to grow to 93 billion. So that's great news, but at the same time, we're waking up every morning and here yet about another data breach. And so you start scratching your head, what's going on. And it's not that simple. It's, it's even worse companies that are getting breached. They're breached on average five or more times. So it's something that really bothers us as security professional. And it's not just the fact that people exfiltrate sensitive data, but as we all know, data breaches have major business impacts.
We're seeing the breaches getting bigger and bigger Equifax and Uber, which are us based companies also had impact on, on the European landscape. There were a lot of European users that were impacted overall. The expenses related the impact related to data breaches has increased to 265 billion across Europe. And we see really rise in cyber crime. It, it really increased five times over a number of years and nobody is, is safe. I have an example here, Clarkson UK based chipping services company. They just got breached last year and immediately after their shares dropped by 3%. So it's, it's really something that we have to deal with and things don't get easier. As, as Paul talked about, we're kind of in the boundaryless world nowadays, and the attack surface is increasing more and more, most organization have moved their it infrastructure into the cloud. A lot of them use enterprise cloud applications.
And then we have the employees bring in their mobile devices, which really creates a challenge for it, security professionals. And then we have the new phenomenon called IOT internet of things, and it's being used in the enterprise. So it's not just something that sits on your nightstand at home, what you call Alexa or Google home or whatever. No O T devices are being used in the enterprise and therefore represent a new attack surface. So if all of this is happening, you are asking people, Hey, what are effective tools? And that's where really security's identity crisis comes in. You look at different surveys from different companies. We even just conducted our own research and found out that CEOs believe that an effective tool to address cyber attacks is model software. But a lot of the times of people are really picking the wrong things. They're not at the core of what really happens when somebody gets attacked course reality is that in 81% of data breaches and weak default or stolen passwords are really the origin of the tech. And in 80% of these breaches, it involves privileged credential misuse. So it's really time to rethink security. And this new threat scape really requires zero trust security, and kinda Paul kind of hinted on that. Zero trust really assumes that that actors already our insight, as well as outside of your network. And if that's the case, if I can no longer trust that my CEO is the right person that wants to access Salesforce data, then I have to remove trust entirely from the equation.
And so that leads us to the core principles of zero trust. Anything where I tried to connect to a network or service or resource access needs to be granted nowadays based on three factors, what we know about the person that tries to access the resource, what we know about their device. And that's very important. Cause if the device itself, if I'm connecting for instance, from a public network, it's obviously a higher risk than I connect from within a protective network and all access must be really authorized. And so we at Centrify really live the mentor of never trust, always verify. So in another zero trust model, that's really what you have to do. You can no longer trust anybody, any device you always have to verify. And how do you do that? There are four pillars of zero trust security. One thing is verifying the users, making sure the right person is trying to access the resources, but they're leveraging devices.
Be the tablet, be the laptop. You also have to take the device itself into account, cause it might carry a risk to access the sensitive information. And then a very essential component of zero trust is a concept that has been around for a long time, which is limiting access and privilege. I really don't want to be giving somebody a privilege UN unlimited, right now I'm on this webinar. Why would I need the access rights to database server if I'm not currently fixing patching that server. So really you're restraining it to only when you need it just in time. Privilege is very important. And then last but not least the fourth pillar is really learning and adapting, making it non-intrusive and, and adapting the policies that you created around these three first pillars. And so let's really dive more into details. So when it comes to verifying the user, the first step to take is really identity consolidation and single sign on.
We all know we are typically ask our RT manager to have different passwords for different applications that we're all human. We forget. We hate the password reset questionnaire and things like that. So what we do as a shortcut is we use the same password across all applications. If the Hecker gets hold of my password, EBIS has the key to the kingdom. So what I want to do is really apply single sign on that really removes the view to the Hecker on my password. It really uses a one time password and therefore makes excess more secure. At the same time. I want to really be accountable and tie in identity to a person that plays specifically a role when it comes to privileged users, super admins, they often share passwords the root password, and if they do so, I don't really know if John DOE or to, and George has accessed the server.
So creating, tying it back to your single identity that resides in active directory is where important for accountability. The second thing is really to apply a multifactor authentication everywhere. And when I say every word is for application access for device access for infrastructure access, as well as across different user audiences. So not just for end users, but also for privileged users. So it's important to have a very holistic view on that. And at last, but at least it's really looking at being as non-intrusive as possible and applying behavior based access controls. So I just traveled a couple weeks ago to a partner in Chicago was the first time I traveled for the company in that region. And so obviously it's an abnormal behavior and therefore I should be challenged more than just giving my password. And that should be triggered by by factors like geolocation, what time I'm trying to access it from what device I'm trying to access the resource.
So it's important to apply that, to really verify the user. So the second pillar was validated device. So one first step is device and application management. These are typically more tied to governance. You wanna set policies? What, what applications can people use using specific devices? Can they turn on wireless or cameras, especially in government, that's very restricted. So that's the first step, but you have to take it beyond that. You have to look at the device context and the security posture. For instance, if I'm trying to access sensitive resources from a device that doesn't have the latest firmware that doesn't have antivirus installed, it represents a higher risk and therefore it should be taken into consideration. When I make that access decision. The third step is really endpoint privilege management. We normally refer privilege management core to servers, but reality is that you laptops that we carry around have admin rights.
And so we also have, have to lock down, apply privilege management to these type of devices. So let's move on to the third pillar, which is really limiting access and privilege kind of Paul hinted on, on guiding off access to particular network elements. We, we call that zone. If I'm a database administrator, I should be the only one that has access to that zone to that database. Nobody else, not our CEO, not our it manager should have access to that. So really applying granular role-based access and limiting lateral movement by creating these zones as a first step. The second thing is really, as I hinted earlier, why would I need access right now to a database if I am on this webinar? So you should limit my access and make it time based. So if I need it now, if I'm getting a call while I'm doing this webinar and it's emergency and I need to fix the database, I should be in a position to request access where workflow engine and it's, it's no longer where you have to wait 72 hours nowadays with mobile technologies, it can pop up on your supervisor's smartphone and they just click a button and you have immediate access to that database.
But it's really important cuz it really restricts lateral movements for hackers that might have compromised your credentials. And the last step is really auditing everything, making sure that there's accountability. So I know exactly towards George locked into database. What type of controls, what type of commands did I use? So I'm wanted to record these sessions, both from a auditing and governance perspective, but more importantly also from a security perspective. And then the fourth pillar really takes all these different data sets and applies machine learning technology to it, to automate the decision process. Should I, based on a risk score that is assigned to this access request, should I automatically block access? Do I trigger multifactor authentication, taking different factors into account? Obviously if I'm currently in our center CLA headquarter office, but five minutes later, there's an excess request coming from London. I don't know yet.
That is quick enough to, to make that trip. So shutting down immediately, any abnormal behavior is very important and providing really people with insight and forensic details that can even go so far that in real time you can trigger alert into your incident response team and they can shoulder shoulder surf and see if the behaviors really acceptable or not and decide if they want to terminate the access. So we heard earlier the example, Google and, and they moved away from too many passwords, too much privilege leveraging zero trust. But when we're on the road, everybody kinda says, yeah, makes a lot of sense. We buy into this new enterprise security strategy, but we're not in Google. We, we can't do everything in, in six years for us, that would be probably 20 years. That's not feasible. The good news is zero. Trust can be implemented step by step.
So establishing first, your identity assurance by using MFA using SSO the first step, second step limiting the later movement by really looking at zoning things off, bringing trusted endpoints in applying conditional access and other things can be the next step. And then moving on the maturity scale and forcing least privilege just in time privilege, just enough privilege doing the life cycle management and then ultimately achieving, auditing everything, analyzing the risk, monitoring the sessions, potentially integrating with SIM systems so that you can trigger alerts. That's the ultimate goal. But again, you can do things step by step and kinda Paul kind of outlined some of the benefits we run a study that was called stopped the breach and it, it applying these best practices really result in 50% risk reduction, tremendous cost saving and, and less technology spend. Cause you can now consulate your vendor selection and really focus on the things that have the biggest impact when it comes to minimizing exposure of falling victim to cyber attack.
So with that set, centrifies one of the leaders in zero trust security through the power of NextGen access, we're serving companies around the world. We have been recognized by many Analyst firms as leader in this market segment. And for us it's really next gen access is about secure and access to applications, secure and access to the infrastructure from trusted endpoints, making sure that they're really trusted and serving not just the end user community or privileged user community, but also looking at outsourced it partners at customers and partners and bring all of this together in a single unified solution for us. That is what really matters today. And so with that, I, I thank you and we will be moving into the Q and a session. I believe on this topic. There are always quite interesting questions. So looking forward to hearing more from you.
Fantastic to thank you very much, indeed. So Q and a. So first question is good one. He says I I'm in this business 40 years, bracket's mainframe distributed computing, web services and cloud fundamental principle of it systems broken by design. Yep. Fun, fundamental objective of Shannon's law, more signal, less noise. Do you agree? Zero trust for identity systems sounds dicey to me brackets by new vendor products. I think it's one for both of us. I think it was a, a digged vendors. I it's usually me. That's having a digged vendors, but I'm glad someone else is doing it. So I'll, I'll give my 2 cents and then a handover to a vendor to comment. So, so the first one is I, I think we are always upgrading systems, so I don't think anyone is saying, and I thought you, hopefully you saw from, from tools and slide there, you can do this on an incremental basis.
We are always upgrading systems. If you think most systems have a three year replacement cycle or a three year major upgrade cycle. So if you have an architecture and a plan based around zero trust, you can literally at that point that you do a major upgrade, say we are now going to implement for this system a zero trust, architectural model or an upgrade that delivers that or move to cloud or whatever. So first of all, I don't think it's a big bang. Google took about four years to rearchitect their entire network and they had lots of money to throw at it. They'll be the first to tell you that. So is it dicey? No, I don't think it is. I think it's, it's buying products that have been around for years that deliver a better outcome that you currently are buying. It is as simple as that.
Do you really want to upgrade your firewalls to the latest great firewalls? When all it's doing is it is stopping you and, and disabling your business. Ultimately maybe you say, well, you know, we put, we put in some, some I equipment at our perimeter to maintain our quality of service, but don't think about it in terms of DMZ and everything else, and then move to something else by micro privatization, one company, actually I, the British petroleum BP way back 10, 15 years ago now experimented by saying we are going to move our common office areas for our workers and our visitors onto what is effectively the internet.
And it made a huge difference to them and actually increased their security posture. So there are lots of ways to, but they just moved the office areas. They didn't move. You know, they obviously front-ended their server rooms and in those days, their server rooms with, with the security that would normally be sitting at the DMZ point and, and the key behind this is if you look at a modern firewall, an modern firewall, a modern firewall has about two and thousand rules in most of which are historic. And no one knows why they're there. And if you put a firewall, an equivalent firewall in front of a website server, the rule in that is very simple Ford port, 84, 43 to this device, this, this single IP address. Now in 10 years time, I can look at that and audit that rule and I can understand it and I probably don't need documented. So, you know, we are actually making things simpler, more robust, more secure. That's my, you know, opinion tossing over to
You. So I, I think the facts speak for itself. So if, if we take a look simply at the numbers and we understand that, that despite all the security spent, we have such high number of data breaches. You have to start rethink and zero trust offers you that opportunity. And obviously zero trust security has different elements, but for us it starts, the foundation is identity or excess management. And it makes a lot of sense. Cause again, I can have a firewall in place. I can have data encryption in place. If an attacker camouflage is, is attack under a legit identity, those tools are not helping. Cause if I'm a legit user and I was granted access to the database, it doesn't matter that there has been data encryption on it. Cause I can see the data cause I'm a legit user supposedly. And so for us, zero trust security is really focusing your efforts, your architecture on things that have the highest return on investment and, and really make you start thinking, how can I really narrow down my technology selections to the ones that have really the big, biggest efficiency levels.
Yeah, fantastic. I, I would agree. So next question with so much outsourcing and partnerships is zero trust, a hard sell. That's an interesting one. I, I would argue the opposite. I think with so much outsourcing and partnerships, zero trust is a really easy sell because it's, it's an enabler. You know, let's, let's be honest here. It, it, security's dirty little secret is that every time we want to bring someone into our organization that is not actually staff on payroll, we create a dummy account for them that we don't manage, that we don't manage very well to the point that I know there is one very large aerospace company out there that at one point had 300,000 people on its identity system of which only a hundred thousand were actual payroll staff. And we all know that actually the only way we take people off our identity system reliably is when we stop paying them, which meant that 200,000 people aren't particularly well managed. And this is a company, you know, in bidding for military and aerospace contracts. So, you know, that's, that's the problem we have out there. If we can do anything to improve the access management and the ease of which JVs and partners can come into our system and make the business life easier while increasing security, then that has to be a phenomenally good sell. And actually the case to the board is that this is security enabling you to do business better rather than the boys who like to say no,
I would completely agree. And also on the partner side, as some recent breaches have shown that they originated on a partner network and a lateral movement made it into the real target company. So even on, on the partner side to convince them to kinda apply your trust model, there, you get a lot of bite in cause they don't want to be in the news either. So it's, it's really something that we have seen over the last probably year that the mind has shifted dramatically. And there's a lot of by in to apply this type of concept.
And, and it's not just lateral movement. I mean, I think the reality is though there was an interesting study done by the FBI that said 3% of people in the population are inherently honest and 3% of the people are inherently dishonest and the rest have their price. And the reality is that if you have a hundred thousand staff and 3% are inherently dishonest, irrespective of the insider threats, espionage and all of that stuff, there are people on your network trying to do you down. So, you know, don't assume that actually it's the outs. It's someone coming in from the outside, although it could be, we actually have to design a set for this zero trust model. We don't trust anyone on our network and we, and we verify what they're doing and where they're trying to go in a simpler way as possible. One final question. I'm just looking and seeing if we've got any more, we've got a few more, we're not gonna have time for all of these. I'm afraid.
Okay. Thanks. Taking my question, FYI. I'm the current of the, our back standard roles don't go away, but we compete with AAC and X back. Yes, absolutely. I think that's a very good place probably to leave the Q and a to say yes at the moment you need to use all of, all of the, the access control standards. But ultimately I think I would argue that the place you probably should be aiming for not today because a lot of what you can't do it today as much, but risk based access control is where I would like personally like to see things heading as we head into the future. But obviously, you know, you've got to design for what you can legitimately achieve today with an eye on the future. So yes.
Okay. With that, it finally remains to say a couple of reminders, our upcoming events don't forget EIC happening in a week's time, still time to register and consumer identity world reminder. I'm sure you don't need this as a reminder, but 25th of May, GDPR comes into force for all my American friends out there who are putting their heads in the sand and, and saying, it does not apply to us. The answer is yes, it does. I had to remind someone the other day, who, when I was in California, who worked for a car dealership and I said, you have never in California, in Silicon valley sold a car to someone who is a European expat. Oh, probably have said. So I said, well, GDPR applies to you then and all your systems. So that was an interesting discussion. But if you are struggling with GDPR, give us, give us a shout. There is related research out of, out of the Analyst analysts on the Centerfi service that you've been hearing about today, three of them and a thing we do called leadership compass, which is a look at all of the, the, the main leaders in this space on, on privilege management. So I thoroughly recommend those to you.
And with that, it just remains for me to say Toten, thank you very much for joining us today. I thoroughly enjoyed your presentation and your insight and to everyone out there. Thank you for tuning in. Thank you for listening. And we hope to see you or hear you to hear us anyway, on a, another cup in webinar very soon. Thank you very much. Thanks Paul. Thanks everyone.
How can we help you