Hello, everyone. Welcome to ER, call webinar zero. Trust is driving the evolution of authorization today.
We, our webinar is supported by ping identity and we have a guest from pig identity, Adam Rush bridge. He's a senior product manager in ping identity and me Oman, a research Analyst from our call Analyst. We are gonna be with you throughout this webinar today. Let me give you general housekeeping information before we start. Your audio is automatically muted, so you don't have to do anything, but once you have a question or something, you can use the webinar control panel and then just put your inputs whenever you wish.
And at the end of when we are getting close at the end of our webinar, we can discuss and try to answer your questions and recordings, and then slides will be available for you. And you can download them at the end of the webinar. And as a coping call tradition, we are gonna have a couple of polls, and then we are expecting you to join and participate in this polls and then answer. And then we also discuss this, discuss the results of this poll at the end of our webinar.
Yes, as I said, we have two poll questions today and starting with the first one. Do you already have an approach for implementing a comprehensive zero trust model defined example, given identity devices and network. So I will give you around 20 seconds to answer this. The answer are pretty easy. Yes or no. So you can take your time now. Sorry.
Okay. Now we have the poll closed. Okay. And then let's take a, let's take a look at the today's agenda. I will start with my part.
I'm gonna try to explain the business and security benefits of policy based access controls, and then how this is how this, this is relate relating to zero trust approach. And, and then we are gonna, at the end of my slide, we are gonna see, how can we actually have this policy based approach contributes to managing the complexities of hybrid or multi-cloud environments. And in the second section, Adam Rush bridge will present the, the main author authorization use cases and what is driving the changes in enterprise architecture teams. And at the end, we are gonna have a Q and a session.
We, we highly encourage you to participate, participate in our Q and a session by the way.
All right. I would like to start with one of the main drivers behind the evolving authorization capabilities. And one of the, one of these capabilities is policy based access controls. And one of these main drivers is definitely zero trust and zero trust is a concept, basically enforces strict identity verification and access controls for every user and device. The core principles of zero trust believes in several criteria.
One of them is like in default, zero, trust denies their access, but access is only given by the policies it's motto always do not trust, but always verify. And zero trust actually requires a unified perspective. And then this span multipl area of your it environment, starting with identity, it goes to devices, network security, application security, and endpoint securities, and overall zero trust establishes a good principle for good and modern cyber security programs. If you plan to have one.
And I think that when we think about the today's increasing amount of customer data and also digital identities and also amount of the data that we retrieve from them, we gather from them and then we store them that needs to be protected. And then organizations are today obliged to secure this data. And I think zero trust is an essential approach to this going with zero trust concept. Where do we, where, where do we see the policies in the zero trust concept? We believe that it's the center of the zero trust concept. And the nest also agrees with us.
They recently published a protocol 800, 207, and this puts policies at the core of everything, which means the core of zero trust. And then in this graphic, we gathered it from missed website.
Also, you can see how they place the policies and policy administration in the core of zero trust.
And here you see that the subject is trying to access or access resources or data. And then it's initially untrusted by the system. And then it has to go through the policy administration and then get a decision based on the policies that we, the organization create. And then the subject can be granted, accepts or denied in a way that it can be trusted or not.
And of course, and we see that always verify, build on policies, always verify is the essential belief of zero trust and the in contrast to standing and static privileges, it's the center of the zero trust concept, as we see, yeah.
Before going into details of policy based access control. I think that we should talk briefly about authorization too. Authorization is granting a user, the access to perform a given action or a specific action to resources and data.
And then here you see our call IM reference architecture authorization is the core, one of the core parts of IAM, according to our reference architecture and then policy based access management is one of the core capabilities of authorization in our belief and authorization is basically required to deal with the sensitive data and assets. And as I mentioned earlier, the amount of data is growing and also the obligations are evolving. So securing data is very important. And then the authorization plays a crucial role in that.
And without authorization, you are actually exposed to vulnerabilities and then data breaches, and most importantly, unauthorize authorized accesses. And with the evolving authorization capabilities like policy based access control authorization is built on basically on builds on basically policies. It simplifies the development of digital services, and then it can also work in the, the leg legacy systems on premises via gateway based. And it is again the cornerstone of the nest. So we can from now on, we can actually switch to policy based access controls now.
Yeah, this is the final topic that I'm going to discuss with you and share my, share our information. We are going to discuss how policy based access control works. What are the business and security benefits, and then how to implement it?
Let's, let's start with the how feedback works. The admin console you see here is the policy administration point, as known as policy administration point centralizes the authorization and manages policies. It can be your vendor providing you policy based access control and policy enforcement point. Here we research requests are received and sent to this policy decision points. And depending on the decision, it passes the decision to response to, to protected resources. So this is the point where the access is granted or denied.
And finally, the decision point is the point where the decision gets evaluated based on your policies, you create your policies and then in the decision point, your feedback determines, and if the access should be given or not, and the information is retrieved by the policy information points, and this can be the, the data or information stored in your directories or databases and why essentially we should adopt policy based access control.
There are several benefits. Some of them are security benefit, security, wise benefits.
And some of them are business wise benefits starting with the security side, it's centralized, centralized your policy management, and then it gives you consistent access control decisions across your organization. And it supports different deployment models like on premises cloud. And in cases, in some cases hybrid hybrid cloud deployments, it gives you real time policy decisions on based on your current data.
And as I said earlier, authorization is evolving and now you have the fine grain access controls together with the context variables organization, comply with regulations, and then they can enforce cons contents and enable zero trust, security, and secure customer data with this way. And one of the last part of the access control is that we have this traditional approaches to access control and then redefine roles. We used to define roles and we have this dynamic work environment.
And then as I said, the regulations are evolving.
So you need to come up with a, a policy that will actually allow you to change the, the roles of your employee, and then in an automatic way, and also make you comply with the regulations throughout your organization. So when you have the policies, you don't have to struggle with human resources, changing roles and et cetera. And the other benefits I would call them business benefits. It gives you flexibility. Administrators can have a greater control over the access and they can add, remove or remove the permissions.
Adaptability policies can address a wide range of dynamic attributes, attributes, and contextual controls such as location, the time of access or cetera. And the final one, observability policies are human readable. And then with the feedback you can actually easily, we have the relationship between identities and resources.
Yeah. And before we finalize, I briefly talk about how we implement it. We first need to plan.
We, we need to come up with, we came up with a four step plan and to implement policy-based access control. The first step is planning, planning. Cross-functional teams can engage for the project planning to ensure the, all the stake holders are aligned. And then the, the, where, where everyone is informed about your strategy throughout your organization.
Second step is building you decide which solution to buy, should it should, should it be an a SA solution or should it be available available for your on premises, depending on your infrastructure, you need to make the procurement decisions and later on, you need to deliver this project. And then all the stakeholders should be involved in this. And then most development environments employ continuous integration and continuous delivery tool sets. And this automates much of the deployment activity, and they keep diverse deployments current. And at the end, you need to be able to run it.
So the run stage operational personal required tools that provide visibility across hybrid and multi-cloud deployments and management interfaces with dashboard features, or to allow continuous monitoring of the feedback environments connection to the enterprise tools like security operations center, or SIM and other security tool integrations are highly just advisable in this step.
Yeah. And finally, I think that we should talk about how policy-based access control can be beneficial while managing the complexities of multi-cloud.
And this is obviously a challenge having a complex it environment is something that we have, we have growing after adopting like more and more service virtual machines and private and public clouds and sub components of these like PCs notebooks, and also the other things that are related like other devices. And we have to deal with them and then we need to be agile and cost efficient and provide enough security and comply with regulations. So this is what we need to think.
And when we are delivering an agility and trying to be cost efficient and also ensuring the security while complying with the regulations, we need to find a sweet spot. And then I think that's, the policies can by automating this process can be really helpful.
Yeah. And how to deliver, deploy, run, and security services. The business needs. Do we need manual administration anymore? We believe no. And then we should not be quoting everything.
So policy based automation can be really helpful here because when we can auto have the automated automated policies, we can also overcome the complexities of it environment. And then also these configurations. And today we, we highly benefit from AI and then the machine learning. So I think that policies can be a really beneficial point when it comes to automating this process. And finally, the common denominators, we have the policies, identities, and resources.
You have lots of users here, the work, your workforce, your partners, your third parties, your supply actors in your supply chain, and then you need to secure their identities, their, the devices, and then the other, other things. And of course you need to provide the network security to your organization and also the applications. And then the other services that you are running. We have the second poll question now, before I finish, and I will give you another 20 seconds to answer this. The question is, where is your organization on the zero trust journey?
And we, we were, we are going to discuss the results also at the end of the advents presentation
From here on, I will hand it over to Adam to make his presentation. Thank you very much for listening to me.
Okay. So first of all, thank you very much for taking the time to join us this Thursday. So I'd like to talk a little bit about our perspective on authorization and how we're seeing zero trust driving this evolution and changing the dynamic across enterprise organizations.
So since it's inception, ping has been primarily focused on authentication, so SSO and MFA and risk, and, and more recently it's, you know, has had some focus on eliminating passwords, but we're starting to see this emphasis shift and asked more questions like now that we've verified a user's identity and establish a session, we want to control what those users do. And so in some ways we can identify two key goals for, for, for the ping platform and for identity and access management.
So first we want to manage the user and there are these activities to the left of this diagram that support that, right.
We might be registering new users, onboarding new employees, et cetera, et cetera. And then we want to protect a resource and that involves authenticating users correctly, but also appropriately managing our risk appetite to different classes of resources. And so when we talk about authorization, we're talking about this activity to the right here and down, the bottom is orchestration.
So this is recognizing that controlling identity and access management is a dynamic and adaptive process. And we need to integrate a variety of internal and external signals into our IAM layer, customizing that authentication and authorization experience for different user communities and orchestrating a variety of best of breed technologies as we do. So. So authorization happens after authentication and at a really high level. Whereas authentication is about getting you in the front door. Authorization is about what happens after that front door.
So it's what users can see and do within the application.
So that might include what features you can use within a page, what data you can see, what transactions you can perform, or what actions you can take. And this is important, right? Because as we think of our role in the identity layer, we want to make sure that we can give appropriate access to resources because who gets access to what is foundational to zero trust, as on, as Osman was describing.
So we'll take a deeper look at this, but the pre the key principle of zero trust is that we don't implicitly trust the user, the network or their device. Instead, we always verify that the user is authorized using the latest up to date and real time information that's available to us.
So at its core, a key problem is that existing authorization approaches fail to satisfy some of these modern requirements.
So historically organizations try and solve, try and solve authorization using role-based access control or RAC, and roles can be a great building block, but at an enterprise level, the approach becomes really challenging. So with RAC, you're either assigned a role or you're not, and this doesn't satisfy some of these modern use cases where you sometimes have access depending on circumstances and the roles that you're assigned can go stale. So as I move around an organization, or as my situation changes, I still have these roles which can mean that I either have too much or too little access.
And secondly, this blunt way of man of maintaining authorization has become hard to manage. So as organizations create more and more roles to represent all the nuanced access that different users need to have, this can lead to what we call role explosion, or they're burying authorization, logic into their applications to deliver the experiences their audiences need.
So dynamic authorization has gained traction as an alternative approach.
So first, when we look at our back roles are defined with static sets of permissions, but these don't match real world scenarios. So we have this role explosion with more roles and identities enterprises having to go through complex at adaptation processes to assert that role assignments are still valid, but instead we can use policy based access control, where we write policies that grant who gets access to what, and under what conditions and policies can pull in realtime context to that decision.
So, for example, we might say, this person is entitled. So they get access based on their role, but here today, their risk level is high. Maybe they're traveling to a different country, so they don't get access because of that risk. So rather than mapping our business requirements to roles, we're using policies to express our business requirements.
Instead, secondly, access management is often too course grained. So as I said, you either have access to all or nothing, and people come over privileged. So think in a healthcare setting, right, we want to have tight controls over what our GP can see versus our physiotherapist or the nurse or the practice staff. And the solution here is fine grain access. So we want to define limits on what different users should be able to access.
But again, those limitations can't be statically asserted. They're gonna change over time. So this might be, as a GP gets assigned to a new set of patients, or as a family member provide provides consent. And when we talk about course grained access, we're really just describing when a user gets access to an application, medium grained we're controlling, which features inside the application, a user can access.
And in technical terms, we're probably talking about whether a user can get access to an API and find grain access is when we're starting to control which actions a user can perform against a particular feature, which actions you can perform on an API or what data you can see.
And finally organizations have this complex architecture and mix of access control requirements, right? So to be able to move towards this zero trust model, we need to have integrations at different layers of the stack at applications, API and data layers, and what we're describing here, right?
It's, it's not worthy that what we're describing here applies to both customer and workforce use cases. So in Siam consumers often don't fit into roles. We might have access arrangements that are based on entitlement.
So, you know, if someone signed up with a trial versus subscription versus a premium subscription, we may have access based on consent or relationships to another user. So think about delegated access scenarios with family members and in workforce, the zero trust is fundamentally changing our approach to access from course to find grained. So we're making access decisions based on information about the user, the action they're performing and the resource they're accessing rather than, you know, perimeter level information. And we also need to think about our extended workforce.
So partners, contractors, third parties, more dynamic fluid roles, and we need to make sure that, that these roles should only have access to what they need and nothing more.
And we see enterprises striving to constant, constantly balance security and friction for their employees and their end users. So we can see here this, this model of adaptive access, right? Fundamentally it's no longer sufficient to say yes or no, right? Instead we maybe want to elevate the trust that we have in individual or reduce the risk.
So when risk is increased, we want to, we decrease our level of trust in, in a user and, and maybe force them to reauthenticate right. To step up with MFA, we seek approval, or we direct a user down a path to, to re-verify who they are before we're taking some or before providing access. But the other way to deal with increased risk is to reduce our risk exposure.
So again, following the principles of least privilege, we limit the amount of data and the actions that are available.
So we might say for this user, and for this use case, we'll strip out this information. They don't need that data or that action. So we remove it from what they can see, right? So we've got two approaches here. One we're elevating our trust in the user. The second is we're reducing risk. Okay. So why does this matter to us all in the IAM domain?
Well, fundamentally we see the market starting to trend towards externalized authorization as an architectural pattern. So 10 years ago, authentication was siloed and disparate across the organization. And now it's been centralized into one control plane, and we can deliver these elegant and graceful and efficient experiences because of that. And authorization is where authentication was maybe 10 years ago. Right. But it's starting to be, become externalized, starting to become centralized for both the customer and the workforce use cases.
Okay.
So onto zero trust, that's a bit of background around authorization. And you know, some of the drivers that, that we are witnessing and have witnessed that, that are, are changing kind of organizational approaches to date, right? So now let's, let's take a, a bit of a closer look at zero trust, right? It's one of those terms that gets used a lot in our industry, but, but it can be difficult to break down. So enterprises across industries are moving to identity centric, security and adopting zero trust.
And, and, you know, if we look at nest Osman was talking about nest it centers on five key principles. So the networks always assume to be hostile, external and internal threats exist on the network at all times, network locality is not sufficient for deciding trust and every device, user and network flow is authenticated and authorized policies must be dynamic and calculated from as many sources of data as possible.
So we can see in this pattern here, right on the left hand side, we have identities who are trying to access some resources on the right hand side and, and they're on devices, right? And we want to, to make some, some decisions around them, right? We have our dynamic authorization authority. That's sitting in the middle that's, that's establishing our risk posture. We're consuming information about the identity, about the device postures, our organizational approach to risk. And essentially this is the model, right?
We are, we are placing some infrastructure in between the identity and their device and the resources that are being protected on the right hand side.
And this here then becomes a passion that, that we are adopting within, within ping, kind of using as a, as a frame of reference to, to discuss zero trust.
And, you know, a lot of organizations that we talk to are team to adopt a zero trust approach, but are unsure how to get started. And many of our discussions with customers, we, we increasingly have conversations about the challenges that, that they face. So some of those challenges are around managing integrations with multiple vendors. Some are around tying together insights from multiple sources to try and make a decision. And then the third is delivering dynamic experiences based on those policy outcomes.
So that's led us to this architecture here, right on the left hand side, we're detecting we're, we're pulling together those signals that, that contextual information from multiple places, we're making a policy based decision based on that.
And then we're directing users down different pathways either to elevate our trust or to reduce risk. Right?
So to, to expand on that further on the left hand side, we've got context to where signals from across the architecture in the middle, we've got our policy based decision based on those signals. And then we might elevate trust, right? We might step them up with MFA. We might require that approval is sought before providing them access. We might verify their identity once again. So if we were to, excuse me, if we were to apply this then to a simple zero trust use case, we could start, for example, just by looking at, at authentication, right?
Here's here's the, the simplest scenario where, where essentially we might integrate more signals into an authentication journey. So on the left hand side, we see the variety of contextual signals that are fed into a decision, right?
So we've got identity signals, maybe the user, their role, we've got identity tokens. All of these things may be valid. It might be information about the resource. So the application being accessed, and then it might be environmental data. So endpoint signals from CrowdStrike, for example, browser signals, agents, et cetera, right?
The network information that we're on and in the middle, we've got our policy decision. So based on this specific identity, accessing this resource with this environmental pro profile, what should we do here?
And again, maybe we permit access. Maybe we increase the level of assurance that we have in the user.
So what does this actually look like in practice? Right. So just to touch on that very briefly, first of all, we have the policies themselves. Okay.
So here, we've got an example of a policy management interface, right? This, the, the intent here is that we can allow collaboration from business stakeholders and it development teams, right. Individuals across the organization can collaborate through through this interface. And this gives the business visibility into exactly what has been implemented, what those policies are, right?
So that, so that they can be, those policies can be audited and monitored over time. We've got agility. We're no longer making author or embedding authorization logic in application code. So we've got agility to make changes quickly, and we've got consistency by reusing these policy building blocks in multiple places. And fundamentally these policies just contain a series of rules. So the goals to let administrators take the checks that business users might write as requirements, and very clearly map these to recognizable rules in our systems using comparable language, right?
So it becomes much more human readable. So the conditions under which a policy is evaluated here, like when, when should we apply this policy, the rules themselves that are evaluated as part of policy and any actions and instructions that, that, that, that might follow from that. And as I've said before, right? Orchestration of data is quite central to this. So decisions can retrieve context from across the business. So at runtime, the, the policy is only pulling in the context that it needs to make that decision, but it's real time, right?
The, the, these engines, these authorized engines are typically stateless. So they just pull in the information in real time as, and when it's needed. So we can pretty much retrieve contextual data from, from across across those enterprise applications and data sources that you may, may well have, right? We're going well beyond identity and roles here and making decisions using real time business, relevant context. And finally, we're essentially returning instructions as part of that decision or as an outcome of that decision that are driving actions in other systems.
So again, going back to our concepts before, maybe we're elevating trust, maybe we're reducing risk. Maybe we're determining what features and functionality can can be displayed in, in inside applications, right? So these instructions that we return become quite central to how we direct users down different pathways.
So here's a second use case then the, the, the, the we see quite often, right, this pattern here is, is more around fine grained, workforce access.
So, and this is one of the most common workforce use use use cases that we see, right, adapt adaptive access to data. So we can imagine a business team at the top who bring along a use case here. I need to manage what my workforce can access. And at the bottom, here's an example of some of the specific rules that might be involved in that policy. So staff can only access records from their branch managers can access records from their region. For example, contractors can only see specific accounts to which they're assigned.
So to support this decision, we need to have access to information like a user's role, but also their branch assignment and their region. Right. But rather than creating roles for each of these different permutations and variables and so on, we can just reach into their user profile, right. And fetch that information about their, their branch assignment or their region, or maybe their branch assignment isn't stored inside the user profile, but instead it's stored inside the HR system. Right.
So again, we can just reach out to that and, and use that information in our access control decisions about what these different classes and categories of users can access.
Okay. I've primarily spoken here around workforce use cases, but I do want to be clear that a large proportion of the clients that, that we have conversations with and that we work with are applying this to cm use cases as well. Okay.
So here, for example, we may have fraud and risk scenario where we need to integrate multiple risk signals or multiple fraud signals into a financial services scenario or a retail application. And, but the pattern remains similar, right? Once again, we're, we're detecting those signals and folding them into our decisions. We're making our decisions based on the policies that we put in place.
And then we're determining how we want to proceed, whether we want to elevate trust or reduce risk for those different actions.
And it's important to note here, you know, I've tried to, to highlight on this, this screen here, that dynamic authorization tools are vendor agnostic. So these, these products, these product offerings can pull in contextual data from different systems across the, the enterprise estate and trigger actions on the right hand side in different systems. Okay. So we can be very flexible. These products as a whole are very flexible in terms of how they integrate into, into your estate. Okay. Excuse me.
So we can see,
We can see then I've, I've tried to summarize here some of the, the key authorization use cases at quite a high level that we are seeing out there in the field right. Central in this slide is zero trust kind of permissions and entitlements. So these are organizations who are looking to move beyond roles or build on top of roles and try and accommodate the, the more nuanced scenarios that they're actually seeing in practice and trying to mitigate some of the challenges of role explosion.
So here, you know, effectively, we're, we're helping organizations model those relationships between users, the resources that they're trying to access and the actions that they're trying to perform. Okay. On the left hand side, we can see scenarios around regulations and data sharing. So the industry as a whole is being encouraged more to, to share data and share information either with users or across organizational boundaries, right?
So we could think of open banking. We could think of the cures act in terms of healthcare. We could think of GDPR in terms of personal data, right.
And we need to, to make sure that, that we have sought consent, but not just at a course grain level, at a fine grain level, to make sure that different audiences have got access to the right level of granularity there. So making sure that that different entities have authorized data access and that we can enforce that and manage it over time in the right way. And thirdly, we can see kind of more real time authorization scenarios.
So when we might want to, to be in the transactional flow, either in retail or financial services scenarios, where we're really analyzing realtime fraud and risk signals to reduce transactional fraud. Okay.
And final slide here. Right.
But there, you know, I just wanted to touch on what we see from customers as, as some of the benefits that they are, are talking about with us. Okay. So first of all, we see benefits around controlled access, how we improve our access controls. So rather than having static authorization models in place, we're, we are improving our posture by, by, by making real time authorization decisions based on contextual attributes, right?
Secondly, we've got centralized controls and enforcement to reduce risks. So, so we can have multiple stakeholders having visibility and consistency across the estate. And this is allowing us to improve our, our security in terms of our workforce and customer access posture. Right. We have agility to act across, across our estate.
Secondly, we've got customized experiences. So, so really we can personalize those experience for different audiences, right? Both in terms of our customer use cases.
So that may be more driven around preferences consents, but for our workforces, we can make more efficient experiences for different classes and categories of users.
So, as I said before, around those contractors around third parties, around different roles and so on, we can make better customized experiences based on different entitlements. And fundamentally we can protect that data to build organizational trust and reputational trust in, in our organizations, right. We hear regularly about threats and attacks and data breaches and so on. And actually often one of the root causes of that is overprivileged access. Instead with policy based access control, we can, we can mitigate against that. The third aspect then is around operational efficiency.
So fundamentally across the estate, we can improve our zero trust posture. We can consolidate that, that policy administration and start reducing and removing some of that duplication of effort.
That's, that's, that's currently happening. We can start revisiting and thinking about some of those at adaptation and compliance processes that we've currently got in place. And fundamentally for some of the more nuanced and fine grain decisions, we can start removing the, the dependency on individual developers, siloed developers who are creating policies for each data source.
Okay. Right. Thank you very much for your time. At this point, I will stop sharing if I can and hand back to Osman.
Yeah. Thank you very much, Adam, for this great presentation.
And I think that we have a lot of question today, but before going to that, would you like to maybe see the, the poll results that we have initially asked? And because I think we have some interesting results today. 44% of our attendees said yes, to having an approach for implementing a comprehensive zero trust model. And 56% of them had said, no, then maybe we can see the second results. And then maybe we can discuss it together because they are related. Yeah. The question was, where is your organization on the zero trust journey?
And then we had the options not started, not applicable and the concept phase and implementation of solution. Yeah. What would you like to say about this, Adam? It is a bit interesting from my side to see that was it 44% of the people had actually
Yeah. Understand
The importance of zero trust, but I think that among them, 77% of the them are in the concept phase. Would you like to say,
Yeah, yeah, no, look, I, I think that this is a fascinating set of results and, and something, I think that, that, that we've seen ourselves across, across industry. Right.
I think that, you know, I think, I think, I think we can see that awareness around zero trust is increasing over time. Right. And we can see that that maturity curve starting to evolve.
So, so I think, I think it's, I think it's great that, that, that, that 44% there are, are responding with yes. But I, I think, I think what we can see, you know, as we saw on the second slide, then, you know, the, the different levels of maturity that we see in, in across different organizations. So often I think one thing that I've seen in, in terms of organizational adoption has been there, there are, I mean, first of all, this is a, a posture and approach and we can have zero trust being applied at different levels of the architecture and, and at, at different levels of the stack, I guess.
Right. So, so one place where I've seen a lot of movement and traction so far has been at the layer of authentication and has been at the network layer as well. Right. And I think maybe where, where we're starting to see kind of more movement has been around those final grained access layers there, right? How do we start kind of pushing inside the applications and start, like, we certainly moved our perimeters or we are moving our perimeters from the network layer to the application layer.
And I think the next step is how do we start moving our security posture from the application layer inside that, to the features that we might be able to see so that we've got good, comprehensive views of the permissions that different users have got access to. And then to the, the data sets and the different kind of role, maybe role level security, or column level security that we might see inside those applications. Right. So I think it's a progressive journey.
And, and perhaps you can see that on that second slide where we, we saw quite a lot of people at the concept phase and fewer at the implementation phase,
Cameron, it's also important that people organizations started to understand the, the importance of zero trust. And then they at least started thinking of a concept and then maybe they will also go to the implementation phase soon. And we have around like nine minutes before we conclude the webinar, I have received many questions and I pick couple of them and then ask you a lot of our in-house developed applications are built on APIs.
How do you apply zero trust controls to APIs as by ones?
Okay. Alright.
That's, that's, that's a great question there, I think, and we can see, we can see increasingly, like, as, as, as the question are asked, right, the number of, of APIs are only increasing. So, so essentially, you know, what, what we can see now is that as these APIs flow through API gateways, then these API gateways start to become an integration hook. So often in terms of authorization, we talk about two different components, right? One is around the decisioning engine and then the other is the enforcement point and APIs are the foundation on top of which applications are built, right?
So, so we suddenly have got an integration hook through APIs and through API gateways where we can start making fine grained decisions about what different users and different audiences should be able to see. So for example, a product like ping one authorized has got out of the box integrations with different API gateways, and we can start making those decisions based on, you know, as I've said, already network information, role information, etcetera, etcetera. And we can both modify the query, right. We can say, should this user be able to access this API?
Yes or no, but we can also start acting upon the responses as well and start performing maybe role level reduction or cell level masking. Right. So we'll just start reducing down the information that gets returned back to our users. So we can really start implementing through an API here, some of those, those fine grain to access controls that that are important for zero trust.
All right. The second question is that we are just starting to review our zero trust position, which will include both authentication and authorization. How do you suggest we get started?
I think you answered some of these, but would you like to add something to it?
Yeah. Yeah.
I mean, I think, I think, I think in, in this scenario here, right? I think it, it, it can be a multi-phase approach. And I think you can probably see that from the survey responses that we had. Right.
And Osman, you were talking about this as well. Right? First of all, there's an appraisal across the organizational landscape where we're looking at our different applications and we're looking at our business requirements. So what mix of, of roles have we got today? What mix of audiences have we got that we are trying to, to put in place? And then we can end up with a higher level model and a higher level architecture there that, that describes both our organizational posture and our authorization posture.
And then, and then we can start, start prioritizing our different segments, right. And essentially moving into our, our proof of concepts that start tackling particular use cases and, and proving that out and scaling out our adoption over time. Right. This is something that I guess at, at, at ping, we are working through with a number of, or many, many organizations of different sizes and scales.
So if there are organizations out there who are at the very beginning of their journey, or maybe who are at the concept phase, then, you know, please do reach out and, and, and we'd love to have a conversation.
Yeah.
Now, from my point, if it's the question only goes for the starting phase, then from my point of the planning and also identifying your needs and requirements, and also aligning all your stakeholders in the, in this procedure is really important. That that's what I believe. Okay. We have lots of questions from Robert, Christopher. I think that I should pick couple of them.
And as, as far as we have time, we answer them, how many policies will an organization generally require to be compliant and to provide fine grain security?
I think I, I think it can depend right on, on the different use cases, excuse me, and the different scenarios that, that, that, that we've got in place. Right. What we can see.
So it's a, it's quite a difficult question to, to, to answer, cuz it depends on the, the, the, the variety of applications or resources being protected. We can model our policies essentially in slightly different ways.
So, so maybe we model our policies overall starting with our classes of users. Right.
So, so maybe we start by having policies that are more driven around permanent staff or around managers or around contractors. Right. And then we've got different rules that are in place for effectively our, our kind of top level roles and we've got elaboration or enhancements on, on those roles. Okay. So that might be one approach. Another approach might be to categorize our applications into, into, into different classes, right? So maybe we've got high risk applications, medium risk, low, low, low risk, and so on. Right.
So, so again, perhaps we, we end up wanting to structure our policies that way. So to some extent, it's a bit dependent on the particular use case, but fundamentally what we see is that we can radically simplify the number of roles that are needed over time and improve our auditability and our understanding of our security landscape.
And maybe this will be the last question because we are almost done.
We, we, we have limited time as you know, it's from Michael's zero trust seen as a panacea in security. Could this cause a false, could this cause us to have a false sense of security? That's kind of an interesting question.
I think that's a great question, isn't it?
You know, I think, you know, I think zero trust has gone through, well, as, as, as you say, right, it's gone through a hype curve and, and I think it would be alarmist to, to, or, or it would be overreaching to say that it's going to be the panacea for everything. What we are seeing is like, as I was describing earlier, we see organizations who are having challenges, managing the number of roles that they have inside their organizations. Right.
We see them wanting to fold in more dynamic, contextual information into their decisions and, and have finer grained control over who gets access to what, right. So we can, we can, we can place different labels on a and, and different waitings and so on. But I think that that notion of detect, decide and direct, right, where we're elevating trust or, or reducing risk that, that almost stands outside.
I guess, some of the, the, the, the phrasing of zero trust. I think, you know, when I think about zero trust, I do see organizations talk about it as a journey. And I think that that's correct. I think we should always be trying to improve our security posture over time. And I'm sure that there will be different, a different mix of solutions that we need to use in order to deliver on that.
Exactly. All right. I think that should wrap it up and thank you for joining us today. We tried to answer as much as questions of yours today.
We had lots of them, sorry, if not answered, but if you still want to get an answer, you can always contact me and Adam on this. And I think thank you very much for your attending today. Thank you very much, Adam. Would you like to say anything? Just
Thank you, Bosman and thank you very much for the time everyone.
Yeah, you're welcome. Yeah. Have a good evening, everyone. Bye-bye.
