IT security is of central importance to companies. There are many requirements that must be met so that users with different roles and rights can use the various computers and networks securely and efficiently.
Welcome. Good morning. Good afternoon to our KuppingerCole webinar about building a secure future with a flexible IT architecture, the security fabric. My name is Christopher Schutze. I'm director for the practice cyber security at KuppingerCole. And I'm here today with my colleague Matthias Reinwarth, our director for the practice identity and access management. Hello Matthias. Hi Christopher. Good to be here. Thank you.
Before we start, some internal notes and some information. On August the sixth, we have our KCLive event about the future of digital identity, self-sovereign identity, and verifiable credentials. As you might know from our previous events, we have high level content and world class speakers, and it is for free and you can attend from home. Also some housekeeping. We have audio control. As you might have noticed, you are centrally muted and we are controlling this feature and there is no need to mute or unmute yourself. We are recording this webinar.
It will be made available short-term and we also will provide the slide deck for download. There's time for Q and A at the end of the webinar. You can enter your questions at any time using the GoToWebinar control panel. And a special goodie for today: you can download the leadership brief about the security fabric for free. It is available in the handout section in the GoToWebinar control panel on the right side of your screen. Okay, enough advertisement and our organizational stuff. What we will do today: we will start with threats for your organization.
What are current challenges organizations have to face, followed by some ideas of how to improve security and the related challenges with that, and last but not least our central approach with the KuppingerCole security fabric. So let's go. The top five challenges for cyber security. Imagine your own organization. What would scare you most? Losing data due to data breaches, maybe an unprotected API or some employee with bad intentions. The loss of data, especially customer data like mail, password, credit card, is a very sensitive topic and harms your organization a lot.
Just think about another one. You turn on your computer and you are not able to work. The computer is locked by a software which blocks you from doing your work, from accessing your data. Ransomware attacks are, in 2020, still growing, and blackmailers ransom money from your organization. Whether you get access back or not after paying is very unclear. Another thing: when did you last change your password? Are you forced to do it every 90 days? Are you using a complex one? Passwords are an annoying thing. I notice by myself, and forcing people to change
it is not always the best idea because people tend to write it down or just use some simple rules. So counting a number plus plus one. So we should have some more user friendly ways to access our systems or our data, to prove our identity and to maintain also the passwords for service accounts.
And maybe, and this is a challenging question. Maybe we do not need a password anymore in the future. Hacking an organization is always possible. We know that, and it's just a question of how much money it will cost the attacker to hack you to get access to your data and how much profit he expects when he gets access to your data. But nevertheless, traditional hacking is really expensive and it costs usually a lot of time.
And that's why the user, the person behind the computer, is more in focus, but social engineering attackers try to force people to download things, maybe to enter their credentials or to give information about relevant things. Often the attackers act like a person you know, and they use their names or even hijack their accounts. And if there is not enough to take care of any kind of things started to connect to our corporate networks or to a fog network, they often connect via an access point and communicate with various protocols to each other.
And potentially all of them can have access to the network, to our corporate network. They can deliver data, but they also can receive data. They can deliver wrong data. And this is a big thing we have to handle. Christopher, I think one of the most striking items that is on that slide that you've just shown is really the 62% of all attacks that occur based on social engineering.
So if we apply a risk based approach and we see that number, I think that is really something that organizations actually really should take care of, making sure that social engineering is made not that easy. So it's just every time I see that figure, it really strikes me how training, how making your staff aware of what can happen when they do not take care, is really something that organizations just should focus on, without having a security fabric, without going into much detail. This is really something where organizations really should start.
Exactly. And we will see this on the next slide, on the slide after this, that taking care of the training of your employees is really essential, right? So we will see this soon, but a good remark. Okay. So to summarize in one sentence what I mentioned: it is about data. It is about application. It's about systems. It's about network, it's about endpoints and for sure, the digital identities. Okay. And this is a slide I started to talk about: what you can do to achieve a higher level of security, what are measures to make your organization more secure. Changing
the password does not help you at all. You need some intelligent authentication mechanisms. A good one to start with is for sure multifactor authentication, and ask the user for a second factor. Maybe with an intelligent logic, not always, maybe based on a risk, maybe on behavior or whatever. This is an important thing you can start with.
You can, or you should, enable built-in endpoint protection mechanisms and extend them in the next step with an overall approach to really manage endpoints in a secure manner. Just think about the many daily devices we have when people work from home, when people are using their mobile phones. There is a lot of threat, and this is something you have to take care of. And this is essential.
And also, this is a third point, you should have something like an appropriate patch management on all these things and all these devices, really to prevent easier attacks, maybe by zero days or exploits, which very often also cause ransomware attacks. And then the point we talked about, and this is the second important thing here: train your people. Social engineering is working well because people are not aware of simple rules, how to identify suspicious mails, messages, or links. And this is something you can learn. And this is something you have to teach as an organization.
And this should for sure be an important part of your security strategy, as Matthias mentioned. And then the data protection: protecting your data is the most important thing on that slide, especially when we talk about the work from home, about private networks, about employees that are forced to send documents via mail attachment to their private accounts, because otherwise they would not be able to work. They have no access to the document. Maybe you store something in Teams and it is forwarded, all that things, and this must be controlled and adequately protected. Okay.
So that sounds nice. But how do I do that, you would ask. We have thousands of devices, thousands of users, and a lot of existing stuff. And the simple, but also complex answer is: you must have a consistent security architecture. You must have something to achieve consistent architecture and a really well defined approach to achieve that. Matthias, this is the part I would hand over to you, if you do not have any further remarks. Not right now. You've mentioned there that we should protect all of the above.
You said application, system, data, identities, and maybe we should put that into perspective as well. There are current approaches right now that go a bit of a different way. And I think this is something that we need to take care of when you present your security fabric later, but just to cover that I would then really start and focus on protecting data. So if you could share the next slide please. Right?
So we, we, the main approach that, that we really have to take care of is to start with data. So protecting data in an insecure world, I think that is really the important point that I would like to start with because there are approaches right now, and many organizations, many vendors that provide security solution are just going that way. So first of all, to, to, to lay the foundation, where are we right now? How does this insecure world look like? First of all, cloud is the new normal. And if we talk to banks, say 3, 4, 5 years ago, they were really reluctant to move towards the cloud.
Today we have 2020, even the very conservative ones have a cloud strategy, have even a cloud first or at least a hybrid strategy when it comes to developing new platforms, developing new architectures. So when we move to the cloud to the right, we say, no network perimeter, of course, that is true. The more you move outside of your existing, old style, old fashioned business data center, the more you get rid of the, or you lose the network perimeter that you can really more or less easily protect, although that is disputable as well.
So another aspect is the mobile workforce, and we don't have to think of the COVID 19 crisis all the time, but of course that contributed, but workforce is getting more and more mobile. And with the disappearing perimeter and a changed working environment, they have to become increasingly mobile. And that even leads to the situation that even when you are working at the department of your organization, you might even be working as if you were mobile, because you're just using your tablet. You're using your mobile computer.
Next trend that we of course have to integrate into our security approach is that many organizations are moving to software as a service solutions and online collaboration platforms. So whatever you have right now, because you had to move to a more modern approach, but many organizations are doing this strategically anyway. So SharePoint Online for today for data storage in the cloud, or Outlook, Office 365, Dropbox, Box, whatever you have. Collaboration in the cloud, so Teams or Slack or whatever there is, there's so many solutions.
So all the examples are really just one for all, as to mention them a bit, and many organizations really don't want to create their infrastructure in their own data center anymore, because it's much quicker, much more efficient, sometimes even cheaper when it comes to deployment models or having not the right staff at hand, that they're moving full business processes into the cloud. So if you think of Salesforce or ServiceNow, really moving complete workloads, work packages of your business processes into the cloud.
So Salesforce is an example that really is highly successful, ServiceNow is another example, but these are just examples. Many organizations are going that way. You've mentioned already. Yep. Maybe some addition here, sorry. This is exactly what I mentioned on the previous slide.
The thing, what happens with a document or with the data, if it's stored in teams or shared in teams, you are not able as an organization to track in detail or in, in standard configuration that someone has downloaded it and stored it on another one. And then you can lose the control about your data, about your documents very fast. And especially when talking about data, which is stored in databases in the cloud like you have in Salesforce, and maybe you have customer data and someone makes a screenshot out of that. You lose the data or someone can steal the data.
And this is something you should be aware of. Right? Exactly.
And of course, malware, ransomware, we've mentioned that, we've mentioned the 62%, but we have to be honest, this is a business model there. This is really something that professionally organized cyber criminals really do on their daily basis, with call centers and everything that you can think of. And they are targeting you and they are targeting data. So protecting data in an insecure world means also being capable of dealing with malware and ransomware. And finally, we don't have to be naive. There's also industrial espionage.
So really we have to make sure that commercial enterprises and businesses have to make sure that they protect their data even from, from their competitors or by foreign state actors that are really highly professional. They are supported by their intelligence services. So protecting data from industrial espionage to pronounce it correctly is really an important thing. So protecting data in an insecure world is one of the basic starting points.
And if you switch over to the next slide, this, this is something that we use here to look at the protection of data, the protection of information, which is structured data, of course, the information protection life cycle, just very quickly to show that this is really a part of the overall concept that we are talking about today. So this is a life cycle and it starts to the upper left with the acquisition of data. So either we start with this process completely new. So we need to identify where data actually is. So it's on the one hand discover data.
And if you create it new, of course create data, but then you really make sure that you understand data, understand what its role is, what its criticality is. Just assess it from its semantics, from its criticality and from its intended user group and apply classification. So acquire and assess means adding metadata, making sure that you understand this information. If you move to the right, we come to the active use life of data, and there we need to make sure that we really handle data over time as adequately as possible.
We, we need to make sure that we control access, and this is the completely complete game of authenticating users. So we again are at identities at authorization, understanding metadata and the identity to allow access as required and to prevent access when not, and also to govern access, making sure that we understand what's going on is this user really doing what we are expecting from him? We need to secure data secure means in every mode that data can be so that it's in transit, in use and at rest, so that it's protected in every way that data can be processed within your systems.
And that means, as examples, encrypt them, tokenize them, mask them, redact them or smize them. So that is really securing data at runtime, at storage, and while it's transferred to your device or back. We need to monitor all applications, all systems, network interfaces that we are using to identify all the activities that are there and identify especially those that we do not want to happen. That's of course important. And at the end also monitor data when it's in use to understand what's going on. You've mentioned user behavior analytics already in an earlier slide.
That is an important part here. If something happens and we all as security professionals assume breach, and we assume that there has already something being happening so that you need to make sure when you detect something in monitor and detect that you are capable of containing what's going on and to recover, especially your data when it comes to making sure that you have a business continuity plan in place. So analyze what's going on limit imminent effects and maintain operation.
And that also means recovering maybe even from backups, and that's again information protection, making sure that you have the backup in place. And of course the fun part, of course, is deceiving, distracting attackers, luring them away and making sure that you understand how they are actually attacking your systems. And the traditional example would be here the honeypot, making sure that they look in the wrong place. When the active use life is over, we will identify that data maybe is no longer required.
And the best data that we can protect is data that we do not need anymore, because we can delete it. And if it's required, that it is for example financial data or customer data that needs to be stored for a certain amount of time, that we archive it as required, which actually means that the cycle continues or restarts, because archive data then again needs to be assessed, needs to be protected during its archive use life cycle. So that all is important here.
And all that we have to the right and all that we have to the left will be something that will, will be covered or needs to be covered in this security fabric infrastructure that, that Christopher will present then later. So I think that is all that we need to take care of. And more of course, and if we think of this, what, what I just presented. So the threats that we have and this information protection life cycle, and if we go to certain vendors, then they will answer with one simple answer with one simple concept. And that is what I want to present very quickly right now. That is.
And if you switch to the next slide is of course the concept of zero trust. So that is really something that looks at many of the aspects that are already presented. So it's really not a product. It's not a solution. It's nothing that you just can buy. It's really a concept and an architecture model that requires several components that we need to make sure that they are in place. So it's a combination of processes. It's a combination of technologies to achieve more secure environment on top of an untrusted insecure network and yeah, a hostile world.
So we need to make sure that we understand our identities so that it is not zero trust. We do trust something. We trust our identities because they are the basis. We need to understand our devices and maybe trust some of them. And we need to understand the context of the user, where they are from where they are, all the context data, for example, the network segment that they're using.
So, and what data is accessed. So we, and, and the zero trust environment, we need to identify assets. So what are we looking at? Or the data, the users, and we need to understand the data that they, that they want to access. We assume threat all the time. So it's really something that we make sure that all processes are capable of working even in a hostile environment, even with a threat actor, maybe even being around. So you need to make sure that this can work. Even then we need to identify and define policies and restrict access.
We need to understand which data is for which users at which time under which context data. And we need to make sure that we verify and monitor actions. So that is the concept of zero trust.
And in, in the first approach, and if you do not want to add something, Christopher, then I would and switch over to my next slide. No, it was very good. I switch over. Okay. Right. So zero trust is really something that is security in practice. So we are focusing on the application and the user requires next generation web access management. So what we do have is we do no longer have segmentation. So this trusted home network, that many organizations are still yeah. Trying to think of that.
They have, it is no longer in existence. There is no intranet where you can build large, huge, strong firewalls around. There is no DMZ in the middle, and there are no VPNs anymore that are currently really effective, when we think of this insecure world that I described before, and there is no perimeter anymore. So we cannot rely on segmentation. We cannot rely on perimeter security anymore.
What we have is we have user and application, and that is what counts we need to understand which user needs to have access to which application applications, which is located on which infrastructure that we can then protect, but on an application basis, not protecting the infrastructure because maybe it's not ours, maybe it's, it belongs to, to Amazon, to AWS, to Azure, to IBM, to Google. So it's application and user centric, not infrastructure centric. And of course this is dynamic and evolving. So this is also something that we need to take care of. It's really an agile environment.
We need to make sure that we have policy management in place. And that is an important part of zero trust: which decisions are made at which time needs to be defined in a well defined policy, and policy management and continuously taking care of these policies. It's very important. And on the other hand, of course, monitoring that these policies are followed. So that is a separate control plane. We have a centralized configuration and policy management and everything that we do is monitored and audited in the application.
And of course, if we have an insecure network, if we have point to point communication from my device, say an iPad, say a computer, towards an end point that is a server or a service, we need to make sure that all this traffic is encrypted and it's trusted on both sides. And I like this picture to the right, this network micro segmentation with lots of tiny firewalls. So there's a firewall around my device, there's a firewall around the service that I'm approaching. So that means that there is authentication on both sides. I trust the server, the server trusts my device. In between,
there is encrypted traffic through a hostile network. So we have a software defined perimeter with lots of tiny VPN tunnels in between. So having VPN no longer anymore is not fully true, but it's really all these tiny VPN tunnels that we have here.
So, and then maybe a web access management, which is again identity aware, which is a proxy, makes sure that I get access that I require based on an existing authentication of me, of the service, understanding who I am, understanding what I'm allowed to do, and probably all of these components need to be used when we implement a zero trust solution. So that is an approach that many organizations, many vendors currently promote.
And that, that is really also a very valid approach. But the question is, are we done already? That's it? Are we already, yeah, what's this, the, the security fabric as I'm handing over back to Christopher, I assume not.
So, but that's the part where he jump in then again. So, but just to make sure to put zero trust in, in perspective, it's an important aspect. It's an important concept. It's really something that is valuable when it comes to creating such a solution, but there's to come more to come. So I hand over to Christopher back. Thank you, Matthias.
Well, that's it. You would not be surprised if I would say it's not all, not 100%, it's only part of it. And that's why we developed our keeping a call security reference architecture to fulfill all the needs regarding to the requirements of an organization. Based on the threats on the described threats. At the beginning of this webinar, we build it based on the five pillars, govern and manage, protect, detect, respond, and recover. You can see it on the slide on the top is govern and manage effects to all of them.
And then we have protect, detect, respond, and recover security frameworks like N ISO to it, risk management, which is its security controls based on risk assessment and asset classification. So topics from governance to security management are on the top level relevant protection detection of the various data applications, systems, and networks and endpoints.
So again, the important top topics, you can see it here with specific colors, gray, red purple, blue, and green. And there we have for instance, enterprise information protection, which is mainly about the I P C, which materials introduced the I P C lifecycle. We have API management and security as well as access management and then operating system configuration, network security and also ware protections.
And besides that, we have some topics which cover all of those five layers, maybe the things in orange, like threat hunting and security operations center and the concrete incident, response, planning, and process, if you are currently under attack, so you need to respond to something. And then we have for sure, general topics like incident response management, business, continuity management, operational resilience, as part of the pillars, respondent recover.
So we used the idea of an security process and it extended it by go and manage and overall processes and added our longtime experience in advisory projects about that, to really define the security fabric or hear the reference architecture and with the building blocks of this reference architecture, you can start to build your own security fabric and no worries. We also will publish a leadership brief with a more detailed view on the reference architecture. This is a really highly complex topic which cannot be discussed on a full level of detail during this webinar.
It is really only to show you which building blocks are part of cybersecurity, as we understand, and can be part of your specific security fabric. Three years ago, we developed the coping a call identity fabric and introduced it at the EIC. We use it to help, to structure and organize the identity and access management of organization. And that's what we now also build for cybersecurity, a fabric concept to describe a paradigm, how to handle and manage things.
The security fabric fabric, sorry, the security fabric connects everything, identities, devices, structured, and unstructured data, any type of application, any type of system and any type of network from wireless to corporate to internet up to your local work from home network, like in the identity fabric, we have a bundled set of services to fulfill the needed capabilities. And again, here is the overall pillar govern and management.
And before others with protect, detect, respond and recover in the middle, this structure gives you the flexible possibility to handle things in a central, but also loose coupled approach with the option to extend with new capabilities and integrate existing tools. Because usually you do not start with a Greenfield approach. You still have some software which protects your organization, but let's have a more detailed look into a potential security fabric.
Like the one of your organization in the security fabric capabilities are bundled to building blocks based on the co or co reference architecture. Those building blocks and capabilities are bundled to services, maybe like the protection and detection service, maybe like in response service and so on. And especially the topic identity and access management here mentioned as a service is a set of services itself. And therefore we have the well identity fabric concept, but this is really a separate topic.
And we have some research document and somewhere about that, feel free to ask us afterwards, if you need some more information about that topic. So for instance, ware protection and animal lead detection and network security can be bundled to a protection and detection service, which can be consumed by applications. The building blocks of those capabilities are executed in containers via microservices, via APIs, and they can run local and private or public cloud that's.
This is what on the right side, you can see in general, and this is the special thing applications or digital services can use those services via API layer or with standards, support and customer integrations to use that kind of capabilities. Or maybe also, if you think about something like a security operations center to deliver data, because you need to deliver data to an operating system. On the other hand, we have the legacy applications and maybe some legacy security products, which can be integrated by custom connectors or other integrations.
So we have an open architecture for new digital services and a support for existing application and security products. What is the special thing about the cooking, a coal security fabric? What are the essential characteristics? So first it is a unified and overall approach for all types of data systems and identity and all type of digital services or legacy applications. Remember our threats at the beginning of the webinar.
Second, it's a paradigm, an approach for modeling a security organization. It is neither a concrete tool nor a specific service deciding which products fulfill the specific capabilities is usually the last step existing tools are also cons are also considered as well as the need for new or additional tools. This is by the way where our research and leadership composes helps us to find the right tool set for you.
Third, it is flexible because it builds on APIs and microservices. It is scalable for sure, because you use modern approaches and it is flexible and things can be changed, changed, extended or replaced. And this is really an important thing. We don't know what we will have for requirements in 10 years, but we know that we have an must have an architecture, which is open to be extended, and which is open in that way that you can replace things that you can use other tools and not using them takes 10 years to replace it. Like we know from traditional projects in CLA in the classic it history.
So this is a very important thing. And the fourth point, you can start with few default services, you can add capabilities from your existing tools and integrate them, and you can extend the security fabric over time with the new requirements and new functionalities. Because again, we all know IT projects take some time and you cannot deliver everything from now to tomorrow. And this is an important thing. It helps you to extend and increase the level of security step by step. And last but not least.
It's a well proven approach of KuppingerCole with the segregation of requirements and use cases where you build the capabilities where you build the services. And then at the end, the technology, which helps to find really the perfect fitting set of services for your organization. When you not start with, I have the tool X and it can do the following things, but your business needs some other capabilities. And this is really an essential and core thing here.
So to answer the question at the end of the zero trust part of Matthias, if you build your security in that way, if you use the concept of the security fabric, if you use the building blocks and identify the relevant and most important one for you, you can achieve a high level of security because at the end, security is about to be too expensive to be hacked, to keep it in simple words, that's it? Right. Okay.
Just, just one addition from my side, because we have more participants than when we did the introduction. Just a short end.
Again, if you look at the handout section of the GoToWebinar panel, there is a file for download, which describes the security fabric, and that's a free download for those who are really attending this webinar live. So I just would like to recommend that you get in touch with that file, just to mention it because we are more than we were initially. Okay. And while you are at the GoToWebinar panel, there's of course also the question section, as we are approaching our Q&A. So if you have additional questions, then just please add them to that section.
For example, one that I have already is: this sometimes still looks a bit more abstract. What can you use these graphs, these diagrams for? What would be an approach to apply this in a real life scenario, Christopher?
So in real life, it helps you really to identify your gaps, your needs, and at the end to optimize what you have or what you must buy. So in simple words, you can optimize your portfolio. Usually when we do advisory in projects with that, especially with the identity fabric, and now with the released security fabric, we start with workshops, we collect requirements from the business. We use our reference architecture to bundle it in the building blocks, in the capabilities, and then really start to prioritize it together with the customers. You can use it to prioritize for sure.
You can use it then to have a look at your existing tools, your tools, your services, you can map it, you can identify gaps. And then at the end, see, really what do you have to change? What is your investment priorities and all those things. And it helps really good to define an overall architecture, a general architecture. As mentioned, it's not a tool, it's a fabric. It's an idea. It helps to structure. And we have really good experiences with the fabric model to help our customers. On the one hand, help our customers.
Of course, that is the shameless self plug. But on the other hand, as we are laying this open, as we are documenting it, as we are giving away the documentation here, this is also really something that we want to hand over to the community, to the audience, that they can use. If they have questions, they can get in touch with us. But first of all, this is a concept that we think makes perfect sense to use and to apply to an existing infrastructure.
And as you've mentioned also, to identify what you have, what is missing, where you are overpowered with solutions, where solutions are no longer valid, it can be removed. This is really something that really helps in applying that to a real life scenario, because you won't be in a greenfield approach and create a security. Yeah.
From scratch. Another question, which is around, I've mentioned that we should not have virtual private networks. And the question is whether we could expand a bit on the road that we see now for VPNs. We have one colleague who has a very, very strong opinion about VPNs, but maybe, maybe we share also the idea. If you look in our blog from Alexei, one of our analysts, the blog post about the topic is really valuable to read. He wrote a really good article about VPN and zero trust. Sorry, Matthias, I interrupted your question.
No, no, no. I just really wanted to hand the question over to you because when this crisis started, many organizations stayed at home and had to use their VPN because they were still, or they are still thinking that they are in this traditional perimeter based security. So this VPN drills a hole into your firewall and drills a hole into your security. And when many people do this, then it's not only insecure, it does not work because it does not perform.
So from our opinion, VPNs make only limited sense in an IT environment of today. That is really when you have this perimeter based security for some of your infrastructure with many organizations, almost all really working. As I described that in this challenge with slide, I think the use and the benefit of VPNs is getting less and less. Exactly. And just think about if your employees have to connect via VPN to your internal network, to then connect to an external cloud solution, then something is wrong. That's a simple answer.
And I know this from my girlfriend, she's working for a bigger company. And when they started to work from home, they were not able to connect because thousands of employees tried to connect the VPN on Monday morning at eight o'clock. And this is why the blog post of Alexei is really good and really valuable and shows really good the challenges you have, if you focus on such, I would not say legacy, but traditional technologies. In some cases you need VPN, but maybe the idea is to use other paradigms here. Right?
So, and that's a very good question that just came up here. So how would you compare it with zero trust?
And that is really a question that I would like to hand over to you, Christopher. I presented it as a part of it, but how does the security fabric add to that? Yeah, exactly. Zero trust is part of the security fabric.
You cover topics like VPN, you cover topics like authentication, but you do not cover things like what happens if your file, maybe again, going back to that example, if someone is downloading a file on a team's share and shares it with another, then zero trust is not working because zero trust checks, maybe you are authenticated, but does not track something in the background. And what is also not done by zero trust is active monitoring.
In that case, is there a potential attack pattern, all this modern stuff with online fraud detection, you can have something like fraud detection mechanisms, or a risk index and policies, but it is very limited. And it's really only a small part of the whole thing, and all the governance and all the security management stuff is also not part of zero trust. And that's for sure, honestly, the zero trust is that's what we know at the beginning.
It is only a part and to have a good level of security, you need something which covers all the other topics, which we introduce in the reference architecture. Right? So it's yeah. This layout approach again. So zero trust is really, as I've presented it, a valuable contribution to the pool of measures that you have in place. And you can choose from the right. You can choose the right weapon to apply in the individual use cases.
But we are coming really, as Christopher had mentioned, from the requirements, from the use case definition, from the risk management approach to identify what really needs to be done. And if zero trust really helps in that area, then it's a good weapon to apply here. But if you have other requirements, as again, mentioned, for example, to track access to documents, to apply rights management, which is identity based, but it is not zero trust based.
Then this is something that we need to add. So it's really a multi-layered approach with zero trust being an important part for that. Okay. Final chance to add a few more questions. So we are happy to answer them right here, right now, for those who are in that webinar live. If you have further questions, Christopher, you showed the slide where our faces were on, but of course, get in touch with us and ask questions either via LinkedIn or get in touch with us by mail. Please look at the leadership brief that is in the download section here right now.
And if there are any further questions here, maybe one more question that is around the extensibility. So you've presented a version one, I assume, of the security fabric that is of course, a system that will continue to evolve slightly. It's quasi stable, but it is capable of changing over time, right?
Yeah, for sure. And that's what we learned when we developed the identity fabric. For sure. It extends, some little things change, but from a general approach, it will for sure stay the same, but it's stable to modify single modules or ideas or add additional requirements. That's why it's such a good concept. Right. Okay. So that then was the final question. So thank you Christopher, for explaining that to us. Thank you for having me for contributing to that webinar. Do you have anything to add Christopher? No.
I just wanted to say thank you and to all the attendees, have a good day and feel free to write us via LinkedIn or email. Thank you.