Good morning, good afternoon, good evening, ladies and gentlemen, and welcome to another KuppingerCole webinar. Our topic for today is "Buying into Zero Trust: What You Need to Consider to Be Successful". My name is Alexei, I am a lead analyst at KuppingerCole, and today I am joined by Steven Mowll, who is the director for identity governance and lifecycle at RSA. Before we begin, just give me a minute to explain what KuppingerCole is and what we actually do. We are an independent analyst company based in Germany.
We have been doing this for 14 years now, offering neutral advice, expertise, and thought leadership in all areas around information security, identity and access management, governance, risk management, and compliance. Among the things we do are different events, conferences and webinars like the one we are doing now.
But I would like to draw your attention to our upcoming physical world events, which are shown on this slide. You just recently missed our US-based Consumer Identity World, but we will return with it soon in Amsterdam in late October.
And then in Singapore in November. Later in November, we will have our first pure-play Cybersecurity Leadership Summit in Berlin. So you are all very welcome; zero trust will be one of the topics discussed there. In parallel to that, we will have the German-language Cyber Access Summit, again in Berlin, same location, same dates. So see you there. A few guidelines for the webinar: you are all muted centrally, so you don't have to worry about that. We are recording the webinar, and this recording will be published on our website.
Soon you will all get an email with a link.
We will be having a Q&A session at the end of the webinar, but please don't hesitate to submit your questions along the presentation at any time. You can use the questions box on the GoToWebinar control panel for that. The agenda for today's webinar is pretty standard.
We are having three parts. First, I will present a more or less introductory overview and background of the zero trust approach, what it is and, more importantly, what it isn't. Then I will hand over to Steven to dive a little bit deeper into the technical aspects of zero trust technologies and implementations.
And again, at the end, we will have a Q&A part. Without further ado, let's dive into the zero trust topic. First of all, why zero trust? This whole keyword, this whole term, has been gaining popularity really wildly in recent times.
Although, of course, it's not that new. If you think of it, I think it was Forrester, the analyst house, which came up with the term many, many years ago. Then, of course, came Google with the BeyondCorp implementation, which was probably the first largely publicized practical implementation of the idea.
And then again, why? What is it all about? It's all about the growing complexity of today's corporate IT infrastructures. On this picture, you have a sketch of what it used to look like 10 or 20 years ago: a castle wall surrounding all of our precious resources, data and applications. Nowadays it looks more like a patchy thing riddled with holes. There is no longer a hard perimeter surrounding everything.
You would have your resources, your data, your identities, your applications everywhere in the world: on premises, in the cloud, in some manufacturing plant, in a different data center, maybe even at your partner's data center.
And of course, anywhere in the world there are partners, contractors and customers using different types of devices, desktops or mobiles or even wearables and smart things, to access your data. And of course, the problem is that for each of those islands of your IT infrastructure,
you have a totally different set of rules, technologies, access policies and products that run those applications, maintain those services and secure them. This is why zero trust is seen as the holy grail, the chance to basically throw away all the legacy IT security infrastructure and replace it with one single unified approach, which would work the same regardless of the location of your data and resources. Unfortunately, there have been a lot of myths and misconceptions surrounding the zero trust term, partially due to the shameless marketing push from different vendors,
and partially, of course, because there isn't actually a single authoritative resource which would just say what zero trust is
and what it isn't. On this slide, I try to summarize a few major points. So basically, zero trust is a concept and an architecture model. It's not a product: you cannot buy zero trust. You cannot magically become zero trust compatible, just like you cannot magically become GDPR compliant, which is another hot topic nowadays. It does offer a lot of business opportunities, which go way beyond security alone. And then again, it's a combination of opportunities.
Obviously, it promises to reduce or even completely eliminate lateral movement of hackers, which offers greater IT security. Again, it promises to reduce your complexity, because you no longer need different implementations of technologies and security stacks for different platforms. And finally, it offers a unified experience for your users, meaning that regardless of where they are located, they would have the same user experience, the same policies, the same methods of accessing the data, which again promises flexibility and productivity improvements.
What zero trust definitely isn't: it's not about trusting no one. People like to throw around "trust but verify" or "trust no one" and other memes and quotes, but it's definitely not that. It doesn't mean that you should trust no one. Zero trust is not equal to no trust; it rather means there is no implicit trust, not too much trust, and, yes, distributed trust, if you will. It's definitely not a next-generation perimeter and not a next-generation VPN. And it actually goes way beyond just networking, unlike most of the push you would hear about zero trust nowadays, which is about networking.
And again, it definitely does not end and doesn't even start at networking. It always starts with a strategy. Before you dive into zero trust, before you start planning your investments, you really have to come up with a long-term, multi-step and business-driven strategy.
And again, I have to stress: zero trust is not IT driven. It's not security driven. It should always be driven by business-relevant enablers.
As I mentioned earlier, reduction of infrastructure complexity and reduction of the costs of maintaining that infrastructure is, of course, probably the biggest business driver. Compliance, of course: a properly designed zero trust architecture would be naturally hybrid cloud ready, because, as I mentioned, it offers you unified access and unified security across any environment. And of course enterprise mobility, enabling your employees, your partners, your customers to work with your data and your services from anywhere, is a big business enabler.
Unfortunately, this "replace" offer, as good as it sounds, doesn't work, simply because there is no single technology or single solution with which you could replace your old infrastructure. So you would probably have to expect reaching the goal in several steps,
if ever reaching it completely, because there will probably never be a hundred percent zero trust in your particular company.
And of course, let's just go through some of those steps independently. Before anything else, before networking, before security, you have to start with discovering your assets and identifying your sensitive data, because in the end, it's all about data. It's all about using, processing, securing and governing that sensitive data and ensuring compliance for it. So you have to know where your devices are.
You have to know where your applications reside, in which environments they operate, how the data is stored and how the data flows between those services and silos and applications and users. And you have to ensure that the data stays protected, because zero trust doesn't equal compliance. It helps compliance, but it's still your responsibility to ensure that your data is protected anywhere. And you have to know what's going on with your data all the time. So, if you will, identifying, classifying and securing your data is step number zero towards zero trust.
The next step is, again, not networking.
It's identity. Zero trust is about trust, and trust is always about identities, because you have to know who is accessing your data, meaning which humans; you have to know what they are using to access your data, meaning the device identities; and you have to know how and why they are using the data, meaning that you always have to maintain these three pillars of identity across any business process, across any IT process, across any data flow through your IT infrastructure. So you have to use multiple solutions.
You have to use multiple technologies to identify your users, which of course includes strong authentication, behavior analytics and identity governance. You have to inventory and maintain visibility of your devices, and you have to ensure that each device has a trusted identity. You have to protect those devices and protect those identities. And so, all the time, you have to know who is doing what and how, and where they are moving.
So for each of the users and each of the devices, you have to maintain a constantly updated list of attributes, which may be user related, device related or just environment related. And some of those attributes may even come from external sources like threat intelligence feeds.
And finally, we come to networking.
Yes, networking is important, but it really isn't about what vendors will often try to sell you as a zero trust networking solution. First of all, you have to remember that there is no longer a perimeter. So there is no intranet. There is no demilitarized zone anymore. And of course, there is no such thing as VPN access, because any access is now no longer infrastructure centric but application and user centric. So you are no longer dealing with IP addresses or subnet segments or firewalls. You have to think in terms of who is accessing what, and not how.
And of course, to make it work across a hybrid and distributed environment, you have to have a separate control plane to manage those access policies and configuration settings centrally. You have to enforce authentication and authorization. You have to enforce traffic flow security, meaning encryption.
And again, you have to monitor each network access centrally and keep the full audit trail for compliance reasons. Most importantly here, zero trust networking is not just about networking.
If you build a formula, it would be TCP/IP plus identity management plus security plus compliance. And there is more than one way to implement zero trust networking. If you go and try to shop around for this, you would find different vendors coming from different backgrounds.
Some will tell you that the solution for zero trust is microsegmentation, which in essence is managing lots of tiny firewalls around every device and asset on your network. Others would say there should be a software-defined perimeter, which again in essence is nothing new, just lots of tiny point-to-point tunnels managed and controlled centrally. Or it could be some kind of application-level proxy service which would filter access to your data or to your application on a higher level than any existing network security tool.
But then again, none of these approaches is a silver bullet, and you will probably end up using all of them, because again, zero trust networking is about centralized configuration management and monitoring, which will probably never, or at least not in the short term, be available as a turnkey solution from a single vendor. So building this is probably still going to be your own responsibility, and looking for the right tools to manage it centrally is probably still your responsibility as well. Just like with GDPR. The next, and probably the most important, is access management.
So when we are talking about zero trust, we are actually talking about limiting access to any data or application or other type of asset to the least privilege. Compared to old-school VPN, where logging in once gives you access to the whole subnet, it's like only locking the outside door of your office.
And then with one key, you could automatically have access to any computer within the office building. Now it should be about locking down everything.
So a nice analogy for that would be getting an access card at the reception area of an office building, then walking into an elevator and finding out there are no buttons, because there is only one slot for that access card, and the elevator would automatically bring you right to the room you are supposed to be visiting.
So yes, the least privilege principle is probably the cornerstone of zero trust access management. But of course it doesn't end there. Again, it has to be centrally managed, or rather centrally orchestrated, across heterogeneous IT systems, because the business would expect to be able to define those access policies using the same language for the clouds and IoT and on-premises and mobile devices, which of course probably still has to be translated into different technologies behind the scenes.
Access management has to be dynamic, because one-time authentication is no longer sufficient. You have to opt for what's now called adaptive or even continuous authentication, where any transaction, any access to any piece of data, would have to re-evaluate your current security posture. Have you actually moved from a trusted Wi-Fi access point to a mobile connection? Are you suddenly no longer in Boston but in Shanghai, judging from your IP address? Or whatever other things happened; maybe your keyboard typing somehow changed.
So it's all about monitoring different attributes of user behavior and device behavior, and making a different decision each time something important happens. And of course it has to be adaptive; it has to be open, because you never know what kind of new devices or what kind of new authentication technologies will appear tomorrow. You have to design your access management system to be constantly evolving.
And finally, we are coming to monitoring and audit. Zero trust, again, is not about trust; it is about verifying everything.
And to verify everything, you first have to monitor everything. You have to know at every moment what's happening with your data, what's happening with your users, what's going on on the network. Are there devices suddenly appearing on the network that you never knew before? Are users doing something suspicious? You have to monitor the behavior, and you have to detect anomalies in behavior. Maybe some of those are harmless; others may be an indicator of an insider threat or a cyber attack.
You have to be able to detect attacks, and you have to be able to react to them. Of course, you have to audit everything. You have to maintain a full trail of every activity happening on the network, on your data, on your control plane, not just for compliance, but because only a full audit trail will give you proper governance, seamless visibility into all the things happening around your company, and enable you to do proper risk analysis.
And the result of that analysis, along with some operational analysis, cyber threat response and other things, helps you to actually improve and adapt your existing infrastructure, to become better, to become more convenient, to become less complex, and of course to become more secure. So it's all about machine learning, automation and orchestration.
And again, this is something which you cannot just go out and buy in a store, at least not yet; looking forward to it in the future, of course. Now, this would probably be my last slide for today. Zero trust is not something that just happens. You cannot throw away your existing infrastructure and replace it with a magic bullet. You have to plan for a long journey.
You have to think about step-by-step implementation, reusing existing tools, because a firewall you probably have, an antivirus, or maybe some machine learning behavior analytics solution: every little helps. If you are able to design your control and monitoring plane to be open and accepting all those existing tools through some kind of pluggable APIs or universal connectors, every little bit of additional context from those tools will help you to make better access decisions and faster incident responses.
And again, it's not about trusting no one; it's about designing your trust strategy to be fully explicit, distributed, always controlled and always minimal. And just again, I have listed all those steps which I mentioned earlier, which you have to take into account. You have to implement step by step. You have to be able to go back to each step and probably expand and improve. So there is really no end to this journey. You have to really start planning early and expect to never achieve a hundred percent zero trust.
Just like you can never achieve a hundred percent security. But of course, you have to look out for vendor solutions, standards and frameworks which would probably be better and more helpful by the nature of being open and flexible and accommodating. And this is exactly where I would give control to Steven for the second part of the presentation.
Steven, it's up to you now.
Oh, thanks, Alexei. So let me share my screen. So thank you very much for that.
And I completely agree. I think one of the big things to consider is when people hear this buzzword, zero trust, and think to themselves, wow, that really sounds like something that can solve my problems with regard to securing my business in the new or modern age that we are moving to, with things like digital transformation and other activities going on within your organizations.
It definitely seems like people are looking for that silver bullet, the thing that's going to help them achieve all of the things that they need to achieve. But when you look at the details of what zero trust is, it really only solves part of the problem.
And it isn't really a holistic framework that can just guide you on a journey towards where you need to be to be successful. It definitely provides elements, and it definitely gives you insights into ways that you can improve your control, but it isn't necessarily going to provide you with everything that you actually need to be successful.
And so, if we look at the drivers that organizations have when they are thinking about this zero trust approach, the first one, as Alexei mentioned, is modernization. Organizations are moving to the cloud, they are going through digital transformations, they have data in all kinds of different places now.
And from that perspective, there's a proliferation and a rapid expansion of applications, of users that are accessing that data, and of devices; they are using one or multiple devices to actually access the information. Also, when you think of users, you can think of all of the different types of users, whether it's humans, whether it's third parties, whether it's bots, and all of the different islands of identity, so all of the different places the context and information about those users is held.
When we think about malice, we think about breaches and compromised identity, and many organizations talk about the ability of zero trust to help with lateral movement of compromised identity. And to some degree there are features and elements there that would absolutely help in that model, but we need to be careful in the way that we are doing that, that we don't actually impact and compromise the business.
Because again, from the perspective of modernization, we absolutely need immediate and uncompromised access to data for our business users and the normal day-to-day running of our organization.
Also, when we think about mandates, we can think about all of these at the same time.
We have regulatory requirements that are being imposed on us. Some regulations are now becoming mandates, such as PCI, and the burden of proving and assuring compliance is getting more and more complex, particularly when you start adding in third-party access and global infrastructure factors. And so from that perspective, exactly as Alexei just talked to, we need to think about strategies and ways that we can actually secure the organization, and the elements in some of the parts of zero trust will help in that.
But I think one of the biggest factors that we need to consider is not just risk, but also the balance of risk versus trust.
And so we can gain that understanding of trust for technology factors very easily.
And I think that's where zero trust, and the whole concept of it, is playing very well for organizations and seems to be picking up in people's minds as a buzzword and a thing that could help them. But we need to understand the risk element as well. We need to understand the business context in enabling the right decisions to occur. When we are thinking about managing and controlling who can access what, from a business perspective, the business wants to secure their data.
And they want to ensure that consumers know that their data is secure. They want data points to show how secure it is; they want to talk about that control outwardly in many situations. A recent study actually showed that 80% of consumers would actually be happy to share their personal data with a company that they trusted and where they saw clear value to them.
So trust is definitely a factor in lots of different ways when we think about managing and securing our information within our organizations, when we're building trust.
Generally, also, again, if we think about a lot of the conversations and other things I've seen around zero trust, it is very much considering only the technology factors and less the actual business factors of trust as well. So we're considering things like what's the environment of the user, what's their location, what's their device. From a device perspective, from an environment perspective, we're looking at the threat level: are they on the latest patch?
Does the device have signs of compromise? And we're also looking at the user's behavior.
And again, from that perspective, these can be very strong indicators of trust. So even where you might have a business trust factor, like the person has been in the organization for 20 years, they hold a responsible position within the organization,
there might be elements of business context that show trust, but behavior absolutely shows other potential signs of compromise, or can potentially reduce your view of how much you might want to trust that user in an access situation. Also, when you're looking at the access, not just necessarily the appropriateness of that access, but also how much they have used it.
And so again, when we look at these factors, we need to consider technology, but we also need to consider some of those other broader technology context elements.
But even within that, when we look at the business side of things, the business wants their users to have easy and convenient access to their data. That's why they move to the cloud. That's why they're deploying shadow IT within their organizations.
They want continuous, uninterrupted access to the information. They need to be productive and to move your organization forward.
And so, from that perspective, we need to think about what they're accessing, what its level of sensitivity is versus the level of trust that we have in the user. And again, what's the risk level, what risk level does that represent if that information, if the application, was compromised? What level of access do they have?
If they have privileged or administrative access, if they have the ability to perform sensitive tasks within the business, we need to balance those things against the level of trust to then understand whether whatever is occurring is actually acceptable to us.
And really it comes down to understanding the risk appetite and the level of risk that's acceptable to the business.
And without that balance, without that understanding in those decisions, as you move forward in a strategy like this, you're only ever going to ask one side of the question, and there's always the potential for impact or compromise, or business impact, because you're not asking all of the right questions.
And whether that impact is people not accessing information they need, whether that impact is the fact that they're being inconvenienced by being asked for lots of different factors of authentication, or only being able to access certain elements of the information that they need, those compromises are definitely things that could impact your business if you don't consider them as part of an overall digital risk or trust strategy.
And so, in doing this, I think when you are looking at a strategy and you're looking to mature your organization and the control of access to your systems, applications and data, you really need to think about providing a more continuous adaptive risk and trust assessment, providing a way to balance these things, again in a centralized way, in a centralized place. So a couple of examples as food for thought on this.
So, as part of the approach of managing and securing access, you're looking to reduce the risk from compromised identity. That's one of the things that people talk about all the time when they talk about zero trust. So from that perspective, you have a user, you understand their context: maybe they're an employee, maybe they're a bot, maybe they're an IT device.
And you understand typically a level of risk or some level of sensitivity around the application.
So if we take into account in this scenario the technology context of the user: the user has provided a username and password, but the user's device and location are abnormal. You don't usually see them coming from this place. The user behavior is abnormal. And so from that perspective, you might ask for another factor of authentication, which they can't provide. So immediately you might be considering that this is a potential threat, a potential issue.
So now, if we look at the risk level of what the user is trying to do, however, we see that the user is attempting to access a help desk application, and the user has also attempted to access an emergency travel page.
So again, this might indicate that actually the user is looking to resolve the issues that they actually have from a trust perspective.
So again, in considering what we want to do in this scenario, we need to think about this and also think about the levels of access and the appropriateness of people gaining access to those types of applications in this situation. But then if we add in business context, from a business perspective this person is the VP of sales. They've been there for a long time, and they're currently traveling internationally. Again, from a context perspective, that adds further context into the mix to help make a decision.
And those are things that typically, within a business scenario, you could be made aware of. The challenge with business context, I think, is typically that because it's sometimes more difficult to gain, people choose to discount it, and they don't add it into their thinking when they think about maturing these kinds of processes and models.
And then if we think about the last aspect, if we think about the true business risk here, we understand from a business context perspective that this person, the VP, is working on a big sales deal that has time sensitivity around it, and other factors that mean that actually they seriously need access to systems. And so from this perspective, there are always exceptions to every rule and every policy.
And from a business perspective, we need to balance business risk with trust in the same way that we do in all aspects of security and in business processes, digital transformation, technology transformation. So within this, I'm not trying to say there's a particular policy here, this is what we should do.
Yes or no: there is no yes or no in this scenario, there is only the balance of risk versus trust, and the understanding from a business perspective as to what you want to do, what's your level of risk appetite in this scenario, to then make the right decisions around what access people should have.
So then if we look at another scenario of securing corporate data, you know, again, we understand the context of the user.
We, in this instance, we understand the classification of the data. And again, you know, those are two things that obviously we need to have to, to begin any kind of decision around this. Realistically, a again, from a maturity perspective, you know, you may want to consider, you know, what you want to do in the scenario where you don't have these elements of data. It is also another factor to consider.
And again, it comes down to the trust versus risk balance within the decisions that you're making. And so in this instance, you know, we have a user, you know, they've provided their username and password. They normal location, their behavior is normal.
The, the user, however, is accessing sensitive sales data and the access has been approved by a business user.
So again, you know, there's elements of sensitivity here.
You know, when we look at the technology context, you know, we have some, you know, we have some competing elements, so, you know, the data is sensitive, but we see that the, the user is kind of approved and, and is acting normally. However, if we look at it from a business context perspective, you know, we can see that the user works for a third party that actually has a high level of risk associated with them.
And whilst that user is a, a, a senior manager within that organization, they also provide a help desk function, which prevent potentially presents opportunities for compromise within your, within your, within your business. So again, you know, from a risk perspective, that's potentially adding more risk into, into this scenario or reducing the level of trust in this scenario.
And then finally, if we look at the level of risk when we look at third parties, we could also look and see that the service the third party provides shouldn't include the data that this user is accessing. They have no need to access your sensitive sales data.
And again, because the data is highly classified by the business as well, with that broader context you then have a very different situation to the one that you started with. But without understanding that business context, the business side of this, and taking into account both risk and trust, you could make very different decisions.
Other scenarios like this, such as merger and acquisition activities, major organizational shifts or changes, changes of HR data or HR data processes, and obviously onboarding of significant new cloud infrastructures: all of these things are going to change the data that you are potentially working on and the levels of risk that you're associating with these things. And in actual fact, the business side of this is probably going to be more stable than the technology side in those kinds of situations.
So it's definitely something that we need to think about more and more as we're going through this transformation and maturing how we control access to our systems, applications, and data.
So really it takes a village. You need to understand the user: who are they and what can they access? It's not just necessarily about the appropriateness of access; that's obviously related to trust.
It's also about the level of access that that user has, because you might have a really high level of trust in a user, but if they have really privileged access, you still might want more assurance around them before you give them access to something or the ability to do something. The same applies if you only have a very low level of trust: is it someone that's a salesperson that's moving around all the time, whose technology changes all the time?
They're always getting the latest phone every three months, but do you necessarily want to compromise them if they're just accessing the intranet of your organization, or some particular sales record that actually doesn't contain any personal information or data? So again, from that perspective, without that balance you're potentially going to make different or business impacting decisions.
Why should I care?
Is that a risk to my business? And again, you don't understand that without the broader context of business risk, without the broader context of digital risk, in understanding and classifying your data, your entitlements, your applications, and being able to make that decision.
But also, there's a level of maturity there. You need to make a decision around what's important: where do I do those things first?
To Alexei's point, you're never gonna be finished. So how do you prioritize those things and ensure that you can do them, and do them successfully where it's most important to do it?
And so, again, from a strategy perspective, you need to make sure that you are approaching and targeting the right things, the highest risk things, to ensure that you're doing that. From the perspective of "is there a threat?", you definitely need to take into account the technology aspects of potential threats, whether it's threat detection, obviously, or monitoring your network and your environment.
And when you find those things, whilst it potentially impacts trust, it also potentially impacts your understanding of the risk level of that user as well.
And then from an environment perspective, you need to understand and know the risks that the user and their device represent.
So again, from that perspective, we need to understand the trust of the environment, as well as of the individual user. So from a strategy perspective, there are three key things to think about. You need to think about convenience: that balance of convenience versus risk and control in this model. If you don't think about convenience, you might end up impacting the business when we add too much security, and that's always been the case.
I think it's why the business doesn't tell security professionals that they're going off and building something in the cloud, because they don't want to be impacted in the speed at which they're going to market.
And so the more we can think about convenience, which will come from the balance of trust versus risk, the more successful we will be. From an intelligence perspective, we need to understand both technology and business context
when we make decisions. From an artificial intelligence perspective, if you only feed AI technology context, then it's only going to make a technology based decision. And realistically, that's only half of the information you need to make the right decision from a business context. And the last is pervasive: it needs to be centrally managed, but needs to be able to cover your entire organization.
You need to be able to scale. You need to be able to control your cloud applications as well as your on premise applications.
And so, as the last slide from me, I'd very much say that RSA obviously has the ability, the knowledge, the expertise, and the maturity within information security and identity management to provide you with guidance as you deploy and mature the frameworks and zero trust strategies, and move towards a more continuous adaptive risk and trust assessment model. And so, if you've been interested by this presentation today, I'd highly recommend that you come and talk to us.
So Alexei, thanks very much. And that's it from me.
All right.
Well, thanks a lot, Steven, for this very insightful dive into the more business specific aspects of zero trust. Let's start our Q and A part, the questions and answers. And let me remind you again, please submit your questions through that questions box on the GoToWebinar control panel. We already have a few. And the first one is: is zero trust for networks or data centers, or none of those marketing terms?
Well, this is actually the question, the million dollar one, which we were attempting to address today in this webinar. The problem is that it's none and both at the same time. When Forrester came up with the term eight years ago or something, I think they were focusing mostly on the network aspect of it. So zero trust networking is about reducing the risk surface for cyber threats.
And then of course came Google with BeyondCorp, which was mostly focusing on access management, and then came other companies and introduced their own facets or understanding of what belongs to this whole zero trust strategy. And the problem is it's all in there. I mean, the term itself has become the same generic marketing term as cloud. Whenever a company is trying to sell you a cloud security solution, your first question should not be, okay, where do I pay? But what type of cloud are we talking about? Is it infrastructure as a service?
Or is it SaaS or some specific cloud apps, or is it private cloud or whatever? The same applies to zero trust as well. Sure, you can always start with any of those aspects. You can start with implementing secure access to your applications for your mobile workers.
That would be like a software defined perimeter aspect of zero trust, and it'll be a substantial improvement to your security. But if you are focusing on a point solution, you would miss the whole integration and monitoring and compliance angles of the strategy.
You can always start with some proxy based web access management solutions, which actually existed for decades. And some of those companies would probably try to relabel their 20 year old solution as zero trust access management.
And again, there is nothing wrong about that technically, but if you want to optimize your investment and prepare your company to remain flexible and efficient, you have to start with a strategy. So zero trust, the proper way, is always a strategy. And Steven, if you want to add something to that, you're welcome.
Yeah.
I mean, I absolutely agree. I think the term is very broadly used across a number of different technologies and technology areas, and exactly as you say, it's similar to cloud. So what does it mean?
Is it, is it hosted in the cloud? Was it made for the cloud?
You know, is it actually private cloud? Is it public cloud?
I think they're all parts or potential parts of a digital transformation strategy, and that's the strategy that you think about as a business. And I think this is the same. I think you need to think about what is your overarching strategy for securing your organization, what is your digital risk strategy or digital transformation strategy, and then, underlying that, where do these elements fit?
And they might be labeled as zero trust, but they might form different parts and elements of that strategy.
And we have a follow up to that question: so where do we start zero trust in an organization?
And again, you start with the strategy. You start with understanding what are your particular company's business requirements, what are your priorities, what are your limitations in being able to invest in technology or human resources or whatever, are you affected by specific industry or geographical compliance regulations, or what are your most burning problems that your management board is pushing you to fix? Is it in your data center? Is it in the cloud?
Whatever. Again, you have to just sit down and write down the list of problems and then try to move them around and decide and prioritize, just as with any other IT problem or business problem. We have to start with a strategy.
And again, the next question is, I think, for you, Steven. So what is it all about when talking about business driven security? Where does business driven come into what you have been describing in your presentation?
Yeah, so RSA has had a business driven approach to security for some time now. I think from that perspective, and going back to your last question, it is really the business needs, the business problems, that actually drive what we need to do to secure our organizations.
And so we need to look at what we need to protect, where it is, what is the business value to us in implementing and deploying the security and controls that we're looking to do as part of our strategy. And they must align together, but also you can look at where the biggest business value is based on the way that your organization is.
So if your organization sees business value in risk reduction and overall securing corporate data and information, then you can use that as a business driver to justify your strategy and the elements of it that you would like to implement. If it's cost reduction, or if it's digital transformation, then those things need to align. And so business driven security really is about exactly that.
Right. The next question is: from our experience, where do most companies stand on zero trust?
Well, from my experience as an Analyst, I would say that most companies have only started to discover that such a thing exists. They've started hearing the marketing buzz around the world, in the press, in press releases and publications.
And again, many of those companies have made this fundamental mistake: they buy into the buzzwords and they believe that zero trust is something which would immediately solve all of their security and compliance and other business problems. And whenever they come to us, I mean, if we are lucky, they come to us first before actually spending money on some products with a zero trust label on top. And then we would start with explaining to them that zero trust is actually a little bit more than one technology.
And then immediately we would start talking about specific burning problems: for one company that would be mobile worker productivity, for others that would be just pure old compliance challenges, for some others that would be some really specific IT problem like network microsegmentation. And then again, it all starts with the buzzwords. And as soon as the companies make the step and start thinking in business challenges, the less money they actually lose on some useless or almost useless purchases.
What about you, Steven?
Yep.
No, I completely agree. I think this is not a problem you can solve by implementing individual elements and features and functions.
Again, it goes back to the strategy piece. And I think a lot of people have bought into a technology because of the hype around the zero trust element of it, but it's only one component of what you need to actually be successful. So it's limited. I think one of the challenges in organizations today is the siloed nature of the risk and security management professionals within businesses.
It seems to actually be quite hard to define that overarching strategy, and it seems that it's only the more mature organizations that have the capability and functions and the communication to do that.
And so I do think there's also an element of business change here that's needed to actually provide those functions with the business framework they need to actually invest in a strategy as opposed to individual technologies.
All right. So the term I personally like to use, maybe way too often, is security cargo cult. It's exactly when a company would trust the buzzword and purchase a solution, and some would not even bother deploying it actually.
They honestly think that having a box with a zero trust sticker standing somewhere on the shelf would already solve their problems, which unfortunately is not how the world operates. Okay, fine. The next one is a more practical question: so where does this business context come from? What are the typical sources of that information?
Yeah, so I think from my perspective it's actually everywhere. If you look particularly at your GRC systems, your governance, risk and compliance systems, you have third party risk elements, you have understanding and auditing around their level of control and access.
You have, obviously, from an application perspective, people typically measuring the level of vulnerability and risk around applications, but also adding business context to the criticality around those. Business continuity is another area where, in many organizations, you are required to actually assign levels of sensitivity and other elements around the applications to know their requirements around disaster recovery, which again relate to the potential risk of compromise if you're not doing that specifically.
So there are a number of areas there. And then from the lines of business themselves, you absolutely have the opportunity to go and talk to them.
I think lines of business right now are getting so much more engaged in these conversations, particularly because of the compliance and regulatory requirements. They've got a big stake in this, whether it's for ensuring compliance, but also the visibility to the market.
And that level of trust that I talked about earlier with the consumers and people that interact with their business: people are a lot more likely to interact with you and to provide the information that you want if they actually trust that you are securing their data.
Right. Yeah. When it comes to business context, I really like this; I think Steven, as a British person, you should probably know better where it comes from: every little helps, right?
So the more sources you can somehow integrate into your policy management and decision making infrastructure, if you will, the better. And sometimes it would probably work automatically through some kind of API or standards based protocol. Sometimes it has to be manual, maybe sometimes even just sitting down with your business colleagues and writing down their expert opinions and somehow applying them into writing the actual policies. The point is that you get the business context from everywhere. Yep. That's it.
And I think with that, we have just reached the top of the hour, and we don't actually have any open questions left. And with that, I can only say thanks a lot for being with us today; looking forward to seeing you in our future webinars.
Thank you, Steven, for your part in this, and have a nice day. Thank you very much. Thank you everyone.