Welcome to our KuppingerCole webinar "Maturing a zero trust strategy for the extended enterprises". This webinar is supported by Duo Security and the speakers today are Richard Archdeacon, Advisory CISO at Duo Security and me, Martin Kuppinger, I'm principal analyst at KuppingerCole.
Within the next hour we will talk about the topic in two presentations and a Q&A session, but before we start, some housekeeping information and a quick hint on some of the upcoming events of KuppingerCole. Within the next couple of weeks, we will have a number of KC Live events, which are sort of virtual micro-conferences: one around SOAR (security orchestration, automation, and response), one around security for SAP and other business applications, and one around privileged access management. These are events full of interesting speakers.
So definitely something worth attending. Without further ado, before we start, the housekeeping slides.
So, audio control: you are muted centrally, we control these features, and there's no need for you to do that yourself. We will make the slides available after the webinar, as well as the recording. And we will, as I already mentioned, have a Q&A session at the end.
And the more questions you enter through the GoToWebinar control panel, usually on the right side of your screen, the more lively and interesting the Q&A will be. It will be an opportunity to ask Richard and me the questions you have around zero trust and all we are touching on today in this webinar. Having said this, a quick look at the agenda: as usual for our KuppingerCole webinars, it is split into three parts. In the first part I'll look a little bit at the zero trust journey from networks to everything,
and how all this relates to the overarching theme of the digital transformation of the extended enterprise and the way organizations are changing.
Richard Archdeacon will then take a more practical look, I suppose, rather than zero trust theory, talking about a zero trust access model for the extended workforce and enterprise and how to make this work. And then, as I said, we will have the Q&A session, so enter your questions once they come to your mind. This will be very interesting.
I'd like to start with a very high-level perspective, which is around the digital transformation and the role the extended enterprise plays. We have been talking about digital transformation for a pretty long time, and I think, from what I've heard, a lot of organizations had to drive these transformation initiatives forward way faster over the past 12 months than they maybe have done before, because when you are not digitally transformed, doing business in a lockdown is relatively complex.
And so what does it mean?
We need organizations that have certain essential capabilities for success: which are agile, resilient, innovative, but which also do this in a way that is secure. So security is sort of the foundation for actually driving organizations forward. And there are a lot of drivers of change, which I'm listing here, some of them very much related to the extended enterprise.
So yes, we have the cyber attacks and we have compliance risks, et cetera, but we also have mobile workforces, we have distributed workforces, we have global competition and global partnerships, ever-changing partnerships and other things. So our business is changing, and it means we are operating in a broader and extended context of business, with more parties involved, having a more complex challenge in doing business.
And so we need the enabling technologies. There are many enabling technologies: there's cloud services, big data, there's IoT and other things.
There's mobility, there's smart manufacturing, and we need to bring this all together. But to enable the new technologies, to enable working with partners, we need the foundation in security, and we need to do it in a way that is agile. So at the end, the first question is: what does it mean for IT? From our perspective, the main question is what does it mean for the business? How does the business succeed? But it's also the question: how can IT support it? I talked about agility and cyber security, and in a way, these are the foundation, as I said at the beginning.
And that also means we need to be able to quickly reconfigure, to react to changing ways to work, to changing types of applications and delivery models, et cetera, but also, for instance, to support work from home, different work models, et cetera. This was something which put a lot of organizations under pressure last year when the lockdown started, because they weren't really prepared to work that way.
So the second element is, as I've said, cybersecurity. It's a top priority for everyone in the organization today, at the C-level, and not only the IT C-level but the enterprise C-level: the CEO, the CFO think about cyber security today. They know that that is a challenge, and we need to enable working securely. So in a way, this also has to do with the ability to change, to be agile, to work in new ways. The problem is that, at the end of the day, the way we did it over the past 30 years or longer doesn't exactly fit these requirements anymore.
So the traditional, perimeter-based cyber security models are not made for a world where we collaborate with each and everyone. And that is what we need to change. So we need to react: the deployment models are changing.
We have different types of procurement of services, but we also have different partnerships and identities. We have a remote workforce, and we need to enable this, and all this doesn't happen within the perimeter. So our traditional security models don't work.
Digitalization breaks the static security perimeter, because users are not inside a perimeter anymore. And so we also can't trust this perimeter. So this notion of, okay, Martin Kuppinger logged into his desktop PC in the office,
and that is reasonably secure, is just the wrong assumption. So this implicit trust doesn't work anymore. And even then, when we have some network perimeter there, you may have attacks because emails are coming in from the outside. Phishing is not stopped by that. It just is not the correct assumption anymore. And also, we don't have stability anymore. Things are changing, and we even sometimes have, right now, a discussion about this pendulum of cloud
first versus somewhat thinking back to other concepts, et cetera.
Yes, probably it's actually true. But the important thing is that we can't say, this is the way to deal with it. We need to deal with everything; we need to deal with ever-changing environments. We need to deal with a far more agile world than we had to face before. And that brings us to this zero trust concept, and zero trust at the end of the day: the key word is don't trust,
verify. The verify part is certainly the important part: verification. We need to apply this, and I'll touch on it again in a minute, at various places, various stages within what we do in IT. When you read this graphic from left to right, then it starts with the user.
The user has a device; over the network, the user is accessing certain systems or apps. I may have no control over the system because it's running in the cloud, and then there's data. And we have a high level of heterogeneity here. So we have our employees, we have our business partners, a lot of different business partners.
We have software robots, we have things. We have customers, consumers. We have a ton of different devices. So it's not that we say, this is the one notebook he uses, done. There's the smartphone he likes to use, and there's the tablet he likes to read his emails on as well. So it's not the one thing; it might be a corporate-owned device, it might be a privately owned device, whatever. And networks: people sitting in the home office using their own Wi-Fi over their internet provider, but then ending at SaaS services.
There's no corporate network anymore.
Clearly you can artificially route it back, and sometimes it works, sometimes it works not so well. Applications are running everywhere. Data is sprawling. So how do we get a grip on that? And so we need to understand first that this is the new normal, and one of the phrases I don't like that much is "identity as the new perimeter".
And I think sometimes it is: maybe you don't have any perimeter, or you have identity. Identity-wise, it's not a perimeter, but maybe we don't talk about perimeters but think about what we can do. What can we do? Looking at: how can we manage and authenticate the user? How can we understand the context? We verify that user; if we also understand the risks from the context, then we can make decisions on how much we allow to that user or not.
And for devices it's the same: if it's a corporate device, you might have a little bit more of a grip,
while we might have less grip on a bring-your-own device. And so we need to work at all these levels. We need to apply controls at all levels. And all of that starts, at the end of the day, and this is also central to what Richard will talk about later on, with the piece of authentication around the user. How do we authenticate them in a way that is adequate to what we do? And I think this is where zero trust started. That is also reflected in my next slide, which is, in some way, a short history of zero trust. So when was this concept first discussed?
So I think probably around about 10 years ago, maybe some would say even more.
It was mainly zero trust networks. And that is, when you look at this perimeter story: we don't have this traditional perimeter anymore. That was the starting point, but it's more than that; we have to look at networks. It is also my previous line about: don't trust the firewall.
So even within the firewall things go wrong. We have known that for a long time. For a long, long time, it was that there was far more damage caused by internal attackers than by external attackers. It may have changed over the past couple of years, but there was always a risk from the insider, and there's still a risk from the insider.
We need to look at lateral movement. Lateral movement is: if you're in, then you can do the next things, because you've crossed the one single point of failure. That was sort of the zero trust network thing. Then security, looking at system security, device security, adding verification at many different levels, then the identity.
The new perimeter, or as I said, you can argue about this.
What we see here clearly is that at the end, identity and access are at the center of security, because at the end it's always about who can access what, who can do what. It's the who and the what: the identity and the access. Who can access the data? Yeah, that's the question. Who can manipulate data and delete data? Who can perform certain actions, business activities that are in an ERP system, who can do what? It's always about that. So adaptive authentication is really the core thing. What I tend to add these days, and what we also should think about, is zero trust for software.
When you take the SolarWinds incident from just a couple of weeks ago, I think it really highlighted that we need to understand to which extent we are really able to trust software.
And we need to add this: to understand what the risk of the software across our entire cyber security supply chain is. So C-SCRM, cyber security supply chain risk management, needs to be integrated. So we should think of a broad perspective of everything, and zero trust there is an essential paradigm for security.
So always verify, never trust, or don't trust, verify. This adds things to the equation, because this really helps us in enabling business benefits of the digital transformation while reducing the cybersecurity risks. We make it easier to migrate to new deployment models, to new work models, so flexibility for your staff, to interact with your partners. You need to be able to onboard and off-board partners flexibly, to give them access in a controlled manner. And so we are faster and more agile in our business initiatives.
If cybersecurity says, hey, no, we can't allow it because of the data, that would always be the notorious naysayers blocking the business, and we can't afford to do so, even less in these days of really fast change and fast digitalization. So yeah, there are many reasons from a business perspective to go for zero trust. And I think also, for a reality check: the perimeter, so shadow IT, has been a problem for, I don't know how long, and it will not disappear.
So accept that there's not that steady ground anymore. And honestly, from a reality perspective, there's no zero trust tool or zero trust product, so to speak, in a box. There are tools, and Richard will give, I think, a very good perspective on what they deliver really, to help organizations in implementing zero trust.
But it's a principle, it's a paradigm, and it is something which then needs to be backed by products. But it's not that you just go and buy something and say, oh, I have zero trust.
No, you need to implement it as a concept, as a principle, as a paradigm, and then derive from it. So what do you do then? This will be the topic very soon. You need to understand what it is. You need to understand the risks, the assets, the way you work, and how you deal with that. What are your policies? What are your verification steps? Do you need it all? You don't do it all in one step, it's a journey, but you need to start here. And that start is, if I go back to the left side of
the graphic I showed before, the user and the authentication, and moving from there to the other parts. Identity and, at the end, the data are probably the areas where you can best get a grip on it, far easier than on the network itself.
Because, as I said, if I access a SaaS service from my home office, then getting a grip on the network is not really simple today. The benefits from zero trust for security mean location independence and removing implicit trust. For the business, it means location independence, agility, consistent policies.
Let's think about being always online and connected. And efficiency: there are a lot of things you can really get from it. In fact, you enable digital transformation by being able to work in an untrusted environment. That, at the end, is what the digital transformation needs, but it's also the reality. So just do it.
My closing sentence here is: zero trust is the key principle for modern cybersecurity approaches, and understanding it right as a concept, supported by tools, and not just the tool, but you need both. You need to understand the concept, you need to implement the paradigm, and you need to support it by adequate tooling. With that, I go back to the agenda slide, and I'll hand over to Richard.
So thank you for that introduction, Martin.
I think you've brought up some very important points, especially around zero trust not just being a technology, starting with the user, and how important it is as part of business change. I hope to touch on some of those points in the next 25 minutes. Just on zero trust: I always describe it as an old idea that's very new. It actually started off many years ago under the Jericho Forum, and their assumption was that the perimeter had gone. And I remember, when I was at the meetings, they came up with the expression de-perimeterization.
So I make that point because it might be seen as a marketing slogan, but actually this has deep roots in the CSO community, from some of the top CSOs. I think that's an important point I always like to make. I'm going to just try and talk about how we can make this a practical solution, because I come from many years of running transformations in security organizations.
So for me, an idea is great, but a practical solution is what we need. So that's what I wanted to try and share a few ideas about going forward.
So what I always like to start off with is a few quotes, and I think the top one reinforces what you were saying, Martin: that we're all technology companies now. And I think when Boston Consulting came out with this just over a year ago, I don't think they realized how right they would be, but we're all technology companies, and every CEO will be wanting to know how technology can make our business better, faster, more agile. I've also got a few quotes in there from CSOs, and one of them is quite interesting, about attackers not breaking in but just logging in.
And as we know, most attacks come through compromised credentials. So that's one of the big attack vectors.
And one of the big risks we've got to worry about going forward, especially as we change the business model underneath our organizations and change the technology model. So I think that we have to bear that in mind, and you get all sorts of figures on what percentage of breaches are caused in that way. Some say 80%, some say 70%, but it's a big number. So we have to be very careful about it. The other point is about visibility.
And as we go through this time of change, one of the major issues I find CSOs are facing is visibility. What are my devices? Where are my applications? Who are my users? Especially when you get into an incident, this becomes a major issue. So getting greater visibility is absolutely critical to any CSO. And my argument is that if we start to apply a zero trust approach, never trust, always verify, or as they put it in the military, situational awareness around a mission, then I think that we can start to get better visibility.
So I think visibility is one of the key issues that we have to address when we look at zero trust. Those are some of the issues that I've found CSOs talking about.
So I just want to move on to our thoughts around zero trust and defense and why that's important. Obviously we have the whole traditional approach around the network and being defended within the perimeter, but this has flaws, because once the attacker gets in, they can move around the network. And I think, as you mentioned, Martin, it's the whole question of lateral movement as well.
So that always becomes a major issue. And of course, with business change, the adoption of the cloud, the perimeter is gone, and users aren't on our network anymore. So if we look at this new approach, why does it work, and why does it improve security?
Well, we're establishing a level of trust at every access. So it doesn't matter where it comes from. We establish a true level of trust.
And then we can make sure that that secure access is limited to where it goes within the organization, and that way we reduce the chance of lateral movement. We can then start to use this new flexible approach across an organization, whether it's using different technologies, migrating to the cloud, whatever technology change is coming in.
If we have a structure of zero trust, then we can drop in the new application, the new cloud service quite simply, but establishing trust at the very beginning is very important. I always take the example of a breach we were dealing with many years ago where we couldn't identify where the access had come in from. The company had multiple outsourcers, security providers, IT providers, et cetera. So we couldn't do anything at all until we found out where that access had come from. So that's a really important point for me going forward.
So if we're going to start on this journey of zero trust, well, first of all, I'm going to start at the user end. We tend to divide it into the user, the network and the applications. And the reason we start with the user is because that is the best place to start and reduces the risk the most, and it's the one which tends to be more quickly applied. Working on your network: people have been working on network micro-segmentation for many years, so they might have some solutions in place already. Applications:
you often have to sit and wait for a long time to try and get visibility; equally important, but let's just start at the user end. So I've set out a statement there: what is the goal? It's secure access, trusted user, trusted device, to any appropriate application on any network. And by any network
we mean whether it's in the cloud or whether it's on-site, on-premise. So there's a goal we can try and use to establish what our journey to zero trust is. And then I've attached some principles: what are the principles we want to apply when we start our transformation program?
So we start off assuming every access originates from a non-trusted network; never assume trust. It doesn't matter where your application is; it's always treated the same, to make sure that it's accessed in a controlled way. Very important is to enable workers to be able to successfully work from any environment, whether they're in the office or out of the office, whether they're traveling or whatever. Because if we do that, we start to make sure that users are taken on the journey with us.
And one of the points I would try to make very, very strongly is that this is about getting users to adopt the solution rather than pushing it onto them.
We have to make it as easy as possible for them. We have to include them in the program. To just give you one example: here in Cisco, at the moment, we're implementing these solutions, and we have a website, and users can go to that website and say, I want this application to adopt this approach. So we're inviting users into the program. That's a very important point.
And then of course we have to make sure that we have authorization and authentication, and make sure that we are controlling the access to the application based on the risk of that application. So all applications should not be treated the same, because normally in any organization, some applications are more important than others.
Whether it's keeping a manufacturing line running, whether it's a payment system, whether it's a customer database, each of these will have a different level of risk and a different level of usage that we have to try and understand both from our security risk point of view, as well as from our business risk point of view.
So how does it reduce risk? And this is one way I've tried to express it. If we take the formal risk equation, threat, vulnerability, impact, I've left out probability, because I'm assuming that there's always some probability something will happen.
But if we look at the old system, the threat would be an attacker getting into our system and being able to move around using the vulnerability of compromised credentials, and the impact would be a widespread infiltration and expansion across the environment. So if we look at it from the kill chain, it's the infiltration, the expansion, the exfiltration: those stages. By adopting zero trust, we shift our defenses to the left. So how do we do this? Policy-driven access. Policy becomes the key that enables us to understand our devices and our users,
Then making sure that we have that trusted access and then making sure that even if those two areas of control fail, we limit lateral movement.
And in that way we mitigate risk, but policy becomes absolutely critical as we go forward. For example, policy around a device: if a device has to reach a certain standard on patching, we can enforce a central control around that, and that reduces the probability of a compromised device coming into our organization. So if we take many of these ransomware attacks, we know we can block them
if everything is updated, the operating system is updated to a certain patch level. So we can check that before the user accesses the organization. So a centralized policy control point is absolutely critical to establish that control plane in allowing access into the organization.
So how do we go about doing this practically from a practical point of view?
Well, what we're arguing is that you can adopt this three-point control around the endpoint, the user. So it's the user identity: who is the user, can they validate who they are? What is the device? Can we trust it? I go back to my example of making sure that it's patched properly. And then thirdly, understanding the access policies for every application. Going back to my point earlier, we have to understand the applications. We have to understand their risk, where they're controlled and how important they are to the end user.
So it's these three points, these three legs that we build our approach upon, and verifying the users' identities is that first step, because then you're asking the user to say who they are. Making sure the device is okay,
you can then start to get visibility and control over your devices, and then having these policies put into place. So looking at those three points, you will have some technology solutions, but as I will argue later on, you also have to start to look at some more important aspects around the whole security organization.
So in those three areas, the user, the device, the application, we can start to get better visibility, better control, minimize the infiltration issue, minimize the lateral movement issue. So how do we go about this in a programmatic approach?
Now, having been doing security programs, transformation programs, for many years, I never believe in doing a big-bang approach unless you absolutely have to. If you have the chance to build a program, it's better to take it in manageable steps that enable you to define business outcomes and measure your progress as you go along that program.
So we've broken it down into five steps, which follow the implementation of those three control points around the user, around the device and around the application.
So that's really what we're trying to do when we start to roll out any kind of transformation program around the workforce. So the first step is to look at user identities and make sure that they can confirm they are who they are, reducing the risk of compromised credentials.
Now, this is actually a really important part of any transformation program, because what you're doing is you're actually transferring security decisions away from the security function through to the end user. So the end user is now part of the security team. Every time they validate who they are, they say, this is me. I'm allowed to get access. They are in fact making a security decision. And this is where I talk about the adoption of users into the program.
They can't be told, you've got to do this. It has to be explained.
If you do this, you will be more secure; when you make this decision, you're helping secure the organization. If this decision is incorrect, then please tell us: if you get told to confirm your identity and it's not what you expect, tell us straight away, because there might be a security issue. So we have to start to bring the organization on side with the security team and bring about what many people term a culture change, because you're changing the organization. You're making everybody alert to what they need to do.
So that becomes a very important part of what we as security professionals have to do. We have to spend an awful lot of time communicating with our end users and making sure they're happy that this works. Now, one advantage we have is that, from a technology point of view, we can start to put a lot of applications behind a portal, and the user might then be able to authenticate themselves onto that portal and then be able to access all applications.
It doesn't matter whether they're in the cloud, whether they're on our legacy network. What that means for the user is that it gets easier.
It gets easier for them to do their work. And as I always say, people come in to do their work; they don't come in to do security. So we're helping them make their life easier. And when you make life for a business colleague more secure and easier, that's always a very good win-win situation to be in. Then we go on to the visibility of the devices and the activity: is this normal activity? Is this coming in from a certain place? Is the device up to date? So we can then start to look at that.
The visibility around the device gives us better visibility of the technology that's being deployed in our organization. And this often applies as well if we're looking at the application side, because applications change, they get moved.
How do we keep a good picture of them? So making sure we have visibility is absolutely critical: visibility into devices and how they're working. Then we start to look at the policies around access, how people are going to access this. And we can start to build a situational awareness context around how users are going to be working.
Again, this becomes quite complex, because some users might travel, others might stay at home and work. So we will have to define where they are coming from in terms of location. Is it the normal device? Is it the normal time for them? We're going to have to start looking at those factors and build them up over time. So this becomes an ongoing activity; it doesn't just happen one-off, and you might change it from time to time. And then we can start to make sure that we roll this out across the organization.
We can support BYOD devices, and then we can make sure that we have secure access to all applications. So we're improving mobility. We're improving agility for the business. We're making organizations work a lot more smoothly. So these are the steps that we think of. And these are all underpinned by communications: communications to the user, communications to the business, identifying the business benefits. What are the other trends that I think we're coming across, apart from just change in business? It's the whole change in how we deliver security.
And I'm finding CSOs are talking a lot about this in terms of the increased use of SaaS security solutions. And so for many organizations, this is a way to simplify the technology delivery while still meeting the needs of the communication, the business delivery, the risk reduction and so forth. So there is a very careful balance that has to be drawn in this instance so that you can make sure that you're delivering on both sides of the organization.
So take a structured approach of clear outcomes and make sure you can measure them and above all, keep your communication going.
That is absolutely critical. So if we now go to the impact on the security function, because this is really about the rollout of the solution and some of the impacts that it will have, let's look at those in a bit more detail. What I have here is just a big sketch. What I usually start on, when I'm looking at a transformation, is trying to build out the little boxes around all the different functions and then break them down into areas of operation: KPIs, processes, procedures, staffing levels, interaction between them.
And you can build up almost an operational manual from this kind of approach.
So if we look at what happens if we start to implement a zero trust approach, what gets impacted? I think immediately you'll see that large areas of the security function are being impacted: for example, people who manage the endpoint, authentication, how applications are developed, how we migrate to the cloud. Then how do we integrate all of the different solution components with other parts of the organization, like the forensics team, who want to be able to get all the logs so they can identify who's coming in, where and when and under what circumstances? The threat and vulnerability management team: how do they alert a vulnerability?
And then how do we change our policies? So we have to have interaction there. How do we use this in incident response? For example, we come across environments where there's been a compromise, and we can immediately start to roll out a patch or a control to limit that incident. How do we work on this in terms of our risk profile? I already showed a very simple calculation we can do on risk. And how does that measure against our risk register, and how can we start to mitigate some of those risks that have been identified? How does this change our architecture and how we work?
And we also have to tie it back to some of the more strategic drivers. How does it impact on compliance? For example, GDPR, does it improve our profile by having specific people limited to specific application that might have personal information?
So we have to start to look at it from a very broad point of view because this will impact across the whole of our security function.
And also, as I mentioned already, the question of people: how do we identify them? How can we work with people and how do we change the culture of the organization? And then how do we take the data we get and work with our IT organization, who might well have out-of-date inventories, an out-of-date CMDB, and the data we're getting in could be absolutely critical to what they need in terms of managing the IT organization. So there are a lot of different wheels that move, which we have to get all working together in order to make sure that we can bring in a Zero Trust solution.
So, to go back to the initial comments that were made: it's not about a technology, it's about the whole security function, the whole culture of the business underpinning the business strategy. So we have to look at it more broadly than just the technology.
So where do we start? That's often the question that I get asked when speaking to CISOs, and my argument is that we should always start by just trying to analyze what we're doing.
In many instances, we find that people have started to implement Zero Trust solutions, whether it be at the network, whether it be at the application, whether it be at the user. So what I try and do, working with other CISOs, is to start off by just defining where they are, trying to bring up a simple heat map based on five simple steps, those five simple steps that I mentioned before.
Just by answering a series of questions across those different steps, you can start to see where some progress has already been made. You might have implemented, for example, MFA. Great. You might well have started to look at segregation of duties, so that's one more step forward.
So you can actually see where you start to focus. So for many organizations, there is already a zero trust strategy in place, but they're probably really not aware of it.
So finding out where you're starting from and what you've done already is, I think, an important point, and on any journey, make sure you have clear metrics around what you're doing. And you can see I'm trying to define these by strategy, risk management and operations, sort of a three-tier model. But how do we actually measure the progress and how do we actually show the benefit to the organization? So at the top level, you might want to look at the culture of the organization. How are people reacting to this?
And one organization I know started a whole series of quarterly surveys just to show how people's attitudes towards security changed. Then looking at risk, audit and compliance to make sure that they weren't missing any particular points.
And then start to look at what data we get out of the implementation around devices, around people, around our patching levels. So we can start to get a better vision of where we're going and what we're doing. And that becomes absolutely important.
So knowing where you are, because you might've started already, and then putting measurements against it becomes absolutely critical, using a structured step-by-step approach, communicating with the business and seeing how they start to react towards this.
So those are some of the factors that we have to think about when we start this journey towards Zero Trust, reminding ourselves the whole time of the benefit of being able to make sure that we can change the business or support the business as it changes, make sure it's secure, make sure that the transformation of the business is enabled by security and not blocked, making life easier for users so that when they come to us about security, they're part of our team.
So I think that's a very important set of thinking that we have to keep in mind the whole time.
Finally, my other argument about Zero Trust is that, from all our points of view, I think we have to accept that it's going to become a standard. And so we all have to have a strategy around it. And here I've just shown you two snapshots, one from NIST, which I'm sure you're aware of. And in the UK, the National Cyber Security Centre is also now bringing out its architecture design principles. So soon this is going to be a standard. We will have to follow it. So start your journey now, as soon as possible.
So those, I think, are a few thoughts I'd like to share on Zero Trust and how you actually get it going and how you actually make sure that you can make the transformation successful.
Okay, Richard, thank you very much. So let's kick off our Q&A session. I already have a couple here in the Q&A. And so the first one is: where do organizations start when implementing a Zero Trust strategy? I think we both have given some recommendations on where they should start, but maybe you can talk a little bit about where you see them really start.
Okay.
As I say, I think many organizations have already started, but don't realize it. They might already have done some network segmentation or so forth, but I'm finding increasingly people are starting from the user point of view because, as I think you pointed out as well, that's the most important part to start with. And so I see that user protection, that user experience, being the key area where they're starting. Start there, get that piece under control.
And I think one of the other reasons for starting there is because, as we go on transformations, for example moving to cloud, we're going to have our applications in different places. So if we can control what I call a choke point, the entry point to the applications, we can put those controls in that place, and that I think helps the overall security of the organization and helps reduce risks very rapidly. So I think that's where most people are starting.
And I think that fits very well with what I see.
I think most organizations have some elements of what they need for a more comprehensive Zero Trust picture already. They might have something around adaptive authentication, a CASB in place, or many of the other elements that make up the broader approach with a lot of points for verification.
So I would dare to say really many, maybe most, organizations are already doing some Zero Trust. The point is that you need to have that concept, that broader picture and strategy, and say, okay, this is why we do certain things in security, and also where we don't do certain things, don't invest, or even retire certain elements because they don't help us. And I think that is an important point.
Also the perspective of getting rid of stuff, rather than just adding, adding, adding, that might be something which is very important in every Zero Trust initiative. So what helps and what not?
I think there are two elements which come to mind. One is, what can we get rid of that makes life harder for the user? And then in terms of the technology solutions, we can have the buy, hold, sell response. What do we get?
What do we want to get rid of, and what do we want to keep running, so that we don't just build up a constant stack of technologies which just end up becoming complex, and complexity equals risk.
Yeah.
I mean, I think that's very good too. Another question we have here, which is: most organizations are short of resources, people, budgets, et cetera.
So how can they get to Zero Trust? And I think part of that you already answered.
Yes, I think there are a number of ways. And just as a point, many, many CISOs I'm talking to are finding that budgets are much more limited now than they would have hoped. There was a lot of spending last year, but now some of that spending is being restricted. I think CISOs have got to do two things. The first is the communication side, pointing out the benefits and explaining why this will help the business run more effectively, more efficiently, it'll expand, it'll make more money. So the communication of that aspect is absolutely critical.
But also, I think, one of the points I mentioned: we're having this shift towards SaaS delivery, and that might well relieve a lot of the pressures on technology deployment. So it might sort of expand your resource capability, because you're working with trusted partners. But at the same time, CISOs have got to remember, as they go on the Zero Trust journey, there's going to be a lot more emphasis on business communication and policy management. So I think they're going to have to focus on that a lot more than they did before.
An interesting question, which I think fits very well to that, is how to deal with a scenario where you have a hybrid approach, because you have your modern environments, but you also still have a traditional perimeter. So do traditional perimeters and Zero Trust fit together? Maybe you start on that. I have something from my perspective here.
Yeah. So I think one of the principles is that it doesn't matter whether you are inside the network or outside the network, you have to have the same approach.
And that means taking the control plane away from being within the network. So you don't go into the network and then go out again to a cloud application, for example; you can just work easily, straight from home, bang into the cloud application. And so I think putting in the stages of authentication and device trust right at the very beginning enables you to do that, because you then have a centralized, controlled policy which says: this is what you have to be up to before you can access any resources.
And I think that you're going to have to have that approach, because so many organizations are going to have legacy applications as well as cloud applications. There will be cloud native environments, but there will be some that will take years to change. You think of a manufacturing company, you think of a finance company. So we have to be able to make that invisible to the user. I think I mentioned the idea of a portal. You have all the controls behind it; all the magic happens behind the users, and they go either to the network or they go into the cloud.
They don't care. They shouldn't. Yeah.
And some will never change.
So your shop floor, when you're manufacturing, will remain on premises. So I think from that perspective it makes sense. I think we touched a couple of things which fit into that. One important thing is, at the end, your traditional security elements in some way are also part of your verification, your elements which help you verify what is happening.
So don't trust that once someone has passed the perimeter, everything is secure, but apply the other principles, so to speak, that you apply for the outer space of your organization in the same way to the internal space. But then, putting in what Richard was also saying, you also need to think about which pieces of the security elements you really need in the future and which not.
And I think that sort of aspect, to try to reduce what is really too redundant.
I think Zero Trust always involves some sort of redundancy, because it's about multiple checks, multiple verifications, but can you look at how you can optimize your portfolio? That might mean some of the traditional security elements are maybe less relevant, some of which work everywhere. But if you look at the on-premise part, you must not forget that some of the things your cloud provider provides for you within their provider responsibility remain your tenant responsibility, so to speak.
I mean, you have the provider responsibility when you run it on premises. Your tenant responsibility for cloud services, when it comes to security, is somewhat smaller than your provider responsibility for your own on-premise environment. And that means there are things you need to do yourself in securing your environments, mainly on premises, but in some way everywhere. So the way I tend to think about it is: think about it as if you have services that run as a service, and you have users somewhere with some devices.
And if you can protect that, every user with every device to every service, then you cover everything. And then you can still say, I have more control about that or less control about that, and increase the level of verification you need.
And then, at the end, it's always a hybrid approach in some way.
For sure. Do you want to add something?
Yeah, no, I agree. I mean, obviously that's a whole debate around what does the cloud provider do and what do we do internally? But I think if we drive it back to who is going to use the resource, who's going to use the application. We're inevitably going to have to control that ourselves and make sure that only the right people get in there as much as we possibly can. Yeah.
So we have two more questions, which are, I would say, pretty much overlapping. I reduced it to one question, which is, at the end of the day, which wrong choices should one consider when implementing Zero Trust?
That's something you touched on in your talk. But also, in this broader portfolio of things you can do for implementing a Zero Trust paradigm, which are the things that are relatively stable and established, maybe to start with, instead of the ones which are maybe more volatile and change as products from vendors or technologies evolve? So, one of the things that you were saying: if you do that, you can't go wrong.
I think in security, you've always got to try and look at what's the risk you're facing, and security is never easy, is it? So you have to start by looking at it.
What is the risk you're trying to reduce the most within the business? What is the benefit you're trying to bring to the business? And then drive down from there and make sure that you're addressing those issues and helping the business move with security. So I think that's really how I look at it.
Yeah. And I think there are things where you can't go wrong. So I'd start with setting up authentication.
There's no way to avoid a modern risk-based, context-based authentication which allows you to use more than one factor, which allows you to use different combinations. I would dare to say investment in that is mandatory.
Anyway, there's no way around it, regardless of how your environment looks.
Oh, Martin, based on my experience over the years, anything which stops lateral movement is just absolutely wonderful to me, because it is so complex and so dangerous when you're trying to track it down. The words "lateral movement" send fear into me straight away. So anything which stops that is absolutely critical.
Okay, great. I think this is perfect, and that's it for our Q&A. So thank you very much to you, Richard, for all the input you provided. Thank you very much to Duo Security for supporting this webinar. Thank you very much to all the attendees for listening to this KuppingerCole webinar. Keep safe, and hope to see you soon in one of our virtual events again. Thank you. Thank you.