Anoop Mangla, Cybersecurity Practice Director, Wipro
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
We can hear you. So the stage is yours. Okay. Thank you very much and good afternoon everybody. And thanks for joining this session today. I'm going to talk about identities and how identity and access management should be treated in the zero trust model. And essentially it's a simple concept, but before I go, like introduce myself, ILA, I'm part of the process, cybersecurity practice. And I really enjoy being part of the session today. Thank you very much. Let's let's get into the discussion of how, what the principles of zero trust are and how do they relate to identities.
So as most of you would be aware, the principles of zero trust are simple. They're not too complex. Essentially what we are seeing is that we have to ensure that access to all resources should be secured the respective of the location. So no automatically no trust should be provided automatically to any user or any actor. And what we also say is that at all times, we assume that there are untrusted actors in the environment, in the network, which means you cannot always trust the network, or you cannot always trust. Who's accessing your application.
The systems that means you have to take trust out of the equation and ensure that we have least privilege principle of least privilege. And we enforce it with access control and last, not the least, essentially we need to monitor and audit everything on a continuous basis so that we make sure that we can know who's accessing what kind of resources, what kind of systems.
So in simple, if you look at it, zero trust becomes like the identity and access management is like the core of any zero trust program, any zero trust solutions, because it's all about never trusting the resources and users, but always define it. So if you look at how do we define, I aim for zero trust, what would be the elements? And we are moving from say really static approach to a more adaptive approach of the, there are various definitions in the market for sure, on, on how to adopt zero.
But the whole idea that move from a static way of doing identity to a more adaptive and the five five areas, which we see are important. First one is continuously very, so you need to verify everything and I'll talk about it. Move into continuously contextualize, which is where it becomes more and more adaptive, which means you are contextualizing the access users identities in real time. And it's the continuous activity.
We also need to continuously secure the assets or the resources that an organization has irrespective of where they're located in, in your data centers, on the cloud or on SA applications or in partner networks. It does not matter if you need to continuously secure them. You need to grant access to these resources as, as required. And we'll talk about it and we need to continuously audit these accesses. So if you look at these elements, let's go through them one by one and see how we can build a program of zero trust keeping identity in mind.
First one, again, very simple concept continuously fine. So you need to ensure that you have an identity source depending on the organization. It could be a centrally and governed identity source. It could also be a locally administered identity source, or it could be a third party identity provider, but you need to have a way to identify the sources, identify the user, identify the asset, identify the resource, which is making access, right? So that's basically first important principle. Then you need to look at what's the privilege of this identity.
What, what can this identity do? Right? So by entitlement, by account, that could be maybe more parameters to determine what's the privilege identity. And how are you going to verify, right? How are you going to verify these identity when it makes access? When it tries to access this issue, it could be credentials, multifactor authentication to factor authentication. Biome are some of the measures. So the concept is still very simple, but the pointed that how do we enforce it across the organization, principle of continuously verify each access to each resource. So that's the first principle.
The second principle takes into account. How do we continuously contextualize? And there are again, various definitions for it, but here it's much more dynamic.
The, the elements that we have to consider for continuously contextualizing the access as are multiple. So you have threat intelligence, you have value of assets, you have reputation services based on your policies, the risk tolerance that your organization has, any enterprise policies that you have, any behavioral signatures, any historical baselines.
There are a lot of elements, a lot of parameters you need to consider to contextualize and essentially have an engine, an engine, which also takes in your policy and compliance parameters and determines what kind of an access should be provided to a particular user or particular identity. And mind you, this, this could vary, right? A particular user identity could have a certain context depending on where they're connecting from or the time that they're connecting from. And it could change. It could change when they connect next time, right?
So the would continuously change as well for the user. And you could choose what kind of access you want to provide to the user. You could either block it, you prevent that access. You could quarantine that access. You can ask. For more context, you can ask for more information, you could give Readly access. You could isolate.
I mean, the list goes on and on. So the essential idea is that you should have all the elements to take in this information about users and their accesses and determine what should be the right access mechanism for them. And this is very dynamic in nature. So once you do the continuously contextualization of accesses and users, you need to also ensure that your contents to secure your assets and while, okay, and this is, this is there. You look at the entire state, right? Whether it's endpoint networks, servers, applications, or cloud systems, data, your identities, you name it, right.
The entire solution set your entire system stage should be protected. Contents is secured or the responsibilities malware. You need to have patching in place. You need to ensure audit trails. You need to ensure privilege access. You need to have gateway protection. So essentially this is a very dynamic approach as well that you have to continuously secure your systems, your endpoints, or network and things like that.
And then of course you have looked at how the make sure that the user access is control and contexts would also take into account the type of resource you're accessing and what kind of security you have on the resource. So it plays a role in contextualization as well. And once you have done that, I mean, the both principle is the principle of least privilege or least access. And this is, this is again, a well known concept to ensure that you only allow access for the time that it is needed.
So, and when it is needed. So just in time access ensure that there is no default access provided to users, which is for an in finite period of time. So how do you ensure that we always access is provided when it's needed and for the duration that it is needed after that it is kind of revoked or suspended. And also you have to ensure that we have just enough privileges. You don't have overs assigned privileges. You don't have overs assigned entitlements, irrespective of a user's role.
And this is where we see a lot of organizations having a challenge because the moment applications move onto cloud. The moment you have systems on cloud, you have so much of privilege that users start getting, which cannot be controlled. And this is where I believe just in time access, just in a privileges, in addition to continuously contextualizing their access is where the biggest challenge is like this whole, when you're building your identity management system for zero trust. And obviously the objective is why, why are we restricting this access, right?
Why are providing only time and just in a privileges to ensure that we can limit later movement? We, we, we don't have over assigned privileges. We don't have privileges, which are for Anite period of time so that we can limit lateral movement for resources. So that's, that's the end goal here.
And it's, it's in I, one of the key principles or key elements of identity management and zero trust environment. As we move forward, we'll see that continuously auditing the accesses is equally important activity. And you need to continuously discover your assets, your identities, accounts, and entitlements in the organization. And this in itself, you see large organizations having a challenge because identities and entitlements are not just internal. It also includes external users, partners, and other kind of users.
And it's not always easy to have a unique identity associated with them, or organizations have the ability to uniquely identify those actors. But continuous discovery will ensure that we can always identify the assets I accounts and entitle in, in our environment. And you need to then move into continuously monitoring, all accesses that are being made by these identities and these accounts. What are the sessions they're creating? What are the activities that they're performing, which are the users that they're connecting to? What are the, which is the actual user behind those accesses?
So that's the continuous monitoring element of it, which needs to be put in place. Then the analysis of it, right? What are the events that are being triggered? What behavior is coming in, what kind of correlation and context you have when you look at all this monitoring of users and, and target systems, and then you get into ING, what could be the action, right? So in terms of say access re-certification, do we need to restrict anything? Do we need to turn down anything? Is there a trend? Is there a policy?
Is there a self-driven re-certification when itself is, is a concept which should be identified. So the whole idea is that this will feed again, back into the original cycle, right? So from verification to contexts, to securing, to ensuring you have lease privileges, or just in time access. So this cycle of audit and monitoring would feed back into your identity life cycle, right? Your entire identity and access life cycle. And that in our view is, is what zero trust model should look at as building blocks or elements of, of, of a program.
And in the previous session, I heard that to build this kind of program, you need to take an agile approach. And that's, that's our view as well that you can't build this in, in, in a, in a very strict waterfall model, there would be changes because the whole paradigm is very dynamic. You need to keep on evolving, evolving your program as well. So this is where I would like to kind of take a pause, stop, and probably open up for questions. If the people audience have any questions.