Matthias Reinwarth and Martin Kuppinger dispel a few myths about Zero Trust.
Matthias: Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. In each edition of this podcast, we have one guest joining me, a fellow analyst or another interesting partner, and we have a 15-minute chat or so around the current topic. The current topic for today: we will be talking about Zero Trust, and I'm joined by my colleague Martin Kuppinger, who is founder and principal analyst at KuppingerCole. Hi Martin.

Martin: Welcome, Matthias, and welcome to all the people listening to this podcast.

Matthias: Okay. I've already mentioned it: Zero Trust. This is a concept that has actually been around for quite some time, but it's really gaining more importance just right now, with more and more people being forced to work from home, to work from untrusted networks. What is the concept of Zero Trust in a nutshell, from your point of view?

Martin: So what is the concept in a nutshell? Zero Trust sort of appeared when some people started thinking about what is the future beyond the traditional way of working. The traditional way of working means you have a corporate-owned PC, working in the office, accessing internal services. But we all have seen certain trends over time, which is bring your own device, which has been around for a while, and, recently, far more work from home.

And on the other hand, this shift of services to the cloud. I would say probably most of the larger organizations these days are following a cloud-first strategy for deploying their services. So this traditional picture of "I have a secure perimeter, which is my internal network, or my own networks in various zones, and I have secure devices, and that's where I'm working": this approach doesn't work the same way anymore. The reality is we have devices.

And when we look at the current scenario, we have a lot of privately owned devices running in a home office, connecting over the Wi-Fi in the house to the internet, and ending up at a service which runs within the organization or, even more common, which is a cloud service. And the idea of Zero Trust is that we are operating in an environment where we don't have a single point of trust, where we can trust the firewall, we trust the configuration of the client PC, we trust our internal network.

It is about working in a less trusted environment, where a lot of elements need to be proven more often and where we can't trust in each and every thing, but we need other approaches for achieving an acceptable level of security.

Matthias: Yeah, I think that the most important point from my perspective is really that we're shifting away from protecting systems, from protecting infrastructure, from protecting applications, to actually moving towards protecting what really needs to be protected, which is the data and the processes that we are using. So it's really making sure that the data is secure on devices and in the services that we're using, and that the communication between both sides, when you think of a simple client-service scenario, that this connection between the systems is well protected as well. So it's data protection and it's connection protection.

Martin: Yeah, there are a couple of things. And one of the most important sentences around this entire Zero Trust concept, maybe we just start with this: "verify, don't trust", or "don't trust, verify". It's about verifying: this is secure enough to us, this is the right person, et cetera. That's one element. The other element is, as you said, Matthias, is very important. It is shifting away from a network-centric security towards a security that focuses more on and prioritizes other areas. So it's also interesting that at the beginning, the thing was called Zero Trust networks.

And at the end, the network, in the sense of technical network security, is probably of lesser importance. It is about: I have devices accessing services, and at the end, I need to protect data. And if you look at this chain, or flow, from the device to that data, to that information: so we have the device, which communicates over a network, or a series of networks, so your home Wi-Fi, the public internet, the network of the cloud service provider, to a system where an application runs.

So the system, that might also be something where you then have something running in a container, et cetera, but think about a system on which an application runs, and the application then has access to certain data. So it's a series of communication steps and flows of information. And apparently we need to understand all of that, but you also need to understand what are the areas where things can really go wrong if you use a secure communication channel.

So if you, for instance, use TLS-protected access from the device to a cloud service, then the communication is encrypted when flowing over the network. This is not our major concern. The concern from the application perspective is: is this really Martin Kuppinger accessing? Can we verify that this is Martin Kuppinger, specifically if he uses a device he's never used before? So can we trust that device? Or what do we need to ensure that our data isn't maliciously used? So we need to look at these things and look at what we need to verify within that to provide a certain level of access.

It's far more about thinking in risk and context, and repeated and multi-step or multi-level verification at multiple places, and then protecting data and thinking about what is required for data access, and how do I treat devices, and how do I, at the end, that's the other side of the thing, allow everyone to access what he needs, but in a secure manner?

Matthias: Yeah, I think it's really that triangle between the user, the device and the actual context that needs to be considered when thinking of well-defined policies and their continuous enforcement, to make sure we have clearly defined policies which are capable of deciding whether an access is actually desirable and normal and should be allowed, or when it should be intercepted or should really be terminated. So we have the user, as you said, we have the really trusted identity, but we also have a trusted device, or at least we have information about the device. Maybe it's registered, it's well known, it has been seen in that context already before. And we have context information. If really somebody joins from an unexpected network where he never has been, or where he should not be, maybe abroad or somewhere else, then you really can apply this information to verify this connection with clearly defined policies. I think that is a new challenge actually, to understand which access is desirable and which should be prevented.

Martin: Yes. And this changes the Zero Trust paradigm from "okay, if someone passed my perimeter, it's good; if not, it's bad" to: we need to verify, to check at far more places, and we do need to do it far more frequently. I think this is basically the fundamental change here.

Matthias: Now that many organizations are thrown into that situation, and of course we know that the traditional remote access approach via VPNs, all that kind of stuff, really has proven to be not adequate just right now. We've seen that live. And we've seen that happening. What to do then, once this crisis is over? Where would an organization want to start moving towards such a Zero Trust concept, such a paradigm shift? I think that is something that cannot be just executed by rip and replace. This is some ongoing process. What would be good starting points?

Martin: I would say, yes, I agree. It's an ongoing process. And for most organizations it's already happening. So we have mobile users. So we use different types of devices. Many organizations have some sort of bring your own device access, and if it's only allowing email access from a smartphone, or access to Zoom, to Teams, to other things from a smartphone. And most organizations also have some sort of cloud-first strategy. But I believe what is important is: let's start at the backend side, to treat everything as a service. So when you are not already using public cloud services, try to expose your other services in a way that they, so to speak, appear in an as-a-service manner, so that they are sort of your private cloud services, and you have the public cloud services, but every service is accessible in that way.

So don't have this notion of "I route everything first to my internal network and only then to my internal services". Get rid of this. People use a device to access the service. And what you also will need is an identity management which covers every single step. We have a lot of research on our concept of identity fabrics, which is: how can you provide access for everyone and everything to every service?

I think this is a very essential element to move forward in that space. And the other area is to figure out ways to use devices at various levels of security and various levels of, I would say, effort and administration, and maybe also restrictiveness in some sense. So there can be some forms of workplace delivery which work easily and flexibly to devices, whereas this would be already working in a defined environment, and understand where you can allow other types of devices to be used for what.

And then go, as part of this entire, for instance, identity concept, towards adaptive authentication, which also includes a risk- and context-based authentication. So pick up these strategic elements: devices, shifts to the cloud of services or private clouds, really consequently going cloud first, and go for the identity fabric, which involves and includes such things as adaptive authentication, flexible federation and all the other elements. That's it.

Matthias: Okay. That sounds like a very straightforward approach. And I think that also goes hand in hand with the way that organizations are working right now. So many people think of this three-phase approach. So first of all, respond to the crisis. And that is where we are just right now: people are moving to cloud services just for the reasons that you mentioned, because they want to have access to their services, and if they are not accessible via VPN, because the VPN is failing, then you need to have a different way of working. So that is this response to the crisis. Then the next phase, hopefully soon, will be the recover phase. So really use all that you have and all that you have added now, to get to a stable and sound recovery phase. And the next step usually would be something like rebuild: build new services, and obviously leverage what you have learned in the meantime.

And I think this first step that many organizations just did, moving to cloud-based services and realizing that these work well as well, that maybe that is a good starting point also for moving to a more Zero Trust-like approach of working, by just having networks in between that you cannot trust, but you have adequate means in place to make this work safe and sound and secure. Okay. That was actually also some kind of summary from my side. So thank you very much, Martin, for joining me and for explaining the details behind the concept of Zero Trust, with a not that appropriate name actually, but the concept is interesting and it's really relevant. Thank you very much for joining me, and I'm looking forward to having you in a further edition of this podcast.

Martin: Again, thank you. Bye-bye.

Matthias: Thank you.