Thanks. So without further ado, let's just start reminding everyone that zero trust is usually kind of as a buzzword used in a very different context. And sometimes people just fail to agree on what exactly it means. Through the whole presentation, I would stick to the definition by the National Institute of Standards and Technology, NIST: zero trust is not an architecture, is not a product, just a set of guiding principles on how you design your IT and even some of your business processes in order to improve them with regards to your security or sensitivity or all of the other problems many companies are now experiencing. So yes, zero trust is not a product. Zero trust is not even a market segment.
In fact, zero trust is basically everything that encompasses the whole field of cybersecurity, identity and even goes beyond it. And zero trust sometimes is referred to as "trust, but verify". This is actually an old Russian proverb, but again, this is wrong.
The goal of zero trust is never trust anyone without verification, as Christopher mentioned. So zero trust means no implicit trust anywhere within your IT environment.
So again, this is just a concept, an architecture, a set of guidelines on how to design your IT. It definitely goes beyond just technology because adopting zero trust means you have to change some of your business processes, and even some of your kind of culture, if you will, within your company. Zero trust is definitely based on more than just identities because every access decision has to be based on not just users, but also devices, other IT assets.
And of course the resources, the data you are to access. But in the end, if you adopt zero trust, you will get immediate and very tangible business benefits such as dramatically reducing the complexity of your IT, eliminating lateral movement of hackers, meaning efficient protection against ransomware and similar attacks. And of course, universal business productivity for your remote workers, which are more often than not still stuck at home.
And of course, zero trust is a life cycle. It's a continuous process. It never ends if you will.
So I can hear some of you saying, okay, you had it. You had me at tangible business benefits. How do I buy into zero trust? Like where do I start? And I have some bad news for you, sorry, you cannot buy zero trust, but I also have some bad news for you. You don't really need to, because you might already have at least some basic, but important part of zero trust architectures in your company. You just have to understand how to connect them together.
And I will even go and claim that as opposed to things like blockchains or clouds or other great buzzwords of the past, zero trust doesn't actually force you to rip and replace anything within your company. And in that regard, I'm always thinking about zero trust as I'm thinking about feng shui, that ancient Chinese art of bringing harmony and peace in your home. And you probably know feng shui, or whatever people call it in the West, is basically an art of probably like rearranging stuff within your house. You don't have to build a new house.
You just have to maybe move some of your furniture, put in a water basin in the corner, or put a vase with flowers somewhere. And you just let the energy flow. If you will. You just follow this basic guide rules and guidelines and you achieve harmony. And of course there is more than one way to do it again. You just have to stick to the principles and what are the principles of zero trust?
Well, essentially they boil down to a combination of identity and security requirements. Again, all decisions have to be made per resource for each data source, every device, application, cloud service.
You cannot have any implicit trust. You have to validate every time you have to secure all the communications, obviously, and encrypt the traffic and so on. You have to enforce least privilege access for everything because nobody should get more access rights than they really need. Everything is guided by policies.
And those policies are guided by real time context based risk evaluation, because you have to know what's going on in every corner of infrastructure to make those sensible decisions, you have to continuously know that your assets are safe and their integrity was not violated. So you have to monitor them all the time. You have to use strong authentication everywhere, because if you cannot authenticate your users reliably, how do you know they are even your users and not some malicious actors.
And finally, you just have to collect every information and metadata you can from your infrastructure and use the data as telemetry, as a source of those policy-based access decisions. Sounds reasonable. Sounds fairly simple, I would say, but more importantly, nothing here is inherently new. All of these principles have been in use for decades. It's just the combination of how you apply them all together that matters for zero trust.
Every time people start asking questions, okay, how do actually implement zero trust? They are referred to this picture.
This is an illustration from a very important paper published by NIST, again, two years ago, which covers zero trust architectures. And again, this is a really foundational and important diagram showing how you actually implement that policy-based access within your company, but you cannot show it to your board and hope to get some money to implement it. It just kind of, I believe, it's a relatively unfair representation of things compared to the importance.
Therefore, I would like to show you a different picture. It's gonna a step by step explanation, how it's actually supposed to work. So obviously we have identities and endpoints, the users and devices on the left, and we have our assets on the right, the sensitive data, the applications for infrastructure, and we want to access them securely without any policy trust.
How do we do that?
Obviously, there is something that within, from the previous picture, the policy engine, which decides whether that identity or endpoint can access or not. And it's, I, I draw I've drawn it as a fuzzy cloud. Not because it has to run in the cloud, but just there is no strict definition what exactly how it's supposed to work. It's just a concept. And of course we have policy enforcements points, which actually make decisions and enforce those decisions. Can I access the data? How do I actually protect the data from malicious access? How do I even know?
I have to protect the data and the same question apply to applications and infrastructure. I have to know what's going on. I have to protect them from threats and I have to make decisions and enforce those decisions. How does it work? And by the way, I, I almost forgot the network.
Of course, that medium that connects all those identities and assets together. It has to be protected and monitored as well. And of course we have existing security and governance tools.
We usually connect security telemetry from all those three sources. And we can use this telemetry to make even better decisions. We can optimize our policy management. This is in a nutshell how zero trust architecture works in real life. So only question that remains what is hiding behind those clouds, if you will.
And I have some bad news and the good news: behind those clouds, all these security tools are hiding, because essentially zero trust involves everything. Every tool you have or can have to protect, to optimize, to monitor, to secure your identities, your endpoints, your data, and your network, and of course applications. And the majority of those tools you probably already have. So you actually, you do not need to rip and replace anything.
You just apply the rules of you, connect stuff together, you move stuff around and you make sure that those existing tools fill as many gaps you have as possible.
So only you can know which risks are the most important for your infrastructure. Only you understand the requirements and in the end only you can define your zero trust architecture. But of course, we are here to support you and as well as the vendors and advisors and everybody else. So you just have to start, you have to start today.
There is nothing inherently new or inherently complicated in zero trust in the concept, which would prevent you from doing this today, or ideally even yesterday, yes, implementing zero trust is a long journey. And yes, it requires a major long term strategy. And of course, if I had a whole hour for my presentation, I'd probably go through each of these steps and bullet points and explain how they connect together. That you have to start with some basic stuff. Like you have to know, what do you even have to protect in?
Whom do you have to protect in your enterprise?
You have to understand your key business processes and understand your risks. You have to define your policies based on those risks and identify your priorities. You have to look for solutions.
Well, basically you have to do the same job you have probably been doing throughout your, quote, adult IT life. But I guess this is not what you have come here for today. You've probably come here to look for quick wins. And I can tell you that while still staying on that strategic journey and still having long-term goals within your reach and mind, you can solve some burning, acute challenges today, leveraging your existing tools. You just have to identify them and you have to apply some zero trust guidelines.
The most obvious solution would be if you still do not enforce multifactor authentication within your company, do it today.
Even that alone, without any strategic consideration, it probably protects you from like 99% of external account hijacking attacks.
Yes, we might argue, does it actually have anything to do with zero trust or not on one hand? No, it doesn't because multifactor authentication existed long before zero trust appeared to the concept. On the other hand, this is like one of the major product with it.
And probably for many companies, the first step towards that long-term zero trust goal. Of course you have to implement privileged access management and enforce segregation of duties, at least on some key systems within your company, like your business applications or maybe finance department or anything else which is crucial to your company. It's your job to identify those risk systems.
But again, start small, implement quick wins: another step toward zero trust. And of course, if you do not have those tools available and you have to cover some new identity types, for example, like your customers, your partners, your external contractors, maybe you should embrace an identity as a service solution.
And of course you will learn more about those in our later presentations today. And the same approach applies to all the other aspects you have to cover.
You probably already have an existing endpoint detection and response solution or mobile device management platform, which can monitor your devices and identify whether they've been patched or, for example, free of malware. Connect those devices to some kind of a policy evaluation engine. Even if that engine is still like almost manually operated, even if it's still maybe a set of Excel tables, that's still better than nothing. Kind of evolve slowly: adopt, adapt, and improve your existing tools. And those maybe steps will eventually lead you towards the zero trust goal.
And again, networking is probably like the most important area to consider because network connects everything. And I am almost not kidding when I tell you, whenever your people return back from working from home through the pandemic years, do not let them back into your office LAN. Disable it completely. Even if they will be working from their office again, pretend they're still working from home.
That alone is a huge step towards zero trust because it'll kind of implicitly apply an additional level of segmentation to your network.
And of course you can continue moving those steps or maybe your VPN provider what's, they support hybrid operations where you just have to change policies to like from blanket coverage of the entire network, towards isolated access to specific resources. Consider deploying a software-based zero trust network access platform. You can do it within days, not months or years, and at least for some key applications, it would be a huge, quick win. And so on. The same applies to systems and applications.
I believe in one of the later presentations, I will be talking about adding zero trust directly into existing software using SDKs and tools, which are kind of built into applications. So you don't have to bolt zero trust network access as a later addition onto an existing architecture; it'll be built directly into it. So there's a huge potential for application modernization.
And again, it can be done step by step. You don't have to do it at once. And of course in the end, all that matters is access to your data. So discovery and classification is a must-have. Enforcing all its own security controls, which again, your database probably already has, is another step towards zero trust. And in the end, your goal is to ensure that your data is protected from every potential attack vector. So in the end, I would say the magic formula for zero trust is very simple. Zero trust cannot work without strong identities, policy enforcement and visibility.
And again, at least those two bookending solutions, the identity management platform, ation as well as SIEM or XDR for security operations, you probably already have.
You just have to add those small missing ingredients like policy enforcements controls managed from the central location. The question is where do you find them? So how do you buy zero trust end?
And again, you cannot, but you can buy tools based on zero trust principles, such as CASBs for cloud access security or identity as a service platforms, or even those secure access service edge platforms. Don't look for buzzwords, look for specific capabilities, understand which gaps you have, understand which priorities and risks you have to address and reuse existing tools as much as possible. And I would leave you with the last quote I really love to use in every IT-related presentation. Yes. In the modern IT world, you have to run as fast as you can just to keep in the same place.
And if you actually want to improve your security policy, if you want to reach the zero trust journey, you have to run at least twice as fast as that. So we'll start today, run as faster that, and we will be supporting you in the journey. Thank you very much.