Paul, do you want to start?
Okay, so, very briefly: I'm a fellow analyst at KuppingerCole. In my day job I specialize in the future of digital identity, and I'm an ex-CSO, many times over, for global corporations.
What do I see in terms of futures?
For me, the key is understanding context. We've heard it before: it's this entitlement and context thing. If we're going to make this stuff work, whatever technology you choose to employ, if we're going to get better at it, we need to get contextual analytics better in the moment. Context is really difficult, especially if the devices and the people are outside of your control. So it goes back to this locus of control thing. I can make it all work as long as you play inside my locus of control, and there's the flaw.
So if we're going to design for the future, it is about how we can understand global context. Can I leverage a global identity ecosystem for devices, code, people, organizations, agents? And the answer currently today is no. And that's what we need. If we can fix that, we can put a huge dent in the bad guys.
Okay. Dragan.
Hello again. You've heard from me before, but before joining Accenture I had been in the business for about 25-odd years. I spent some time with some startups in the space of emerging blockchain technology.
If you have heard of Guardtime, that's a blockchain company. Before that I was with KPMG, and chief security architect with Diageo, the drinks company. So from my perspective, I feel that we are seriously flawed in the department of identifying what we need to protect. All of this good stuff and technology that we have in existence today really falls apart unless we have a target, unless we have a real view of what we are trying to provide to the business.
What are those things that we need to protect? What are those digital assets? How do we traverse multiple realms of trust in data proliferation, which is very important?
If you ask anyone today to safely lift their hand and say, "I know exactly where my assets are", please talk to us, talk to me, I really want to learn from you. And that's the veracity aspect, which is really what Paul was talking about. The context is really providing the integrity elements of it.
The provenance and the context are really critical for the data veracity that we are trying to aspire to. How do I know the artificial intelligence system will be presenting, or working on, a trustworthy set of data? How do you know the data is complete and unchanged for something to happen?
Do I put the brakes on a car based on that elemental data set, or do I run over the person in front of me? So that really is critical. And I think it is shifting from the space of cybersecurity to safety, and it is saving people's lives. Yeah.
Okay. Torsten.
Yeah. Torsten George, chief evangelist at Centrify. I have been doing security for more than a decade, a lot of the time involved in risk management solutions, governance, risk, compliance. And for me, it's important when we talk about this topic of risk that risk is security's new compliance. In the past,
a lot of organizations have focused on that checkbox mentality. Fortunately, over the last two years, we have seen them move towards a risk-based approach. And for me, risk comes back to context. Of course, risk is determined by multiple factors: by vulnerabilities, by threats. And you have to take these into account. And then, going back to the fundamentals of cybersecurity, for me there are two things that you have to get in line, and that's identity and that's data.
When you look at today's cyber attacks, only 0.6% of attacks strive to take down your network; the rest of the time they're there to exfiltrate data. So in reality I could make a bold statement and say: I don't care if you're in my network. What I care about is that you're not exfiltrating my data and that I know who is trying to do it.
Okay. Thank you.
So we already touched, in one of the former presentations, on the term zero trust. And when I look at what you've just been saying, it is: we need to understand where our assets are, our critical assets.
And Paul, yesterday you brought up a statement saying there are usually maybe 20 really critical IP addresses, so to speak, going down to the network, but in the end it is systems where your crown jewels, so to speak, reside. So the interesting point is obviously, a little bit provocatively said: knowing that there are few really critical systems and assets, shouldn't we put a very strong fence around exactly these systems, as sort of the top of the pyramid? You could say this would be contradictory to zero trust.
I think the world has changed.
I think up until six years ago, yeah, we had these 20 IP addresses that we knew about. But today I can pull out my credit card as a marketer, I can subscribe to a SaaS service and put all my customer data there, and my IT guy doesn't know about that IP address. So things have dramatically changed. And from that perspective I can no longer build a fence. I have to apply a concept that allows me to verify who's accessing what and really put limits on that.
So,
So what you were saying is we have a sprawl of crown jewels, and we don't even know in which bunker our crown jewels are, so to speak. And that means we have to change the concepts.
So, no, I don't think so. I think the fundamental truth hasn't changed, which is: if you move all your marketing data into the cloud, which is what happens in reality, that just becomes one of my 20 critical systems. It's just not inside my network anymore. The fact is that we still need to protect it and potentially, in a zero trust network environment, front-end it with something that says: here are the conditions under which you are allowed to access this data.
I think the fundamental truth is still the same, because it's what you should have been doing when the data was inside. All that you've done is move it to the cloud. And the reality is that people are moving more and more.
If you look at my future-state network that I drew up,
the only thing I had inside was SAP, and even then you can probably move that to the cloud these days. But ultimately my suspicion is that for a lot of organizations, you are going to want to closely couple your production to your ERP system with a known degree of quality of service on the network between the two. But that's probably about it. Everything else, let's assume it goes to the cloud, but let's put the same amount of protection in front of that. And I like that sales point.
We're using the entitlement word. Entitlement is a great word. We coined it originally for the Cloud Security Alliance; if you look in Guidance version three, it's a great word because it says: are you entitled to access this data?
So I would agree from the security concept.
I think what I'm talking about is really the challenge of knowing that this data resides at this outsourced SaaS application. That is really the challenge that the practitioner faces every day.
Just a few points there. I think what is important with moving the data, externalizing the data, is what effectively happens.
Your architecture changes, your data flows change, your footprint in terms of what you're looking at now, in terms of interactions, really multiplies. So although you've only physically changed the location of the data you deem important, the things you've been doing internally no longer really apply. The principles are still the same, you still have the same objectives, but achieving that level of security completely changes, picking up on what people are talking about.
Maybe somebody mentioned it earlier, but cloud access security brokers, CASBs, came into focus because cloud-to-cloud interactions are now a reality. How do I know that your staff data that is already in ServiceNow, in Concur, in HR systems everywhere, in Workday, is not really being used for other purposes? How do you know that that stuff is not exposed to an unauthorized, not entitled, party to see the data?
So that really puts things into perspective for your data provenance elements, for data security: what happens, do I really know how data moves around? Can I really safely say, guys, I have no idea?
Yeah.
So what you're basically saying is, it's still the same ones, it's still the same critical data, but we don't know, or it's not stable in its location anymore. Let's phrase it like that. So in former days it was in our data center; right now it's somewhere. I think that's a challenge, but it's a matter of fact that it's still certain types of data which are to be considered critical. And I think we also can discuss which data is critical and which is not. I'm not a big believer in that. So to which extent is it critical?
So there is the aspect of what happens if you lose the data, or what can you do with the data. And the other thing is how critical is it to always have access to it? So for instance, I don't believe that HR is a system where you have a high availability requirement the same way as you have on a factory floor.
So on your factory floor, if your belt stops, it costs money immediately. If your HR system is down for a day, yeah, it's a problem, but will that kill your organization? And so I think there are different ways, but that's one part of it.
We need to understand what is critical, and we need to get better at understanding where it is. And due to the fact, and that's what I take particularly from what you said at the end, that these flows and the locations of the data and all this stuff are different, we need to apply other types of technology, because we can't just say, okay, it's always there, and because it's in the data center we put something around the data center. Because all this is far more volatile, we need to be more flexible. And that's where provenance, where context and other stuff comes in.
So in the end, that would mean, yes, we need what is commonly called zero trust security, and probably it is better interpreted as a lot of elements in security, a lot of pieces we build together to have sufficient trust. Or would there be another interpretation of what zero trust security really is?
Again, I would say it's a change in the mindset. And when we talk about data flow and when we take the example of me moving my stuff into shadow IT, it's a change of mindset as an IT security professional. In the past, I was overprotective.
I created rules that were very restrictive. And if I'm restricting somebody, they always will try to find a shortcut. So I have to change my mind and leverage technologies like CASBs that are non-intrusive. And I can tell you, marketing department, we are completely open to you signing up for a SaaS application. The only condition that we have is that you use a CASB, and that satisfies our policies. Yeah. A CASB is non-intrusive. So that's a change of mind.
And that's the important part.
Is it not also part of, I think I brought this up as well, part of this change in mind that, so you've talked about the overprotection, I think, which is one element: we create firewall rules until no one understands the firewall rules anymore, which is, I think, the reality for most firewalls actually. But it's also, I think, shifting away from this all-eggs-in-one-basket approach we, so to speak, had in security.
So we build one thing which is super secure, but if this breaks, we have scrambled eggs. And saying, okay, we move more towards something where we have a lot of baskets which help us to protect things, then in the end, probably with less attention to the single basket of eggs, because if one basket of eggs falls down and the eggs break, okay, we have some scrambled eggs, but we still have a lot of eggs which aren't scrambled yet.
Isn't it probably, from an analogy perspective, also part of that thinking?
Yeah. I think a layered approach where we account for different use cases, meaning I'm not just a privileged user, I'm also an end user. So I should be exposed to different ways that I'm authenticating. And by doing that, I basically put a layer on top of it. And even if I'm a privileged user, I might have measures that run in the background that make sure that if somebody compromises my credential, there's a backup that picks up on the intrusion and alerts me.
So it's really layering the approach and not having one approach that applies for everything.
Paul. But I'd probably argue that this is not an IT or even a security problem. Ultimately, this is a business problem. So the original definition we were talking about yesterday, for those who weren't there, and I said this is something I inherited:
when I started as CSO at AstraZeneca, they said we have a critical set of 20 systems. And their definition was very simple: is it share-price affecting? Forget anything else, forget the technology, forget the GDPR or what went before it or anything else. If this goes wrong, is it share-price affecting?
So yes, if you lose tons of highly sensitive data and it gets out to the market, yes, it's going to be share-price affecting. If our production system goes down, or we produce tainted drugs, yes, it's share-price affecting.
It doesn't matter; it's what works for your business, but that was their definition. And that works really nicely.
So I'd argue, if you take that definition and say: if I choose to go out with my corporate credit card as the marketing department, and I choose to take the data out of one of those 20 systems and move it into the cloud, and I do it arbitrarily without telling anybody and the business doesn't know about it, actually you should be sacked. It's as simple as that. It's got nothing to do with IT or anything else. It's the fact that the business needs to understand where its critical systems and critical data are.
And if you want to move them, it had better be part of our strategy.
Dragan. Another point on this is that we should perhaps look at security in this context, the zero trust or digital trust, as a business enablement service. What is essentially the problem? I think we are constantly portraying this as the notion of some sort of level of compliance, some sort of risk mitigation service that we provide to the business.
Yes, of course, this is the sort of given, but what is really difficult to portray to business people when asking for the budget, okay, we need to invest here and there, this is what we want, is reflecting this in the context of what kind of confidence you're providing to the business that they will be there tomorrow.
What Paul was saying: what is the impact of this on us being able to sustain growth? Can we sign up 2 million more customers in the next two years?
Can we diversify our products in a sense that we can still use 5,000 more partners to support us without breaking our architecture and security models and principles and everything that we have in place? I think this is ultimately the key for all the security professionals. Can you safely go back to your business and say, you know what, guys, ten years from now,
we're good? Okay, I know that there's not going to be a major disruption or whatever, but if you do an acquisition or merger with something, how painful is that process of integration? How painful is aligning both organizations to the same level of a notion of security? Can they champion security, especially if they're at a lower maturity level?
If you look at it from that perspective, that is really painful. So giving back that sort of enablement, and thinking about truly being flexible and always in flux, is the key. And I feel we do have products and services to give us that perspective on how we enable the business, but we tend to forget those things from time to time, which is a bit annoying.
So yeah,
No, I completely agree. I think with all the data breaches that we read about, we have been so focused on protection, protection, that we forgot it was meant to support the business, to run the business. That was the core function, not defending it. And so finally you have the opportunity with a zero trust model to really architect your environment so that it supports customer transactions, supports partner transactions. In my presentation earlier I showed some of the results.
We ran a survey among a couple thousand customers and prospects who had started implementing zero trust. And based on that, they were far more confident in dealing with their vendors, in signing on remote workers. They were no longer worried that there would be insider threats. And Google's a good example: they haven't seen any threats since they deployed their zero trust model. There have not been any phishing attacks at all, zero, and that's published. And it's also important, going back to the DevOps initiatives, to really incorporate that into the zero trust model.
Because that's really empowering your business. That's the agility that you need.
Is it not exactly that point which would lead us to more of a security design aspect as well, that there's a very tight interplay between DevOps or DevSecOps on one hand and the entire agile business, digital transformation, you can take one buzzword after the other, and zero trust security on the other. So without zero trust security, the other things will not really work. But on the other hand, they need to understand this concept of zero trust security as well to finally work.
Because if we say we offer all of that, and they just do what they want on the other side, I would doubt that things really end up in what we expect to be an agile and secure business.
So one of the tricks behind doing this is, if you like, a set of patterns.
So first of all, and we talked about this yesterday in the risk workshop, understand at what level risk should be signed off, whatever the risk is. So you need to sign it off high enough to actually get the right level of approval, but low enough so that the person signing it off actually understands what they're signing off.
If you can get that bit of magic happening, and you couple that with a set of patterns for: if you're going to deploy this kind of service with our current architecture, whether it's hybrid or fully de-perimeterized or fully zero trust or whatever you want to call it, with our current architecture this is the pattern you should use. Now, to put that into practice, exactly what Torsten was talking about within the marketing department: they are allowed, for their data, to take the risk, because it's their data, according to this pattern, which is: if you're going to put it in the cloud, you must put it behind this CASB.
So here you have a very nice agile way: you're letting them, because they're the correct people to take the risk, because they know about it, do what they need to do to do agile business, with security signing off saying, you will use this CASB because we are happy that it meets our overall security plan. And that's a really neat, agile, risk-minimizing way to work for a business in the future. And you can adapt that.
So when your architectural pattern starts to change, or you say our architectural direction is to move to fully zero trust in five years' time, you know, today we're going to use a CASB, but in your roadmap you've got: tomorrow, or in three years' time, we'll be using this type of product; it may not exist yet, but it's going to have these attributes to deliver this business functionality that we need to do this and enable that.
Who wants that?
Try again,
Just a few points. I wasn't there yesterday, so I don't know what that workshop was about. So obviously risk is very important, but what I see going wrong is defining the risk in the first place. And it's happening over and over again, because the business will take action on a risk, but in the first place you need to get your risks right.
And I think the sort of elements you take into consideration now, there are various methodologies and things you put in place, but I feel this should be more scenario-based. This should be more of a business-process-driven exercise to define how various departments around the business use data.
What kind of technology enablement services do we have within the business?
So we can define what is the overall risk for the business as an architectural representation and where you need to take considerations into account. Are we ready for this new age? And I feel the confidentiality, availability, integrity you put alongside those risk statements is completely meaningless in today's world, because somehow you need to put CIA in just because your template implies it.
And then you realize, okay, your mitigation plan is completely wrong, and it really revolves around that idea. So the perception of risk and the definition of risk, which is very difficult, obviously, I think becomes a science together now.
Okay, so we have two or three minutes left. So I would move to the closing remarks of each of you, maybe a little bit around one of the questions we had prepared up front: should companies build zero trust security by design? Maybe we add a "how" in front of that.
So how to do that: a very quick, short and concise recommendation. What is your best advice you can give on that? Do you want to start?
Sure.
So for me, as the other keynote speakers pointed out, zero trust is a journey. There's a path to the journey. The path will differ based on who you are, what your business goals are. So you have to be flexible, but at the end of the day, for me, zero trust starts with identity and is followed by data, ensuring data integrity. These are two foundational elements for zero trust, and building around that later on will make a lot of sense.
Okay.
Sorry.
Just final thoughts: again, coming back to the data strategy perspective, that really will inform the architecture and security you desire and your business will require. And from that perspective, whether you're on the spectrum of control or flexibility will define the level of security, the type of security you need to put in place. Some of the emerging concepts, which go beyond the typical security things we have had in place for decades, would definitely help.
And if we think that it will take time to mature, I think they're already there to be materialized for the goals of the modern enterprise, as in data veracity for verification purposes, and clearly providing that back to the business to say, guys, we are here to enable the business rather than just protect it and make it compliant.
Paul.
Yeah, for me, it starts with working with your business to understand your business. If you don't understand the business and what their business drivers are, actually you can't develop an architecture to enable it for the future.
So it's a joint exercise, and it starts with that. And from that you end up with a roadmap, and from the roadmap you end up with technology solutions for today, in the knowledge that those technology solutions will need to evolve for the future. And that's ultimately how you pick your partners.
Okay. Thank you. And it's always good to start with the strategy, not with the tool, so to speak. Thank you very much to the panelists for this very lively conversation.