In Accenture Technology in UK and Ireland, I'm leaning towards technology and security, sitting in between the various verticals and disciplines. So what is interesting is that we normally, I think, overlook a very simple thing with security. Who, by the way, has ever seen this statement, "school of law"? Because it's attributed to Dan Geer. I don't know if you know this guy, but I was blown away by @stake. Has anyone heard of @stake at all? Paul is obviously nodding, because he's been in the business for long, but late nineties.
These guys were the guys to go to in terms of ethical hacking, password cracking, anything that really led to breaking the Windows platform. So Dan was sacked from @stake at the beginning of 2000, 2001; he wrote an insightful paper about Microsoft and the monopoly of Windows, and that what Microsoft is doing is bad for the future of business and technology.
So that was a long time ago, and it's a very insightful piece of paper. If you look it up on the web, you can see some really good ideas in there.
So obviously we still use, we've been using Windows for the last, how many decades is it? Good.
Not sure, but still. So this is really important: how do you establish the empirical evidence that your security works? How many of you have been users of Netflix? Probably all of you are going to be raising hands. A couple of years ago, maybe not that long ago, I wept when they introduced the blocking of the proxy service, basically. So you could search and look at Netflix around the globe. You could look up a film.
If the movie is not within your country's database, you could go off to the United States or Sweden using the same account, appearing as if you're coming from that country, and you could watch that movie.
And I thought, how brilliant is this? I was using a very simple service, which is a Chrome plugin in your browser. You pop in, you're VPNing through their systems, job done. And then they started to gently, subtly change that message, saying you're using some sort of proxying service, apologies, but you're not going to be able to watch this content.
Please use your own country. Which really implies that they can rely on sophisticated control to say, okay, we know this guy's actually trying to break in and work his way through the network. But still, right, can they actually block you? Do they really want to block you? That's the main question.
No, they want to do that. Turning this and flipping it into the banking world, as KYC: how many people from the banking industry here?
Okay.
A couple of hands. So when I say know your customer, it's very important: over the decades, we've built a system to protect the customer.
And it turned out to be a sort of global surveillance system in some sense, because they want to know everything about you: have you been associated with these addresses before, some silly questions that you have along the way. And I thought this is really surreal, but still, I think the billions in terms of fraud, in terms of the losses despite the sophistication of the system, really imply that there is no empirical evidence that that stuff really works. And that really is the bottom line.
So how do we shift this into a space where you can empirically prove that your security really works?
What Paul has been saying a lot about zero trust is predominantly around the networks.
And I think the Forrester guys coined the term zero trust years ago; they looked into the space of data flows and the networks and the segregations and controls you can put in there. But look at the decentralization of the world that we know: how this has changed and evolved over time in terms of IT delivery model, in terms of data, in terms of supply chains, is mind-blowing.
Supply chain today is the physical supply chain, the software supply chain, the information supply chain. The information and software together are called the digital supply chain, and that is really converging now with the physical, because the physical instances you're trying to track and provide insights on back to the business somehow become bundled into one.
And it's really hard to distinguish.
So when Paul and the guys from Jericho decided to come up with a model, it really was working beautifully, but still, I think we have big duct tape across everything we do. You're trying to compensate rather than coming up with something that truly evolves with the business models that we have in our own enterprises.
So as you can clearly see now, we have multiple interactions between things, and you're really single tiny dots in that space of the extended enterprise, or however you want to call it, because you're not actually that big. You have your partners and everyone else on your pay list; they actually represent your business. How do you know that they do good security on your behalf? Whether it's the Googles, Microsofts, Amazons of this world, it still is a big question mark.
So speaking of centralization and fragmentation, I felt this is very important to say. I think Martin and the guys, and obviously a lot of vendors outside, and the clouds themselves probably previously, can relate to the customer-orientated model. So what has changed is this: I used to work for a beverage company, Diageo; if you have ever tried Johnnie Walker, it is their brand. But this is typically what you deliver, a product. So in the old days, it was really product-centric.
You have one product, multiple customers, no-brainer, it's easy, right? You're selling bucketloads of boxes of drinks, and that's pretty much it. So if you flip it to today, where it's customer-centric, you have these products revolving around the customer, and that really complicates the model in the sense of architecture, security, IT delivery, and everything else.
How do I actually sustain this? How do I make sure that this is ready for the customer-centric world and the age of the customer? Why is that important?
Because a friend of mine who leads the development part of the business at one of the energy suppliers in the UK, not necessarily just DevOps, but creating the business opportunity, said they've been having some insights with their customers, saying, can we bundle up new products for you? Can we bundle up partner broadband services, mobile operators, on top of the energy and electricity we sell you? And a lot of people turned back and said, we don't want any of that. We just want electricity and gas.
Many of those. It really makes you wonder, now that you're trying to come up with new business ideas. Some of the people are fairly simple: they want really simple products. But at the same time, you need to cater for other customers that want more, to entice them to buy your products, really reflecting again the decentralization of everything that we do. Okay.
Flipping now and focusing on data: why data is important. And I feel data is really the key.
And then we pointed this out many times, because I think we think about too many things in terms of what we need to secure. What we need to focus on: are those the devices, are those the identity management pieces?
What is cloud security? So everything can have the suffix of security. You just put the buzzword in front: big data security, incidents of everything, security.
What about those things? Essentially, if you ask yourself where you sit in this spectrum as a business, it will give you some indication of how well you're going to be able to define, you know, fancy defense.
If you are a business that's heavily regulated, if you're a pharma or a bank, basically you'll be sitting up the slope and going to be looking at, maybe, I need to spend more on defense. That's changing all the time with the open banking perspective.
Banks have done something tremendous. They've opened the gates via the APIs to other businesses to come up with new business models. So what does that mean in terms of data management? Data management really is about two things: one side of it is control.
The other side is flexibility. Are you willing to define security for flexibility? Security, flexibility: that doesn't necessarily work in the regular head of a CISO.
We don't really provide flexibility. We want really good security.
I mean, look at what Paul was saying, the hard shell around: it's really outside-in, making sure that everything stays close to what I think is the best way to protect the data, versus inside-out, where basically there are no boundaries whatsoever. You want to provide access to our partners and everyone else. So that really complicates things.
So think about this in terms of what and how security should work, because I feel that it really puts the balance between where you're making compromises and why.
We do have zero trust in the title, but I like to think zero trust seriously will never exist. And I think digital truth is what is the key, in this sense. Zero trust?
Yes, but essentially we're talking about the maximum truth in the stuff we do. Why? Empirical evidence of your security, that it is effectively operational and working: can I put trust in my data?
So if you look at this, it really can revolve around a simple idea. As professionals, we had the triad of confidentiality, integrity and availability. Let's flip it so we can understand the business context.
If we say protect access, protect development, and protect data, that really resonates better, because when you say confidentiality, integrity, availability, it's very difficult for people in the business to understand anymore. Is it relevant? If you're drafting a risk statement, how does it work?
How much confidence do I get if you say this stuff is actually leaning towards confidentiality, so let's encrypt everything?
Let's, I don't know, lock down our laptops, make sure the mobile devices are encrypted and so on. Let's make sure the channels are encrypted, VPN and everything, whatever that might be.
So is this really working for you as a professional, to say back to the business guys, if we do this, everything will be perfect? So start off with identifying, profiling, visualizing your data, where you can really safely say, I know where at least the structured data is within my business.
So if you remember the slide at the beginning, those small dots, that visualization could be across all of those dots, but you can safely say, I know where the data is, to protect and govern. This is really what comes to mind, as in the regular identity and access management: looking from the space of the user, the identity, the human, the machine, or a device where you want a fingerprint of some kind, so we know what kind of browser is coming to access the application, what kind of device.
And so on. But more importantly, what we're really hearing is machine learning, artificial intelligence in terms of UBA, geo-velocity. To take my point with Netflix, let's say we say they need empirical evidence.
So for them to confirm that that control is working: if I would be flipping from one country to another using the proxying service, one minute I'm in Sweden, next minute I'm in Austria, geo-velocity will trip that up immediately and say, it's impossible for you to come up in these two countries within two minutes, something's wrong here. So with some of the things they can put in place, you can clearly and safely say, yep, UBA works. I can stop this and issue a warning. But do they really want to do that?
No, because obviously they want more money. They want those 10 quid from you every month that you're going to be paying for, I don't know, HD or 4K content you use. Right? So working it out across these various business and technology domains, you can see the operational technology, information technology, and internet of everything. So imagine sensory of things.
So this uniformly works across all of these domains, and what it really points to is building that value and allowing you to build a platform to sustain growth, whatever market interruptions you're going to have, whatever compliance, legal, regulatory pressures you're going to have. That really pushes you towards that goal and really speaks volumes.
So coming back to data, we did talk about making sure that the boundaries are secure, and BeyondCorp.
I have issues with that. What Paul was pointedly alluding to, and looking into that, is basically that there's nothing new in that concept whatsoever. When you look at it, it really simplifies, modernizes the idea of again having another layer of defense around something that is deemed to be required or important, and really making sure that that fence is still okay. So this is the flip: saying the defense is okay versus what about data and digital assets.
So data could be anything: is it firmware sitting on your phone, or is it firmware on your thermostat? Is it executable code you try to load onto a machine? It could be anything: an API, a Word document. So making sure that the digital asset is okay is a very interesting idea. So making sure that you can provide the empirical evidence back to your business to say, yep, I can do this now.
So this is very complex. I was trying to make it as simple as possible, but let's say that we have zero trust, digital truth, in a digital supply chain. We want to instill this. We want to create something that will really make sure that we do have empirical evidence of things. So let's say we have executable code of any kind, something you want to load onto a machine.
Something we want to load onto, I don't know, maybe a controller in a power plant, something like Stuxnet was maybe 10 years ago, if you remember that malware that infected the power plants. Basically there was a compromise of firmware. So imagine that you have something similar you want to protect. So in step one, you can say, okay, what do I need to do to create a compromise-free state for this particular asset?
And I want to really make sure I provide evidence back at the end of this that this will be secure and safe.
So what it does is basically provide a risk scoring exercise. It provides the insights into the time, which I think somebody pointed out, how this artificial intelligence works. It's very important: the time, the data lineage and provenance of things. So you see how assets will be changing over time, because I think we as security professionals, seriously, when we get a breach, it's always going to be that point in time. What happened before, God forbid what's going to happen next, we have no idea. It's very difficult to establish.
So in this case, we have an identity of a tool, which we can say, just for example purposes here, is Carbon Black, FireEye, you name it; any of these vendors can actually provide how the risk score is generated.
It's based on the malware analysis. So we say that, and we really provide evidence, which is really a hash, a signature of some kind. Those two things move into the second phase, creating an entity where you can safely say that once it goes in there, it will be intact.
But more importantly, you provide the forensic evidence that you can go into and provide back to your business, to say, if something does happen, I do have evidence of these things taking place: who, when, why, what and so on. And you can provide that, and it is admissible in any court of law, if you want. So in this case, again, we have a user machine. You have the signatures of the above from stage one, but at the same time, you want to make sure the user machine submitting this is authorized for this action.
So you have an additional step.
And then again, you sign everything. Whenever you do this, there is a distinguished element in the blockchain, which will be having its own life.
And again, going into the blockchain, a ledger of any kind, at that point in time, you always have a time lineage as well: basically what happened in the past and what's going to happen in the future. And finally it goes into the regular phase, into security operations, and the guys sitting there monitoring are going to have information on this. The executable code will go over the air somewhere; it's got to be delivered. And then basically continuous monitoring will be doing its job.
So in the end, we do have evidence of this being empirically effective. We do have evidence that the data is secure, whatever that might be. And more importantly, it really is technology agnostic.
I'm not going to spend too much time on this, and it's a really broad topic, but what is happening with this, I want to say again, is the new triad emphasizing protect access, protect development, and protect data.
As I say, development, not necessarily DevSecOps; it just goes into the space of secure development and, as you know, the old secure development lifecycle phase. Those are the things we need to pay attention to: identifying, investigating where data sits, building data flows. All of the things around the networks, all of the things about the devices themselves will still exist, don't get me wrong.
But as to whether those things are really critical for you to establish zero trust or digital truth within your business, I don't think they're necessarily vital, because you're going to be still doing them, but not really focusing that much on them. Data strategy position: as the slope was, identify offensive, defense. You need to ask yourself where you sit in that spectrum.
How this will inform your security and architecture is very important.
Bringing protection closer to data.
As the previous example was showing, this is where the integrity verification is important, versus anything that is confidential. With BeyondCorp and what Google was saying, I have a big issue. They have a trust repository in there. The last component is sort of flexible trust, certificates and everything else. As we all know, they rely on secrets.
Anything that is really revolving around regular encryption: I have issues with secrets, because secrets tend to be revealed, and then everything collapses. In a sense, you get into exposing the news, you have a breach. So with integrity as a very critical element of your data security strategy, it becomes very important that you don't even need to have an encrypted channel to pass these things around.
Those signatures I was referring to earlier, they're not sensitive.
They're just really a 256-bit hash using the SHA-256 hashing algorithm. There's nothing sensitive in there. So when you look at that, it really offloads your current mindset in terms of where we need to look to achieve security. Zero trust, digital truth as I would say, cannot be achieved unless at least we prove the following: identity, time, integrity, and provenance, whether it is a human actually interacting, or a machine, a system of some kind.
And it's very important that we have these things in mind. Imagine the audit that you have today: you're coming in six-monthly or whatever that might be. You walk into the vendor's environment. You want to audit, you want to confirm this is really good. They're going to issue various certificates, various signs of their compliance with security standards.
How do you know that? With this, with something like this implemented, you can safely say, do I really need a security audit process at all?
Because at any given point, you can verify the authenticity of the user, machine, data or digital assets you were trying to protect. Cross-discipline integration, interoperability, collaboration. So imagine this: you have developers. We're going to talk about this more tomorrow in the application security sense, but you do want to implement these things across operations technology.
IT: you do want to make sure you have links and interconnections between development, CI/CD, QA, operations. You need to make sure that whatever goes to Splunk has actually been the event taking place, and is taking place as of now, rather than something that we tripped by accident. Real-time notification really brings things to life.
Again, you want to know when things do happen, why they happen, and so on. And finally, I would imagine with some of this, which is relatively progressive and unconventional, we need, within the business, and at the same time people advising from the outside, such as distinguished colleagues from co a call or Accenture, we need progressing minds in there. And I think that progress will lead us to new horizons of security, which hopefully will be something far more efficient than it is today. Thank you.
Thank you.
Yeah.
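The pipeline the talk sketches (hash the asset, record the analysis tool's risk score under the tool's identity, check that the submitting machine is authorized, chain every record with a timestamp so anyone can verify the asset at any later point without secrets in transit) as an added example; this is not code from the talk, from Accenture or from any vendor named in it. It assumes Ed25519 key pairs for the tool and the machine, an in-memory hash-chained ledger standing in for the blockchain the speaker mentions, and a constructed firmware image as the digital asset.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Actor is an identity that attests: the analysis tool in stage one, the submitting machine in stage two.
type Actor struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewActor makes a fresh Ed25519 key pair (assumption: real keys would live in an HSM or TPM).
func NewActor(name string) *Actor {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand; a failure there is fatal anyway
	return &Actor{Name: name, Pub: pub, priv: priv}
}

// Entry is one ledger record answering who, when, what and why, chained to its predecessor.
type Entry struct {
	Timestamp string
	Actor     string
	Action    string
	Artifact  string // hex SHA-256 of the asset: not sensitive, safe to send in the clear
	Detail    string // e.g. the risk score the analysis tool produced
	Prev      string // Hash of the previous entry, empty for the first one
	Hash      string // SHA-256 over the fields above
	Sig       []byte // the actor's Ed25519 signature over Hash
}

func (e *Entry) digest() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s", e.Timestamp, e.Actor, e.Action, e.Artifact, e.Detail, e.Prev)))
	return hex.EncodeToString(sum[:])
}

// Ledger is an append-only hash chain plus each actor's public key and the one action it may perform.
type Ledger struct {
	Entries []Entry
	Keys    map[string]ed25519.PublicKey
	Roles   map[string]string // actor name -> permitted action
}

func (l *Ledger) Register(a *Actor, action string) {
	if l.Keys == nil {
		l.Keys, l.Roles = map[string]ed25519.PublicKey{}, map[string]string{}
	}
	l.Keys[a.Name], l.Roles[a.Name] = a.Pub, action
}

// HashArtifact is the "signature" the talk refers to: a plain SHA-256 of the asset bytes.
func HashArtifact(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Append records an action; the role check is the "is this machine authorized" step, the signature binds identity and time.
func (l *Ledger) Append(a *Actor, action, artifactHash, detail string) error {
	if l.Roles[a.Name] != action {
		return fmt.Errorf("%s is not authorized for %q", a.Name, action)
	}
	e := Entry{Timestamp: time.Now().UTC().Format(time.RFC3339Nano),
		Actor: a.Name, Action: action, Artifact: artifactHash, Detail: detail}
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	e.Hash = e.digest()
	e.Sig = ed25519.Sign(a.priv, []byte(e.Hash))
	l.Entries = append(l.Entries, e)
	return nil
}

// Verify replays the chain: links, hashes and signatures must all check out, so altered or forged records are caught.
func (l *Ledger) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		pub, ok := l.Keys[e.Actor]
		if e.Prev != prev || e.digest() != e.Hash || !ok || !ed25519.Verify(pub, []byte(e.Hash), e.Sig) {
			return fmt.Errorf("entry %d: altered record or bad signature", i)
		}
		prev = e.Hash
	}
	return nil
}

// ArtifactIntact is the "verify at any given point" check: the bytes in hand must hash to what a valid ledger recorded.
func (l *Ledger) ArtifactIntact(data []byte, action string) bool {
	want := HashArtifact(data)
	for _, e := range l.Entries {
		if e.Action == action && e.Artifact == want {
			return l.Verify() == nil
		}
	}
	return false
}
```

Usage follows the two stages in the talk: register the tool for "scan" and the machine for "submit", Append the tool's risk score and then the machine's submission for the same artifact hash, and later call Verify or ArtifactIntact from wherever the asset turns up (the controller, the SOC). Nothing in the ledger needs a confidential channel: the artifact hashes are public, the keys that matter are public, and only the private signing keys have to stay with their owners.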