Zero trust is probably the buzzword of the moment. Now, this is not KuppingerCole research up here; this is purely a Google search. I did a very quick Google search, and these are literally the companies that came up using zero trust somewhere in their marketing. It's not to imply anything about any of them other than that they appear in the Google search. When you put in "zero trust", as you can see, loads and loads come up, and I could have kept going. I thought, well, I can't put any more on there, because it'll become an eye test and get too small.
The thing to say here is: pick your products with care, because how much of zero trust is just the latest marketing buzzword? It's our old technology product, and marketing have badged it "now with added zero trust". I've been in this industry far too long, and we joke that security is a bit of a fashion parade at times, with the latest buzzword.
So yes, select your product with care. Let's just talk about what zero trust is and what it isn't. I was privileged, and privileged may not be quite the correct word, probably 12 or 13 years back, to actually be present when John Kindervag in Boston presented his first talk and coined the buzzword zero trust. So, in answer to Martin's earlier question:
What does zero trust mean? John defined zero trust as being zero trust in your network. Of course it's been a little bit adulterated, because now it's zero trust on every single product, but John's original thesis was that Jericho had it right: the border is disappearing, and therefore you have to design for zero trust in your network.
So let's look at what zero trust is and what it isn't.
First of all, it's a state of mind. It's an architectural state of mind. This is about security architecture done right, and that's really difficult, because traditionally what we've done is come on the back of the network and bolted products on. You can't do that anymore when there is no difference between the intranet and the internet.
I was CSO for a very large global pharmaceutical company for a number of years. We had 140,000 IP addresses on our intranet, an intranet that went into 50 countries, including Russia and China, and was effectively flat. Now, if anyone cares to argue with me afterwards over a drink that that is anything other than the internet, for all intents and purposes: trust me, we had Chinese state intelligence on there, we had Russian state intelligence on there.
We knew that. Our design criterion was: this network cannot, by definition, be secure.
It's a business enabler. This stuff, done right, enables your business to go faster, quicker and more securely. It's a combination of process and technology, as you've heard before; I think you heard this in the keynotes. No lateral movement, reduced complexity. Complexity is the enemy of security at the end of the day. If you make it too complex, people either don't use it, can't use it and therefore bypass it, or it doesn't work for people.
And security are just the people that like to say no, and therefore the business bypasses security; we've seen that with cloud. It's a unified experience if you get it right; it doesn't half work for everyone, not only your users but also your joint venture partners, what we call frenemies. Anyone heard the term frenemies? A horrible Americanism. You compete with a company in one place, and you're in a joint venture with them in another place.
Especially in the drug industry: you'll be developing a drug jointly, but actually you'll be directly competing over other drugs. But of course we need them to have access to research networks and other places. What zero trust is not: it's not about trusting no one.
It's not a next-generation perimeter. It's not VPN mobilisation. It's not an off-the-shelf product. You cannot go out and buy this; you have to architect it. If you take nothing else away from this talk, please take that away. It is about architecting for the future. It's not an IT-only project.
The business has to be involved, and it's about continual evolution. Hopefully you'll recognise this. This is what our networks used to look like circa 1990 to 1995: castle and moat design. We had photocopiers and a little bit of corporate email, and we had started buying corporate laptops in 1995 or so. So the pressure came to say, look, could you put some wireless in? And about 2003 or 2004 we started to put wireless in so that we could connect all those corporate laptops we were buying.
Everyone recognises that? Does anyone still operate in that environment?
What does today's business look like?
Well, much the same. The difference is: does anyone buy desktops in any quantity here? No. If you talk to Dell or HP or anyone else, corporates buy 90 to 95% laptops. And of course we don't just buy laptops anymore. We buy Windows PCs, tablets, MacBooks, iPads, Chromebooks, you name it, depending on the spending power of the executive and on which company and what the corporate culture is. It could be anything, so goodbye to the gold build that we used to have with the corporate laptop. It's anything goes. Corporate smartphones?
Well, guess what? Now all the staff have phones and smartphones, therefore we've got a BYOD strategy. (Oh, the build's wrong; the build will come in a second.) Photocopiers and printers: outsource the management, of course.
Does anyone still run their photocopiers inside their organisation? No, didn't think so. So guess what? You're drilling holes in your border so that that outsourced management company can manage those printers. And printers are what? A Linux box with a dial-up modem for fax, still. They haven't been patched. Does anyone patch their photocopiers, which are Linux boxes? Why aren't you patching photocopiers? Because, guess what, it's the biggest entry point into your network, and it's got a gigabit port on it.
So once you can compromise that photocopier, or that Linux box inside the photocopier, you can jump off anywhere inside your organisation. Third parties with their own laptops; and because of these two, we've added guest wireless networking. And what else have we done?
SaaS: email, office apps, storage, back end, et cetera. We are playing with IaaS and we are playing with PaaS. And we've still got some legacy systems inside that good old DMZ. And what are we doing as an industry? Everything looks like a band-aid, doesn't it? We're putting sticking plasters on to make this lot work for the business. And remember when we said up front that complexity is the enemy of good security.
Well, here we are, and that's where we are today. And guess what? The bad guys are taking us for a ride. So what does tomorrow's business look like?
Well, it looks much like today's business, but we're going to think about it differently. So here's a zero trust business. Probably the only thing we're still doing inside is ERP, because it needs to be closely coupled. We actually put our plant and manufacturing online. Why? Because if you want to do things like just-in-time production, then your just-in-time partners need direct access to know what's going on in that plant. We've been doing it for a long time with OT. So if you've got a contract with someone like British Oxygen to supply a nitrogen tank, guess what?
They've had a sensor on that tank so they can keep it replenished, since about the mid-nineties. It originally started on a dial-up modem, then moved to an internet connection, et cetera. We have partners who can direct-connect, because they need to direct-connect into our business; that's our business model.
Our users expect to be able to work seamlessly from wherever. Of course we've got the Internet of Things coming, and if you've got the Internet of Things coming, you've also got 5G and IPv6. That's what tomorrow's business looks like, like it or not. It's coming to a business very close to your heart. And what does it look like? It looks like a Chinese bazaar. Everybody sits on that network. Why? Because it's open for business, and that's what the business wants. So how do we do this? From a strategy point of view, you need a strategy. Rip and replace sounds good; it doesn't work.
If you've got an existing business, you cannot rip and replace it, as much as Cisco, who did the previous presentation, would love it, because the bonuses for their salesmen would be fantastic. You are not going to rip and replace your entire global network with brand new Cisco routers with the latest IOS on them. You just can't afford to do it, or most people can't afford to do it. The exception is Google.
Reduction of complexity; hybrid. You can read it for yourself. Key assets are the big thing.
Identify where your key assets are, and the business needs to tell you this. The fact is, most businesses don't have more than 20-odd key systems which are share-price affecting. And if you don't know where those systems are, you can't design your business around it. Why is it 20? I don't know.
Actually, when I joined AstraZeneca, they ran on 20, and I challenged them and said, why is it 20? And they said, we don't know, it just works. And I haven't really found a business yet where it isn't round about 20. You are never going to achieve this in one step, and reuse what you can. Data asset discovery, absolutely; data classification, data flows, data protection, data security analytics. It is all about the data. Data is what we're trying to protect here, not the network.
The network is just a method of getting packets of data from one place to the other, whether it's the internet, the intranet, or anything in between.
You've heard this from other people: identity is key to this. How do you put trust back into the system? User identity, device identity and context. Identity context is the really important thing here, and you'll see why in a minute. Networks: no DMZs or VPNs anymore. No security perimeter, not as such. You might still have an intranet, don't get me wrong.
You might want to pay for an intranet, but philosophically, think of your intranet as a quality-of-service boundary. It's there to make sure those packets transit between two points in your network in a defined, known time. It's not there as a security boundary. It has to be application- and user-centric; it has to have authentication, authorisation, et cetera. And there's more than one way to implement it, because again, this is about architecting it right for your business.
Micro-segmentation, lots of tiny firewalls, software-defined perimeter, identity-aware proxies: there's lots of stuff out there that you can use to build this. And ultimately you will have legacy. So if you're going to embark upon this journey, you need to understand, with the business, what stays as legacy and what needs protecting.
I was faced with a microscope in a lab that was running XP, and we were trying to eliminate XP from our estate. We had nine instances of XP left in the entire global network.
One was connected to this microscope, and I had a discussion with the business and said, come on guys, 50 quid for a licence, please just upgrade it. And they said, we can't. The microscope cost about 2 million, and it only runs with XP because the company's out of business and it's all 32-bit or 16-bit or whatever it was.
So it isn't a 50 quid upgrade; it's a 2,000,050 quid upgrade if we want to fix the problem. So we put it behind a baby firewall. Easy job. Lots of ways to do it. Data diodes are great; if you've never discovered data diodes, Google "data diodes", great tool. But it's going to be a mix of that to deal with your legacy.
Access management is absolutely key. Again, you've heard this, so I'm really not going to repeat stuff: least privilege, centralised, dynamic and adaptive. Adaptive is again really key here.
Open to new authentication methods. And ultimately you need to monitor and audit, because you need to know what's going on. But it's not necessarily a question of monitoring the network, although you might choose to do that; you need to monitor the endpoints. You need to monitor where traffic is hitting data. So where traffic intersects with data, that is where you should be monitoring. Because, as they say, if you do this properly you are moving to encrypted protocols, and at the end of the day, yes, if you've got port 80 running through a firewall, you can monitor it, because it's unencrypted. But if you've got 443 HTTPS running through a firewall, what can the firewall do? And the answer is: not much.
You can do some clever packet interception on it with certificates and other bits and pieces. I really wouldn't recommend that, because when your users want to go and get their bank details, you're intercepting them, and they don't like that. And of course the new generation of TLS is breaking that anyway, so you're not going to be able to do that.
So why bother? Plan and architect around it. So: monitor, detect, audit and adapt. Adapt, again, is really key. This isn't a one-stop shop: buy it, fit it, forget about it. This is about continual adaptation, and it's a journey, simple as that. I think you've got that by now.
And everyone's been saying this: trust, but verify. The interesting thing is that "trust, but verify" is attributed to this guy, Ronald Reagan. The phrase he used, and I'm not sure he knew he was using it in this context, is actually a Russian proverb. So to use it for the SALT treaty against the Russians is quite ironic, but that's where the phrase comes from. So let's have a look at a quick example, and I'm really indebted to the guys at BeyondCorp and Google, because these are public domain slides; they made these slides publicly available.
So I'm stealing with pride.
BeyondCorp at Google: if you haven't heard of BeyondCorp, go and Google it afterwards. BeyondCorp was a six-year plan, starting in 2012, to move Google into a zero trust environment, and they've done it. This is their mission statement.
As I said, thanks to Rory Ward. I've seen his presentation twice; he does it really well. After this, it's on YouTube: he did it first at RSA two years ago, and it was videoed and is publicly available. So if you want to see Rory do this presentation, he'll do it much more justice than I can. It's really good. Google it; it's on YouTube: RSA, BeyondCorp, Rory Ward. But here's his six-year mission: to have every Google employee work successfully from untrusted networks without the use of a VPN.
In other words, any Google employee can go into Starbucks or onto the campus, and the security model they are using is 100% identical. It makes no difference where you are physically located.
So what are the principles? Principle one: connecting from a particular network must not determine which services you can access. In other words, the user experience is identical wherever you are. Two: access to services is granted based on what we know about you and your device. And finally: access to all services must be authenticated, authorised and encrypted.
Now, when Google say all services, they mean all services. That's not only what Google uses internally; that means what you and I use. Who uses Gmail or Google search or anything else? This is one model fits everything. So whether I'm a Google member of staff accessing a Google DevOps environment inside Google, or whether I'm a Gmail user accessing my Gmail from home, the security model is 100% identical. Simplicity in security.
How does it work? Really simply: wherever you are in the world, you go into a standard access proxy sitting in front of the particular server in the cloud that they are using. It is single sign-on, it is invisible to the person, and there is an access control engine that says you are either entitled to see it or you are not.
If you are not entitled to see it, you can't even see the IP address. How do you make it work? This is what they have done. First of all, get intimate with your users. User management is really key to this. They have literally a joined-up arrangement with HR, so HR and IT are effectively one and the same. If I leave one department on Friday and join another department within Google on Monday, my access and what I can see automatically changes, because there is a one-to-one tie-up between my HR profile and my access profile within the IT systems.
You need to get intimate with your devices, because ultimately it's about not only the device you have but also the person you are. So every device needs to be certificated so that you can do that bit of magic. And Google will tell you that they actually have written some public domain software, because the devices out there in the real world didn't exist to be able to support this. So they've had to provide add-ons to some key devices, particularly Linux devices, which are now released as open source.
So again, you can go and steal them with pride. And finally, a dynamic trust repository. So again, working with the business to create a trust repository so that you know who can access what, when: a very simple set of rules.
So, if it's the lunchtime menu: all Google staff, really easy; if you're in Google, you can access it. If it's a DevOps environment: are you a developer on this particular project? Then you can access it. How do you make it transparent for the users? This is the key to it. This was their access control engine; as I said, it front-ends, identically, every single Google server.
And they've published it; go and read it for yourself. It's a really good story. Is it perfect? No.
One of the reasons it isn't perfect goes back to the original work that predates zero trust, from Jericho, which Jericho describes as the locus of control problem: if you all play inside my locus of control, I can make it all work for you. So as long as you have a Google device inside a Google environment with a Google username, we can make it all work for you. If you've got a login on the Google system, absolutely, we can make it all work for you for Gmail and search and other bits and pieces.
So in conclusion, what's the best practice?
If you're not doing it already, you need to have a zero trust security implementation strategy. It's an architectural strategy, and you need to design internally with an internet mindset. If you can make this work on the internet, you can make it work better and more securely on the intranet. Your conclusions might be these, but might not be, because it's going to vary for you: HTTPS delivery by default, vulnerability analysis on everything, leverage identity attributes, absolutely.
You've heard this before: adaptive authentication, segment, and fix it once, fix it properly. And one of the business benefits? Well, it works: security gets to say yes. And there's a bunch of related research. But with that, thank you very much.
Thank you, Paul.
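The BeyondCorp-style access proxy the speaker describes (a decision made per request from user identity, device identity and context, HR as the source of truth so that a department move changes access immediately, and callers who are not entitled never learning the service exists) as an added worked example. This is editor-supplied illustration code, not code from the talk, from Google or from the BeyondCorp papers; the HR records, device inventory, resource rules, tier names and 30-day patch window are all invented for the example.

```python
"""Toy zero-trust access-control engine in the BeyondCorp style.

Added example, not code from the talk or from Google. Every record below is
constructed sample data; the tier names and the 30-day patch window are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Tuple

# HR directory: the authoritative source of who a person is *today*.
HR_DIRECTORY = {
    "alice": {"active": True, "department": "research", "projects": {"proj-x"}},
    "bob":   {"active": True, "department": "catering", "projects": set()},
    "carol": {"active": False, "department": "research", "projects": {"proj-x"}},  # has left
}

# Device inventory, keyed by the client-certificate serial presented to the proxy.
DEVICE_INVENTORY = {
    "cert-1001": {"owner": "alice", "managed": True,  "patched_on": date(2024, 5, 1)},
    "cert-1002": {"owner": "bob",   "managed": True,  "patched_on": date(2023, 1, 1)},
    "cert-1003": {"owner": "alice", "managed": False, "patched_on": None},  # BYOD laptop
}

# Trust repository: ordered device tiers and the per-resource rules.
TIERS = {"untrusted": 0, "basic": 1, "managed": 2, "managed-current": 3}
RESOURCES = {
    "/lunch-menu":    {"min_tier": "basic", "mfa": False, "project": None},
    "/devops/proj-x": {"min_tier": "managed-current", "mfa": True, "project": "proj-x"},
}
PATCH_WINDOW_DAYS = 30  # assumed freshness requirement for "managed-current"


@dataclass
class Request:
    user: str
    cert_serial: Optional[str]
    resource: str
    mfa_passed: bool = False
    today: date = field(default_factory=date.today)


def device_tier(cert_serial: Optional[str], user: str, today: date) -> str:
    """Derive a trust tier from device identity. Unknown devices, or a
    certificate owned by someone other than the requesting user, get nothing."""
    dev = DEVICE_INVENTORY.get(cert_serial)
    if dev is None or dev["owner"] != user:
        return "untrusted"
    if not dev["managed"]:
        return "basic"
    if dev["patched_on"] and (today - dev["patched_on"]).days <= PATCH_WINDOW_DAYS:
        return "managed-current"
    return "managed"


def decide(req: Request) -> Tuple[str, str]:
    """Evaluate one request against HR, the device inventory and the rules.

    Returns ("allow", reason) or ("not_found", reason). Every denial collapses
    to "not_found" so that, to the caller, an unauthorised service looks the
    same as a service that does not exist; the reason is for the audit log only.
    """
    rule = RESOURCES.get(req.resource)
    if rule is None:
        return "not_found", "no such resource"
    person = HR_DIRECTORY.get(req.user)          # looked up at request time, never cached
    if person is None or not person["active"]:
        return "not_found", "user not active in HR"
    tier = device_tier(req.cert_serial, req.user, req.today)
    if TIERS[tier] < TIERS[rule["min_tier"]]:
        return "not_found", f"device tier {tier} below {rule['min_tier']}"
    if rule["mfa"] and not req.mfa_passed:
        return "not_found", "mfa required"
    if rule["project"] and rule["project"] not in person["projects"]:
        return "not_found", "not on project"
    return "allow", f"user active, device {tier}"


def http_status(decision: Tuple[str, str]) -> int:
    """What the proxy actually sends back: 200 or an undifferentiated 404."""
    return 200 if decision[0] == "allow" else 404


def hr_move(user: str, department: str, projects: set) -> None:
    """Simulate the HR change that happens over the weekend; because decide()
    reads HR live, the next request already reflects it."""
    HR_DIRECTORY[user]["department"] = department
    HR_DIRECTORY[user]["projects"] = set(projects)


if __name__ == "__main__":
    d = date(2024, 5, 10)
    for r in (Request("alice", "cert-1001", "/devops/proj-x", True, d),
              Request("alice", "cert-1003", "/devops/proj-x", True, d),
              Request("bob", "cert-1002", "/lunch-menu", today=d)):
        print(r.user, r.resource, http_status(decide(r)), decide(r)[1])
```

The engine sits where the talk puts it, in front of every service, and makes the same decision whether the request comes from the campus or from a coffee shop: the network the packet arrived on is not an input. Note that a denied request and a nonexistent path both return 404, and that the only state the engine consults is HR and the device inventory at request time, which is what makes the Friday-to-Monday department move take effect without anyone touching an ACL.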