Yeah, so welcome everybody. My name is Robert and I'm part of the global cyber security leadership team at Mercedes-Benz, where I have the role of lead architecture and governance. Today we will talk about continuous zero trust transformation using a value- and risk-based approach. Two years ago I started with zero trust at CS, and that's also the reason why I'm able to talk about our approach. I'm happy to share information and also insights which maybe help you to go in the right direction, and I'm not alone.
Yes.
Hi everyone, my name is Aaron Ch, I'm the advisory practice lead for the cyber security division in Atos. So I'm the co-pilot, you know, of Robert, to help them come up with a transformation journey plan.
Yeah, thank you very much. Okay, quickly again: I will mainly skip the introduction to zero trust because we had a lot of sessions about that in the last days. We will go more or less directly into the approach, and at the end there will be a short summary and then hopefully also time for questions and a lot of answers. Okay.
So this is an old castle. It is more or less a symbol for the old network-based protection. I like this old funny stuff, but as you can see, if you are in this castle you can move wherever you want, and of course the original thinking was that the assets are in the castle and they are secure there. But as everybody knows, this old perimeter of the traditional network is somehow to be released, because there are a lot of circumstances which changed how we should do security.
So the assets are not anymore in the castle. They go out. Yeah.
And they have to be protected where they are. And of course zero trust is here the main password which you have to know, and what was earlier more static and hard to protect now must really be protected during authentication, authorization and so on.
So hopefully in some years, I don't know, the network perimeter will be gone, and I hope that never trust, always verify can be done really for each request and each transaction. Okay, so let's go into our approach.
So I think we know where we want to go. Zero trust is our vision, our goal, but how to get there? We thought about that, and our approach is a cycle-based one, and it always starts with the people.
So you can't do anything without the people. You have to integrate the people, the different stakeholders, but also the technical people, to be successful with zero trust in the end. Zero trust is a journey of integration. It's also an evolution over time, and you have to consider that. Using the business drivers, we can identify the targets, and of course you have to explain to the management or other people why we have to do that. Without value, they will not believe you. The next step is to consider technical and risk governance.
This is very important to be able to prioritize, to invest in the right domain, as zero trust is a big elephant. You cannot do zero trust at once. You have to cut it in pieces and focus on what you need. For that, from our perspective, you need a reference architecture. The reference architecture is a kind of map where you can find the stuff which you have to integrate: technology, processes and so on. So if you want to drink a cappuccino in Rome, you have to find a way to the bar. Yeah.
And therefore you need a map, and the reference architecture model is that kind of map. Using that, you can then go into transformation. Transformation means in this case that you put things like requirements and demands into the work package and start to implement. Maybe you have to develop something on your own, or you can integrate a good product; transformation is the step ahead. But you also need a maturity model, because you can only control what you can measure.
Therefore we have to find a maturity model which we use to assess the cycles; that is the very important stuff to see where we are. Okay. And now I hand over to Aaron. Yep.
So the first thing we do is to look at the business drivers, right? That will give you the vision and also what target you're going to look at, what matters most to your organization. Why do you need to have zero trust? That is the main thing you need to go for first.
And then you use the same model, such as how maybe you want to enable your business to be more agile, or maybe doing modernization, or maybe doing audit and compliance. That is the goal that you can actually achieve. And then you start thinking about what matters most to your organization right now, to create that priority view, so that it will become a baseline to justify your zero trust journey in the first place.
Once we do that, we will look at how you're going to use the risk. You need to do a risk assessment: what kind of things you're trying to mitigate, using a risk approach, and not just using an Excel spreadsheet to track the list. You need to visualize the list: how can you actually use the risk to show people what the risk appetite would be?
And also assess what matters most and what are the most important things you need to work on first, so that you can create different kinds of architecture views to address your planning and execution risk, cybersecurity risk, or maybe the technology integration risk. That is the second step of our methodology. Robert.
Yeah, thank you. Now we come to the reference architecture. The reference architecture is a really important piece of the approach, and we spent a lot of time creating it. We had a lot of workshops and discussions with a lot of people, because in the end you need the commitment of the people who are responsible for the technology, for the processes and so on.
Okay, the reference architecture is the map, and of course there are already architectures out there which you can use. The first one, which I think everybody here knows, is the one from NIST. This architecture distinguishes between logical components like the PDP or PEP, and it also focuses on the data sources; you need to integrate the data so that the policy decision point and policy enforcement point can work together.
Another good example is the one from the NSA, the zero trust architecture.
It focuses more on the pillars, like identity, devices, networks and so on, and it also focuses on the relationships between these domains and the components within these domains. From our perspective we need both sides, and we created our own zero trust reference architecture, because a big company like Mercedes has a lot of technologies of course, and not all of the components which we needed are there, and therefore we created our own. The three factors which are important from our perspective: the first one is that you have no greenfield approach here. Yeah.
Life would be easy with that, but that's not the case. You have to start with a brownfield approach. The recommendation is to think big and put really everything you have on the table; be honest about that.
Yeah. So that you really can also take care of the technical governance and the processes and so on. You have to have a holistic view of your IT, and this is also the hard stuff you have to do. The second factor is: think about the big five. What are the big five use cases, the scenarios which you have to consider? Because again, you cannot do zero trust at once.
You have to cut it in pieces. For example, the workplace topic is the easier one. If you go more in the direction of OT and factories, that's the hard one. And if you have to integrate applications, if you have a lot of them, then it's also a hard one.
So we have five in the end, and the third one is technology governance. This is really a pain, because if you choose a product, but this product does not suit another product, then you have a problem.
Yeah.
This is of course also a reason for good governance, but you can imagine that in big companies this is a real challenge. Okay. So in the end, our reference architecture from a high-level perspective looks like that. You will find a lot of domains or pillars from the other ones, but there are also ones we have added, like the self-service automation area, more focused on zero trust interfaces and so on. In the end we have 13 transformation domains which we focus on, and within these 13 transformation domains we have 54 components which we are investigating.
I think that's a very important basis for the next topic, the maturity level. Would you like to add something, or can I go on?
Yes, I think, like Robert is saying, there's no silver bullet on reference architecture, but we go out and look objectively at what the existing architecture looks like, what kind of risk and also business driver would pay to this architecture, so that people can start visualizing, when it comes to technology governance, which component, if I change that, what the ripple effect would be.
And I think that pays a lot of dividends in our approach.
Yeah, thank you.
Okay, so the reference architecture is the fundament of, or is strongly related to, the maturity model. As we have 54 components in our case, every component will have a maturity level, and of course they also interact with each other. Yeah.
You have somehow to clarify for yourself and also define: okay, what maturity do you gain after you reach a step during the transformation phase? There are already some maturity models. For example, the one from CISA; they focus on five domains and they also have a three-maturity-level approach.
It's an interesting one. And then of course there's another one from Microsoft. It's similar; they also have three maturity levels and focus in this case on six domains. The infrastructure domain is also part of it.
I think that's very important.
From our perspective, again three factors. I talk about big enterprises, so my recommendation is: build your own, because what exists is good, but it's not enough from our perspective, because it must be very generic and it must consider the requirements you have in your enterprise. The second topic is that it must be repeatable.
You have to invest a little bit of time to define and get the commitment of the people, so that they say, okay, I can go with you, these are the steps we want to achieve in the next cycle. And then of course you have to repeatedly measure and see if you are going in the right direction. And the last one, the third topic, is: if you don't have that, there's a very high probability to fail. Think about the cappuccino in Rome.
You don't know where to go. You have no map.
So you will get lost, I don't know where, maybe in the pizzeria, but not where you want to go. Again, you will lose control over time if you cannot measure whether your steps are right. And this brings us to something like that.
That's an example of a dashboard for a zero trust release. Just quickly going over the domains: as you can see, we have percentages, so it's more fine-grained than the three-level approaches from Microsoft or from CISA.
You can see we define the baseline maturity; on the baseline maturity we can identify the release, and there's also the planned maturity. By the different steps we proceed through during the transformation, we can measure if we are going in the right direction.
Yeah,
Maybe I'll say something here, because that is where we have the business driver to plot out the whole transformation journey. We have a dashboard to chart where you are within the journey, so that we can optimize your existing IT investment, mitigate your risk, and also deliver the maximum value of zero trust to your organization. This is quite a unique approach that we find extremely useful.
Yeah. And of course also for the management it's very important.
They can understand it. Yeah.
So, where are my KPIs? Here they are.
That's very important. Finally we come to the summary. Three takeaways for you. The first one: the reference architecture model and the maturity model are strongly related to each other. Then, continuous transformation is always value-based. It's hard to talk with management about that, and you have to be well prepared, but if you can say this is our value, then they will understand and support you. And the third topic is that the maturity provides a very good indicator of where you are. Yeah.
And where you have to go next. Aaron, would you like to add one before?
No,
No. I think this is a quick summary of what we have done, and I believe the approach can be repeated, and also, using a reference, you can create that kind of journey within the organization and take on the zero trust challenge.
Yeah. Thank you very much.
And questions? I think Martin is very happy now; we still have two minutes left.
Yeah,
I think you were a bit too fast now. Oh, all good. Wonderful. And we have a couple of questions here.
Two minutes are super. I think during lunch I talked about this experience of a keynote planned for 20 minutes and ending after 12 minutes. That is a different story. So I have a couple of questions, and I think we have time for maybe two of these. The first one is: have you tackled zero trust in the operational technology space, so new factories, et cetera? And if there are no industry standards, how do you apply this approach in that space?
Yeah, this is a really big challenge and we aim for it, but we have to prepare well. We had a talk yesterday from the colleague from Siemens, which I think is our step before, and it's really hard to go there and talk about restrictions without having a good plan and the values there. We have prepared it, but it's not the first step we have prioritized. It's on the plan for next year. Yeah. Okay.
Can you please share some insights about the deployment of the initiative in your organization, considering at least partially decentralized IT organizations?
Okay. So it's Mercedes. We're really big, and we do a lot of stuff, but I think it's a top-down and bottom-up approach. When I started two years ago, the CISO said: Robert, here is some money, go on. Okay. Yeah.
And then it developed, and it's also very important to change the culture. From the top down we have really big support from the top management. This makes it easy, but it's very hard to plan it and then to take over responsibility, and sometimes you also have to reorganize some stuff, and that's a hard one. Yeah.
But I could imagine that it's a bit simpler with zero trust than with some of the other topics, because zero trust is a term that is in the mind even of the upper management. So probably easier than with some of the other things to do. Thank you very much Robin and Aaron. Thank you Aaron. Yes. That's a bad name, sorry for that. Thank you for your insights. And we continue with the next industry directly.