Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. Today we want to talk about a topic that everybody has talked about already and we want to do it anyway because we want to talk about how it's done properly. We want to talk about Zero Trust. We want to make you understand when you are at the end of this episode, what are the next really important steps to take when it comes to implementing Zero Trust? And for that, I have invited my colleague, Alejandro Leal. He's a Research Analyst with KuppingerCole Analysts. Hi, Alejandro.
Hi Matthias, happy to be back.
Happy to have you. And the topic Zero Trust, that's a quite interesting thing. And I've been talking about it also quite a while because I'm an identity analyst. I'm an identity advisor. And of course, it's easy to say identity and identity verification, authentication, never trust, always verify. When it comes to identities, that's the key portion of Zero Trust. But in the end, that's not true. It's part of the equation, but it's by far not the full story. So how does Zero Trust go beyond just identity verification? And why is it essential to consider much more when it comes to planning, architecting, implementing Zero Trust?
Yeah, that's a good question. And like you said, we talk a lot about Zero Trust. But I think that's mainly because there are still some misconceptions out there. And you have a lot of experience in advisory. So you can probably also tell me about your experiences with organizations. But like you say, Zero Trust is like the principle, the famous principle, never trust, always verify. And it seems that some organizations or some people have the idea that as long as you just implement an identity and access management solution and just focus on identity, that should be sort of the whole process. But as we know, it's more complex than that. So Zero Trust, it also should ensure that every connection, whether from a device, a user, an application, is subject to strict verification. So going beyond identity, it also includes device security, network segmentation, application access controls, and of course, data protection. And the goal of Zero Trust is to address blind spots in traditional security tools and reduce the attack surface by improving the overall security across the IT infrastructure. And I think that another aspect that is important to consider is we published a document a while ago, an Advisory Note on maturity levels and how organizations can assess their own maturity level to understand more about their Zero Trust journey and what they need to do. So I think that's also an aspect that could be useful for organizations. And I think one of the important things to learn from assessing your own maturity model is that one of the things that organizations need to understand is that it's not really about Zero Trust, it's not really about adding more complexity. It's actually more practical. So you don't really have to replace all your tools. It's about leveraging the existing tools that you have and implementing on a sort of like step-by-step basis additional tools that could lead you to where you want to go.
And of course that depends on the organization, the industry that that organization belongs to. So there are many things to consider, but absolutely, Zero Trust goes beyond identity.
Exactly, and you've mentioned the maturity levels and I think that is an interesting aspect. We both said already the famous sentence, never trust, always verify. The question is, when do you verify? And I think one aspect that is often overlooked is the aspect of monitoring after the initial authentication, authorization. So continuous monitoring, continuously checking the devices, so real-time device inspection. I think these are aspects that are more mature or expected to be at a higher maturity level, but nevertheless they are really essential. So can you explain a bit more about these two aspects when it comes to creating a robust Zero Trust strategy?
Yeah, of course. So like you said, continuous monitoring is a very important aspect because it can help security teams detect anomalies and vulnerabilities in real time. And that enables security teams to have a sort of rapid response to potential security incidents or potential data breaches. For example, real-time device inspection, it can ensure that only secure and compliant devices are allowed to access critical resources and critical information. And that reduces the risk posed by unmanaged devices or compromised endpoints. So for example, by implementing tools like endpoint detection and response and mobile device management solutions, those support continuous visibility and also risk assessment to all the connected devices. So that really provides a sort of window to the organization to really take a look at what's going on within, by combining these elements, also with something that we're probably going to talk about later, but with automated response mechanisms that can ensure a proactive stance against emerging threats. And as you know, with the recent developments in generative AI, you and I had a conversation about that the last time I was here. We see that there are many phishing attacks, many social engineering attacks happening. So it's about continuous, not only continuous monitoring, but organizations need to have a continuous sort of stance in their own security and facing the emerging threats that we see out there.
And we've already mentioned that main misconception that goes along with Zero Trust, that it's mainly identity. Don't get me wrong, it is identity, but it's not only identity. And even John Kindervag just published a blog post about common misconceptions. And Zero Trust is often burdened with some misconceptions, which makes it somewhat difficult and sometimes also makes this term Zero Trust like a "don't use it" word, so a no-go, don't use the word Zero Trust because it's so worn out and so much used. If we think of these misconceptions, can you think of, or did you come across during your research for the blog post, other misconceptions when it comes to Zero Trust? What are people thinking of Zero Trust, which might be wrong?
Yeah. Yeah. I found a couple. And like you said, even John is writing about the misconceptions that are still happening. And even though we talk a lot about Zero Trust, it seems that it's, I don't want to say it's not clear enough, but it's such a comprehensive topic that there are many things that could get missed. So one of the things that some people or organizations often miss is the fact that Zero Trust is not a simple off the shelf product that you can just acquire the latest technology or the latest product and that's gonna lead you to having a Zero Trust strategy within your organization. But it's a strategy, it's a journey. It's not a one time project. It requires continuous refinement and integration across multiple layers of security. And another mistake is assuming that Zero Trust means that you, I think you already mentioned this, but you can just get rid of all your tools and then start from scratch. But instead it should be seen as enhancing the current tools that you already have. So yeah, many companies underestimate the definition of Zero Trust. And then they often assume that it's just something you can do instantaneously or something that you integrate by basically eliminating everything you have and starting from zero. But as you know, it's more complex than that.
And I think using what you have properly is simply the best approach to start with and then continue from that in getting more mature. And one aspect of getting more mature is something that's a promise that comes with many technologies. Of course, it comes with AI, but it also comes with Zero Trust when it comes to getting more mature, when it comes to advanced security measures. And that is automation, orchestration, and really getting to automated threat detection and more importantly, mitigation. And that is something that many organizations are finally working at with Zero Trust being around for many years right now. It should be the case right now. Can you tell us a bit more about this automated threat detection and mitigation? What is around there? What will we be talking about in the future around that and maybe in Frankfurt in December?
Yeah, so it's interesting because the DoD, the Department of Defense of the United States, they published a memorandum, I believe two years ago, on how organizations can achieve Zero Trust. And they mainly focus on five pillars: users, devices, networks, applications and systems, and data. But at KuppingerCole, we've been doing some research and we've been publishing a five plus two model. And I believe that in advisory, you have also talked about this topic. And in this five plus two model, we added automation and orchestration as well as visibility and analytics. So for automation, it's important because it can really benefit Zero Trust. It enables real-time enforcement of security practices without the analyst, so without human intervention. So for example, by having automated tools, you can instantly revoke access or isolate devices when some anomalies are detected. It also reduces time. It also provides more productivity for the analyst to focus on other tasks that can be better for the team and the analyst. On the other hand, orchestration also allows for a more cohesive management of multiple security solutions. It's a very important aspect of access management and passwordless authentication, some of the topics that I've been working on over the past few years. And also if we look at security information and event management or security orchestration, automation and response platforms, automation plays a really big important role there. And like I mentioned earlier, we had a conversation on generative AI and how this is another tool that is helping analysts to improve productivity and also deal with the emergent threats that we see in the landscape.
Absolutely. And to give due credit, this 5 plus 2 model is also derived from the DoD, at least from the latest version. So that is something where we are also standing on the shoulders of giants because there has been lots of great work, but it really makes sense. So highly recommended to have a look at the NIST plus the DoD Zero Trust documents. Just Google them with what I just said. So there's no link required. You will find them. But just to make sure that the due credit is given. One aspect that is often ignored, although it's actually at the core of Zero Trust: we do all these security measures to protect the most important thing, which is data. So the systems providing access to our data. So when we turn it a bit around or look at that from a different angle, what is the significance of data protection in a Zero Trust framework? And how do we make sure that data integrity and confidentiality are maintained properly, because that's at the core?
Yes. Yeah. Like you said, data protection is a core pillar of Zero Trust and it's often overlooked, but having data protections ensures that sensitive information remains secure. So techniques like encryption, tokenization and access controls are used to protect data from unauthorized access. So for example, by implementing data loss prevention tools, it helps detect and prevent potential exfiltration of sensitive data. Recently, we hear a lot about SASE, so secure access service edge. Our colleague, John Tolbert, has written a lot on this topic. He published a Leadership Compass last year, so I also recommend that. So SASE, it sort of integrates network security with data protection measures, and it provides a sort of unified approach to protect information across all locations. So yeah, absolutely, especially in the time of GDPR, and many organizations are often trying to make sure that they are compliant, and data is a huge aspect of Zero Trust.
Absolutely. Now we have been talking for quite a while, very, in air quotes, theoretically about how to do Zero Trust well. When we do our events, the EIC in May and the upcoming event, one of the most highly frequented presentations that we have is the best practices sessions where people talk about how they actually did it. Can you share some successful real-world examples or case studies of Zero Trust implementations that really worked, so that it's not theory, that it is really out there and people are using that?
Yes, I can provide you with a couple of examples. And also, if you have any other example that you'd like to share, you deal with lots of organizations advising them, I think it'll be also nice to hear from you. One example is a large German supplier, energy supplier. So basically, they wanted to protect their IT infrastructure. And at the same time, they wanted to support a hybrid workforce. So many of their employees were working from home. And they were owning both company-owned and personal devices. This energy supplier, the goal that they were trying to do was to ensure secure and controlled access to internal resources, especially because many of these employees were using their own personal devices. So as we've been talking about during this conversation, Zero Trust goes beyond identity. So one of the solutions was implementing identity and access management tools, MFA for example. But they also had to work on micro-segmentation, so implementing micro-segmentation to limit lateral movement within the network. They also did some work on conditional access, so access policies based on user roles, device compliance, and risk levels. And also they did some bring-your-own-device policies by using mobile device management and mobile application management tools. So as you can see, they didn't focus only on one aspect, but they really saw the whole comprehensive area of Zero Trust and they focused on the different aspects that we see there. And the outcome was that they improved security for remote and on-premise workers. They also reduced risk associated with unmanaged devices and personal devices. And also they improved flexibility for employees, which also led to more productivity from their side. And another example is from an online banking platform. So this banking institution, they wanted to provide a secure and frictionless online experience while also protecting users from fraud. So one of the solutions was to implement adaptive authentication.
So they did MFA and transaction-specific verification to protect users performing, especially those users that were performing, very high-value transactions. They also did some work on behavioral analytics and fine-grained access controls. So the outcome was to reduce the possibility of fraud. They also improved customer trust and security. And also perhaps one of the most important aspects, they were compliant with many of the regulations in the financial industry.
Right, very interesting because these are the stories that really tell us, also tell us as analysts and advisors, that this is really something that has arrived in real life out in the wild, they are using that and they're using that comprehensively as you've described. Maybe one example, not a big example, I don't describe it fully, but a company that is quite mature in implementing Zero Trust, but the only thing that they do not do is they don't call it Zero Trust because this term, as mentioned before, is so worn out, so yeah, it has really lost its appeal. They call it continuous verification, and that's true as well, and it's much nicer than Zero Trust. It makes much more sense than Zero Trust, because you need to trust somebody, the identities, for example. So that is something that we've seen out there as well. So they implemented, they used the principles, but they don't call it like that. Maybe a final thing to hint at, it's again a bit more theoretical or more forward looking. But one thing that we just see right now and that one thing that we've just added to our identity fabric is the idea of workload identity. So it's really identifying workloads, and that is compute, that is databases, that is everything that is not a person but that deserves an identity, that this is an upcoming thing. And by the end of the day, you do this to replace cables. You have a bilateral authentication via device or workload identities to make sure that there is secured and bidirectionally authenticated communication in a hostile network. And that is what Zero Trust is about, protecting communication in a hostile network through trusted identities, but this time for workloads. So if you're interested in that, there will be more to come. And it's a really interesting topic. It sounds like identity, but it's much more because it's the replacement for the good old firewall and the perimeter.
So lots of things going on right now, again, on our way to achieving Zero Trust maturity and to getting to real life Zero Trust solutions. So the final words, Alejandro, should be the recommendation to join us at CRE, right?
Absolutely. We'll have a, I think a track on Zero Trust. So there'll be two or three sessions on the topic.
Right, and there will be again real life examples, case studies, success stories of how things really work. So if you want to talk to somebody who's done it, who's already there, they are there with us at cyberevolution in Frankfurt in the first week of December. Thank you Alejandro for being my guest today, for telling this interesting story about Zero Trust and how it evolves, for providing that blog post. So if you are interested out there, please just go to our website and find it on the front page. Any final words?
Yeah, I think that organizations need to... because we use the word continuous a lot. So I think that's sort of hinting at how the threat landscape is evolving. So at the same time, we need to be having a dynamic response to the continuous threats that we observe. So Zero Trust, as we mentioned, is not just a one-time project, but it must involve a continuous assessment. So yes, that's it.
Great. Absolutely fully agree. This is an evolving story because the threat actors don't sleep and they are a multitude and we are but a few. So that's an interesting story to continue. Thank you Alejandro. Looking forward to meeting you in Frankfurt, but seeing you before that in probably another episode of this podcast. Until then, thank you and bye bye.
Thank you, Matthias.