When I was researching zero trust in 2016 and 2017 for my master's thesis, I was always wondering: how should I start, how can I implement zero trust? Of course it was for myself, for research purposes. Zero trust at the time was totally different, so it was easy to replicate zero trust using the tools available at that time.
Now zero trust has evolved into a more robust series of controls, a proper architectural model. But when I started consulting on the topic, after my master's degree, once I had acquired confidence in the topic, I realized that companies were asking basically the same question I was asking: how should I start? I was thinking about that, but the truth is that the question was wrong. The question should have been: how should I approach the problem of zero trust in order to be successful?
So over the course of the next 15 to 20 minutes, I will guide you through the same process I go through when I am consulting for companies willing to implement zero trust, minus the implementation part, of course. We can discuss that later in the open discussion, and hopefully it will help in your implementation. But before that, a little bit about myself. I'm Fabric, head of infrastructure security at TBI Soka B, a company very active in supply chain management and optimization.
I also work as a security advisor for startups, and previously I worked for Berg group, the German stock exchange, an insurance group, Symantec and so on. I have worked on zero trust since 2016, 2017, as mentioned; I was lucky enough to work alongside John Kindervag, the so-called father of zero trust, as well as ScaleFT, which has since been acquired by Okta and was a company very active in the zero trust space. So, let's go to the approach.
As I mentioned, this guide on how to make a zero trust project successful is the outcome of many hours of discussion, proofs of concept, and also failures that I had during these years. And we will see why there were failures.
In my experience, you need two approaches. One is the strategic approach and the other is the tactical approach, the more pragmatic approach.
The truth is that, although conceptually it is nice to separate these two, you need a combination of both, and you will see why. What I mean by strategic approach is that zero trust is not going to be just one project; it is not an off-the-shelf product, as Alexei was mentioning in the introduction of this event. Therefore you need C-level support or board support to sponsor your zero trust initiative,
and also to use their leadership and influence to make this project cross-functional. On the other side you have the tactical approach, which is more suitable for a short-term engagement or a proof of concept. It is limited in scope and in time, but it can be used as a driver, as a pilot; we will see that later. Now, before we go to the approach: in my experience as an architect and as a consultant, I saw a lot of so-called strategy decks that were just full of buzzwords.
So in every engagement I have, I like to define what strategy means for me. And I found this perfect definition in the book Technology Strategy Patterns by Eben Hewitt, which says that strategy is about determining the problems and opportunities that are in front of you, defining them properly, and shaping a course of action that will give your business the greatest advantage. I found this definition very true, given my experience as an architect, and that's why I wanted to give you this quote,
so you can bring it with you over the course of this talk and also over the course of your professional path. Coming back to this slide, the strategic approach. As I mentioned, zero trust is a cross-functional topic. It is not only a security topic, it is not only an IT topic, but it touches different parts of the corporate estate.
It touches governance, it touches mergers and acquisitions, it touches corporate infrastructure, networking, cloud and so on.
In my opinion, the functions you have to include in the early conversation about a zero trust implementation are four: governance, enterprise architecture, the change management board, and operations. Why you want to involve them early: as security professionals, we preach the shift-left, or early, approach to security to minimize cost and improve the security posture of the company. We also want to involve these functions early to make this project successful.
So why governance? Governance is the one that provides policy and also assesses the risk of the technologies, from a zero trust perspective. You want to involve them as soon as possible to familiarize them with the concept, because they may not be aware of zero trust.
You also want to involve enterprise architecture, or however the architecture function is called in your company.
First of all, because they can assess the technology that you use, not from a risk perspective as governance does, but really from a technology perspective. You also want enterprise architecture on board because they have the knowledge of your company's architecture, so they are more aware of everything that can be impacted by the introduction of zero trust in the company. Why do you want to have the change management board?
Well, that is more historical. As a young engineer, I remember spending hours in calls, like seven hours a week, sometimes even for a five-minute change. So you want to keep your change management aware of what is going on.
You want the change management board aware of what is going on in the implementation, so they can be aware of the changes; they can take a piece of the project management, if you want,
and they can help move the entire transition, the entire journey, because zero trust is a journey. And finally, you want to have operations aware. The InfoSec team is sometimes not the one that keeps the lights on in the infrastructure, so operations should be aware. There was a case, which I will mention later, where operations was one of the roadblocks in implementing zero trust. That is why you need to involve this function.
Of course, the list is not exclusive. You can involve more people and more enterprise functions in the early conversation. But that is something you need to decide based on your reality, based on the type of stakeholder and on how you can approach them.
So what are the drivers, what kind of value? Why does the company need to invest time, effort and money in zero trust? What are your selling points? In my opinion, there are five: security, compliance, agility,
users, customers and partners, and modernization of infrastructure with complexity reduction. Let's go step by step. Security.
Well, that is obvious. I'm security at heart, and security is quite obvious here.
However, as Alexei was mentioning earlier, even a brief change, a quick win, can already change the posture of the company. Just enabling MFA, or enabling encryption of internal communication, can make a huge difference in the company's posture. And compliance.
Oh, by the way, coming back to security, one point I forgot to mention during the slides: in a previous presentation I actually mentioned that zero trust allows you to tick off 10 out of 20 controls, so basic controls. That was based on version 7.1 of the CIS Controls. Now there are 18 controls and they are slightly different, but implementing zero trust makes a huge improvement to your overall security posture.
Coming back to compliance: it is less obvious than security, but having zero trust in your company can lead to easier compliance. I recall a period when, on a daily basis in my company, all the people were scrambling around checking whether the asset management was working, or whether the policies were right, and so on.
With zero trust you don't need to worry, because effectively you know exactly, at any point in time, which user with which device accessed which data and when, and basically you have the entire system documented. If you are working on that, it is giving you logs, it is giving you the tracking information. That is a huge advantage, because you can simply export a report and so on. Agility: what do I mean by agility?
We heard a lot of companies saying cloud first, cloud-first approach and so on, but effectively it is not that way. Having a zero trust architecture in place allows for real agility, because everything is automated and you have all the proper guardrails in place for spinning up your project, your sandbox or your developer template with new services. I don't know, AWS launches a lot of services during a year that your security team is not able to assess.
It is not able to assess all of them all the time. In this way you have the proper guardrails and the developers can play.
And then, you know, they can spin up an application and try to see if it fits the market or not. Users, customers and partners: that is also, from a personal perspective, quite useful.
Why? Every time I join a company, independently of whether it is a startup or an enterprise, it does not matter: a user spends around three months, in the best-case scenario, to get all the proper access. My partner was telling me that she was trying to get access for a company partner, for an offshore outsourcing company, and it took two months to get just one access. So together with agility, having something that you can integrate so easily will help.
You can simply have a set of roles or a set of attributes that allows the user to access, or allows the partner to access, or allows the customer to access. That is still matching with agility, and it is still matching with security, because every access is granular. You have a very granular set of permissions and at the same time it is quick.
So your user doesn't need to wait three months for access to the proper system, your partner doesn't need to go through all the layers of approvals and all the technology stuff to be given access. And finally, modernization of infrastructure and complexity reduction.
I had a case once, a long time ago, where there was a VM running an old operating system and a mission-critical application that unfortunately could not be updated because it could not be touched,
because the company that developed the application went bankrupt. But the application was so critical to the business that we had to find a way to secure it. Working in financial services, I also had to work with mainframes. So having zero trust in place allows you to modernize infrastructure securely and also, basically, reuse your existing... I'm conscious about the time,
so I will try to go quickly through the slides, but I'm happy to talk later. Now, tactical initiatives are always easier to execute and to keep under control. However, you have to be aware that if you do not involve all the stakeholders, it can be seen as zero trust for its own sake.
It can be seen as if zero trust were a solution to a problem that is not relevant to the business.
What I was saying earlier about using one project as a pilot: find a project where zero trust can really solve a business issue, have that as a sponsor and as a vehicle to advertise zero trust across the whole business. If you are doing a POC or a project, involve not only the security team, but also access management, also networking and infrastructure, also cloud. I put together a little diagram of how, in my opinion, the project should be executed.
But again, that is my point of view. Now, having implemented several zero trust projects, let me give you some advice from experience. Rip and replace: it sounds good, but it doesn't work unless you are Cisco or Palo Alto Networks.
That connects to the point of reusing and incorporating the existing security monitoring, orchestration and so on. You already have them in place, you trained your team, so use them. But you also have to assess them, because they may not fit. One example is a firewall.
If it is a simple firewall where you can specify the port, the protocol, source and destination, it is maybe not the best fit for a zero trust architecture. However, if your firewall has API capabilities, SIEM integration and so on, an API with which you can automate based on a scoring system, then you can use it. Identify your key assets and your biggest risks. To do that, you need to be aware of your network, of your traffic patterns: where the inbound traffic is generated, where the outbound traffic goes.
You would expect that companies are aware of these details. But no, trust me: every time I ask for the architecture or a traffic profile, it is not easy to get. Now we have the tactical approach, we have the strategic approach. Technically we are ready.
No, we are not. We have some real-world challenges for zero trust implementation that I would like to make you aware of.
I split them again in two: one section is technical, the other is non-technical. Technical: IAM maturity. You have companies that are struggling with their own identity and access management. Sometimes it is easier for them to give access to everything, just set up the account with access to everything, because it is much more effort to make it granular.
Sometimes they have multiple IdPs because of mergers and acquisitions, sometimes they have plenty of groups in their directory. You can use zero trust as a tool, as a catalyst, to fix these. You will not fix them immediately, it will take some time, but you can use zero trust as a catalyst. Lack of visibility into assets: that is a very interesting topic, because I spoke with plenty of CISOs and they are not aware of what exactly they have as assets.
And again, what is an asset? I mean, with bring your own device and cloud, with Lambda functions and scaling groups: if your Lambda function exists for 20 seconds, do you define that as an asset? You also have companies that don't have proper asset management because they update it only once a day, so for 24 hours your asset management is not updated, and you have this limitation because they probably use some legacy technology. So assess your asset management tool, evaluate some open source tools, or evaluate building something yourself.
We created a nice little script for one cloud provider that grabs the inventory of everything from that cloud provider. So that is possible; see if you can do something like that to improve your asset management. Then you have the non-technical topics, which are resistance, either political or operational, regulatory or compliance constraints, and overthinking. Resistance: I had a case where operations were not on board with zero trust,
although we had everything in place, simply because it did not fit their operating model and they were not aware of the advantages. The same with regulatory compliance and constraints: people do not see that zero trust is bringing some advantage, because again they may not be aware. So my advice is to tackle these concerns early, by involving them in the discussion early. Yeah.
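The asset-visibility problem the speaker describes above (a CMDB refreshed once a day, resources that live for seconds, and a home-grown script that pulls the inventory from the cloud API) can be made concrete with a small reconciliation routine. The following is an added example written for this page; it is not the speaker's script. The CMDB schema, the snapshot format and all asset identifiers are constructed sample data, and a real collector would replace the inline snapshots with calls to the cloud provider's inventory API.

```python
"""Reconcile a CMDB export against periodic cloud inventory snapshots.

Flags assets the CMDB does not know about, short-lived (ephemeral) assets
that a once-a-day sync would never see, CMDB records with no live
counterpart, and CMDB records that have not been refreshed recently.
All input below is constructed sample data with a hypothetical schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (no offset) as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class Observed:
    asset_id: str
    kind: str
    first_seen: datetime
    last_seen: datetime

    @property
    def lifetime(self) -> timedelta:
        # Lower bound: an asset seen in exactly one snapshot has lifetime 0.
        return self.last_seen - self.first_seen


# Constructed CMDB export: one row per registered asset.
CMDB_EXPORT = [
    {"id": "i-0a1b2c3d", "kind": "ec2", "owner": "payments", "last_update": "2021-06-01T00:00:00"},
    {"id": "i-deadbeef", "kind": "ec2", "owner": "legacy", "last_update": "2021-05-20T00:00:00"},
]

# Constructed cloud snapshots: (snapshot time, live resources), ten minutes apart.
CLOUD_SNAPSHOTS: List[Tuple[str, List[Dict[str, str]]]] = [
    ("2021-06-02T10:00:00", [{"id": "i-0a1b2c3d", "kind": "ec2"}]),
    ("2021-06-02T10:10:00", [{"id": "i-0a1b2c3d", "kind": "ec2"},
                             {"id": "i-0ffff001", "kind": "ec2"},
                             {"id": "fn:report-gen", "kind": "lambda"}]),
    ("2021-06-02T10:20:00", [{"id": "i-0a1b2c3d", "kind": "ec2"},
                             {"id": "i-0ffff001", "kind": "ec2"}]),
]


def observe(snapshots) -> Dict[str, Observed]:
    """Fold the snapshots into a first_seen/last_seen record per asset id."""
    seen: Dict[str, Observed] = {}
    for when, resources in snapshots:
        t = ts(when)
        for r in resources:
            o = seen.get(r["id"])
            if o is None:
                seen[r["id"]] = Observed(r["id"], r["kind"], t, t)
            else:
                o.first_seen = min(o.first_seen, t)
                o.last_seen = max(o.last_seen, t)
    return seen


def reconcile(cmdb, observed, now,
              ephemeral_max=timedelta(minutes=5),
              stale_after=timedelta(hours=24)):
    """Return four findings as sorted lists of asset ids.

    unknown:   live in the cloud, absent from the CMDB
    ephemeral: lived shorter than ephemeral_max (a daily sync would miss it)
    missing:   registered in the CMDB, not seen live in any snapshot
    stale:     registered and live, but CMDB record older than stale_after
    """
    registered = {row["id"]: row for row in cmdb}
    unknown = sorted(i for i in observed if i not in registered)
    ephemeral = sorted(i for i, o in observed.items() if o.lifetime < ephemeral_max)
    missing = sorted(i for i in registered if i not in observed)
    stale = sorted(i for i, row in registered.items()
                   if i in observed and now - ts(row["last_update"]) > stale_after)
    return {"unknown": unknown, "ephemeral": ephemeral, "missing": missing, "stale": stale}


if __name__ == "__main__":
    result = reconcile(CMDB_EXPORT, observe(CLOUD_SNAPSHOTS), ts("2021-06-02T10:20:00"))
    for name, ids in result.items():
        print(f"{name}: {ids}")
```

The point of folding several snapshots rather than diffing a single one is the ephemeral case from the talk: `fn:report-gen` appears in exactly one ten-minute snapshot, so a daily CMDB refresh would never record it, while the reconciliation still surfaces it as both unknown and ephemeral. Tighten the snapshot interval, or consume the provider's event stream instead of polling, to lower the floor on what counts as visible.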
Hi, can you hear me?
We should take care of the time; you are already nine minutes over time. So I would appreciate it if you could maybe find a closing sentence for the presentation. Thank you.
Oh, yes, I apologize, sorry. So, to finish: find the balance between the two approaches, because you cannot have only one or the other; you need both. So that's it. I apologize for taking over the time. I'm happy to talk privately later on today. And thanks again.