Now, from the security analyst point of view, we would like to switch to someone who is working in real life, who is responsible for managing the security and identity systems in a real organization with people working, where he's actually, ultimately, himself responsible for doing things. Right. I would like to welcome on stage Dr. Ravi Bindra.
Oh, thank you. And Ravi, long time no see.
Indeed. I'm glad to be back.
So what do you think about all this OT stuff? Is this something you are worrying about at all?
No, I'm too busy trying to get basics done. Okay. Like patch management.
Okay. Okay. No matter, it's really, I mean, this is important, obviously.
So it's all about the vision you have and how you wanna achieve it. So if that's the ultimate next step in security involvement, then we need to start thinking about how to achieve that today. Yeah. Because we won't get the budget till next year.
Yeah. That's true. Okay.
So, and one step going there is obviously to open up the enterprise. Yes.
Which is, I would say from a security management point of view, a prerequisite for IT plus OT working together. Yeah. And this is something you're going to give a little bit more detail on.
Yeah. I'm gonna talk about taking a radical idea and evolving your security strategy to fit it.
Very good. I'll be very interested in hearing it. Thank you very much.
Thank you. So I'd like to talk about moving the security perimeter and what should you be thinking about when you wanna remove it? What are the steps you're gonna have to take?
So what I'm gonna talk about is what is the thinking process you need to go through in order to develop your vision, your strategy, your goals that will meet this very small goal of moving, or removing, your security perimeter. So I'll go through how this idea came about, how it fits in with the Jericho principles. How effective do you actually think your firewalls are? And when you have your vision, the idea is you need to get funding for this project. So you need to have a vision. You need to have goals.
You need to have roadmaps and timelines, and doing all of this will actually assess what your security priorities are. So I joined my present company five years ago, and we were sent away in the first year; our goal was to revolutionize the strategy for the company. There was a bunch of architects.
There was a bunch of service managers. We went to a very nice hotel next to a lake in the Swiss mountains. And we were put into a room and told, brainstorm. I looked outside, I looked inside. I took a 15-year-old principle from Jericho, wrote it out and went swimming.
I got zero out of 10 for commitment, but 10 out of 10 for innovation for picking up on a 15-year-old principle and saying, Hey guys, let's remove the internet firewalls. Now I of course had my own vision of this. I was like, if we start doing that, we need to reassess where the security perimeter actually is. What do we need in place to still be secure, but deliver this goal? Management heard, oh, budget cuts. That's easy. My peers or my colleagues were, Hey, great idea. We hate the S, they stop us being agile. They stop me delivering services tomorrow.
I have to fill in these pesky reports and get assessments done. Security operations thought you're an idiot, but they weren't invited. They weren't important enough.
So removing the security perimeter is not about removing your security enforcement points. You need security still, but it's where you put it. I'm also not talking here about your small or medium size businesses, which probably don't have a perimeter anyway.
So how does this fit into the Jericho forum?
Well, point number two on the Jericho forum is all about assessing your security system as an ecosystem, different layers doing different things. I agree with that. When the Jericho forum talks about the free flow of information and data, I think individuals in my organization would love that, because they don't have to get permission for doing anything.
However, the management, if I go up to my CEO and say free flow of information in and outta the company, he'd go, hang on, let's think about this. He's a bit Texan. So that's the closest I can get to a Texan accent.
So when you have this goal and you wanna get funding, you have to go to your management and ask for funding. They're going to want to see what your vision is. How does this small part of the goal fit in with what you want to do? What is the strategy to achieve that vision? So start off with any vision you want.
The one I like is: I see the day when the data knows who is looking at it, what they're doing with it, where it is, where it's going, and will stop them mistreating it. It's something I came up with in a few seconds, because I was also swimming in the lake at the time. Others are, you know, you wanna know where your data is and who put it there, whatever. It doesn't matter what the vision is. Just have one, because the vision is the basis for your security roadmap.
When you have a roadmap, you can then start doing your gap analysis and assess what you have in place, what you haven't got in place, what you need in place and when you need it. And this allows you to prioritize your budget request. So I did this with identity access management many years ago, and it worked very well. So here's a slide which teaches your grandmother how to suck eggs. It tells you what a typical internet gateway looks like. It shows you what the DMZ services are: your VPN gateway, your reverse proxy, your proxy server.
So that's what you wanna try and get rid of.
Now, if you wanna get rid of it, first of all, what are your firewalls doing anyway? I was an external auditor at a company, and my background is firewalls. And this person was very proud of the fact that they were running enterprise, not enterprise, very carrier class firewall hardware. And he said he has 900 rules on his internet gateway for Europe. And I looked at him, I said, Hmm, 900 holes. He didn't see the funny side of it.
He then went on to tell me that in his external business partner firewall, which is also carrier class, he said, every single rule in this firewall has a business owner, a business justification, a security sign off, and we know what it's doing. I said, okay, have you run an analysis tool on it? Like Tufin or Skybox or any of the others? He said, oh no. So he ran one, and we hit 1,726 shadow rules. I still don't know how many rules he had on this firewall. But, as I said, I'm a firewall person. I've been in firewalls for almost 18 years. In all that time, firewall rules have evolved.
I've never seen an evolution of a firewall rule remove firewall rules. I've only ever seen new rules added and added. That's how we got to where we are today with that firewall.
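A shadow rule is one that a first-match rulebase can never reach because an earlier rule already covers all of its traffic; this is the kind of finding the rulebase analysis tools mentioned above report. The following is an added example (not part of the talk, and not any vendor's code) that runs that check over a constructed sample rulebase; the rule fields and sample addresses are assumptions.

```python
# Added example: minimal shadowed-rule finder for an ordered, first-match
# firewall rulebase. Rule layout and sample rules are constructed for
# illustration, not taken from the talk or from any product.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # (low, high) destination port range, inclusive


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` already matches `earlier`."""
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    proto_ok = earlier.proto == "any" or earlier.proto == later.proto
    port_ok = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
    return src_ok and dst_ok and proto_ok and port_ok


def find_shadowed(rules):
    """Return [(shadowed, shadowed_by, conflicting_action)] for a first-match
    rulebase. A shadowed rule can never fire; when the actions differ, the
    earlier rule silently overrides what the later rule's owner intended."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break
    return findings


# Constructed sample rulebase (first match wins), showing the
# "rules only ever get added" pattern the talk describes.
RULES = [
    Rule("r1", "allow", "10.0.0.0/8",      "192.0.2.10/32",  "tcp", (443, 443)),
    Rule("r2", "allow", "10.1.0.0/16",     "192.0.2.10/32",  "tcp", (443, 443)),   # shadowed by r1
    Rule("r3", "deny",  "0.0.0.0/0",       "192.0.2.0/24",   "any", (0, 65535)),
    Rule("r4", "allow", "198.51.100.0/24", "192.0.2.20/32",  "tcp", (22, 22)),     # shadowed by r3, conflicting
    Rule("r5", "allow", "10.2.0.0/16",     "203.0.113.5/32", "udp", (53, 53)),     # reachable
]

if __name__ == "__main__":
    for name, by, conflict in find_shadowed(RULES):
        print(f"{name} is shadowed by {by}" + (" (conflicting action)" if conflict else ""))
```

The check only looks for a single earlier rule covering a later one; real tools also detect a later rule shadowed by the union of several earlier rules.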
That doesn't sound like security. And that's why I say your firewalls aren't doing anything. Think about getting rid of them. Cuz if your firewalls are doing something and you know what they're doing, that means you must know what's inside your network. Now I work for a company who have 130,000 users. I asked the question around to various people, including the people doing the network access control project.
I said, how many devices have we got inside the network? Various people said, oh, we've got 130,000 users. It must be, let's say 400,000 IP addresses. Somebody else said 600,000. Somebody else said, oh, 180,000. The network guy came closest.
He said, close to a million. I said, yep, bang on. In December we had 980,000 IP addresses. Everybody else said, where the hell are they? Or what are they doing? That's the point. Our portfolio management system registered 6,000 applications and 12,000 servers. That's what management thinks we have. So if you don't know what's on your network, what are you protecting? Do you even know everybody connecting to your network? I dunno about your enterprises, but how easy is it to walk into your campus and find a cable? So the vision: who, where's the data, who's looking at it, what's it doing?
If you want to deliver on that vision, you need to have goals. So I want to have an IAM system that knows the authenticity of my users and the actions that they are performing. I need to have security enforcement points that automatically and transparently manage the identity of the user and their access rights and enforces the policy for them. If I start thinking this way, I can now start thinking of what I need to do to remove those external firewalls. I'm now concentrating on the data and not the security of the network.
I'm now concentrating on identifying my users and what they're allowed to do, what they have done. And if I share this vision with my vendors, it gives them the ideas and the ability to go away and get their roadmaps for future developments to fit in with this. They may deliver, they may not deliver, but the benefit for them is they get a unique selling point five years down the line, when they come up with strategies to help deliver on something which is, it's not radical, it's not new, but people aren't talking about it.
Now the benefit for my customers, my users, is the transparency of what they do. Any time you put a security gateway in front of someone and they have to do something to get past it, they hate you. Now I dunno about you, but I more or less log in for remote access to my networks at similar times, a few days a week. Why do I need to authenticate? Why do I even need to tell my laptop this is what I wanna do? I should just open it up. It should go through and say, oh, it's you again, come in.
Now, if my CFO creates a new payee and performs an approval of a payment to that payee, they do this, you know, 20, 30 times a week, usually in the million dollar range, that's fine. But if he's doing this and he's doing it from a mobile device in a beach cafe, maybe I wanna recheck that it really is him and he really wants to do this. That's where having a vision moves on to having all the little gaps identified. And that's where the assessment comes in: your gap analysis. Where's your vision gonna take you? What have you got in place? How are you gonna get the funding?
So you may very well be able to do this by yourself, and you'll probably be hitting the mark a hundred percent of the time; you'll know everything you've got and everything you want and everything that's missing. The problem is your management is gonna want a second opinion.
Now, whether it's a big accountancy consultancy or a big IT services firm or KuppingerCole, as an example, they still wanna have an external validation. And whoever comes in, they're gonna bring two people, usually a techie and somebody who speaks management.
If you're gonna be paying for these people, it's really worthwhile to ask them the right question to find out if they really know what they're talking about. Dunno how many I've come across that don't. So ask your techie a simple question: can you tell me how different next generation firewalls handle the identification of users?
The Fortinet guys, the Palo Alto guys, they'll usually sit there and go, oh, well, we just pick up the AD credentials. So quiz them, find out if they know what they're talking about before you hire them. Your management person, are they actually listening to you? That's a really good criterion for whether you want that person to be doing your assessment or not. So once you get them, you're ready to go into the next step, which is to do your capability roadmap. So here's an example from IAM: just sit down, list a whole load of capabilities, assess yourself, and with them, what's in place.
What's partially in place. What's not in place. This is a diagram you can show your managers, because they will be able to look and immediately see, oh yeah, okay, that's what I'm missing, that's what I've got. And it works the same for your infrastructure security.
This allows you to put into place where the location is of your security enforcement point and what it is your security control is. And whether you have it in place, whether you don't have it in place.
Now, this is what I took for my identity access management project some years back. But the one slide that they loved was the capability maturity index, which took different aspects of identity access management, showed where we were today, where best in class was and where I want to get to. But most importantly, it showed them where our competitors were.
Now, if you think about security, for me the single purpose of security is not to make myself totally secure. The purpose of security for me is to make me less likely to have a data breach than my competitor. I just have to be harder to hack than my competitor down, you know, the next IP address down the range. That's all I'm worried about. And showing them this, that our competitor was further ahead than we were, got buy-in: 25 billion spent over five years. They bought it. They haven't delivered on that 25 billion, of course, cause we get budget cuts every year. So I'll conclude.
If that's my goal, here's a very simple phase one strategy. My office wireless LAN network, run by Swisscom. I don't care. My laptops are on the internet anyway most of the time. Public network, straight into an enforcement point, not necessarily a firewall. I just wanna make sure that the bad stuff isn't coming through; don't care where it's going to, just stop the bad stuff inside the network. That's where I want my enforcement points. I wanna have my printer zone. If you're thinking, why am I choosing printers? If you wanna run a denial of service on your entire network, do a vigorous Nessus scan of all your printers. I can guarantee you, you will not have any paper and you will not have any network connectivity until you've turned them all off. And on the 980,000 IP addresses, guess what? We have several thousand badge readers on every door. That's what accounts for them. Those are running Linux. We never thought about the security of them when we put them in. So it's all about where you put your enforcement point, where is your security, if you take it away from the internet gateways.
How to reach this vision? Management wants to see a roadmap.
They wanna see what you're gonna deliver when, how long it's gonna take, because they don't wanna have surprises four years down the line, when you say, by the way, I need to do an identity management solution.
They say, but we paid for that three years ago. Yeah, you only paid half of it. Conclusion: I haven't mentioned it at all, but if you wanna be secure, the first thing you need to do is to have a good security team of people running your operations, looking at your logs, monitoring all activity. If you don't have that, you haven't got security. You can have all the security controls, all the security devices you want in the world, and my company usually has most of them, but until we got the security operations center going, we didn't know what was going on.
Know who your users are, know what they're allowed to access, know what they are accessing, know what they're trying to access and should not be accessing, and monitor it. Trust only the devices you know and control. That's not the same as giving a managed device to all the people, but just know what it is they've got when they're accessing; during runtime, analyze it, make sure it's up to date with all the patches you want, remediate it. This allows you to do bring your own device, bring your own mobile, because you stop worrying about that.
You supplied it for them, so it's got all of your controls on. You just wanna make sure it's got the right controls. Give up protecting the entire network. You're never gonna do it. Examine the ingress and egress of all your data. Data is where your intellectual property is. And the availability of access: those printers, that's gonna deny you access. Maybe it's actually cheaper to go back to having directly attached printers instead of network ones. And protect what needs protecting, nothing else. Thank you.
I wasn't expecting you to stop so sharp, just because I was,
I ran out of things to say.
I liked the idea of replacing. I mean, I've been advocating that firewalls are useless just to move people to think about the data for years. And I liked your sentence, putting that into a positive meaning, namely to ask the question where to put the enforcement, and this slide with the different enforcement points is very good. I think it's a very good instrument for making that transparent. One question I have, though, is you said in one of the slides your vision is that the data knows which users are going to access it, blah, blah, blah, what the context is and so on. What's your vision on how this is going to happen?
I'm not a programmer. I have no idea. I think if you take a radical vision, give it to, and I've given it to the vendors and said, make that happen. Let them think about it. I don't need to have the solution. I need to make people think of the solution.
That's fair. That's fair. That's a management perspective, by the way. And last question: you've been educating us on which success factors exist when you want to have the budget and the approval for a project. What are the success factors once you've got it approved and you need to execute it? Are there specifics in that area you would like to share as well?
No, that's project management. I'm not a very good project manager. I have the ideas and I put things in place and I make sure they're going along the right lines. Having a good project manager makes all the difference to success and failure of a project.
And it's down to the KPIs you want. And KPIs are very, very hard to come up with. I knew a guy, a risk manager, whose KPI was every single project running in this company must have a risk register. Every single project in that company had two items in the risk register, which were management buy-in and management support, and resource conflict, because that's what was given as the example. And I said, no, what I want for my KPI for risk management is how many issues and incidents come up that were not assessed as a risk beforehand. That's how you measure success with the right KPI.
Okay. That's a good answer. We will hear more about KPIs and metrics over the next days anyway, so, okay. It's very good. Thank you very much, Ravi. Again, thank you.