- discuss why standards are critical in the Zero Trust area
- provide an overview of the standards landscape around zero trust
- describe the benefits to user organizations as well as to suppliers of advancing standards in the area of Zero Trust
Good afternoon, everyone. I'm Jim H. I'm vice president of security and business development for The Open Group. I've been with The Open Group now for about 14 years. And I've seen the evolution of our work from early work that was done, that I'll touch on, in the Jericho Forum around de-perimeterization, maybe some of the origins of the thinking around zero trust, to work that we're doing now at this moment specifically on zero trust. Next slide please. So just a little bit about The Open Group. If you're not familiar with us, we're a global consortium, a standards organization.
We help industry to develop standards that help both customer organizations and vendor organizations to meet their business objectives through the development of open, vendor-neutral standards, as well as certification programs. We have over 740 member organizations spread around the world from all corners of the IT community. So customer organizations, suppliers, tool vendors, trainers, consultants, academics, and so forth.
I'll also mention that we're maybe best known historically for standards like Unix, as well as TOGAF. We have a Security Forum that is doing work specifically around information security topics, and currently has done a lot of work on the Open FAIR quantitative risk methodology and standard. And then we've also done a lot of work in recent years on better integrating security and risk in the TOGAF enterprise architecture methodology.
So next slide. The agenda is, I'll quickly step through why we think standards are critical in the area of zero trust, an overview of some of the zero trust standards work that's going on, and then we'll wrap up with, you know, some of the benefits to user organizations, as well as to suppliers, of advancing zero trust standards. Next slide. So the origins of zero trust: the Jericho Forum, if you're familiar with that, remember that when it was operating, it operated from roughly 2005 to 2014, they did a lot of the foundational work around: what does it mean for the perimeter security model to be breaking down?

They recognized early on that their organizations were asking them, and this was principally a group of chief information security officers from very large IT organizations, they recognized that their organizations were asking them to make the perimeter more permeable, to, you know, effectively poke holes in the perimeter security architecture to enable business with partners, with consultants, with contractors and so forth. And they really did some of what we think is the foundational work around: what does that mean to information security, to try and operate in that sort of way?

They also spent a lot of time thinking about data-centric security, which, if you really look at zero trust these days, you know, it's both about, you know, what happens to the networks, but also it's about, you know, wrapping security around the data, making it more data-centric. So early work in the Jericho Forum, we think, was foundational to what, you know, we're considering in the industry zero trust today.

The analyst firms started talking about zero trust in those terms in maybe 2010. Google was certainly influential in releasing the BeyondCorp papers that describe zero trust in their environment. And I think at this point, you'd have to say that, you know, the industry is rallying around the concept of zero trust and changing the security paradigm from, you know, keeping outsiders out and defining perimeters toward, you know, what we think of as zero trust today. Next slide.
So, you know, in terms of our view of things, you know, there's a growing consensus that zero trust architectures are really strategic for information security. Definitions and standards are starting to emerge, with the key characteristics of what gets described as zero trust being that it's asset-centric and data-centric, that it uses adaptive access control, that it's holistic across the full technology landscape at this point, and that there be continuous improvement applied to it.
I'll talk more about this later, but our Security Forum works very closely with NIST to coordinate the work that's coming out of the US National Institute of Standards around zero trust, as well as the work that we're doing inside of the Security Forum. Next slide. So a quick definition of zero trust: an information security approach that focuses on data and information security, including the life cycle, on any platform or network, with the implication being that we have to be able to operate and grow while continuously managing attacks and compromises. Next slide.
So why do we need zero trust? You know, these are six of the key reasons that we think inside of the Security Forum. Certainly we see changing business models and drivers from that. There are evolutions that are happening to the ecosystems in information security. There's certainly a changing technology landscape with, you know, the cloud and others and mobility, and just the implications of the pandemic the last two years really changing how we do business.
There are regulatory, geopolitical and cultural forces that come to bear and really help to drive zero trust; disruptive events, you know, like the pandemic; and then, you know, the shift to remote work and online learning. All of those really are things that we think drive the need to change from the previous security models to the zero trust model. Next slide.

You know, there's also a shift in the approach that needs to be taken, a strategic approach. For a very long time in information security, we've been reactive to threats, and zero trust really implies that we need to be more proactive. So thinking about things, you know, from a reactive standpoint, assuming that all attacks can be blocked at the firewall and perimeter; you know, flipping that to being proactive and assuming breach, assuming compromise may have already happened inside of our networks. On the reactive side, being reactive to business and IT changes; zero trust allows us to be perhaps more proactive in aligning to business and IT. On the reactive side, you know, trying to build better walls, better firewalls, better defenses; on the proactive side, think about reducing the threat space and the blast radius from a compromise. On the reactive side, thinking about, you know, a different box for each security problem, and then on the proactive side, thinking about an integrated approach that's woven into how the enterprise does business. And then on the reactive side, finally, you know, being network- and perimeter-centric, as opposed to on the proactive side, being data- and asset-centric. So really a different way of doing business, a different mindset towards how we apply and deploy security. Next slide please. So I'll talk a little bit about this. We have a couple of publications out there at this point from the Security Forum.
One is the Zero Trust Commandments, and this is kind of the short list of the commandments. The actual paper is, I want to say, 12 or 15 pages, but the commandments are intended to be aspirational, but also provide, you know, clear thinking and guardrails around zero trust. Hopefully they help create a shared vision and shared understanding of what it means to be a zero trust architecture and/or solution. So the first one is to validate trust explicitly.
So validating it using trust decisions, using, you know, all relevant information and telemetry that can be brought into the decision. The second one is enable modern working, so enable productivity and manage risk as the organization's capabilities, goals, and so on evolve. The third one is enable pervasive security, so security discipline needs to be integrated into the culture, norms and processes throughout the organization. The fourth one is secure assets by value.
So the thinking there is, you know, designing your security such that the controls can protect business assets appropriate to their business value and their expected risk. The fifth one is to implement asset-centric controls, so security controls that are tied to the actual assets. The next one is enable simple and sustainable security, so security controls that should be as simple as possible while doing what they need to do through the full life cycle of the asset.
The next one has been around in security for a long time: utilizing least privilege. Then improve continuously, so continuous improvement, and then finally make informed decisions, so security teams making informed decisions based on the best information that can be brought to bear. Next slide. So some of the differentiators that we see in zero trust: one is asset centricity, and that, you know, applies both to IT assets as well as OT and IoT assets.
Again, allowing for security to really be focused on the assets, be they data, apps, APIs, or systems. The next differentiator is adaptive access control, so agility and adaptability. And then finally data centricity, so reflecting the shift to protecting the data as well as the asset, as opposed to trying to lock down the perimeter. So next slide: some practical standards challenges. You know, I think as this has evolved, there really hasn't been a standard definition of what zero trust is.
And without an accepted standard definition, vendors have been known to kind of use and abuse the term within the market. So clearly, you know, that's a standards challenge, to come up with a standard definition of what comprises zero trust. Many organizations have bought into network-based security controls over history at the expense of planned security architecture, and zero trust really requires them to, you know, flip that mindset and change the way that they approach things. Zero trust policy expression is not standardized, hence the solutions tend to be custom at that level.
And there's a general lack of standards for the zero trust solution components, so making them interoperable and making policies portable and reusable are challenges. Next slide. So a quick overview of how zero trust standards work, or, pardon me, an overview of work in the zero trust standards area. Next slide.
So we think, you know, where there are standards opportunities are in doing things like creating standard frameworks and architectural models and zero trust guidance to bring clarity to what is and isn't zero trust architecture and how to architect for ZTA. Enabling a rich set of standard attributes that can be used in trust decisions is a standards opportunity, and then maybe coalescing some early standards interest and efforts to, you know, help drive an ecosystem of open and compatible zero trust components. So that could be algorithms.
It could be some of the components you see listed there, as well as reference implementations. Next slide. So I mentioned NIST has done some work. We work pretty closely with them. There are other efforts out there in this area: some work by the Cloud Security Alliance around software-defined perimeters that plays in, the IETF has some work going, and there are also some open source projects that are worth looking at that may factor into, you know, what we ultimately hope are open and interoperable zero trust solutions. Next slide. In terms of The Open Group's work in this area:
So I mentioned the Zero Trust Commandments, which is publicly available now. We actually started this work a couple of years ago with the Zero Trust Core Principles paper that you see here. Both of those publications are available via The Open Group's website. If you look for the library in the website and do a search on zero trust, both of those publications will pop up and are freely downloadable. And we're working on a zero trust reference model, which is expected to emerge over the next maybe 12, 12 months or so.
And I mentioned NIST; there's a link there to their National Cybersecurity Center of Excellence, where some of their zero trust work is happening. Next slide. So I'll wrap up just talking about some of the benefits to both sides of the industry, the suppliers as well as customer organizations. So let's just go to the next slide. Some general improvements that we think are offered by zero trust.
You know, the fact that the perimeters are granular can limit lateral movements within networks. You can limit these threat vectors. There's an assumption that networks are untrusted and that threats exist at all times. And that enables, really requires and necessitates, more robust controls in our networks. We think there's an improved employee experience by enabling mobile and cloud use, and the use of all the information that's available to us in security decision making enhances security. Next slide, and some other benefits.
You know, we think ZT really has the opportunity to make security architectures less brittle and maybe reduce entropy, or the tendency of security architectures to degrade in effectiveness over time. The ability, the opportunity, to minimize security technical debt over time, minimize lateral movement within networks, and really fundamentally a better model to address the changes and threats that we've seen over the last 10 years, as well as those that we're likely to see in the future.
And from a supplier standpoint, to the extent that we're able to drive interoperability standards among ZTA solutions, history shows us that standards can help provide a bigger market opportunity for suppliers that embrace standards. So hopefully that's a benefit over time as well.
I guess I'd like to end with a quote. This didn't make it into my presentation, but it's something that I saw just the other day. A fellow by the name of Jack Freund, who's VP and head of methodology at BitSight, offered up this quote: "I'd be willing to estimate that a relatively proficient threat actor leveraging a compromised endpoint to exfiltrate data or disable critical business services faces an additional 20 to 70% level of difficulty in achieving their goal, depending on how well configured and ubiquitous the ZTA is." Jack is someone that I have a lot of respect for.
He previously headed up risk management for a large financial services company, TIAA-CREF, in the United States. And he's the co-author of a book on the FAIR risk analysis methodology. And so he's someone who's used to thinking about quantitative risk measurement and the effect that security controls and security architecture can have on cybersecurity risk.
So I thought that quote was pretty telling, that someone with his background and his understanding of the impact of security controls on risk, you know, figures that there's maybe a 20 to 70% increased level of difficulty that's put on the attacker as a result of doing ZTA well. So I thought that would be a good thing to end my presentation on. And I'm happy to take any questions that y'all have.