Hello, good afternoon or good morning, depending a little bit on your time zone.
Yeah.
Hello,
Fine.
Perfect. So maybe we start with a short introduction round. I think that's the easiest way. And we start with Rhino.
Yeah. My name is Hernandez. I'm VP of Engineering at Keeper Security, located here in nice Northern California. My background is in telecommunications and IT security; I've been doing IT security pretty much for the last 30-some years, so I've seen quite a lot. Oh, just be careful, don't let me talk too much.
I'd rather tell you everything from the beginning to the end, so it could be a very daunting story.
Okay, great. So it's early for you in the morning.
Yes, it is.
Phillip next,
Hi everyone. Yeah, so NetFoundry: I look after business development and I'm interim head of marketing, and that's pretty much me.
And Victoria.
Oh, my name's Victoria. I'm the CSO and DPO for Coosto, and Coosto is the leading SaaS solution for content and social media marketing in the Netherlands.
Perfect. Thank you.
And again, to our audience: if you have any kind of questions to our panel attendees, or things that you think we should discuss, feel free to use the function on our KC Live platform. I will have a look frequently at your input and I will put it to our attendees. So let's start with the first question. Why is zero trust increasingly essential for securing access to enterprise applications today?
Phillip,
I think it's essential for a couple of reasons. Number one is that we are increasingly moving into a distributed world of applications. It's no longer that we have the intranet and we go into our offices and we're able to access those resources. We have the cloud, we have the edge, we have IoT, we have machine to cloud. We have all of these different applications, which are in different locations, and that has massively stretched the attack surface, which we've plunked on top of the public internet. And it's incredibly easy and low cost for malicious actors to orchestrate attacks.
Therefore zero trust gives us a framework and a set of principles that enables us to reduce that risk and enables us to continue distributing our applications, continue digital transformation, but make sure we can secure things in an easy way.
Perfect.
Victoria, your thoughts about that?
It's also pretty similar. Simply said, our world has kind of evolved. We've created one big super network with the internet, the cloud, the internet of things, our mobile devices. And we keep adding on top of that.
So having this kind of traditional network-centric architecture, where anything connected to it is then automatically trusted, I don't think is appropriate any longer.
I know you are nodding your head, you agree or anything to add from your end.
Yeah.
I mean, as we all know, the way everything evolved, from infrastructure, from user access, from application deployments, resource utilization, everything has fundamentally changed. And as I just said, I've been in this business for like 30-some odd years, and I've seen my share of everything.
So obviously the traditional perimeter-based approach was quite appropriate back then, but of course we had everything slowly moving out of the home, out of the internal network.
First we had the users, we had road warriors, we had our branch offices, remote locations, data centers; stuff moved into the data center. And this was all pretty controllable. We knew where all this stuff was.
We knew our resources, it was very well structured, and we could assess where everything is and we could secure it. We had everything secured by infrastructure security.
So VPN: we had dial-up VPNs for our road warriors, site-to-site VPN.
And everything was kind of secure, but then things kept falling apart. We had to open up the perimeter. We had to open up more ports in the firewalls. We had tunneling, TLS, all kinds of protocols tunneled through TLS, in and out of the network. And then we had people working from home, we had vendors, partners, suppliers; all those third-party relationships have been evolving over the years. And we really had to do interaction with everybody. It was just the normal business.
And with that, of course, we had to find ways to have more open communication. And then finally now the last straw: the enterprise applications have all now moved around. They've moved into the cloud, and now everybody is utilizing resources in the cloud. So resources are pretty much everywhere.
And we know it. I mean, everybody here and people in the audience can probably relate to that.
You have heard it in the recent past, where a vendor was telling you, "Oh, well, guess what, your old on-prem application is no longer supported. Guess what, it's cloud now." Or, should you be shopping for a new application,
it's just cloud; cloud is the only option. So all your applications are basically everywhere, and you have this mesh of communication: everything communicates with everything, back and forth.
And I mean, really assigning trust to such a meshed and distributed environment,
it's just crazy. You can't really do it. So what we see is a deviation from the old model. When I used to do IT security actively, it was basically trust but control.
And now it's really the opposite. It really reversed. Exactly.
It's like: do not trust anything, and just control.
Yeah, exactly. Perfect, Rhino. So this was really the overall answer.
I'm sorry,
As I said, be careful, you know, what you,
But it's also perfect. And over to the next question. So how do you define the goals and requirements for your zero trust strategy? What is essential, what is not, and also, how do we deal with the old stuff in our on-premise data centers? Maybe Victoria?
Well, I know in the end it still comes down to risk management, right? I mean, we first have to really understand what our business goals are, and we define how zero trust feeds into that. We don't do zero trust for the sake of doing zero trust. We want to deliver value in supporting our business goals.
And, oh, it feels like I'm kicking in an open door, but the easiest way to do that is to really identify and understand the cyber risks to those business goals, and how zero trust helps to mitigate those risks.
So look at your assets, your crown jewels, your business processes, and based on that, let it guide you to find what the biggest risks to your company are, where you can get the most value from implementing zero trust, and really define the achievable milestones to get there. It can really differ depending on where you are with your organization, how mature your information security is. Maybe you already are on the journey of zero trust, maybe you have to start from nowhere; it depends.
Yeah, absolutely. And this is what we heard in previous presentations today: a risk-based approach in the end, maybe defining policies and deciding based on the policy and the impact of potentially disallowed access, maybe adding a second factor or whatever, and putting that at the center of the zero trust strategy. Phillip, your thoughts about how you define the goals and requirements for a zero trust strategy?
I agree with what Victoria said. I think the most important thing is to ask the question: what are the critical applications? What are the critical processes? In fact, I'll take an example: Colonial Pipeline. Had they made it so that their applications which facilitated the pumping of their products to their end consumers, and the ability to bill their customers for it, could not be compromised by ransomware, even if ransomware got on the internal network, would they have had to shut off their systems anymore?
Maybe, maybe not, but you massively reduce the risk to those critical applications. So fundamentally it's looking at which systems are most important and then building a journey of how you go from the very immature to more mature and more automated as you go through that process.
Absolutely.
Rhino, anything to add from your end? Do you think the risk-based approach of protecting the most critical applications is the right one? Is there anything to add from your end?
Yeah, I think it becomes more critical than ever to assess your pool of resources. You have to have a clear understanding of where your resources are, what you are using, how you are using it. You also probably should consolidate your vendor relationships, and make sure you have fewer vendors with more integrated applications.
And everybody sort of has to contribute to this: from the vendor side, from the user side, from the customer side, it's really a joint effort. And definitely the trust relationship, in a sense, needs to be measured. So you now need to assign certain attributes to the level of trust that you're giving to everything you do,
and assure that you give access rights and access privileges based on what you can measure. So it becomes even more critical than ever to assess:
what am I giving access to, based on what parameters and what methodology?
Absolutely. What changes are required in enterprise IT environments to facilitate an effective zero trust implementation right now?
Yeah.
So I think there are multiple things, and I just kind of hinted at this: we are all part of the problem and we all have to be part of the solution. It's the end users, it's the customers, it's the vendors.
I mean, we as a vendor, I'll just say Keeper Security, because I know this very well: we implemented zero knowledge from the get-go, like 10 years ago. And it was like, wow.
Back then it was like, why are you doing that? And it's certainly somewhat of an inconvenience sometimes for customers, but now it's really one part of where we give customers assurance:
that, hey, at least you don't have to worry about where your data is, or whether somebody has access to your data.
So everybody's part of the problem. Everybody needs to be part of the solution.
So the architecture needs to be better.
Hardware vendors, software vendors, suppliers, partners, customers, end users: everybody needs to contribute. And of course we have multiple problems here. One, of course, is an economic issue, where a lot of customers have investments in their existing infrastructure.
And over time, of course, they need to consolidate, but then you also have cultural problems, where you have silos of organizations: you have the ops department, you have the IT department, you have the security department, and they often don't talk to each other. So there also needs to be a cultural shift where all these teams now have to collaborate. It's all about collaboration.
And in the end, one thing I'll just say at the end: I think every vendor really should see themselves as kind of a security company. If I develop something, I develop security first, and then my application second. I think everybody really needs to have that mindset of bringing security to the table, into the market, to the customer, and really be part of the solution.
I strongly feel that this is how it has to be.
Absolutely.
And I'm pretty sure, or I know from experience, that the newer or younger developers are really focused on doing so, but nevertheless, in organizations you still have the old staff in the cell and have to deal with this. This is something like a big problem.
Phillip, what do you think? What changes are required to enterprise IT environments?
I think there is a requirement to think of this as a cross-functional piece of work.
Siemens were very much talking about it earlier in terms of how it's not just the security team or a product team, but it's actually a company approach. And that means being able to identify the strategy in which we want to do it, but then also bringing together how we give benefits to every part of the organization.
Normally, security is a tug of war. If I want more security, I get less velocity and agility.
And then, vice versa, you've got the developers and the creators versus the people that are trying to reduce risk. If you're able to find a technology which enables both parties to get exactly what they want, because one party can close all inbound ports, they can massively reduce the attack surface because malicious external actors cannot get in, they can micro-segment, while the other team gets to work programmatically with APIs and not have to worry about constantly opening tickets to open firewall ports, et cetera, then everyone wins.
We're able to move fast and be secure, so that you can really drive it as a cross-company initiative to resolve the problems which effectively impact everyone.
Absolutely.
Victoria, what is your long-term vision for zero trust? And how can you measure progress towards achieving this vision?
Well, first of all, regarding the long-term vision, I do think the future is based on how the world is evolving, how technology is evolving, the possibilities, and how much more connected we are getting with each other. I think it's too old-school to just rely on, "Well, you're on the network,
you're good." We have to look way beyond the traditional things that we used to look for in the past. So I don't think there's a way back to before, if there even was a true before, in that sense. Regarding measuring progress, I would say just define your milestones and do things step by step. We have to keep iterating.
Anyway, there is no end to this journey. I mean, we are evolving, things are being added, technology has so many more possibilities, we become smarter in so many senses.
It's really just reiterating and reevaluating. You're not done once you have implemented this. So make sure that in your risk governance, whatever, when you bring in new assets, design your business processes, your vendors, or whatsoever, you include this in your risk management strategy.
And just make sure you keep track of that, and really reiterate and reevaluate.
Absolutely. And especially the presentation Siemens was sharing with us shared this idea of an iterative, they call it "wave", approach for how to proceed and be successful in a zero trust strategy. Rhino, what is your long-term vision on zero trust?
Yeah, I think it's really an iterative process, and it'll never end; it'll keep going on. And I think we also have to have some good frameworks that enterprises can use, some blueprints,
where they can implement a strategy that will prove successful in the end. And I think we have some good examples of that.
I mean, if you think about SASE from Gartner, secure access service edge, I think that is an interesting approach towards that goal. And ultimately it is that everybody has to look into a consolidated approach,
and look at your entire everything that deals with communication and data exchange. Basically you have to look holistically:
your devices, your infrastructure, your applications, your data, and you have to make sure that you hopefully can manage as much as possible from a single pane of control. But of course, that is, I think, a very optimistic vision, given the number and the complexity. But ultimately companies have to internalize the problem and really have to address it by reducing complexity, implementing processes that
iteratively assess all the parameters and measure health, and do continuous adaptation. It's a continuous process.
Absolutely. So Phillip, we are almost at the end of our session. It's incredible how fast the time is running. So you have the honor of answering this question as the last one. What is your long-term vision for zero trust?
Our long term vision.
In fact, I'll take an example. Over 10 years ago, when we wanted to access something on the internet, we did it completely unencrypted, and therefore we didn't use that many services. And then things like Let's Encrypt and HTTPS Everywhere came along, and it became easy to do encrypted communication from the browser.
Therefore we had an explosion of new services, and the reason that happened is because it was free and it was easy. And while we see this as an iterative approach, we believe there is a step change in the future where zero trust networking is pervasive. And the reason it's pervasive is because it's free and easy. We are working to drive that. And that's why we created OpenZiti, which underpins our platform, which is free and open source and enables us to apply zero trust networking principles to absolutely any use case, whether it's client to server, server to server, or machine to server.
So that zero trust principles can be applied to any use case, so that, as Rhino was saying earlier, a vendor can just say, "Hey, I'll put zero trust inside my application," so the enterprise doesn't have a problem and they consume it from me. That is the vision which we have and which we are looking to execute.
Perfect. So as stated, we are already at the end of this really cool panel discussion. Thank you very much, Victoria. Thank you very much, Phillip.
And thank you very much, Rhino, for participating and sharing your thoughts about best practices to get started with the journey towards zero trust. Thank you.
Yeah. Thank you for the chance to be here.