Good morning, everyone, nice to see you. This is the first track session. This one is where we'll be focusing more on the identity side of cybersecurity and also we'll be talking no doubt about Zero Trust.
Obviously, there's not so many of us, so I don't know if people want to interact while you're speaking. I know that you're an interactive kind of guy. So without further ado, let me introduce our first speaker, Sunil Yoo, from Nostic, who's the Chief AI Safety Officer and talking about rebuilding Zero Trust. I didn't know that we needed to rebuild it, but over to you.
All right, I appreciate the opportunity and yes, I definitely want to make this interactive. So I want to just start off with just a baseline because not everyone has the same definition of Zero Trust, but let me start with that perspective as to why we did this. So first of all, our digital ecosystem is rapidly changing, rapidly growing and such, and our old security model assumptions are flawed. There were three assumptions that we made.
One, we have a perimeter, you're inside the perimeter, you're considered trustworthy, whatever that means, and I'll talk about what that means. Second is that the perimeter itself is impenetrable and the third is that everything is inside this perimeter.
Of course, we all know that these assumptions are wrong. The perimeter is not impenetrable, that once you're inside, you're really not trustworthy because we should assume that the attacker's inside. And then lastly, our assets are now moving very quickly outside of our environment. So all the assumptions that we had around our architecture have been pretty much invalidated and thus we have to rethink what our boundaries are going to be. And what we've seen in the market is a lot of different solutions that have come out to basically try to tackle this.
And you've heard a lot of these terms before, and what I'm going to try to do is to give you a sense of how to think about all this in a very systematic way. And one of the tools that I use, a mental model that I created, is a mental model called the cyber defense matrix. And the cyber defense matrix is a really simple model. It consists of these two dimensions, things that I care about, devices, applications, networks, data, and users, and things that I do, identify, protect, detect, respond, recover.
Now, I use this model for a lot of things. One of the basic use cases I use it for is to just map vendors. So you saw all those vendors out there, they're selling stuff. You talk to them after a while, you're like, okay, what do they do? I don't remember. But I use this model to just kind of figure out where everything fits. So these are just various vendors.
Now, look very carefully. I'm going to now show you all the vendors that also use AI. Okay? Ready? Okay. Now I'm going to show you all the vendors that claim to do zero trust. Ready? Okay. All right. Okay.
So, in other words, it's like, okay, really, I mean, everyone's using AI, everyone's using zero trust. The first thing to really recognize is that neither AI nor zero trust are products, right? They're really a part of how we think about the problem space itself. And the reason this matrix is actually really useful for understanding the problem space is that it undergirds a pretty significant way of how we think in the U.S. about zero trust as well. And so I want to point out something that I shared back in 2016. So I first shared the cyber defense matrix in 2016.
And in 2016, I also had a slide that said, I'm not sure, there's this model that I have, I'm not sure where to put orchestration, analytics, or governance, risk and compliance. But in 2021, CISA, the U.S. agency for cybersecurity, created this zero trust maturity model. And if you noticed, it looks pretty much exactly like what I had in the cyber defense matrix. But there was one small change that's important to recognize. Let me go back and I'll show you what happened. So you see the word users, and the word users turns into the word identity, okay?
But this implies something that is, I think, a mistake, which is that only users have identity, right? That's the natural implication. But that's not really true. All asset classes have identity. And that's really the key point to make here. All assets have identity. The question is, how do we now want to use that identity? Okay?
Man, a lot of y'all missed the earlier joke. So I won't go, I don't have time. Okay. All right.
So now, if all assets have identity, how should we use that identity? So first of all, this is a session about zero trust. But actually, the session is not about trust. It's about transparency.
Now, there's this general view that we believe that trust and transparency are kind of the same. But what if they're actually not? What if they're actually almost opposites of each other? In other words, if you have a lot of transparency, you don't actually need trust.
In fact, if you have trust, if you need trust, it's because you lack transparency. And there's an author, Rachel Botsman, who wrote a book called Who Can You Trust? that really captures this concept pretty well. And I'm going to give you a real quick idea of what she talks about. So she talks about these trust leaps, these leaps that we need to make when we don't have enough transparency. So if you have a lot of identity information, if you have transparency around who you're interacting with, then that's the known space.
And what we do in security, what we have to do in business in general, not just in security, is we have to make these trust leaps to the unknown. To jump to the unknown, we need bad trust. Okay? And we oftentimes talk about, again, zero trust, but I don't actually think that's going to be feasible. We have to make trust decisions at some level. And when you have insufficient transparency and the lack of trust, you result in uncertainty. And when you're in uncertainty, business grinds to a halt. Okay?
So our concept of zero trust is actually, I think, a flawed concept, because there's no way that nothing will really fully operate if you operate truly with zero trust. The goal is to have as much transparency as possible so that the trust leap itself is as short as possible. Okay? So we want to extend this known space. And the way to do that is by having more of those identity attributes. Okay? The more identity attributes, the more that's known, you end up with a shorter trust leap. That gets us closer to zero trust, but never really zero. Okay? All right.
So hopefully you get the concept here. The goal here is not zero trust. The goal here is greater transparency. How do you get greater transparency?
Now, in my view, looking again, going back to the cyber defense matrix, I've mapped out a lot of those buzzwords that you saw earlier. You've seen all these buzzwords in the past around, like, how do I control access to these different resources? But I want to describe this model so it's clear what's happening here. So first of all, there's a function of identify. And then there's a function of protect. So protect is where we have these proxies that are asking for these transparency attributes, or these attributes for transparency.
In other words, hey, you want to gain access to an application. Well, I'm going to put a proxy in front of that application, and I need to have identity attributes from you to be able to get to grant you access to that resource. So that's the protect side of the equation. On the identify side of the equation, we have a whole bunch of resources to help manage those identities. But here's the key point again. Identity is more than just users. Identity includes information from devices, applications, networks, data, and, of course, users as well. You've heard the whole term non-human identity.
It's like saying, well, not users, but it's also not very clear what you mean by non-human identity. And what I'm trying to be here is very clear. It means all these other types of assets too. So with that in mind, here's how I look at the zero trust equation. So what we have now is we have on one side things that are trying to request access. So on the left are identities associated with devices, apps, networks, data, and users. On the right are things that we typically want access to. So our traditional network model looks something like this, where my network identity is an IP address.
I go through a VPN. I go access a resource. And once I access a resource, I have free rein inside of that entire environment. I no longer have to authenticate to another device or another application inside of that environment. This is the old way of thinking in our security architecture.
Now, we can try to improve upon this by saying, give me more identity, more identity attributes from my device or from a user, 2FA, whatever else it is. But once you get in, again, it's a squishy middle inside. So what we really want to do is to have this sort of micro-segmented perimeter, to be able to have more trust boundaries between each of these different elements. And instead of a VPN, we put an access proxy, a network-based access proxy. So what we call zero trust network access is really about controlling access to the network, right?
Versus, let's say, zero trust application access, which is controlling access to the application. Same concept, but now towards a different resource. And in terms of what type of transparency we're asking for, we're asking for transparency from some subset of these different resources. When you access an application, you're accessing the application from a device, but you're also accessing it from an application, another application that's on your system. You're also accessing it from some network. You're also transmitting some kind of data. And of course, you're doing something, right?
So there's opportunities to get attributes from all these things. But we have to strike a balance, because that can be pretty onerous. And I'll show you a little later what that looks like. But depending upon what type of resource you're trying to gain access to, you may want more attributes to get that transparency, okay? The goal here is, again, more transparency requires less trust, a shorter trust leap into the unknown. And we have to deal with the unknown, because that's how business works.
So anyway, the whole idea of all these different buzzwords that you saw at the very beginning, how do they map into zero trust? It's basically providing those sort of access proxies and asking for attributes from these other resources that you see here. And here's one more zero trust device access, and you can kind of see how that all works, too.
Basically, again, accessing the device. So at the end of the day, when we think about if I were to apply this to the nth degree, it would look something like this, okay? And this kind of gets crazy, right? This probably looks unimaginably complicated and hard and onerous, and that's actually very correct.
It is, okay? And there's a lot of different types of attributes, and there's all these different ways to proxy or request those attributes. So on one side, again, on the identity side, you have all these attributes that you can consume. On the protect side, you have all these different gateways or proxies that you can put in place.
Again, the key point I want to leave behind is just this notion that the perimeter is more than just so, you know, you've heard the term identity is the new perimeter. Guess what? Identity has always been the perimeter. But we've thought about the network identity as the main perimeter.
Right now, we're thinking the user identity is the main perimeter. My perspective here is all these are identities. All these give us opportunities to create a perimeter.
Now, again, my question I mentioned earlier is should we take advantage of all these? And the answer is no, because that's just way too cumbersome. So the question is how much is good enough, okay? And the way that I've thought about this is I want to create these zero trust policies, but it's really not about zero trust. It's about what is the acceptable level of transparency that I need from these different assets?
So I can go from a scale, and this is a really simple scale, but on the left, if I have a zero, meaning I don't really need any attribute from these things, it could be any device for all I care, or any software, or any network. For certain use cases, I may want to move this scale and say I want a greater level of transparency. I want more attributes from these resources.
And, you know, from anything, no attributes, to give me DNA samples, okay? We have a sort of way to be able to say give me more transparency. Know that the cost for getting this transparency is much higher as you go up, okay? So the relative cost to implement, I will put it on orders of magnitude. It's much harder to get to each next stage.
And so the cost for implementing this can be pretty enormous, which is why we need to take the whole notion of a risk-managed approach to say, given different types of use cases, you may want to have different levels of transparency that's needed, okay? So for example, when I was at Bank of America, we used to not care that much if people just wanted to check their balance, okay? If they wanted to move money, now we needed more transparency.
But different use cases, again, had different levels of required transparency, which means, again, different amounts of identity. And, again, the identity is coming from all these different types of assets. All right? Okay. So let's see.
Oh, and the notion of transparency is really a function of how many attributes can I get? What's the strength of each attribute? And how well can I verify that? How well is that bound to the entity? And then also what is the past behavior of that entity itself? So the combination of all this really adds to greater transparency. But having, like, a level two transparency is, again, 10 times more expensive than a level one transparency, which is 10 times more expensive than a level zero transparency.
For each of the different types of use cases, you need to pick the right level of transparency that you need. Again, this is why, I hope this makes sense, this is why I'm not calling it zero trust. I'm calling it about how do you increase transparency in your environment? And the way to do that is through capturing identities from all these different types of assets. All right. So just to summarize. Okay.
So, again, transparency helps us get closer to zero trust. We cannot operate in a zero trust environment. True zero trust is not possible. It's not feasible. We still need to make those trust leaps. We need to be able to jump into the unknown. But we want that trust leap to be as short as possible.
And so, ultimately, our goal is basically: how do we gather just enough transparency that we need to be able to make that trust leap as short as possible, within the context of what the business really cares about and the risk tolerance that they have. So with that, any questions? Any questions? Some of y'all missed the original slides, which I thought was kind of cool, but I can't go back easily. Yes?

Perfect approach when it comes to transparency.
Now, talking about secure access, secure edge, all the products that you have in the slide. So what's your advice for a large enterprise?
I mean, what are the quick wins, high impact use cases that you have to attack first for getting the products landscape?

Yeah. So first of all, the whole notion of secure access service edge, SASE.
To me, the whole boundary, all the different types of solutions around creating a secure access edge, is what all these solutions are about. In terms of what type of assets do I want to put that boundary around, it would be those things that people, well, I mean, it's really your high value assets to some degree, but those typically would be like your email, your email provider, your email service itself.
But then if you, when I was at Bank of America, one of the things that we did was we tried to figure out what type of assets did we actually want to create that boundary around that didn't have the boundary. And that ended up being some of our fairly critical systems that we didn't want to make it even reachable to an attacker if they were inside of our network. So the way that I would describe, and this is not easy, but the way I would describe it is we tried to create that boundary around those things that were a lot more fragile because we couldn't assume that nobody was in the network.
Therefore, we create the boundary and that allows us to then segment it off. Was that your question? Okay. Yeah. So most critical assets and/or the most exposed assets. And email tends to fit both of those categories.

Thanks for your question. One more question.

You were talking about devices. Oh, sorry. You were talking about devices, applications, and networks to get control, which are things we can control if we want to grant access or not.
Well, if you go back in history, control started with controlling networks because it was just handy and we had firewalls and we could control IP addresses and ports. That was easy. And then the infrastructure grew and we were able to have proxies and gateways and whatever we could pull up the stack on, take control on the application or device level or something like that. Maybe it would be a wise idea to put device, application and network together because we don't know what kind of control we will be able to control tomorrow.
If we just pull it together into something we'll call environment, the client's environment or the user's environment, where the access is made from. Because there could be also, let's say, a timeframe or a date which will influence access or not. And it will be neither device nor application nor data nor network. Just for example, so maybe the model should be put on a more abstract level.
Yeah, the comment was, should we collapse some of these different types of asset classes? I would actually suggest not. And the reason why is because when we say the word cyber, what do we mean by cyber? Are we talking about network security? Are we talking about endpoint security? Are we talking about application security? Are we talking about information security? So my answer is no, we're talking about all these different types of assets. And if we collapse them, then sometimes we forget that it involves those things.
Oh yeah, there could be other types of classes. The main goal of this was to make sure that people understood not to be overwhelmed with having to do all these things, but rather to understand that you have optionality. We have optionality, and the goal is not to turn everything up; it's way too expensive to do fives for all this. This is actually a real example, where for a really, really, really critical database, we made it really, really hard to get into. We wanted attributes from all these things, okay?
But it's also very expensive to implement and you can't scale this at any level, okay? There's way too much friction to get into this, but that's what we want for something really sensitive.
Okay, so we're going to have to, but please, I'm sure you two could have a discussion much more in depth. Thanks for your question and also you, sir.
Thank you, Sunil. Also, don't go anywhere, because we have a panel debate about Zero Trust straight after this next session.