You're talking about securing the cloud and hybrid environments. So little different title than cybersecurity architectures in the hybrid world. But at the end of the day, we'll, we'll, we'll have a talk here for standing on both sides of this desk, because then we, we can face the camera as well over there. Okay.
And, and, and it goes through some of the points. And I, I made a couple of notes over the, the past, the past 30 minutes on, on things I, I feel are very worth to discuss. And as I've said, just jump in, if you, if you have other questions, other topics here, and, and I think it all starts with in your model.
And, and I think this is a nice model. You, you brought up here and it also goes into something we had yesterday in a panel. And in a and later on in a, in a presentation, which was about authenticity and integrity, for instance of data you receive in sort of security analytics. So it's the data really real data, or is it fake data? So the attackers at the end might, might, might send you fake data where your AI feels, oh, this is something I, I really should look at it. Isn't.
And in my, my presentation I talked about is need to understand what we have in assets, what we have in systems and actors in the broadest sense. And, and so, so from a practical approach, how do we get there? How do we get to a situation where we know first, which actors, the other side assets we have, and which of the actors are good and which are bad because saying, okay, we need to distinguish this is, is the one part, but how do we do we more practically? Yeah. But say the person as a actor, we are quite well doing well in identity and access management.
There are many tools around, even the cloud provider. We got those protocols, which are widely used some to might connect. And we got the older protocols, which we can use on the legacy systems. I think we are doing a quite good job in identifying persons and we can apply multifactor authentication. We are doing more and more password. This that we are the right way. I would say, it's We also have a lot of stuff popping up in, in, we call it fraud reduction intelligence platforms. Yeah.
The interesting thing is I remember I've been talking with the CEO of a company that became later on acquired by CA Technologies, which do this fraud stuff. And they mainly did it and still do it mainly for the financial services where it's quite common. When you have a credit card transaction, it might happen that they ask you for additional information because it's a little out of range and stuff like that.
But Becca, this is probably 15 years ago. If, if this is yeah, probably around, about 15 years ago, I had this conversation that I even think, I believe I even wrote a blog post and this, that we should extend this technology into everything. And right now we see this happening. So my colleague tr brought recently a leadership on this flip market fraud reduction intelligence platform. I think we have really a lot of technologies, which helps us to, to use a lot of sensors, a lot of information to understand, is this more risky or less risky interaction?
So is this actor currently a good actor, or is there something we should be concerned about? Yeah, we, we are getting better at analyzing unusual situations and detecting unusual situations. The machine learning and AI and ki technologies are helping us a lot instead of static white and blacklisting. Yeah. But there's still a lot of things to do.
I mean, it's, it's quite complex. If, if you got online banking, you've got only a few transactions which are exposed to the customers and you're doing a lot of stuff to apply a zero trust model in online banking, but regarding a, a office environment, try to rethink about all those transactions or interactions a usual office worker will have in an office environment with the different service. How should something detect while he is doing regular action? Or this is somehow an irregular action.
It's, it's quite difficult. Yeah.
And, and it's also, I think, difficult, and this means we, we can't do it just as security. Yeah. It is something we need to do with the business. Because I think we noticed from the, the credit card side of things and financial fraud, there's always an impact on the, on the customer or on the user or on the system on the, on the, the, the service. If you just say, oh, risky, I block it. That can be the right action. Right. Can be the wrong action. We as security, I believe can't judge on that. We can enable the business to define the policies on how to react on what we can guide them.
And clearly there's also this aside of the, sort of the active security people. There's the governance piece part.
There, there, there are the, the regulations internal, external, which say in that case, you must react that way, for instance. But, but I think this is very important that we not just see it as a security problem, but at the end, it's, it's, it's a business problem because there's always an impact on when we say block this, then yeah. Do that. And this impact might be bigger or, or it might be lesser depending on what is done. So sometimes we can just hide things. We probably can, in many cases, just hide elements of, of a website, which we feel are, are a little bit more critical.
And the user doesn't really see much of that. What is happening in the, in the endocrin so to speak. But if you say, okay, you, unfortunately, we need to stop the communication in your OT environment for a while. Then you probably will get very quickly a call from your CEO. Yeah.
Or from, or, or if you stopped power transmission. Yeah. If you stop power transmission, we got some phone calls, which are worse. Yeah. Yeah. Just a remark: when we had Payment Service Directive 2, which tells the banks that mandatory, they have to open up their back office for payment service providers. Yeah. To do financial transactions, get the data out, do the availability of funds checks. So it's not a customer at your backdoor. It's the server of PayPal at your backdoor. Yep.
And you lose all the endpoints parameter information that you would use in the fraud engine to detect who is at your door. So you lose a lot of this sensor information because it's not a person, but it's coming through and it's, it's very easy to, to yeah. To be a fraud and That, and if you, if you go for it, not only applies for financial transaction or financial sectors, if you go to the API-driven economy where you're selling APIs or offering APIs.
So you're not, the customer is not directly a person using a web browser or an application or whatever, but the customer is another machine, another service, which is calling services, you are offering where API that's this, where we come up to the subject of lifecycle of machines or lifecycle of services, lifecycle of APIs, which is a huge problem, which is completely neglected.
I mean, how many vendors here did offer you something, what you would call, ah, an API lifecycle management or, and life cycle management for machines or whatever, or protection in this area Are, you know, I think we, we need to be aware. We still, in many, many areas, we still think too much and a human is doing something. And this is just a small share in of the reality, because in the most cases, it are services. It are things in our devices.
And, and so, so the world is way, way more complex. And there are a lot of things also done. So to speak where we just don't really know anymore, which service are. And if you're honest, it's not really new. So I'm an old Active Directory guy. And when you looked at, at whatever, the Active Directory, after a while you found out there are so many service accounts and that are doing something and, and most of them are not even needed anymore because the application for long has been retired and stuff like that.
So this, this, this problem isn't new, but it's way, way, way bigger these days, if you look at how an AWS environment or an Azure or Google Cloud Platform, infrastructure as a service environment is treated, oh, and you will find accounts where the domain admin for your Active Directory is really a small issue because there things are sometimes way worse, even as it's commonly implemented. But I want to pick up in the interest of time, maybe also another theme, which is you had your, your, your closing slide or slide ahead of the closing slide.
And on the also earlier, which was around, there are many scenarios. Yeah. And you need specialized tools. On the other hand, we have this too many tools thing, which, which means we always have a sort of a dichotomy here. Yeah.
Between, between this, there are specialized solutions and, and there are unique for certain things, but you, you, you must not go over the top, which is something, as I've said, I I'm, I'm someone who, who doesn't believe, and we should have always a new, separate solution. This is happening always when, when something new, when we see, okay, there's this machine identity problem, then I get as an Analyst, oh, we have solved this machine identity problem. We have solved this, whatever serverless computing on AWS. Yeah. And then we'll end up with a new tool. Yeah.
And there are many tools and, and which is good because you can't start innovation by saying, I built the next, super big tool. It evolves, but I think that's the point we should have my perspective. And our thinking is we should understand what is our, our challenge and what is our big picture. And I still see too, too few big pictures in, in the sense of how do we, do we address this? How does our world look like, what are the common elements? Like I always emphasize in policy based automation. Yes.
For instance, as, as something which, which some, and assets and building sort of the glue around that. And, and then say then on the other hand saying, okay, what do we have? What still delivers to that? What we need in the future, what doesn't deliver anymore? I think we need to get better also in retiring tools, which is challenging in security. If you retire tool and something happens, it's, you're potentially in trouble. So you need to have a good, good answer on that and say, okay, there are other things we need to invest because it helps us mitigating more risk.
We can spend our money better and we we'll never have my, my common example. They want to have heard most talks about of me. Talks of me know it. We will never have a 100% security. The limit of cost is infinite for security going towards 100. And I always hint on the movie Illuminati, which shows, yes, there is 100% security when the eyeball is lying on the floor for the Iris scanner. So you always can overcome and the usual ways, blackmailing and stuff like that.
So don't, don't think about 100, think about risk mitigation, but what is your perspective? So I, I have my view. Maybe you have, From an architectural point of view, I would say we can see, I see two art. I see two architectural approaches which could work. The one is you reducing your demands and what you want to do. And you go for one big system, which fulfills all your needs, but you will obviously reduce the, all the diversity and things you can integrate.
I mean, you probably cut off some public cloud services. You probably cut off some OT systems, and then you got a more homogeneous IT system. And then you can go for reducing tools or having one big tool, which is doing most of the work. The other idea is, as we can see in the identity management, there has been a very good approach for standardization.
I mean, if you, today, almost everyone, every tool knows some two ID connect. And so we can interconnect those systems. We can centralize. We have even, we can have multiple identity providers and put them together because they can work together. We got standardization. Maybe we should get standardization for policy definitions. We should get the more standardization for exchange of tickets, alarming systems and so on. And maybe then we can interconnect those things if you want to have interconnection, but the bigger the thing gets, the more expensive it gets, probably.
But, but I think you hit hit point. We need standards. We need interoperability to get better.
I think, as I said, Open Policy Agent, more focused on the sort of the dev world of policies, but still going into a direction where, where there seems to be something which is more around the standard, the modern standard happening. But there other areas I remember at our first European Identity Conference, which was back in 2007, I believe if I remember right.
I, I tried to get a couple of vendors working on exchange information about identity related risks and, and so access governance related risk, stuff like that in a standardized manner I failed, but, and we still don't have it really. And, and we need, we need more things around that. That's where I also would fully agree. We need this interoperability. And that's, by the way, also, the thing, for instance, when I look at the SASE. Matthias will talk about SASE.
And in a few minutes, I don't want like one vendor lock-in with SASE, which means we need a lot of interoperability between all these elements. If you go down that path, there are so many components, like the CA piece, the next generation, the application GA gateways and all that stuff.
And, and the consults you have and the, the so solutions and whatever is in, and, and this must not be a vendor monolithic approach. It must be something.
If, if you go down the path, if you have the use case, it must be for my perspective, something build on standards and interoperability. But, but I, yeah, sometimes might be a little cynical on that also from, from a perspective of, from a perspective of clearly winners want to the vendors like lock-in. Sure. That's the point. And then by the way, it's not, not necessarily bad. I think you, you, you just need to understand. I opt for a lock-in. The funny thing is I currently have conversations with, with a range of companies.
And then there are discussions about Azure Active Directory, and then they say, oh, should we go for Active, Azure Active Directory? And the, and then I say, you know, the decisions already made. If you go for Microsoft 365, then you have made a decision. The problem is most organizations haven't made clear. The impact. One is impact of deciding for Microsoft 365.
It, for instance means from an access management perspective that you always will have Azure AD plus something maybe, or only Azure AD, but you will never have something without Azure AD. And so I think there are a lot of things happening around that, and we need to be clearer just about what, what does it mean? That's easier when we have a broader perspective on the, the other thing I, I, I thought about when I heard you around this was talking about these challenges and all the tools that is something we, we think a lot.
And, and I, I brought it into my team over the past couple of weeks, several times. I think we, we, we need to go and Matthias will do it by the way around SASE. So we need to think from use cases.
So, and, and sometimes it also helps building the bigger picture by not trying to build a big picture, I believe, but by, by starting with use cases. So if you zero trust architecture, how to so build your zero trust architecture organization, no, don't do it, not that way.
So do it, but not that way, say, okay, zero trust. I define the principles. And then I say, okay, what does zero trust mean for work from home? What does zero trust mean for my edge computing? What does zero trust mean for that?
And that, and then you bring it together and you look, where does it overlap? Where can you optimize? Where can you reuse? Where can you minimize? What is the glue? What are the common elements and where do you need specifics? And I think that belief that I believe this helps us in, in, in reducing the complexity of too many tools, my thinking, yeah, I, I think it will do.
And if you regard zero trust, for example, I would say, okay, if you're applying zero trust to a home office scenarios, or when does the user allow to log in or not, you may say, okay, I already have this fully integrated Microsoft Office environment, and there's this, I got a license for Conditional Access and whatever. And then you can very easily define policies and rules and apply a zero trust model.
But it's just for the actor, your employee, the interaction, which means office interaction and the services you want to access is the whole office collaboration environment it's might be quite large, but it's only for this part. If you have production environments, if you have operational IT, you want to also want to have an access policy based on a zero trust model, but then you've got to take completely different look at it because your operational technology won't be able to participate in Azure Active Directory or Conditional Access or whatever.
And you don't have classical clients which are connecting. You've got some obscure protocols, obscure client software, something which is very, very old fashioned legacy. And you've got to find a model for this. So we'll probably end up with some kind of jump host, proxy technology, so-called ACAP technologies or whatever, PIM or PAM solutions or a combination of that. So you have a, quite a tool set to secure this area. And even if you want to apply zero trust model, but maybe if it's worth, because if your business is producing something, it's your business model you are protecting. Yeah.
But you also will probably learn a little bit about when you overlay these, these different use cases. What, what are the things that, that are really the, the common elements and, and what are maybe also things you might use for, for instance, OT, which you have in other areas. So take privileged access management solutions or, or take even good old, boring enterprise single sign on. Yeah.
So, so you, you still have way too many in many of the production environments, you have still too many computers, which are just open, someone walks over there and says, oh, I need PL in. And that's it. Yeah. Sometimes even PL in that's the point.
And, and we have this fast users which works in hospital for nurses, doctors. So why shouldn't that work in a production environment? If it works, when it's about death or life, clearly you can do a lot of things and you can learn things. We have one question from the online audience here, which was also about integrating the business and understanding what a business means and the comment, or, and in some way, it's also a little bit of a question somewhere in between. This sounds very much like shift left of IT security IoC.
So the indicators of compromise into business transactions on business assets. So actually the comment, this is the core idea of enterprise service management driven by smart agents like AI or smart contracts.
And, and I think there there's a there's my perspective would be there's a, doesn't really well, very well point behind that, that we, that we need to, to, to understand also can use a lot from enterprise service management for automating, for saying, this is what we really want to do in the business. Yeah. I think there's just, there was in the past, there were several approaches to, to this problem.
Enterprise service management was one of the, the older one was what, which was called IT system management is what was more based on infrastructure, but it was IBM Tivoli and all those very large suites, which don't much, which are outdated, completely audited. We got enterprise service management and some people put up in API management, which was kind of enterprise service manage at ultralight, but, well, Yeah, They're promising things, but it didn't work out completely.
It's, it's just only solving partly a problem. And it's just another tool which is solving a part of the problems. Yeah.
But, but it's, I think it's about the alignment. When you go back to this and we need to understand what it means for the business. I think we need to, to get better in the alignment on one hand, what, what is really to think the business wants from it and what is the impact and, and aligning that better. I think there's, I would agree. We still at a very early stage, so have a little only few minutes left. So you brought up one other point, which was the micro segmentation. Yep.
So, so when I talk with customers about zero trust, I quite frequently get this question about network segmentation. Do we need to do network segmentation for zero trust? And I wanted to get your opinion.
So, so there might be the tendencies, oh, micro segmentation. That sounds very much like network micro segmentation. So how do you, it, that I have my Opinion.
Oh, that's, that's very, very good question. It depends. If you have a legacy, if you have a leg on premises data center, which is full of legacy equipment and legacy IT, you'll probably go for some kind of network segmentation because there's no other thing you have to, it's the smallest Equipment you can create. It's the smallest and easiest segment you can create and you already have firewalls and why you shouldn't use them.
I mean, it's like any door is better than no door. I mean, so if we have firewalls, if we have a network, which is completely under our control, why shouldn't we segment put it into segments? And if we want to take something out, we can block IP addresses. It's very nice. And even if you go in the more difficult areas of pro production environments in OT, often network segmentation is the only way to segment things that or air gapping, if it's possible, which is a very hard kind of network segmentation.
Yes, it's the hard. But if you, if you have to arrange yourself, or if you have to put cybersecurity in a legacy environment, in an old environment, you somehow have to stick with the old models because there are only your old methods, the old tools and the old fashioned perimeter, and that's the way to do it there. But the main MIS, if you go, then you rent cloud services, you run private cloud services. Maybe you can fit them somehow in there. So building an SD-WAN or building a VPN or something like that, the SASE macro segment. Yeah. SASE macro segmentation. Yeah.
But if you, if you are entering the world of the public cloud services, and I would regard an Office 365 S and partly public cloud service, whatever you we've been told, but it has some very strong public aspects in it. Well, then you've got to be really careful because then you're mixing two secure cybersecurity paradigms, which are opposite. The one is saying we're building a wall maybe around smaller segments, and we are controlling the border, which is crossing the segments. And the other thing is more or less, we are hardening the services itself and we don't care.
Do, do we do not care anymore about any network segmentation? We even can't do network segmentation.
We it's, everything is public IP addresses. Those IP addresses shift around, in some ranges you can't control, you can't get control or hold of the DNS entries. It's just Mo moving target. You can't catch it that way. So you can't apply for segmentation over there. It's just impossible. Yeah.
So, so at the end, we are back to the use case. Yep. In some way. And by the way, also very clear firewalls have a value because they filter so much noise without a firewall, regardless of how you think in segments at the end, it's, it's one of these elements that filter the noise. But I think the point is in today's world, we have so many different use cases, and we need to understand what fits to which, and I think you brought this, or you made this very, very clear in your use case driven presentation in your sketches factually.
So we're already at the end of the time of this talk, at least for, for me 30 minutes passing very, very quickly, hopefully for you as well here in the room and online. Ellen, thank you very much for taking the time and, and for, for all your thoughts and insights, I think they're very valuable and I just can hint back to the use case scenarios, your sketchbook from the earlier presentation. I hope this was as insightful to you as it was to me. So thank you very much again. Thank you. Bye bye.