Let's start right ahead, because we've got quite a complex subject: cyber security architecture in a hybrid world. And first thing, who am I? My name is Richard. I'm an engineer from the university of Costco, and I have been working for more than 20 years in different positions in IT security and so on. Right now I'm chief architect of organizational identity management, which is IAM more or less, at EnBW. EnBW is one of the four largest energy providers in Germany. And further on, I'm a lecturer in IAM at Lue University of Applied Science and Arts.
Well, I'm not going too much into the content of the sketch group, but I'll stick with a more or less practical approach in cyber security architecture, because it's getting more and more complex. And I think we need to have some models to get an overview of this complexity. So we'll have a look at IT security, but we will not only stick to IT security. I'll also take a look at OT security in production environments, cloud security, and so on.
We take a look from the basics of cyber security, classical perimeter security, to air-gap models and zero trust in a hybrid world, which means we take a look from isolation to integration. And we'll close with some tops and flops in practical cyber security, but this is my own opinion, so you can follow me or not, that's up to you. So we'll just start. As you can see, I'm an engineer, so I brought a sketchbook, and we'll start right ahead with sketch number one, introducing a basic cyber security model.
In the first place, you should find actors, interactions and services. An actor can be a person, but it also can be a service. This actor has some interaction with any cyber device, which can be a system, a service, a machine, a computer, a program or application, any kind of resource. And these all can act also as actors. So find actors, interactions and services, then we define a boundary of the cyber system you are looking at. A system can be made out of one piece. It can be made out of multiple parts. It could be a cloud service.
It could be a multi-cloud service, where several services are tied together and offering some service together. And of course it can be a completely mixed and hybrid environment. So put some cloud services and some on-premises services together and have a system which is fulfilling something useful in your company. So the subject here is to find a technically and organizationally definable system boundary. Organizationally means you can find someone who says he's responsible for this system, and the purpose is well known, what the system is for.
And technically means you've got some technical parts, assets and things on which you can tie a technical system boundary. If you have a situation where sometimes one person is responsible and sometimes another, and no one is absolutely clear about the system boundary, you will run into problems defining policies which should apply to the system.
And then you will go and distinguish good and bad actors and interactions. We have here those two good actors, good interaction that is wanted. And in red color, I marked everything which was unwanted. It could be that a good actor is doing an unwanted interaction. It could be that you have malicious bad actors which are pretending to do good actions. You can have bad actors doing good or bad actions.
And also you should include wanted and unwanted conditions of the environment, which means this person might be in his home office, which should be okay, but he might also be in an internet cafe, which you regard as an unwanted environment, and you wouldn't let him do his work there. So if you have all this, the basic cyber security model is quite easy to define regarding a cyber system: allow only good actors doing good actions under wanted environmental conditions. You only have to think about how to do this, but we need to analyze, define and control several things.
So the green one here is the one we want, and everything else should stay out. The main problem is to distinguish this. So we'll take a short history of cyber security. We'll start in the very distant past where we had something which nowadays we would call security by obscurity. The main idea is: nobody knows about my system, so it is safe. We had very few experts, very first steps with interconnections, and most of the things were isolated at universities or somewhere. And the boundaries didn't really exist.
They were based on expert-only knowledge or complete isolation. Then, already there, we had some occurrences of bad interaction. And regarding our BCS model, this security by obscurity, well, it's bad in the definition of the cyber system, it's bad in the definition of what is a good actor.
It didn't even define any actors. It is bad in defining good actions and wanted conditions; we didn't even think about it. So overall, the security by obscurity model is a very poor approach. And of course this approach is still a poor approach. So we had some reactions to this situation. The first one is: we should control access via network perimeter security. It was one of the first ideas. The next one: control access via authentication and authorization, which is also a very good idea. That one was more focused on the system boundary, this one is more focused on people or interaction.
And we also had reaction C, controls on the system itself, like hardening the system or not exposing so much of the system. Okay. We'll take these three main ideas. That takes us to the period of perimeter security, which was the main idea of cyber security from the past till today. It's still a very common idea and it shapes our thinking of security till today, and it probably will shape our thinking a little further on. So reaction A was control access via network. Main idea: check for a secure network location.
So we define some areas inside. This is good, everything which is inside, and we define everything else as outside, and outside is bad. That's quite easy to define. And it is network based. We got network-based boundary definitions, IP addresses and ports and network addresses and protocol types to distinguish actor and action. But it's a funny idea.
I mean, it's a network address. It would be like, if you are living where you are living, so you're living in Berlin, and I would say, okay, if he's living in Berlin, he's a good guy. And where are you living? Yeah, anyone in Bonn? Okay, and I'll say, okay, Bonn, it's out of the discussion. It's about location. That's not really a good idea to do it like that. Okay.
So what happens is the bad guy is hiding behind good-looking traffic, and he can easily enter this boundary. And we had a reaction A2, we had enhancements. So we placed more intelligent and specific cyber security tools to go for deeper and better inspection. We got email gateways which control emails, but they only control emails and not the other stuff. We got web proxies with content control, but they control only the web. And that's the point where those many security tools started.
They are very specialized, and each time we got another problem here, our answer would be another specialized security tool to filter that traffic. And we are using some smart security tool here to help us to enforce our perimeter. Okay. Let's look at our basic cyber security model.
Well, the boundary of the cyber system has quite good definitions. We got inside, we got outside. Yeah. Somehow we can distinguish good actors. Somehow we'll be getting better in defining good actions. And we'll somehow be getting better in defining wanted conditions. But it's mainly based on a lot of tools and the intelligence and the complexity we are placing in here. Of course it's not perfect.
Well, as long as you can be sure that everything is staying at its place, in this case in our network, and you have some up-to-date enhancements in place, well, perimeter security is not that bad. We've got to face it. So reaction number B, what I would call AAA security, control access via authentication and authorization, is the next idea in the past, which is still going on till today and which won't leave us till tomorrow. I think it's more or less the control of the question: who is allowed to access what?
So it's focused on the people. That means identification, authentication, authorization of actors, mainly people. In the first steps we were decentralized with local user management, and later centralized identity and access management and all those IAM, identity management systems and so on. There are a lot of things and a lot of tools around. Yeah. The main problem, of course: the bad guys hiding behind stolen identities. Of course. And so we got reaction B1, enhancements.
We put in multifactor authentication, single sign-on, better IAM, so to make it more difficult for him to get a stolen identity. And reaction B2 is we are doing some combination with other security approaches. So maybe we can look at the person and its device or something like that and open up the boundary or not. If you look at the basic cyber security model, the cyber system boundary is well defined. We are very strong in defining good actors, as long as we're doing all these things here.
Well, the actions are somehow controlled, but not really. And the wanted conditions, it depends a little bit on how much combination with other security approaches you're doing, something like conditional access or something like that. So the main focus of IAM is the personal actor, an important but not complete approach for cyber security. It has to be combined with other measures. It's just one building block. So reaction C, controls and measures on the system itself, meaning reducing our attack surface or blocking our attack surface. It's the old things.
Closing known vulnerabilities, keeping every part up to date, reducing the systems to bare necessities, hardening of the systems, including some more smart security tools, applying application-level controls on the system, whatever. And always depending on how much work and money you want to spend, you can do a lot of things. And if you're looking at the BCS model: very good definition of the cyber system, says mostly nothing about good actors. It depends on the things you're doing here to determine good action from bad action.
And it also doesn't do much about wanted conditions, or not hugely. So the quality of cyber security depends on the implementation of security on the system, since all of the authority and information to process a request is on the system itself. It's the most powerful point to control, but it's also the weakest.
And we got one thing which is really bad. Not all systems are able to do the necessary control work. If you go to production environments or operational technology, you'll usually find systems which are not able to run any agents because their computing power is too weak. They don't have enough memory, and they can't be slowed down in the environment they're working in. And that's quite a problem. So we've got a building block of a cyber security model which we can't apply to a really important area, or which we can only apply partly to a really important area.
So what was the next thing? From today, back into the future: in the present, we got distributed and hybrid environments, which means the situation is as follows. We got remote access. Everything in IT goes web services, cloud services and processes of digitalization. So cyber systems are spreading out: more traffic, more business needs for distributed environments. And what is happening is this: our inside and outside get partly mixed, then they get completely mixed, good and bad interaction become more and more similar.
So everything somehow overlaps, and the perimeter becomes more complex, up to being undefinable, because we got so many exceptions and things we've got to do here. It's not so easy to control there anymore. So reaction number one, expansion of the inside, that is the private cloud model. It's the idea that, well, our perimeter security is pretty good in defining what is inside, what is good. So we are putting up some SD-WAN or some VPNs to include our remote access, or centralized data centers, or cloud services, somehow private cloud.
So it means the extension of the perimeter to remote access scenarios or to private cloud scenarios. Yeah. So we got the advantages of a working perimeter. We can use all those tools, and we got the modern world of decentralization. In this model the network gets some virtual overlays, SD-WAN, VPNs or whatever, but it's still playing an important role in defining boundaries. That's the green line. It gets quite a bit more complex, but there is a system boundary, from self-defined VPNs up to redirecting all traffic using virtual macro perimeters through cloud providers.
What I would call SASE, secure access service edge, is more or less a macro perimeter, but it's all more or less the same idea: put a boundary around the whole thing, even if the boundary is spanning all over the internet, which is quite easy. So if you're looking at the basic cyber security model, well, we got a cyber system.
Yes, we've got one. It's kind of AOV, but we got one. Good actors, bad actors, good action, bad action, wanted conditions: it's more or less the perimeter security model. We didn't change much in there. What we did is reconstitute our perimeter on a wide scale, a macro perimeter. It might be difficult to find suitable smart security tools, at least for the parts which are on premises. As we've seen, for the more modern parts we can have security as a service or whatever. There might be tools out there.
Well, but somehow some would say it's a vendor lock-in if you're using a SASE solution. But I would say it's a lock-in to private networking, because there are all those nice public cloud services, and in fact you can't include them because you're somehow in a private lock-in. And that's not really what business wants. But if you don't have many public cloud services and you don't have any need for that, it might be okay, but it is somehow a lock-in.
So there's another development for distributed and hybrid environments. I would call it arrangement with the outside, or micro perimeters. We got our private extension here. And then we say, up to some degree, the acceptance of the outside is not so bad. We started with this very early. The first part where we accepted the outside as not so bad: we can allow interaction with the internet because it's useful. So we allowed our employees to go to the internet. Can anybody remember that this was forbidden for some time, some years ago, or that they were not allowed to send emails to the outside?
And now we allow the internet usage and we allow them to send emails. Okay.
So we put in here something to try to control the content, with a proxy or something like that. Then we allowed these private extensions and somehow the acceptance of bring your own device, which means stronger authentication methods, adding some extra controls and security techniques on the end user device, combining them with IAM, maybe some conditional access. And then at least we somehow accept the existence of public cloud and that it will be quite useful for our business.
So that's the point where we've got to go for more modern security concepts like micro perimeters, zero trust security models. I can't go deep diving into those models because time wouldn't allow it. But if we look at this security model in this situation, well, the definition of the cyber system can be good, can be so-so, because we got all these parts which are quite hard to control: which part is still good, which part do we want to belong to our cyber system? We got a good definition of good actors, as long as we are doing the IAM thing.
Good actions is still a difficult point: whether an interaction within a cloud service is a good action or not. But if we go into something like IAM and conditional access, we can be pretty good in detecting wanted conditions. This approach is the most complex and most invasive approach, because we have these kinds of interactions and we somehow have to control them. And there are not so many smart tools out there which will easily help us. So now we take a look at the really difficult spots for cyber security.
So does anyone in here have a production environment, OT environment or something like that? The operational IT. Well then, in fact, in here we got IT, and it's used for controlling some production device or whatever. And the cyber system is interconnected through the network for controlling the production system.
Of course, otherwise it couldn't control the production system. And the situation in here is: the technology is still in the age of early perimeter security or even before. And that's the situation we have today. We are facing it. And the main security model in this area is still isolation. And the isolation gets penetrated through business demands for interconnectivity. First of all, interconnectivity with the IT to share data, to do whatever, production on demand.
And on the second part, there are also wishes for interconnection with cloud services. And cyber security in this place is really difficult, because we got a lack of hardware performance. Usually you can't just put an antivirus software agent or an intrusion detection agent on one of these devices, because they are just too slow or they're not supported. And also in these environments you have to have compliance with regulations on production environments, for safety reasons.
You have to put up something which is non-retroactive, which means you're just not allowed to put in classical IT security. It's just forbidden. Maybe your contractor, the company who is selling these devices, is telling you: if you do manipulation on those devices, and I regard any patch, software update or additional software you try to put in here as a manipulation, I won't guarantee anything for your production environment. And that is a situation we are facing today. It's not a yesterday's situation. The other part which is a really difficult spot, of course, is legacy IT.
We've got our on-premises data center, which is full of legacy IT, and this is running our business, mainly. I mean, unless you are a startup and you're completely cloud based. And the technology is still in the age of perimeter security, we've got to face it.
It's not one day, hop, and everything is cloud. No, it's not. And network security is overgrown by interactions over the years. That means all those policies we've got in place since 20 years. There's a lot of interaction in 20 years which was needed, and that's how our policies look like. So legacy systems tend to have an extensive attack surface, and they're really not designed for interconnectivity with public environments, because their design is about 10 years old, 15 years old, and then the internet was something quite exotic.
So another difficult spot for cyber security are cloud services. I would call the cloud service as it is, whatever you rent in the cloud, from the cloud provider: SaaS, PaaS, whatever he's offering. He got two kinds of customers. He got a startup-like customer who wants to access everything fast. And he got a customer who somehow has the opinion of running Fort Knox. And so the cloud service provider has to design his cloud service for serving a wide range of customers. And he still has to look at his budget and his money, so he can run a business case on that.
So he probably won't build two kinds of cloud services. So we somehow have mixed security demands up there. And the technology comes as it is. As it is can mean it's better than what you have, but it can mean it's less than what you want. It depends. And what you always have is a public back door, like an admin portal or a public-only service or something like that. This cloud provider has to sell and to manage his cloud service. And this guy here says: I don't have VPNs. I don't have private networks. I run everything over the internet.
So I want to access my administrative portal over the internet. And this guy, he says: I want to run everything closed, like Fort Knox, on a private cloud. But somehow they're meeting somewhere in the same data center, and whoever is running this data center has the same problem as you have in your own data center: he has to look at the cost, and whatever he's multiplying, it'll multiply his costs. So what we can see is this model is absolutely not compatible with perimeter security, and functionality is the primary selling feature, not security in most cases.
So putting it all together regarding our basic security model. Regarding a cyber system here, we need, if we have on-premises IT, OT systems, public cloud services, private cloud services, or whatever will come next, to define system boundaries. So any kind of segmentation is good which you can apply. It can even split a cloud into two halves. And we've got to combine perimeter and micro perimeters and create small risk-based sections. So we have our cyber systems. Then we are taking a look at the good actors.
We need a high-quality IAM system capable of serving all demands, which means we've got to serve those legacy systems and all the old protocols, Kerberos won't go away, and we've got to serve all the modern protocols for the public and private cloud providers. And it should work risk based, grant access on a risk basis, which means the zero trust model should be applied to all of these.
And if you've got a situation where you can't integrate a system because it's just too old, you go for jump hosts, proxies or similar technologies for those systems which can't participate, which you usually find in OT environments, but which you can also sometimes find in cloud environments if they're not supporting your special needs. So then we go for good actions and environment. So we apply smart security tools, helping to enforce sections and boundaries. Check for suitable technologies, not one size fits all.
I don't believe in that, because something which works fine in our legacy system won't work in our OT environment, and for cloud you need something completely different. And combine them together with IAM for enhanced access management.
Yeah, so you will have the very old-fashioned security model, an old-fashioned security model and the modern ones. So my tops and flops in cyber security architecture, it's my very personal view.
Well, there are many business cases where you have to accept any device. If your cyber security is based mainly on end user device security, you will run into trouble, because you can't go for every business case. So if you have too much focus on the end user device, that's a flop. I think you should go for a complete approach. On-premises IT and legacy systems, operational technology, production environments, infrastructure-level private cloud and application-level public cloud services have different capabilities and requirements.
Cyber security architecture must be suitable to do a combination of several approaches. There is not one model that fits all approaches, and you've always got to go for several models, which will end up in several tools, of course. So the next flop is interaction of machines. Interaction of machines can do as much harm as a person. Machines do need a proper identity management life cycle as much as people do. If you neglect them, you will run into problems.
And yeah, the next flop is cyber security as an external add-on. Cyber security as an add-on or something built on top is better than no security at all, of course, but it will never be as effective as being an integral part. So go for security as an integral part.
And ah, that's one of my favorites, formal security only. There's so much regulation out there, and cyber systems can't be secured by doing paperwork only. An attacker won't bother reading a formal security concept. He will simply attack your real system, and you should keep that in mind.
I mean, usually you can't run an OT system or whatever without formal paperwork. Okay. But the formal paperwork won't protect your real physics. So we need applied security. And one of the main flops is lack of ops. We already had it. If you're missing staff, the experts who know how to run the system, you run into problems. If you don't have the experts, it won't work. So, final words, summary: the introduced basic cyber security model may help to design and review cyber security architectures in a practical manner. And conclusions.
Reality needs a mix of different cyber security architectures. There's not one size fits all. Just as we can't have one architectural approach for all kinds of buildings, we can't have one for all kinds of cyber security. So you can't build a garage and an office building with the same architecture. It just doesn't work.
And all the cyber security architectures, as they can be found in legacy on-premises or OT systems, need matching cyber security. And cloud services, especially public ones, need more modern security approaches. And good cyber security architecture is achieved by clever combinations. So that's it. Any questions?
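The basic cyber security model from the talk (a defined system boundary, good actors, good actions, wanted conditions), its three reactions A/B/C and the "putting it all together" part, as an added Python illustration that is not part of the speaker's material: the same requests are judged by a perimeter-only lens, an AAA-only lens and a combined zero-trust style lens that also respects an OT system's inability to run its own controls. All systems, actors, address ranges and rules are constructed.

```python
"""Toy decision engine for the basic cyber security (BCS) model from the talk:
allow only good actors doing good actions under wanted environmental
conditions, inside a defined system boundary.  Added illustration, not the
speaker's material; every name, address and rule below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NETS = [ip_network("10.0.0.0/8")]   # constructed "inside" range (Reaction A)
JUMP_HOST = "10.0.5.20"                    # constructed jump host in front of OT gear


@dataclass
class Request:
    actor: str            # identity the requester claims
    authenticated: bool   # identity accepted by the IAM system (e.g. password)
    mfa: bool             # second factor also presented
    src_ip: str
    action: str           # "read", "write", "admin", ...
    device_managed: bool  # company-controlled end user device
    location: str         # "office", "home", "internet_cafe", ...


@dataclass
class CyberSystem:
    name: str
    owner: str                      # organizational boundary: a responsible person
    allowed_actions: dict           # actor -> set of good actions (technical boundary)
    can_run_controls: bool = True   # False for OT gear that cannot run agents/patches
    wanted_locations: frozenset = frozenset({"office", "home"})


def perimeter_only(system: CyberSystem, req: Request) -> bool:
    """Reaction A: inside is good, outside is bad. Looks at network location only."""
    return any(ip_address(req.src_ip) in net for net in INSIDE_NETS)


def aaa_only(system: CyberSystem, req: Request) -> bool:
    """Reaction B: who may do what. Ignores device, location and system capability."""
    return req.authenticated and req.action in system.allowed_actions.get(req.actor, set())


def combined(system: CyberSystem, req: Request) -> tuple[bool, list[str]]:
    """Zero-trust style combination: good actor AND good action AND wanted conditions,
    with the system's own control capability (Reaction C) folded in. Network location
    is not a grant here; it only matters for the OT jump host rule."""
    reasons = []
    if not (req.authenticated and req.mfa):
        reasons.append("actor not strongly authenticated")
    if req.action not in system.allowed_actions.get(req.actor, set()):
        reasons.append("action not permitted for this actor")
    if req.location not in system.wanted_locations:
        reasons.append(f"unwanted environment: {req.location}")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if not system.can_run_controls and req.src_ip != JUMP_HOST:
        reasons.append("system cannot enforce controls itself; use the jump host")
    return (not reasons, reasons)


# Constructed systems: a legacy on-premises ERP and a production PLC.
ERP = CyberSystem("erp-legacy", owner="finance", allowed_actions={"alice": {"read", "write"}})
PLC = CyberSystem("plc-line-1", owner="production",
                  allowed_actions={"ot_operator": {"read", "write"}},
                  can_run_controls=False, wanted_locations=frozenset({"office"}))

# Constructed requests covering the failure modes named in the talk.
SCENARIOS = {
    "employee_at_home":  (ERP, Request("alice", True, True, "203.0.113.7", "read", True, "home")),
    "spoofed_inside_ip": (ERP, Request("mallory", False, False, "10.1.2.3", "admin", False, "internet_cafe")),
    "stolen_password":   (ERP, Request("alice", True, False, "198.51.100.9", "read", False, "internet_cafe")),
    "ot_direct":         (PLC, Request("ot_operator", True, True, "10.0.9.9", "write", True, "office")),
    "ot_via_jump_host":  (PLC, Request("ot_operator", True, True, JUMP_HOST, "write", True, "office")),
}


def evaluate_all() -> dict:
    """Run every scenario through the three lenses; returns {name: {lens: decision}}."""
    results = {}
    for name, (system, req) in SCENARIOS.items():
        ok, reasons = combined(system, req)
        results[name] = {"perimeter": perimeter_only(system, req),
                         "aaa": aaa_only(system, req),
                         "combined": ok, "reasons": reasons}
    return results


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:18} perimeter={verdict['perimeter']!s:5} aaa={verdict['aaa']!s:5} "
              f"combined={verdict['combined']!s:5} {'; '.join(verdict['reasons'])}")
```

The perimeter lens admits the spoofed inside address and the AAA lens admits the stolen password, while the combined lens rejects both and only lets the OT operator in through the jump host.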