Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. My guest, again, as we are continuing a series of episodes around the topic of Zero Trust, is Charlene Spasic. She is a Senior Advisor with KuppingerCole Analysts. Hi, Charlie, good to have you back.
Hi, Matthias. Thanks for having me again.
Great to have you. And before we dig into this topic, we want to continue our conversation about identities for Zero Trust. Maybe a bit about yourself. You joined KuppingerCole more than half a year ago. So you've been to our larger event, the cyberevolution in Frankfurt. You have talked to lots of our customers. Since you are an advisor, you are getting into contact with our end user organizations. What was most striking for you when you joined KuppingerCole? What is different? What is fun? What do you enjoy in being with us? Of course, don't tell the stuff that you're not enjoying.
Yeah, so for me it was a big step since before joining KuppingerCole, where we are more focused on, let's say, the advisory side of things, I was working on the enterprise side. So I am now looking back from the perspective of our customers, handling day-to-day business and the typical issues, challenges that you face on the customer side. So when joining, I think this gave me a good understanding of what exactly the customers might need and what challenges they are facing. And what I enjoy most about working here is, of course, the people. We have a great team. I'm very happy with how things are managed, handled, and also how we work together as a team. And also one of the main benefits I see working at KuppingerCole is that we have a great overview of the market, we know different vendors, we know different products, we have a great community, it's great for exchange and for learning. So when we work in identity, I have been doing this since around 2016/17 or something. I'm still learning. There's always something new. Technology is evolving. Processes are evolving. There are new regulations coming to the market. So there's always something new to look at. And the job here really gives me the opportunity to do so because this is what really drives the customers and what's really interesting to me.
Yeah, exactly. I can really agree. I've been doing that a bit longer than since 2016. So don't ask. So before the 2000s. And I'm still learning every day because this is really an evolving market and emerging market just right now, when we talk about decentralized identity, which we do not do here, but we do at EIC. But these are topics that are really interesting and change the game for identity and access management. And it has been changing over the last 30 years. And I think the change you are seeing with all the different types of customers that we are dealing with as well. When you said you were on the enterprise side, yes, this was your organization, you being a customer in one industry with one organization, but we are happily dealing with many organizations and many industries. I think that's part of the fun as well.
Exactly, it is.
Right, so now let's jump back into the Zero Trust topic. We started last time when we talked about what does identity mean for Zero Trust? What can identities contribute to Zero Trust? And why is it so important that we have strong and reliable and well authenticated and continually authenticated identities? On the other hand, that really sounds like a lot of work just for Zero Trust which might be a bit overwhelming just to say, although we are improving security, but in the end, is all this work that we're doing for Zero Trust with strong identities also reusable in other areas? And that is what we want to focus on right now. So securing digital identities, does that have any other positive effects that can justify the work that we're doing outside of the direct cybersecurity?
Yeah, of course it does. So when we think about what we do within the cybersecurity space, at the end of the day, how I like to put it is that we are trying to manage or mitigate risks. So that's not the only purpose because cybersecurity has its purpose of being there, but the management of risks is really crucial, at least from my point of view. There are different measures to manage risks. So there can be technical measures, like implementing a new technology. There can be organizational measures, defining a process. And on the other side, we also have regulatory requirements that organizations need to comply with. So it's not like a self-fulfilling activity that we are doing here. But we are also... Organizations also have to comply with regulations. And this is also, from my point of view, a main driver of Zero Trust.
Absolutely. And if you look at these upcoming regulations that all these organizations are currently fighting with, be it NIS2 for everybody who is more or less in a critical infrastructure space, if we look at DORA for all these financial organizations, all these regulatory requirements or directives or laws or frameworks demand a strong entitlement model, a strong authorization model, but also strong identities and strong processes, especially when it comes to privileged access. So all that we are doing here right now and ensuring that there is a proper cybersecurity in place as part of Zero Trust, that is also something that needs to be ticked off for these requirements. So the work that we are doing has at least dual use, if not more than just two. So we looked at risk, we looked at regulatory compliance or regulatory requirements to fulfill. What other aspects come to your mind when we say, okay, let's make these identities stronger, more reliable, make them a foundation of our cybersecurity.
So another aspect where Zero Trust benefits organizations outside of direct cybersecurity is, on the one side, regulation that we talked about already. And then we also have business continuity and resilience. This means that organizations have to think about what they will do in case of a security breach or a security incident. And they need to think about how to handle it when these things occur. This can be done by implementing robust access controls that verify the trustworthiness of users and devices, so organizations can better protect their more critical assets instead of focusing on the overall attack surface.
So kind of risk-based data protection to improve organizational resilience, even when it comes to threats that you did not already plan for because they are new. So the principles that we are implementing with Zero Trust, they are designed to even deal with incidents with threats that are not yet foreseeable, but nevertheless, they will come up and reducing, as you said, the blast radius that really helps in improving the resilience. We've talked a lot about you and me as users having an identity, thus using accounts, thus using a device, thus using then an application and data. If we skip out or if we leave out the carbon-based life form in the middle, so the person, the Charlie, the Matthias, does Zero Trust also apply in other contexts? Think IoT.
Yeah, it does. So Zero Trust does not only focus on users, physical people, but also on devices. And when we think about IoT, we think about a network of physical objects, or let's say, things, that are connected with each other and maybe communicating with each other. So this could also lead to new threats that might be exploited and Zero Trust has this holistic approach that it does not only look at a certain type of identity or a certain type of user or a certain type of device, but it looks at the overall sum of what we have within the organization, whether it be users, devices, data, apps, etc.
Last time we talked about the lifecycle management as one of the key enablers for allowing for these reliable, stable and trustworthy identities. We've mentioned the optional additional output of these measures that we are taking for regulatory requirements when it comes to a risk-based approach, risk management in general. You said it applies also for IoT. But there's still a lot of work to be done. We've mentioned that before. What are the cost implications of adopting such a comprehensive Zero Trust strategy, at least when it comes to the identity management part? Does this add another level of cost or would that be there anyway?
Yeah, I wouldn't say that it necessarily adds additional costs, because when you think about Zero Trust and where to start, it's like this huge, huge strategy that needs to be implemented in different steps and different measures that we can take. But there are some, let's say, basic hygiene factors that organizations should do anyways, which is, have proper authentication, have proper access controls. So there is some basic work that needs to be done. I wouldn't say that it's a major cost driver since, like I said, it's also basic work that needs to be done. And also when we consider what value it creates within the organization, then the cost is really manageable.
Right. And I would even answer the question in the opposite direction. The importance of identities has grown over time and using them for Zero Trust is actually an additional benefit because we need to do it anyway. But when we do it, when we have proper lifecycle processes, when we implement a huge amount of oversight into managed identities, when we apply proper governance, when we make sure that the principle of least privilege is well implemented and by restricting access to really only these access rights that are required to fulfill a business purpose, then we can use that for Zero Trust. And we need to do that. And we've learned that at the beginning of this episode, anyways, because of DORA, because of NIS2, because of compliance requirements. And even if you're not regulated, you want to make sure that your identities are stable anyway. The Zero Trust aspect for me is actually an add-on to the effort that you need to do anyway, because strong identities, reliable identities are there anyway. Is it for free? No, it is not. That's a lot of work to be done, but it needs to be done for many purposes, including Zero Trust, but not for Zero Trust alone and then having to justify that. An important question, which of course is an important part now that we are in 2024 and it's the hype topic: How important is AI, automated systems, artificial intelligence, machine learning for Zero Trust? Where do we see that? Where do you see it in your daily work?
Yeah. So I would say that AI generally starts to gain more importance within like the technology, whether it be Zero Trust, whether it be talking about identities or whether it be talking about threat detection tools, but still I'm convinced. I mean, AI gives some great benefit, but I'm still convinced that we need the people and we need like the basic groundwork, the understanding of the business. And there are some things that maybe AI can't really answer, which is the business context. So let's say we think about vulnerabilities and threats. They give some room for interpretation. So the business context also needs to be considered to see if this is really something that should happen or should not. But the part where it could really give some great benefit is the analysis. Because when we think about Zero Trust, we have many, many signals, a lot of data that needs to be analyzed. And AI could really help there with the data analysis, with giving recommendations on what to do, maybe pointing out some things that might be suspicious, which will then be handed over to an analyst to take a closer look at it. And still, what I found also very interesting about Zero Trust and which might still be a bit of a misconception is that it's not like a software or a tool that will just be installed and then it's there and then it's ready. But there are many, many different things that need to be considered. So it's more seen as a strategy and not a tool that we can install on the system and then it's like done for us.
Exactly. So when we're saying we're talking about identities as part of the Zero Trust strategy, that exactly illustrates what you just said. No matter which IGA system you're using, no matter how you have implemented your lifecycle processes, the outcome of this is something that directly feeds into your Zero Trust strategy and then into strong authentication, authorization, and everything that's down the line from there, governance, compliance, resilience, etc. So we're getting close to the end of this episode and to this two part series of talking about identity in the context of Zero Trust and looking at it from a practitioner's point of view, which you are, which I pretend to be as well. So when we look into the future, are there any challenges, future directions for Zero Trust that you expect for say the next half year, two years, five years and for Zero Trust as a universal security strategy?
Yeah, so I think one of the challenges that I see is that we have to face legacy systems that might not be able to be, let's say, demised easily. So they have to be considered and we have to think about how to make them fit into the Zero Trust strategy that we are driving. When you think about authentication and the continuous authentication that means that we need systems that can do it. Are the legacy systems able to handle these, let's say, requirements? So this is really something that might be challenging to organizations and it also gives some additional complexity since we have to look at many signals that have to be analyzed. So yeah, there are still some challenges that customers will have to face. So, but still, I think that Zero Trust is a concept that will stay there for the next years, actually. We also see that the DOD, the Department of Defense, really gives this recommendation to go towards a Zero Trust model. So the relevance is there and I guess it will still be there in the future.
I fully agree. I love this concept of Zero Trust. If you look at it on 10 slides and it's presented well, it feels really like the next generation cybersecurity. But when it comes to the real world, we come back to legacy systems. There are still mainframes. There is still RACF. There are still "old" traditional SAP systems that are built on premises. R3. It's still around. Having Zero Trust interoperate with that, collaborate with that, integrate with that and power such systems, I think that's still one of the challenges. And if you say Zero Trust might not go away, maybe it does go away, the term Zero Trust goes away, because we have many organizations which really are reluctant to use the term Zero Trust, because it is this buzzword thing, to say, okay, make it continuous authentication would be nice, would be fine for me, make it micro-segmentation plus never trust, always verify, but omit the term Zero Trust, I think that is something that I can happily deal with as long as the principles are still in place. We are heading towards EIC. You will be there, I know that, I will be there. So everybody who's willing to get in touch and talk more Zero Trust or identity and access management in general and cybersecurity in general, please feel free to reach out to Charlie and/or me or our team. You can even book an appointment at EIC with us. So that is possible. So go to our website, reach out to us to have an appointment, just to meet us there in Berlin in the early weeks of June 2024. We are happy to talk to you and continue that conversation. If you have any questions about what we mentioned in this episode and the episode before, please leave a question. If you're watching that on YouTube, just in the comments section. If you're listening to that in your favorite podcatcher as an audio version, just drop us a mail.
If you have great suggestions for what to cover in a next episode of this KuppingerCole Analyst Chat, I'm happy to pick up your suggestions for that as well. Charlie, thank you very much for being my guest today. And again, for this second part of the Zero Trust journey that we just did. Any final words that you would like to recommend to our audience before we close down, maybe towards EIC, maybe towards Zero Trust, anything you would like to be kept in mind?
Yeah, so to wrap it up, I would say what really stuck with me regarding Zero Trust is the thought that it's not like a product, but it has to be considered as a strategy. It's a journey, as you already mentioned, and it includes different aspects that we have to consider. So I think there is no, let's say, black or white approach on how to do Zero Trust. It really depends on the organization and the industry that we are in. And yeah, I'm looking forward to EIC, looking forward to connecting with the customers and also talking about Zero Trust or other topics. And yeah, I was happy to be here. Thank you for having me. And then talk to you soon.
Great, thank you very much. And everything that you do that's good for IAM is also good for Zero Trust. Thanks, Charlie. Thanks for being my guest today. Looking forward to having you back soon. But first of all, we will meet in Berlin in June and we hope that you all will be there and talk to us. Thanks again. See you, bye bye.
Thank you, bye.