Oliver is not here, right? Okay. Here he is.
Yes, Oliver, come on. Okay. I won't ask all the panelists to introduce themselves because we have only got 20 minutes, but I will say who's here. So we have Oliver Pfaff from HP. Thank you. Hi.
Sorry, Joseph Carson from Delinea. And then my good friend, Jacoba from, where are you now? Independent. Okay. And finally, Aus from MBC Group. So welcome, everyone. So we're talking about Zero Trust. I'm going to ask Joseph, because we prepared this earlier, I'm going to ask him quickly to give us his overall definition of Zero Trust. And then we'll go from there.
Absolutely. It's a pleasure to be here. And really kind of excited about today's topic, because it's something it's really important to make sure that we all have a common understanding.
If you think about, you know, Zero Trust is, it's not new. It's been around for almost, what, 15, 16 years now. I think it's really important to understand about where it started, because then it gets us into better context about what we can do today. It really started back when, you know, organizations started introducing bring your own device into the networks. And as those devices came into the corporate networks, where you had trusted environments and trusted networks, and then the employees went home and brought those devices out into the, you know, the wild internet.
Before you let them back in, you wanted to check and verify and make sure they actually were protected, had the right security controls, and didn't get any nasty viruses coming back into your networks. And that was really when you started getting network access controls, things like NAC and SNAC in order to put them into VLANs, scanning them. You don't trust them. You don't trust those devices immediately before you bring them back into the corporate managed network. And that's really where Zero Trust started.
It was all about, you know, devices leaving trusted environments into untrusted environments, and then verifying the security was still in place before you brought them back in. And I think as organizations moved to cloud and more connectivity, it really saw the need that actually most of the organization's transactions and workload is actually outside of the trusted networks. And therefore, we needed to continue and enforce that today. So it's really, it's a fantastic strategy around security controls that we must embrace, not just in the network, but every area on the organization's workload.
Okay, thanks, Joseph. Now, the thing is, for me, Zero Trust now seems to have taken on a life of its own. And it's become this kind of juggernaut. And I think, for many people, probably, like here, find the whole idea of Zero Trust a bit daunting. And I think people think they have to somehow create this huge Zero Trust infrastructure.
So, Jacoba, I'm going to ask you, because you're more from identity side. I'm the identity specialist. Yeah. And so let's take it a little bit, forget about this Zero Trust juggernaut. And what are some of the challenges that you see in trying to manage identities, if you're told to do it in Zero Trust?
I have been trying to do that Zero Trust, which is a long time ago when that was not that, the tooling was not that exquisite as we have it today. But the challenges were to implement that with identities.
And I'm coming back to the Sunil Yu presentation, where you have all the parameters on the devices on the time, the location. And I developed the seven any of Jacoba, which was network, time, location, device, and a few more. But the seventh one was what type of transaction is it? Is it a riskless transaction, something that doesn't harm anyone if an unauthorized person would do it?
So, and then we made a rule-based access control system, which we had to build by ourselves. We used XACML protocol. And then we had the policy information points that, well, the whole set, the PIP, PAP, PDP, policy enforcement point, and make sure that every identity could get only the authorizations and the minimum set that was required for that transaction in that time, that position, that location, that whatever. And the main problem was getting the right data for identity, because actually, we had role-based already.
So, if you roll it out, a role is actually also a rule. You can sort of limit someone's actions based on the rule. And if you add attributes to that, that became our strategy to add the attribute of time, location, blah, blah, blah, to the role or RBAC.
Actually, it became a lot more simple. But the problem was how to set the rules for who has to define these rules? What are the crown jewels? And what do we have to protect? And who sets the rules about that? And that's in the business. That's not in technology. And that was the most difficult part, to get them involved and make them understand this problem.
Okay, so now we've heard the theoretical, we've heard the identity. Now I want to ask you, presumably, got some real-world experience of this. So, how does it actually relate to the theory?
It's not easy, honestly. I have to agree with Sunil, that Zero Trust is not a product, it's not an endgame, it's a journey.
I mean, it will take you a decade to say, I have covered some aspects of Zero Trust. But if I can give you advice, it simply starts with visibility.
I mean, you need to understand what you have in your network, your entire footprint, because if you have blind spots, then how do you tackle them to start with? We run a very large organization, 45 companies, five continents, with hundreds of thousands of endpoints. The idea was to start making sure that every asset is visible, every asset is managed, and then your identity is your basic requirement, as simple as that. You have to unify all your workloads on all public clouds, and I'm running five public clouds, by the way.
So, all the American cloud providers, as well as Alibaba and Huawei. So, when you talk about single sign-on and MFA and creating a unique set of identification across all these clouds, it's challenging. It will take you a couple of years to reach there.
But yes, if you have a maturity model, and we do follow the CSI maturity model, by the way, I would love to say for all our operational teams, we need to reach the optimal stage. But in reality, you have legacy systems. We have tough discussions with your CFO. If this MRI machine in a hospital has been running for the last 15 years, why do you need to spend $10 million? Then you have to worry about the workarounds, the micro-segmentation, the air gap, and applying different layers of controls.
Okay, so now we're going to hear from a vendor, and I'd like to hear, do people come to you and say, we want a Zero Trust network, can you install it, please?
It depends.
I mean, as a hardware vendor, we look at Zero Trust since, I would say, 15 years from a holistic perspective, right? So, we have printers. Nobody takes care of the printer, but the printer itself is also a very big spot, right? And on top of that, of course, in HP, it starts, of course, with the hardware, right?
So, we have two layers. We have two dimensions here. We have the hardware layer, everything below the OS.
So, we need to make sure that the hardware itself, so let's say the motherboard, the chips on the motherboard, needs to really prevent intrusions, right? This is the first step on the hardware side, and then on the second step. And we are quite proud that we get, let's say, the mastermind on virtualization to really do Zero Trust. It's really micro-VMs.
So, micro-VMs are super, super sophisticated in terms of blocking the things out, because it doesn't eat that much performance, which is great, because if you're a company like HP, we have 60,000 clients. We want that our people can work smoothly, right? Same for our customer, right? And this is how we see it. And always, we always look at it from two different angles, so software side and also the hardware side.
Okay, so let's talk about users then, because I know that, obviously, we're not just talking about user identities these days, but let's just simplify it and talk about actual human beings. And how, Joseph, can, how can we have a frictionless ZT network? Is that possible?
Absolutely. I just want to reiterate something that was mentioned, is that it's really important to understand that Zero Trust is not something that you become. You have to continue to operate as something you practice.
So, the best term I've ever heard was that Zero Trust is a mindset in how you operate your business in a secure way. That's always my favorite term of understanding, and it's about getting technology, people, and process all working on the same understanding of what the actual use cases and the problems you're solving.
Now, when it gets into one of the things, when you're looking at applying Zero Trust in the people side of it, it's so important to make sure you get people on board. And we're always, from a security side, we're always inventing new terms that are very much kind of embedded from a security enforcement side.
So, when you're actually introducing Zero Trust into the employees, sometimes it's not the best term to say to the business. So, I always find that when you're going down the path of a Zero Trust strategy or framework, that's important to think about, that you actually have to approach it with a zero friction mindset as well. That how are you making the employee's job better? How are you removing a lot of the security kind of friction and putting it behind the scenes?
So, you have to make sure that whatever you're putting in place from a security perspective, especially that meets a Zero Trust strategy, is that it has to be a better experience for the employee than it was yesterday. Because that's how you get adoption. That's how you get people to enjoy using it, is by taking away the pain.
So, one of the things sometimes when I'm, if I'm talking to security, I do use the term Zero Trust. When I'm talking to the business, what I'm referring to then is Zero Assumptions. I'm assuming that security has not been met, so therefore we're putting the right security controls in place and challenging them. And that's kind of where you start getting people's understanding. It's about, not about eliminating trust, it's about actually finding the basis of what our trust is built.
So, it's important to make sure that you actually have a translation that converts back into employees and the business. Because sometimes Zero Trust gets a bit lost in the translation side.
Are there any questions from the audience at this stage that you'd like to ask?
If not, okay. Jacoba, maybe this is something that's maybe not your area exactly, but how, how, how can you actually manage Zero Trust through like monitoring and visibility and using the conventional tools that we have in SOC and stuff? Does that actually work?
Well, I'm not a SOC person. I used to run a SOC, but that's a long time ago. Probably hasn't changed. The problem was that I think only one percent of the real penetrations got noticed by the SOC and some of them, many of them got noticed by customers that something was not working.
So, and of course the cost of analysis of all that data and that whole Splunk whatever database that was there. And then there was, the database was full and we had to buy extra storage and of course AI can help with that. But I think there, and I think this is important because as we, for the previous question for adoption, I think that you have to do it risk-based again.
So, looking at what transactions, what assets are the most valuable and get all your efforts there and then indeed not only prevention like identity access and access control, which is preventative control, also focus very well on the detective and the business continuity and resilience because you're going to get hacked. It doesn't exist that you're 100% secure.
So, if you balance these three and do that in a risk-based way, I think that could be, first of all, giving you more a strategy on where to start and secondly, if something happens, you can also warn your board that it's going to happen and that's, so it's a play of all three of them, not just the preventative controls.
Okay, you used the word risk there, very interesting because there's something that I wanted to bring up, a bit controversial. John Kindervag, who's known as the father of zero trust or the grandfather, one of the two, I don't know.
He recently posted on LinkedIn, I think he's just being a bit provocative, but he said no one needs risk management anymore. Risk management is a dead science, integrated risk management, all you need is zero trust, right? I thought that was a bit, a bit far-fetched. I think that's too much. Yeah.
Yeah, because you still need to know where your most, what will bring your business down if you don't know that and still don't trust anything. It's undoable almost, you can't boil the ocean, so know at least what to focus on, at least when you start. Focus is one very important topic.
I mean, look, our solution is a very tiny one, right? But it does what it does, right? So the problem is always sitting in front of the PC, which are us, right? What are we doing the whole day?
Emails, Excel, PowerPoint, especially on HP, right? So you need to take care of these, yeah? And we made analysis that, let's say, I don't know, 90% of the attacks coming from that segment, right? It's Outlook, it's Excel and so on, and we're exactly doing this, taking care of this, but we are not saying, hey, you don't need any EDR, you don't need any of this.
I mean, it's always a combination of the different aspects and tools. And if you really can play this orchestra very well, then you do it right. So it's really not this or the other, it's how can we really run this together in a harmonious way, right?
In HP, I think we are running, apart from our own solution, five other solutions, right? And it's absolutely mandatory to do so, because the speed of hacking and everything, I mean, it's increasing dramatically every day.
Okay, so how can Zero Trust help you, talking about risk, how can it help you with future threats or changing compliance rules, et cetera? But mostly, it's at the moment, if you have a Zero Trust, it's set up for what you know, but how can it work for what you don't know?
Yeah, maybe before answering that question, I would like to jump in what you just said. I mean, a strategy that works with users, you need to always ask this question, what is in it for me?
I mean, security is all about achieving the balance, resilience with convenience. So what we do is, let's say your password in the domain is eight characters, you want to make it into 12 characters, that's one step, MFA, SSO, another step, and then down the line, go complete passwordless. When you go passwordless, then you have to implement just-in-time access. A domain admin will ask, I have been accessing the system as a domain admin for 10 years, why you want to work my access? So we never mention Zero Trust at all, we don't say Zero Trust.
We trust you, but this will make your life easier, as simple as that. Now back to your question about the threat and the landscape, the idea is to always assume that there is someone hiding in your network, assume breach. There is someone, whether you like it or not, you are being attacked by APTs 24 by 7. So if you invest into multi-layer security approach, this will pay off. Micro-segmentation across the board. If your CFO gets hacked, then the finance department will be affected, but your TV running live on air is still okay intact.
Today, a single production at our company will cost 200 million dollars. Are you certain that the S3 bucket hosting a backup of that movie is secure, configured properly? It's complex, it's a very, very wide attack surface.
Do you think most organizations are anywhere near Zero Trust? I'm just asking this to the panel.
From my experience, last two and a half years, when I was on different exhibitions and I was talking to many CIOs, they always said, hey, we are not completely on Zero Trust.
I mean, we have this, this, this, four or five tools, but at the end, nobody can guarantee. So I would say not, but it depends really on the company's strategy, how to deal with it. We always have this discussion with our solution, for example, we have sandbox outside, we have our micro VM, and nobody knows that there's a big difference, right?
I mean, we can really emulate a complete operating system in the pocket, right? Where a sandbox is, let's say, a holistic approach to simulate an operating system, right? And if you talk to the people, get down to that, they are not aware because they are flying so many passwords around, especially on Zero Trust.
So Joseph, you're obviously with Delinea. I think Zero Trust has come a little bit late to the privilege access and Kim market. So what's your experience?
I think it's the same as that many organizations, they haven't got Zero Trust across the board, but they've taken specific use cases where they have applied Zero Trust in the process and workflow.
And I think, you know, when it comes to identity is one of the biggest areas that the foundation of getting to Zero Trust from identity access is really the principle of least privilege is one of those foundational parts is that if you can get where basically people have just enough privileges to do their job, but when they need access to sensitive systems based on risk, that then they would have to go through higher security controls to satisfy those. So organizations have applied a Zero Trust strategy in certain areas, but they're not across the board and there's a long way to go.
And I think it's really important is that, you know, the risk base is actually a key to that. If you're not taking a risk-based approach, then you're putting your head in the sand and ignoring what you need to be doing. So I think for me, it's really important to have a strong strategy. It's a long-term approach.
You don't, you know, it's not something you say in six months or put a product in place and I'm done. You have to continue on that journey. It's a vision. It's ultimately, you're in a car and you're going down a road that has no destination. You'll never get to the final place, but along that way, you'll basically be able to put things in place that helps the organization become resilient. It's a never-ending journey.
You look like you want to have a last word.
Yeah, last word. I mean, it's just an example, right? Because Zero Trust, you mentioned you need to take care of several aspects, right? Let's say you are working and we are working hybrid, right?
So, and you are there and then you have, let's say, this sandbox, which only works normally if you have an online connection, right? If you're not online, let's say your son is picking your notebook and sitting on the beach and taking USB sticks, very simply putting it in and who's then controlling the content of the stick, right? Very simple. And then the virus can get inside and that's it and spreads all over the network. Those are the seven any on the beach. It's not allowed. Depends.
I mean, who's really taking care of this, right? Okay. Sorry.
I mean, we had a ridiculously short time to talk about such a big subject, but I'm afraid we have to move on. So thanks very much, panel, for being there and thank you for listening. So thanks again.