How does a Financial Institution deploy a Zero Trust Model where employees and consumers need access to so much vital data in near real time?
I'm very glad that Fadi went up first, because he covered all the areas that I don't care about, the ones that are not identity. So he did a great segue for a lot of the ways that we try to implement zero trust. So, a quick guess: if you've all looked at your agendas, and I'm sure you all have the app, how many times does the phrase "zero trust" appear in the agenda? Any guesses? It's a non-zero number. Oh, it is true: 35 times. There are 35 presentations on zero trust, and I'm one of them.
And something else that he stressed, and I will talk about it as well: zero trust has a lot of components to it. I come from the vendor space, and technologies do offer zero trust capabilities, and we'll talk about those as well, but there's no silver bullet. It's not something you can plug in and turn on. As cool as that would be, it's just not going to happen. So, a quick view of it from a financial industry perspective: I can tell you a little bit about what we do at Royal Bank. I am a Canadian, and at heart we are mistrusting of everybody.
We don't believe what people tell us. We don't even believe people within our own country about technologies. I wouldn't say it's a bad thing, but it also makes us slow adopters.
So when you hear about alts and onboarding of technologies, it takes us a little bit longer. We traditionally break up consumer identity and enterprise identity, or what we call workforce identity for the employees, for zero trust, and we'll talk about those. Financial institutions: Fadi made a good point. The regulations are coming; they're going to make you implement it. They're starting to squeeze the lemon, starting to tighten the bolts on
zero trust now, for how you protect identities and how you protect access. For any of you in financials, you know there are the PCI regulations; who has access to everything is highly regulated. We'll talk about who it impacts. A question was asked: where do you start? I'm going to tell you how far you can go on the other side of it. So we'll talk about those. Fadi gave me a great segue because he talked about capabilities. I was lucky enough to work with one of the divisions of the US government. There's a group called CISA; you can look it up online. We published a zero trust capability model.
So at CISA they broke out the pillars that he talked about: infrastructure, endpoint, and so on. This is where he talked about how to start and where to start. All the green things I highlight are identity. I figured it would make Martin happier if we talk identity-centric this week. If you go onto their website, you can download it; there's good documentation up there on the pillars. And for us, identity was a different area. Being a bank, we are Canada's oldest bank, and we started on the left side. We're heavily regulated; like you said, that's our requirement.
Our big thing, aside from money of course, is data. We've published that we are the largest data holder in the country, over the federal government. We have more information on our citizens than the government does.
So if we get hacked, that's a bad thing, because we know everything about you: where you live, where you shop, what you buy, the things that you own. So there are consequences. So we set up every possible gate and moat and wall that we can think of. Unfortunately that doesn't work well with everybody, because that's not the only way to get into our bank. You'll start to hear about deepfake technologies going around as you're walking around, and there are a lot of cloud tools out there that we can't control just by putting up a wall around them.
He mentioned the concept of working from home. Thank you to COVID. We've had to open up our infrastructure to people working from a Starbucks or a train in different locations.
Oh, I can do sock puppets, but it won't be as effective. Yes, I feel a breach.
Oh, I see a blink. There we go. There are a lot of words on this and I won't go through it all, but what I tried to do is break it into two categories for you. The slide deck, and me up front, will be available for download, I think tomorrow, so you can get a copy of this. We broke it into two different sides. On the identity side, like Fadi mentioned, it's usually easier to start off with non-critical systems, things that employees have access to, things that are more regulated.
There are resources that you can secure with basic multi-factor authentication, step-up authentication, different types of technologies. The last couple of bullet points on the left side: we like to tie authorization into authentication every time. So not just the fact of do you have access to a group or a folder, but should you? Should you only have it for so long? Are you a support person? Do you need access to technologies? So we start with a model of nobody gets access to anything, and then, by your role in the organization, we enable it for you.
On the consumer side, it's a little different. You as consumers, I'm sure a lot of you have applications where you can do wealth management transfers, you can do investments. I talked to the Bitcoin guys earlier, or for cryptocurrencies, sorry, I shouldn't have said Bitcoin. Their technologies require a different type of access. You need to move funds between services.
How many of you have a loyalty-type application on your phone, airline, hotel? Okay, how many of you have one application that has 10 loyalty cards linked into it? So there are the people that travel in the room.
So those are the cases where you have to do that segregation. I don't want my airline to know what cars I rent. I don't want restaurants to know where I get information.
So that's where the zero trust comes in. We have to protect our consumers. As a bank, we have 18 lines of business. I have insurance, I have consumer banking, business banking. It's not that they don't talk to each other, but my consumer profile, as Denny with a wife and a child, shouldn't have access to my Denny business accounts. So I need to have that segregation. Those are things that we want to be aware of. AI-driven analytics is something that we do. We try to look at your trending, what you're doing, how you're using things, and that's how we provide you access.
So like I said, by default, zero trust for us is: I'm sorry, you don't get access to something until you ask for it. If you do something out of pattern, we start to tighten the screws again. The reason we did it: I know, talking to PwC earlier, these are last year's numbers. These are rough percentages and numbers; they're not decreed in stone, but I can provide you the resources where they came from. This is just on the financial side of the house. 690 disclosed financial breaches last year. We weren't one of them, but you know, 93% of those were for financial gain.
So yes, they tried to take money from someone, but a lot of them were data, or just information that they can turn around and resell. The 61% number is kind of interesting: the breaches weren't actually through the FIs, they were through third parties that we work with, through suppliers, through resellers. So that's something else to keep in mind if you're looking at your targets. Not all of you are in the FI space,
so I'm sure there are other areas that you work with. I don't know if that's a boast number or not, but we have 17% more attacks than any other industry. That's why I asked him that question: is there one that tries to jump up first over anybody else? The FIs in Canada, I forgot the actual number, I had it in my mind, it's in the tens of thousands of website breach attempts we get per day, trying to access or spoof our website, and it's because of the different services that we do offer.
The last one is an interesting one: the type of error, and this is something that he alluded to, where an account is given access to something, but they gained access because they have it from someone else. I'm sure you've joined a group or a department and they gave you access like a fellow employee. Does that sound familiar, or similar credentials? At my last organization, when I joined, they literally went into the tool and said "create Denny like Armando." So I got all of his access rights.
Armando was there for 17 years and I was the brand-new guy, which was awesome for me because I had access to everything he did, until they figured it out. So this is something for you to keep in mind when you're giving access: with that type of error, did you get access to something maybe you shouldn't have? The regulators in Canada, I'm not saying they're slower to adapt, but now their mindset is starting to change. I have two roles in the organization. One side is on the enterprise architecture side.
So I have security responsibilities to make sure every mobile app, web app, and I hate to say it, even badging into a vault or a building, is under our review. But I'm also on the innovation side of the house, so all new technologies. They're not solved by software. So now regulators are coming to us and saying, well, we know you have tool X and we know they promise to do zero trust, but it's not just a tool. And like Fadi said, you have to have processes in place, you have to have auditing in place and continuously be validating. So that's something else to lean on from his presentation.
It's not a one-and-done. And I actually heard someone mention it when I was standing up: we have to keep reviewing this. So I think a few of you are on this journey, and I saw the head nodding that yes, it is something that you have to do. We looked at it, and I'm sure you've heard those three terms, people, process and technology, for every scenario. I'm going to reiterate a lot of similar comments. We want to make sure that only the right people have access, and when they need it.
I have teams that should be doing things in the office that should not be doing things remotely. Not because I don't trust them, but they don't need to; they don't need to look at client data when they're sitting in a coffee shop. We may require additional training, and I'm sure with zero trust, people are used to logging in in the morning and gaining access to a specific application. But if I need you to perform a specific task, you may need another factor.
Trying to introduce the Microsoft Authenticator and an OTP-type token on people's cell phones, when it's their personal device, in our organization was brutal. Nobody wants a corporate app installed on their device.
So I'm sorry, we have to do that. If you're going to do work stuff on your personal device, we're going to need to protect ourselves and protect our customers. On the process side, our biggest change was workflows. Most of you have service management-type technologies, or maybe a help desk where you can request things. It was usually click a button, "I need access to…", and it may or may not have gone to someone for approval. Now we have not only approvals, which might be first-, second-, third-line manager;
we also have attestations, monthly, quarterly, yearly, where they have to say, yes, Denny needs access, and if they take away my access, they do a certification to make sure it's actually been taken away. There are a few vendors here that do the certification side of the house. If you're talking to them: Nick from OpenText talked about IGA yesterday when he was on the main stage. So if you are looking at those kinds of technologies, try to do both. Do the certification that proves the right people have access. Do the attestation that you know it's been added or removed correctly.
Technology: well, I mean the traditional bells and whistles there. Do lots of auditing, record everything: every transaction, who has access, when they've accessed it. You can filter out the unnecessary stuff. Your regulators will help you with that.
In Canada, our paranoid IT people help you with that. They want every bit of data. His comment about "just do it" was similar to my "how far do you go?"
There's no limit to it. You can lock down infrastructure, you can lock down applications, zero trust.
Oh, Slack went off screen. Zero trust has been around a long time. When I first started, I worked with both IBM and Dell, and Dell published a document called "Zero Trust in our Infrastructure", and it was around hardware access. Who would have thought accessing a network card in a computer could be a bad thing?
People were getting into physical servers through the network cards, through protocols that were available at that time. And in the late nineties, documents were published about access to websites, and that you should restrict access to only people logging in. And then Ian's presentation on ceremonies was great, because it had all the boxes of the logins. We've been doing that forever.
So think about who you're protecting and what you're protecting. For us, we protect the employees from themselves. We protect the customers so we don't lose any of their stuff, and stuff meaning money, data, access, information. And we need to know who we're protecting it from. It's not just black-hat people. It is sometimes us internally. I don't know how long some of you have been in the industry, but has anyone ever gone back and removed a folder, and all the contents in it are also gone, by accident?
Yeah, I did it myself. I transitioned to a newer group in the organization and I went to go move an Outlook folder, because it was Office 365. I forgot to drag the folder and all of its content, so I lost two or three years' worth of archived email and folders.
So yes, we do protect our users from ourselves. There are some best practices. You do have to educate your employees, or the people that are on the other side of the zero trust. Someone asked about where do you start: the concept of start small, limit the blast radius of who you're impacting, whether it's segmentation or infrastructure. We started with micro-segmentation: specific servers, specific lines of business, specific functions. Have a baseline; know what's happening as you go along. In each phase you need to show adoption.
You need to help the executives be convinced that they need to give you more money for zero trust. So you have to show that people are using the technologies, and phase it in.
I mean, you can go big bang, but even before, coming from the vendor space, I'll be honest, I have not seen anybody make it work for an entire enterprise. You can turn off an entire set of functions or capabilities from that second slide. It's a lot of work. Guardrails, depending on the size of your organization: some organizations like ours have directives. If you're going to implement something, these are the things you can and cannot do. So we have policies on how to implement technologies.
We use a term called patterning. I'm not sure if that's an industry term or not, but in the enterprise architecture world, for us, we create a reusable pattern. Every time we deploy zero trust for an employee, these are the six checkboxes we have to do. I don't care what tool you use, or if it's cloud or on-prem. As long as you check these boxes, my security team is happy. So things that you can make repeatable: great way to do it. Don't forget things outside of your organization. I put M&As and regulations at the bottom of ours too.
RBC, if you're following us in the news: the acquisition of Brewin Dolphin in the UK, City National Bank in the US, HSBC. We've been fairly active, and it's a considerable amount of extra work. His last slide was similar to mine. When you start, there are lots of different categories in that slide. When you download it, or if you go to the CISA website, there are pillars of zero trust. It's not just the network, it's not just your identity.
Selfishly, I'd like to say it is, but I can't. It's not a product. So I'm sure you've heard that there's some basic hygiene. You may have to do stuff in your organizations, do some cleanup, before you go for zero trust. We're going through that too.
We're 95,000 employees scattered around the world, so we're not huge compared to, like, a PwC, but there are a lot of people I have to look at: how they do their configurations, watching for those anomalies. And it was funny: just before I came in, one of my guys was on a train, on a conference call talking to me while there were people all around him. So, for VPN access, consider your users and where they're coming from, and don't neglect the experience.
Zero trust is great, but if you're preventing people from doing their jobs, or customers from gaining access to your services, bluntly, you're going to piss them off. They're not going to be happy with you. They're not going to enjoy the functionality. I hope this helps, and gives you a little bit of insight on what we went through. Great. Thank you.
Thank you. Excuse me. Thanks for the insights. We do have a question online here: how do you segment the workforce between enterprise IAM and customer IAM situations when an employee is also your customer?
Oh, I always hope that never comes up. I am an employee and I'm a customer of our own services. Our technologies, like most of the FIs: we have two different platforms. So for us it was a physical distinction between the two. There's no reason, unless someone can tell me a reason, we haven't found a reason in Canada where an employee should have access to their personal banking information at the same time you can log in as yourself. It does make it easier to approve loans though, in those cases, right? Wouldn't that be fantastic? Any questions from the floor? Great.
Well, thanks again, Denny. Thank you.
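Added illustration, separate from the talk above and not RBC's code or policy: a small deny-by-default access decision in Python that carries the points Denny makes about enabling access by role, keeping every grant time-bound, requiring periodic attestation, stepping up a factor for specific tasks, and keeping client data off coffee-shop networks, together with the certification check that a revoked role is actually gone from the live entitlement store. Every resource name, role, authentication level, the 90-day attestation window, the constructed clock and the user names are assumptions chosen for the example.

```python
"""Added illustration of the deny-by-default model described in the talk.
Not RBC's code or policy: every resource, role, authentication level and
review window below is an assumption chosen for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ResourcePolicy:
    allowed_roles: Set[str]   # roles that may be enabled for this resource
    min_auth_level: int       # 1 = password, 2 = OTP/MFA, 3 = phishing-resistant
    on_network_only: bool     # client data stays office/VPN only, never a coffee shop


@dataclass
class Grant:
    role: str
    expires_at: datetime               # every role grant is time-bound
    attested_at: Optional[datetime]    # last manager attestation, None if never


@dataclass
class Request:
    user: str
    resource: str
    grants: List[Grant]
    auth_level: int
    on_corp_network: bool
    now: datetime


# Hypothetical resources; anything not listed here is denied outright.
POLICIES: Dict[str, ResourcePolicy] = {
    "client-records": ResourcePolicy({"branch-advisor", "support-l2"}, 2, True),
    "hr-self-service": ResourcePolicy({"employee"}, 1, False),
    "prod-db-admin": ResourcePolicy({"dba"}, 3, True),
}
ATTESTATION_WINDOW = timedelta(days=90)  # quarterly re-attestation, assumed


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Nobody has access until a role enables it."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, "unknown resource: deny by default"
    active = [g for g in req.grants
              if g.role in policy.allowed_roles and g.expires_at > req.now]
    if not active:
        return False, "no active grant for an allowed role"
    attested = [g for g in active if g.attested_at is not None
                and req.now - g.attested_at <= ATTESTATION_WINDOW]
    if not attested:
        return False, "grant not attested within review window"
    if req.auth_level < policy.min_auth_level:
        return False, f"step-up required: auth level {policy.min_auth_level}"
    if policy.on_network_only and not req.on_corp_network:
        return False, "resource restricted to corporate network or VPN"
    return True, "allowed"


def certify_removals(revoked: Dict[str, Set[str]],
                     live_entitlements: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Certification step: roles marked as removed that still exist in the
    live entitlement store. An empty result means the removals really happened."""
    leftovers: Dict[str, Set[str]] = {}
    for user, roles in revoked.items():
        still_present = roles & live_entitlements.get(user, set())
        if still_present:
            leftovers[user] = still_present
    return leftovers


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests covering the cases discussed in the talk."""
    now = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)  # constructed clock
    recent = now - timedelta(days=10)
    advisor = Grant("branch-advisor", now + timedelta(days=30), recent)
    employee = Grant("employee", now + timedelta(days=365), recent)
    expired_dba = Grant("dba", now - timedelta(days=1), recent)
    stale_support = Grant("support-l2", now + timedelta(days=30), now - timedelta(days=120))
    cases = {
        "advisor_in_office_with_otp": Request("alice", "client-records", [advisor, employee], 2, True, now),
        "advisor_in_coffee_shop_with_otp": Request("alice", "client-records", [advisor, employee], 2, False, now),
        "advisor_in_office_password_only": Request("alice", "client-records", [advisor, employee], 1, True, now),
        "employee_hr_from_home": Request("alice", "hr-self-service", [employee], 1, False, now),
        "dba_grant_expired": Request("bob", "prod-db-admin", [expired_dba, employee], 3, True, now),
        "support_grant_never_reattested": Request("carol", "client-records", [stale_support], 2, True, now),
        "new_hire_unknown_resource": Request("dave", "vault-badging", [employee], 1, True, now),
    }
    return {name: decide(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:36} {'ALLOW' if ok else 'DENY ':5} {why}")
    # Certification: "dba" was removed from bob, "employee" was not.
    print(certify_removals({"bob": {"dba", "employee"}}, {"bob": {"employee"}}))
```

The checks are ordered so that the cheapest denials come first and a step-up prompt is only issued once an active, attested grant exists; prompting for a second factor on a request that would be denied anyway leaks which resources are real. The certification function is the "make sure it's actually been taken away" step: it compares what the workflow says was revoked with what the entitlement store still holds, which is exactly the gap the "create Denny like Armando" cloning error hides.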