Hello, Wolfgang Gok. I'm an advisory CISO with Cisco.
My name is Gerald Horst. I am a digital identity leader in PwC.
Hi, my name is Rajan Barara. I'm Director of Product Management at Entrust for Identity and Access Management.
And I'm Carla Ron Catone, and I'm the Vice President of Identity at WatchGuard Technologies. But I'm also gonna tell you that before that I worked at Microsoft in Intel and McAfee.
Okay, great. So the way we're gonna do this is do the initial question. You're welcome to discuss, you know, other questions among yourself, and then we'll ask also the audience and look online to see if there's any additional questions. So the first question is, you know, what advancements in technology will drive this adoption of zero trust architecture over the next five years?
AI microphone.
I was saying that loud enough, right?
Well, people online can't hear, so please use the mic for
Oh, yes, yes, of course. Well, I thought I, I expected the crowd to say AI first. Right? I think that's something that we can see helping, making decisions quicker using all kinds of context-based information quicker to either provide access or not provide access as an example.
Yeah, I think I completely agree. AI is one of the key investments and the second investment, which people sometimes overlook is post quantum cryptography. That is like, you know, it seems like it's far, but you never know when the tsunami will come and hit us. So these two I think would be that.
I was actually just gonna say, like, philosophically, I think people need to break up with their emotional attachment to trust first. I think we need to get people to, it's not so much about a technical innovation, it's actually trust is an emotional thing.
And you kind of starting with AI machines at least are not yet sentient and don't have emotional trust for people. And so like you can go and ask ChatGPT, does it trust you? And it'll say, I, I, huh. I don't know.
So, so it's, it's an interesting word. Trust is not something that machines are capable of at least yet. So I would say that that's what I like about zero trust is it's breaking those silos of believing that we started with this root of trust and all these bad habits that we created for the last, you know, many, many years.
I think it's caused us as vendors, as well as service providers and whatnot, to have to go back to the beginning and rethink the way we actually developed our products in order for us to help organizations move forward and make that progress.
So it's not really a buzzword, it's actually something, it's a process in people and procedure and, and all those pieces. But, but for me, I think actually what, what really will transform zero trust is people breaking up with the notion that it's actually trust. Like there will ever be trustworthiness when it comes to machines. Like the cloud won't trust you. It really doesn't matter if you trust the cloud. You have to find the balance in figuring out how you're gonna de-risk your organization. And I think that's a very popular term at PwC as well.
Absolutely.
I think it is.
You bring up a good point, right? I oftentimes say that we are running 20 years of IT on 20,000 years of legacy technology. And the legacy technology is culture, people, right? The way we tell stories, the way we communicate, but specifically to zero trust. If you think about how we're extending trust every time there's a session, every time there's a connection request, we're, we're doing that programmatically by policy. So the policy engine becomes important. The AI/ML becomes important.
And that's arguably the, the important, the critical quintessential aspect of zero trust is that policy enforcement, now we've got a strongly identified user, we've got a strongly identified device, it's connecting through an encrypted connection to make that policy decision to get to that resource and to the question of what technologies are gonna disrupt, there's disruption across all that chain, right?
Everywhere you look, how do we authenticate a user?
Well, we've already had some great questions and conversations in this conference around passwordless. And the minute we get there, we know from what's happening with multifactor today, the minute we get there, that's gonna be disrupted. How do you authenticate a device?
Well, we had some great conversation around digital device identities in this conference. The minute you get there, we know that's gonna be disrupted. And then that encrypted connection is at, at question, do we run that through a CASB or DLP and then that final end resource, is it on the cloud? Do I trust that resource? Who provisioned it? Do I need to do I need to know anything about it? Right? So across that whole stack, what's really fascinating is, however I define trust today at a technical level reflected by governance will be disrupted in the coming years.
John, do we have any questions online or we'd like to go to the audience?
Yeah, we don't have any online.
Yeah, but just a reminder, if you want to type in a question in the q and a blank, we'll be happy to take it. Anybody here have a question for the panel?
You know, you do.
Oh,
Right here, Patrick,
What
Do you guys, what do you guys consider the long, you know, pole in the tent? The hardest piece to get? Right.
So I think to get it right, right? I mean if we look at the five pillars, right, of zero trust starting there, I mean 35,
I
Saw six, maybe six
I saw,
It's like, it's like memory, right? You can remember seven,
It depends who you ask. It could be five pillars and three foundations, or it could be seven pillars, one foundation or eight pillars. And no foundation.
Because it's a,
But I guess it's
A strategy.
Yeah,
It's a strategy, right? It's a plan. So you have to have a plan. You have to start, you know, by making a plan, understanding how mature you are when it comes to these different pillars. And I think that's basically, you know, what we have to do. It's about minimizing the attack surface. It's about being able to do our business as companies, institutions securely. That's what we are striving for, right? So start with a plan.
To me, the hardest thing is deny by default. It, it's just something that people bristle. It's again, it's about people. At the end of the day, people bristle at deny, you know, deny by default. Whether it's the application, whether it's the device, whether it's the user. Data can't deny itself. So you're just denied it. But it's really interesting, I think getting comfortable with the concept and seeing that that's the way I feel like I'm in The Mandalorian. This is the way it, it is, it is breaking up. It's almost the inverse of what we've been doing. All that inherited and implicit trust.
Like it just has to go away. And you have to get comfortable with the idea of, you know, deny by default.
To me, that's a process. It's a product, it's a bunch of other things.
And it's, it's a way of actually operating. It's your operating model after this.
So deny by default, a quick story. I do mentoring and coaching for younger people. And I always start every coaching, every relationship the same way.
I say, here's the trick to security. Write this down, get out the pen. Cause they're students, they're very studious. I love that. You will not get in the way of the business. I will not get in the way of the business. You will not be the department owner. You'll be an enabler. All right? You got all that. Your first two things, remove privileges, remove trust. They're like, how do I do that?
I'm like, I have no idea. When you figure it out, please tell me. Exactly.
So I think, I think, I think what what we are saying is effectively, if you think about zero trust, the underlying principles, the 10 tenets least privilege, access.
Access, right? Then if you think about people, process, technology, standing, those swings. No standing. No standing. Yeah.
So, so least privileged access, assume breach, it is gonna happen. That means that be ready for that breach. And what are you gonna do? That's where process is gonna help. That's where your least privileged access is gonna help just in time access. If you don't need it, don't give it. But if I need it, gimme right then and there. Keep on right sizing the permissions also, because most of the people don't know most of the organizations. Another aspect we were discussing earlier, I ask my customers, I say, so have you classified your data? They look at me like, you know, they've seen a ghost.
I dunno what the hell? How do you classify data? Yeah. Have you encrypted your data? Where do I start?
I'm like, right now.
I wanna add one more on that one too.
Oh, on the data thing is, think about no data. If you need to, to do a financial transaction with credit cards, use a payment provider who will take care of that information for you, because you really don't need to collect the credit card in order to complete the transaction.
So the, even the concept of de-risking the way you collect, so minimal collection, you don't get audited for PCI if you don't have the data the provider does. So think de you know, you don't have to own the estate anymore.
You, you can actually have your entire business running in a way that, you know, and again, you, you knock these these concepts off one at a time. You can't do it all. You can't do it all at one time. But you can certainly target certain systems and de-risk your organization by making better selections and having a more informed way of thinking about whether you really need it. We collect a lot of data we don't need, and it's not even about privacy.
It is, but it's about de-risking your organization. Don't collect credit card information when you can allow our provider to be the one that's responsible for it. Absolutely. And you don't have to trust them either moving
The zero, move the zero trust to the service provider.
So I feel we, I feel we still didn't answer the question of the gentleman over there. Right? When do you get it right?
I mean, will we ever get it right? So I think Yeah, exactly.
So, and, and what, what we see is that clients, if they make a plan and they do actually start, right, they have to prioritize, they have to come up with a roadmap, which is really difficult. But then you see that there are some things more easy.
I mean, we talk a lot about SIEM and SOAR and endpoint detection and response, but what we see happening is that clients start with identity. They start with single sign-on, they start with multi-factor authentication. And I think that's, but the good thing is they actually start, and that's what we, you know, are advocating, I think make a plan, start. Zero trust is a strategy, which is another word for plan. Right?
Exactly.
So if you, if you think about, I'm gonna go with five pillars,
We can debate that. Anyone who wants to argue with me, throw out in chat.
If we think about the five pillars, right? Identity, devices, network, application workloads, data, we've got, I mean, we got, we're, we're all here together. We're very smart people. We're here to tackle identity. We've got a lot of mind share in identity. We've got a lot of tooling around identity. To your point, a lot of people start with identity. As you go down those pillars, we've got a lot around devices, networking. We've been doing NAC for many years, although we can argue about how difficult sometimes NAC projects can be. Then we get into applications, then we get into data.
It's almost like a hockey stick in terms of complexity. So oftentimes I'll say the easiest thing in zero trust is identity, the hardest are application workloads. And people say identity's hard. Go, huh? Now multiply that by 10 or a hundred fold. And that's difficult to get to your data on your applications.
I disagree.
And, and, and yeah, she disagrees. But in the meantime, one, one more thing to add on to him is, is not only those five pillars, but also like, you know, CISA has come out with maturity model.
That's so, you know, like figure out what maturity level starts with an issue, then go up to optimal, but you will have a journey. So the zero trust is a journey.
Now, whether which one is harder pillar, I will leave it. That's a, that's a, I'll leave it to you to fine.
But, but do take care of the maturity model. Start and start as a holistic approach in terms of maturity model.
Okay.
The reason I disagree that it's not applications is because we've, we've done a pretty good job of solving data at rest. We've done a pretty good job at data in motion or data in transit, but no one has really solved data in use.
That's, yeah.
So that's,
That's it.
So, right. The question becomes what do I mean by data? Yes.
Yeah.
And, and, and I think, I think we have beaten that horse to death.
Okay.
Questions from the floor?
Okay. Which bodies do you think will be the most influential in setting standards and guidance around zero trust?
I can tell you what I know, I know NIST, I know CISA. These are very active in, in making standards, maturity models, et cetera. That's the two that I know of.
Yeah, I'm with you. I'm with him.
So we've talked about the most popular acronym of the week, AI, how do you think AI actually helps zero trust?
What, what at a technical level can it do for zero trust?
I can go first with that.
So again, an identity on a system going through a policy engine to get to a resource, that policy engine is, I think in my mind, one of the strongest use cases for AI/ML. If you look at, now we gotta do a couple things here, right? I, I don't need ChatGPT to tell me, hey, maybe jailbroken devices and unpatched devices and 10 year old Windows XP devices shouldn't be on my network.
I, there's certain things that we can codify in if-then-else rules and say, let's eliminate all the noise, let's eliminate all the known bads. But there's still gonna be residual risk. To your point earlier, there's still gonna be residual trust in that. Because even though I say it's not jailbroken, just because it's not jailbroken doesn't mean I should trust it. So that's where we start, I feel, layering on and lining on ML.
Now, one of the ways I think about this is like, and I'm, I'm gonna date myself with this, but like Rosie the robot, you guys remember my mic just died. I such an old reference to cut my mic.
If you remember Rosie the robot, right? It pushed her on a vacuum cleaner of sassy and it made food. And everyone thinks that ML is gonna do that. No. Who wants a $600,000 robot that does that? When you just want your floors clean, you want a $200 Roomba. And the difference in complexity between those two mental models and two ML approaches is huge. Cost and complexity is huge.
So I prefer Roombas over Rosies. Gimme a very simple, straightforward ML model that runs after I've already eliminated what's known, creates few false positives. That's where I'm the happiest today in the next couple years.
For ML,
I think AI/ML is interestingly on both sides of the play. One is on the attack surface side of the play or the hacker side of the play. Another one is on defending or implementing the zero trust side of things. So analytics is very key, like you mentioned, like, you know, gimme a Roomba, gimme fit for purpose. What I can do, policy driven things like that over a period of time.
As you move into multi-cloud strategies, as you move into cloud native apps strategies and you want to give entitlements and take away entitlements, rightsize the permissions, that's where analytics start playing more and more role. The part which concerns me is the ChatGPT-like bots. If a contact center is based on that ChatGPT and a hacker is driving that contact center and, and calls you and says, I'm calling from CRA, Canadian Revenue Agency or your social security and I want to know this piece of information and it gives you the agent name, da, da, da, all that stuff.
Now it's very hard to differentiate. So how do you, how do you approach those kinds of things? So AI is a threat at the same point in time, can be a very good tool to analyze and prevent those threats from happening within Europe. So let's parameters,
Let's ask the, the group here, right? Who thinks that AI is a threat and who thinks that AI is a benefit?
Yeah,
Exactly. A threat.
Both. Both.
So and benefit.
Yep. It's both. Both.
So it's about 50-50. I think AI will become part, is already part of a lot of technologies, right? Like SOAR and SIEM, it's already part of that. But I also think that the attackers will use it to the benefit much more strongly than we can now see and that we can now anticipate. So first and foremost, you wanna say something?
It is, it is going to be a threat. And I think we need to start trusting AI and make sure that we govern it, right? That's governance around it. Because there's a lack of governance as of today, as we all know. Well that's actually a a,
I would like to suggest that we have a precedent. We have two people didn't trust electricity not so long ago. Do people think about electricity nowadays? Do you walk around thinking, I'm not sure I trust this light switch just saying, I would also add the genome project. We have precedents, it can be solved.
We're lucky in that way because we didn't have to solve the electricity problem. But I'm just saying I completely agree in that manner, but I think we know how to do that as human beings. We just shouldn't let the machines decide.
Yes.
And I, I don't remember the philosopher who said this, so this is not my quote. And also I've mangled it. I own the mangling. I don't own the original, but there's, there's a philosopher who said, when you invented electricity, you invented the electrocution. Yes. When you invented the airplane, you invented the airplane crash, right? For every technology, technology is never neutral. There's always a downside. And what's gonna be really critical is that we as security and identity leaders navigate that in the next coming years. That's exactly
The point. Exactly.
A hundred percent.
So got a question here.
Go
Ahead.
This yeah, this is kind of for a almost a non-traditional take. Like almost everything that's since SASE, a lot of things we talk about zero trust end up starting with kind of traditional risk surface, attack surface. What about, you know, but one of the, you know, one of the interesting new, and you know, hard to solve set of threats is the whole attack surface from the supply chain attacks.
You know, whether that's, you know, embedded stuff, you know, it's almost like coming sideways at us, not, it's not coming in the traditional way. Whether that's embedding software and open source stuff that gets brought in, you know, that, that we've seen recently or you know, actually really nefariously, you know, breaking open solar winds and actually depositing, there's different attack. What do you guys think about, you know, any thoughts about that from a zero trust kind of perspective?
I, I think there are, there are a few things like, you know, you must do, for example, when you are doing into supply chain mechanisms, your code signing becomes extremely important. Why would you accept code from any third party, even if they're delivering it to your house kind of thing.
Saying, you know, yeah, yeah, this is, this is, I'm I'm giving you a link phishing kind of link or a spurious code coming in. And even, even then supply chain attacks can happen, right? What we were discussing earlier was any credential stolen takes about 361 days. That's almost a year to be discovered. So if you're discovering 361 days after the attack or credentials got stolen, basically the threat actors are already inside. So at that point in time, your supply chain could also be compromised. And that's where the pillars start coming into play.
And you say data application workloads, my encryption technology, my networks, my infrastructure, micro segmentation, all that stuff. So it's not, like you mentioned earlier, it's not just one thing. And you mentioned also thing, you know, it's, it's collective approach to that.
Having worked at Intel, there's also counterfeit.
So it's, it's just, again, it's non-genuine. I, if you know Microsoft, there's tons of piracy, right? So there's, again, everything is good, can be used for bad. So super difficult problem to solve. And typically, you know, each one of the manufacturers attempts to improve the way in which they protect the integrity of the things they make. And so much. Now what we see is those, those infiltrations, they start usually hackers log in, they don't really break in. And then once they're there, they're able to, which, you know, the SolarWinds one, build scaffolding. Yeah. Take command and control.
And then they are able to set up identity infrastructure to self issue themselves, tokens and access. So it, it's extremely sophisticated behavior, but it, it's going to get easier and easier as the tools get faster and AI and you can just start, you know, trying different techniques and and tactics.
So I don't have a an answer for it.
It, it's just, I think it's one of those things where now there's so much awareness about it. So perhaps a number of vendors will, you know, strategize as a way in which they can not create trust, but be, create some method of authenticity in, in a way that just helps the supply chain move forward.
And, and again, your point on code signing is, is really salient. And, and of course, you know, that does exist today.
I mean, that's how Apple protects the, you know, the Apple App Store and and whatnot from, from unsigned software being launched. But the problem with SolarWinds is it was signed software. Yes.
I mean, they used their own infrastructure against them and really de determined how they wanted that payload to behave as well. So that was really special case. And it doesn't mean it can't happen again. Of course it can. I just thought I'd comment on that.
It's, it's a really hard problem to solve. It's really difficult
To pull it up a level because I'm not gonna go into code signing. I've been too many years as a CISO to talk about that. To pull it up a level, zero trust really has a moment right now. And that moment began of course, because of the pandemic. That moment began with the employees and the conversation and advisory work I did in 20 and 21 and into 22, it was predominantly employees and 22.
And in 23, the conversation has shifted to the extended workforce. It shifted to my contractors, my suppliers, my third parties, the people are coming in. So we know that the other security capabilities have filed this the same way. Right? Back to identity. How many times have you guys seen over the years, we solved identity for employees? What about your contractors? We don't talk about them, right? How many times have we seen that that happens again and again, the earlier question was a, a good one about standards.
UK NCSC put out their principles for zero trust a couple years ago, and they have something in their, their principles that I have not seen anywhere else, and I would argue should be everywhere else. And their last principle is, you'll purchase and mandate services that are using zero trust. So zero trust no longer becomes something that I apply for my organization, becomes something that I also apply for my, or require for my suppliers and my extended supply chain. And I think that shift twofold.
One, looking internally external, secondly, looking from policies to supply chain management and governance that pushes the pressure on our suppliers is really what we need to, to make some advancements.
So we have a, a comment slash question from the app here. It's pretty good. We're currently discussing the same issues we did years ago that is which data to hold, how to do data classification, et cetera. This isn't a tooling issue as a security community, we have not managed to get the message across and implement the processes successfully.
I think, you know, kind of going back and talking about DLP and CASB and you know, ai, I think there are innovations that are out there that can help address these issues that we have been talking about for years. The issues haven't gone away because the problems we're trying to solve are pretty complex.
What, what does the panel think about that?
So, so I guess there's a lot of innovation going on, right?
You know, if you, if you talk about identity, you know, there's the externalized authorization management, right? There is the identity detect and response that's coming up. So there's, there's, I think there's lots of innovation that is happening, but that's the business that we're in, right? There's always something new.
I mean, you talked about SASE and CASB in the previous session. There's innovation going on all the time addressing these different, you know, risks that we see, but it is getting more risk based. There is more legislation. There's DORA, there's all kinds of new legislation coming up.
And, and for that reason, you know, we need to, we need to automate, we need to standardize, we need to go cloud-based. All these things are relevant in order to be minimizing that attack surface and also be able to recover from when there's something not working in the way that we think it should be working, right? That's also part of zero trust.
Yeah, I think, I think what Wolfgang mentioned earlier was the attack surface. He, he mentioned about like, you know, how people have been attacking forever, but education and awareness of people improving, saying, you know, okay, now I understand people have, especially in COVID, like you mentioned earlier, those days, a lot of people said, you know, we are sending our employees home, we need multifactor authentication. That's the first thing we want to do. I have customers who actually sent their employees home and then they said, we are gonna ship you Microsoft Surface tablets.
And then the question became, you sent them the Microsoft Surface tablets. So you said you can access information application data from one machine, but then who gets on that machine? How did you control that? So that became another problem.
So the, the fact is that in last two and a half, three years, the awareness, the education, the amount of ransomware attacks that have happened all around the companies, all around the world, and Gerald has numbers about it. What, what kind of companies or percentage of companies have those things Is is that, that that has definitely helped in promoting zero trust to the level where it has become standards are being launched, the maturity levels are being defined, mandates from White House are coming saying, you know, this is what we need to do.
Other countries are jumping in and they will continue improving.
Okay, we're coming up to the end of the session. So I don't know if each one of the panel members want to just give a closing comment or something to take away. Sure.
I'll give a closing comment that also addresses that comment.
You know, fundamentally, one of the problems we have in security as we recreate the wheel and we cause the same problems over and over again, right? And we can, we can almost project, if we think about the topic here, five years in the future, where we're gonna be five years in the future, we're gonna have five different silos of zero trust. We need to rationalize and we're gonna worry about zero trust sprawl. And that will be a topic somewhere, right?
We can protect these things, we can predict that, you know, five years from now people will be breaking zero trust and there'll be zero trust fatigue attacks and zero trust bomb attacks. And the media will go, oh my God, no one thought this would happen. We thought it would be solved. Why? Because we see this with password.
Listen, we saw this with passwords and so on down the line. What we need to start thinking about is looking back on some of those lessons on every domain that we've deployed over the past 20 years and applying them forward to zero trust. And we're truly gonna be successful in solving some of these intransient problems.
I like the word you used, rationalize. I think that's an important word because the world has changed, right? I mean the cloud is there and I think there's, we talked about innovation and I think it's coming back to, you know, make a plan, get started, get help.
There's lots of vendors here, service providers, consulting firms that can help companies understand where the maturity is, where the biggest risk is. But get started.
I completely agree with Gerald. I think get started now. Don't delay people, process technologies. Do not get out. Like do not miss any of those things. Increase awareness, education, technology will help you. But people process extremely, extremely important. You need to get started today. If you're not thinking about post quantum, do it today. If you're not thinking about IAM, do it today.
If you have not got an MFA, do it today. If you've not classified your data or you don't know what to use, what not to use, do it today. Get started.
All that and more. So my piece of advice would be, yes, get started today, but again, you do not have to be the expert at, at at, for any of you. Get a managed service provider, you know, work with a managed service provider who can help you make that blueprint, make that path, do the discovery for you because what what is constant is change. You've got joiners, movers, leavers coming in and out of your organization.
You know, it's going to be continuous change. And so as a result of that, you're in a much better position if you do not have the ability to get certified on everything. The ability to evaluate every single vendor, the ability to make gets cyber security insurance.
I mean, there's so many parts to this. Focus on your core business and hire an outsource to a managed service provider.
Hold them accountable.
You know, SOC as a service, MDR, whatever it is that your business needs to help de-risk it. You can get those services today and you can change those services over time because they'll be able to help swap out a product or, you know, they'll do the integrations for you. And the reality of it is, is you don't have to do it in-house anymore. Like the perimeter is gone. So like you really don't have to do it in-house anymore. Stick to your core business, stick to what you guys are good at. Don't try to do security if it's not the thing that you're in business for.
So I just really, really encourage people to not focus on trying to build the competency in-house necessarily. Do what you're good at.
Hire, hire professionals. Hold them accountable. I love the supplier list. Make that part of your, your, your tender, your RFPs.
Make them, make them do zero trust and then you will get there because you're gonna be enabled the end. Yeah.
And be ready for the breach. It's coming. Oh yeah.
Breach is.