As the speaker we have Martin Schöpper. Martin is the Deputy CISO for BASF. I don't think I need to introduce BASF, but maybe a bit about Martin. He has a Bachelor of Science in Wirtschaftsinformatik from around the corner, Hochschule in Mainz, and an Executive Master of Business Administration from the University of West Florida. With 21 years of experience at BASF, Martin currently serves as Deputy CISO at the Group, where he oversees global cybersecurity strategy and alliance management.
His previous roles include Head of Solution Architecture for Networks, so coming from the network side, Zero Trust makes a lot of sense, Unified Communications and Key Management. Please welcome Martin on stage.
Thank you for the introduction and thanks for having me. Is there a way to flip my – perfect, there you go.
Yeah, so first of all, thanks for being here, early presentation. I hope I will somehow have the chance to wake you up a bit with a, in my opinion, very interesting topic, Zero Trust. So what are the things we are going to talk about? First of all, I want to give you an outlook on the current threat landscape, which is one of the main drivers from our perspective why we are going to introduce a Zero Trust strategy at BASF. This is somehow also handing over then to why we think Zero Trust really matters for enterprises and within the cybersecurity market.
How we launched that journey, what are the things we are currently doing in that specific area and yeah, how our program called CyberShield is really going to grow, what it looks like in action. And last but not least, also a little bit coming to the challenges and benefits we see and yeah, then also some real world examples on how we would like to see Zero Trust at BASF implemented in the future. So coming to the threat landscape, and I'm pretty sure I can go through that, yeah, quite fast, it should be nothing new to all of you here.
We have more and more nation state actors really somehow trying to attack enterprises, trying to attack on a country level, especially with these current geopolitical challenges, I think the whole nation state actor environment is growing significantly. Cybercrime, still a very urgent topic, especially when it comes to ransomware. The human factor is, I would say, especially in times of artificial intelligence, becoming even more important.
We just recently had a look at our figures and facts and we recognized that the amount of phishing emails we filtered went down by approximately 12%, which is something we questioned, of course. And at the end, we figured out that we are pretty confident that it's no longer a matter of quantity, but rather a matter of quality of phishing emails. So it could be the case that we also see here a kind of trend towards more qualified phishing emails based on AI technology. Supply security is a huge topic for BASF as well. We have a supplier network of more than 70,000 suppliers.
And with more and more digitalized processes, our goal is also to make sure to secure our supply chain, of course. Other than that, our threat landscape is continuously developing also due to the fact that we are increasing our attack surface. More and more digitalization is expanding this attack surface. We have a new strategy just launched recently at BASF, which also will give our business departments much more flexibility.
It's called differentiated steering, where we'll have more and more business areas using this kind of more flexibility to also think about how they set up their IT systems in the future, which again could lead to a more distributed IT landscape like we have it today. And last but not least, the growing regulatory landscape.
Also here, we've recognized that regulations are somehow the answer from states to somehow counteract the development and the threat landscape. So as a globally acting company, we have to fulfill more and more regulations in various different countries. So let's then jump to why we think Zero Trust matters. I think before I continue talking, I'll just bring a short video that should explain it.
Once a game of lone wolves, hacking has transformed.
From basements to corporate boardrooms, the threat landscape now operates at a global scale, with precision, strategy, and the backing of nation states. On top of that, in the world of traditional cybersecurity, operations are complex as silos dominate. Despite advancements in each domain, their lack of integration leaves vulnerabilities unaddressed, weakening the system as a whole. Without integration, as well as central monitoring and orchestration, vulnerabilities persist. It creates cracks in the system, opening the door for threats to exploit and move laterally.
With Zero Trust and AI, integration across all domains enables faster responses, greater transparency, seamless collaboration, single source of truth and unified decision-making, as well as a resilient security posture in an ever-evolving threat landscape. The transformation ensures that the Zero Trust principles are implemented. It assumes that all users, devices, and applications are inherently untrustworthy and must be verified before being granted access to any resources or data.
Additional layers of protection ensure that even if one layer of security is breached, there are other layers in place to prevent unauthorized access and data loss. And this is CyberShield.
Yeah, I think this shows really, I would say, the change in the strategy. And whenever I've been asked, what is now really the change when we come from a traditional security architecture towards a Zero Trust model? I think the real benefit and the real change is that we do not look into the domains by their own and really separately. We really try to combine the different domains at the end.
So, as shown in the video, we will move the identity into our, I would say, central focus, no longer the perimeter. We will make sure that all these different domains are interacting with each other. And I brought some examples also with me. I will come to that in a second. But I think that's the major change when we talk about a Zero Trust strategy. And for me, that's the way forward that will really help us to somehow counteract this developing threat landscape.
So, looking at our CyberShield program and what we've done so far, as a first step, we – and I think this was one of the most important steps – we've been hearing about Zero Trust for years already. Coming from a network background, every vendor wants to sell us their Zero Trust product at the end. And Zero Trust, coming from the network area, was never really tangible for us.
So, we decided to get a group of people together from all the different areas and said, OK, let's first of all really define what Zero Trust means to BASF. So, what are the things we really see as a Zero Trust strategy for our specific environment? This exercise took a while, but it was really worth spending this time. And at the end, this was kind of a first milestone to really define what our definition of Zero Trust is and whether we all have a mutual understanding of that. Then we started to design the program.
We went to the Board of Directors at BASF and also presented this approach as a kind of countermeasure to this further developing threat landscape and received here really positive feedback and full support as well from our Board of Directors, which is, especially in such challenging times, I would say nothing you can expect when coming to the Board of Directors and asking for so much money over the next years to implement a Zero Trust strategy.
At the end, we then started to really break down the capabilities that we need to establish within BASF and also within those different domains to really achieve our goal and our strategy goal. And then, and this is where we are right now, we started to really implement those different reference architectures we defined. So maybe just some principles and objectives to give you an example. So we defined those guiding principles of our Zero Trust vision and we started implementing that. One example that we looked into was, for example, do we have all logs, all information available?
Are we able to somehow get all the information we really need to be able to make these kinds of on-demand decisions at the end? We broke down those guiding principles into a kind of target implementation, which consists of really increasing network visibility, increasing visibility when it comes to users, risk-based authentication topics and so on. Segmentation is also a very important topic and now we really want to implement those actions across those different domains. This picture should somehow show you the basic idea and I will advance it in the next slide.
So the challenges we encountered are, how can we achieve really this kind of visibility across our whole organization, across these different domains? How can we ensure an informed decision-making process based on a central policy decision point, in the best way automatically? And how can we also improve access controls, reduce risks and at the end also have a consistent decision-making process really from a user who wants to access a certain resource until he actually gets access to the information?
Because what we want to protect is not necessarily the device that the user is using and we probably do not want to protect maybe the identity that the user is using, but at the end it's all about the information and data that we want to protect. And at the end, to be able to do that, we have to look at the whole chain of processing information from the starting point where the user boots up a system or is using his mobile device to access a certain resource. So we have a resource request and at the end we have a resource access and something happens in between.
And this is where our vision is somehow developing towards: that we have identities, we have all kinds of varieties of devices, we have all kinds of networks. And at the end, we have that information about the identity, about the device, about the network, where is he coming from or where is she coming from, what kind of risk level the identity has, how good the health status of the device is, is it a patched device, is it an unpatched device. And based on all this information, we can then make an informed decision as to which resources this specific request actually gets access to or not.
And that's also the, I would say, quite challenging part now to really establish this. And I just brought something with me as a kind of short example which I already somehow tried to explain verbally. So we have a user, an employee in that case, that is going to log on to a certain device and is using that device to authenticate. Then the system is recognized and we do a kind of check on the identity. We check the network, where is he coming from, where is she coming from, is it an unusual location. So that person usually logs in from a location in Germany, for example.
Now this person logs on from the US, which is a different time zone. And based on this information, the device, the identity, and also the network, we then try to do this kind of informed information-based decision-making, which leads to the fact that we request a one-time password from this person because we've recognized something that is unusual compared to the behavior we usually would expect. And then the user confirms this one-time password that will be sent, for example, to the mobile phone or whatever. And we all know that from our private life.
I mean, looking at your private Netflix account, it's a similar way at the end. If you log on to a Netflix account from a different country with a device that is not known to your Netflix account, then you probably also need to enter an additional confirmation that you are really the person you seem to be.
Right, and then we are going to again check the health of the device. Is the device patched? Is a proper AV installed on the device? Are there any suspicious things going on on that device that could lead to the fact that we are not granting access to certain information? In this specific case, luckily, everything is green.
And yeah, we will grant access to the corresponding resources and get access. And I think that's the really important topic. And for me, this is really the future then to grant access to these resources on demand.
Today, we ask for access for an application, and you will probably get an approval process, and you will get access to this application, and this access will remain as long as there's a revalidation. But what about if this revalidation takes place all the time you try to access this resource? And this is somehow the vision we are having to have really also on this level granting access to certain applications, to certain areas within an application, to certain data sets really on demand based on the evaluation we are doing beforehand.
And at the end, in this specific case, we have checked the identity, we have checked the application context, we have checked the device context, we have the data context. So is it, for example, trying to access confidential or publicly confidential information? And we have the network data, and at the end, in this case, we allow the access to the information. This is somehow the vision, how those domains will in the future interact with each other. As a reflection, what are the key takeaways from our perspective?
And I would like to start with one perfect example: really, when you look at all these different domains, you will recognize all these interdependencies between different roles, which is why it is really important to get the right people together and to talk about those potential interdependencies. We did a great workshop together with the team, tried to really identify those interdependencies, and it was really a huge outcome to really see how many people have to talk to each other to really achieve this goal. Done is better than perfect.
If you try to really implement the perfect solution at the start, you will probably fail or you will take years to start. So we really said, let's start in certain areas, even knowing that in some areas, technology is not even capable of serving us those things we would like to see in the future. So done is better than perfect. You have to start at a certain point in time, do the evaluation, look at the different domains, do a kind of assessment, where are you when it comes to the maturity level of the different domains, and then start with those where you have more things to do.
We had domains where we were already at quite a high maturity level, for example, the devices domain, and we also figured out some domains where we have to put in the extra work to reach that certain level. Mutual understanding, I already mentioned that one. It's also important to really understand what your definition of Zero Trust is. And then proper planning, and it's a huge program that will last over the next five years, so planning was really a crucial point. And at the end, we all start from a brownfield.
On paper, everything is nice, everything is easy to implement, but at the end, we are starting from a brownfield approach, and we also have to take this into consideration. That's somehow where we are at BASF with our Zero Trust journey, and I'm looking forward to any questions, if you have one. Thank you.
Thanks, Martin, for now. It's overrunning already, a couple of minutes, so if there are questions, maybe a good opportunity to do them over coffee, but very insightful. Thanks for the insights on that, and probably nobody is surprised that Zero Trust is all about identity.
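The access decision the talk walks through (identity, network location, device health and data classification evaluated on every request, with a one-time password as step-up for an unusual location) can be sketched as a small policy decision point. This is an added illustration, not BASF's or CyberShield's code; the signal fields, the "public/internal/confidential" labels and the rule that an unhealthy device may only read public data are assumptions made for the example.

```python
from dataclasses import dataclass

CLASSIFICATIONS = ("public", "internal", "confidential")  # assumed data labels


@dataclass
class AccessRequest:
    user: str
    usual_countries: frozenset     # countries this identity normally signs in from
    login_country: str             # network context of the current request
    device_patched: bool
    av_installed: bool
    device_alerts: int             # open EDR/AV findings on the device
    data_classification: str       # classification of the requested data
    otp_confirmed: bool = False    # True once the one-time password was confirmed


def device_findings(req: AccessRequest) -> list:
    """Collect device-health problems; an empty list means the device is 'green'."""
    findings = []
    if not req.device_patched:
        findings.append("device not patched")
    if not req.av_installed:
        findings.append("no endpoint protection installed")
    if req.device_alerts:
        findings.append(f"{req.device_alerts} open alert(s) on device")
    return findings


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reasons); decision is 'step_up', 'deny' or 'allow'."""
    reasons = []
    if req.data_classification not in CLASSIFICATIONS:
        return "deny", [f"unknown classification {req.data_classification!r}"]
    # 1. Identity + network context: an unusual country needs a second factor first.
    if req.login_country not in req.usual_countries:
        reasons.append(f"unusual location {req.login_country}")
        if not req.otp_confirmed:
            return "step_up", reasons
        reasons.append("one-time password confirmed")
    # 2. Device context, re-checked on every request rather than once at enrolment.
    findings = device_findings(req)
    reasons.extend(findings)
    # 3. Data context: an unhealthy device may still read public data, nothing more.
    if findings and req.data_classification != "public":
        return "deny", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed walk-through of the talk's scenario: a German employee signing in from the US.
    req = AccessRequest("employee", frozenset({"DE"}), "US", True, True, 0, "confidential")
    print(evaluate(req))            # ('step_up', ['unusual location US'])
    req.otp_confirmed = True
    print(evaluate(req))            # ('allow', ['unusual location US', 'one-time password confirmed'])
```

The reasons list is what a SOC would want logged alongside the decision, so that a step-up or denial can be traced back to the signal that caused it.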