Hello, and welcome to our KuppingerCole webinar "Zero trust through identity-based segmentation". This webinar is supported by Illumio. Your speakers today are Trevor Dearing, who is EMEA director of technology at Illumio and me, Martin Kuppinger, principal analyst at KuppingerCole Analysts. Before we start, some quick insights on the upcoming events and some housekeeping information, then we'll directly dive into the topic of today's webinar.
So from the themes of the next events, there's one virtual event, KClive, starting tomorrow at 2:00 PM, about the access management playbook, securing today's organizations; definitely very, very well spent time to attend. I'll talk in my keynote about major trends and disruptions in the area of access management. And then, as a fully hybrid event, we will run our European Identity and Cloud Conference 2021.
Again, this time it will be September 13 to 16th, again in Munich, as every year. Don't miss attending this event, either on-site or virtually; there are plenty of options to register for this event. I would not miss this, too.
There are a few things too. The one is we are doing a recording, and we will make the video, so the podcast recording, as well as the slide decks available shortly after this webinar. So you can then download them, review them, whatever you need.
Second, there's a Q&A session at the end of the webinar, and you can enter your questions anytime.
So usually at the right side of your screen there is the GoToWebinar control panel, and that's where you can enter your questions, in the respective section. The more questions we have, the better it is. And last but not least, we will run two polls during the course of the webinar, two very short polls, and we highly appreciate your participation in these polls and will then pick up the results during the Q&A session at the end of the webinar. Let's directly, before we go to the agenda, go to the first poll.
And the poll is a simple yes/no answer poll about: have you considered zero trust for your organization? So is it something you're looking at right now or not? So please enter your perspectives here.
As I said, the more who join the poll, the better it is. So I'll give you another 10 or 15 seconds for that. Okay. I would say five more seconds. And I think we can close the poll right now. Thank you for participating. Let's have a look at the agenda.
As usual in our webinars, there are three parts. In the first part, I'll talk about key elements of zero trust and how to proceed from the concept to implementation. I'll also have a look at how zero trust, then identity management, and SASE as another concept are related to each other. In the second part, then, Trevor Dearing will look at zero trust and the concept of identity-based segmentation. So segmentation is a concept intensively discussed in the zero trust context, and by the way, also in the SASE context. It is also something where identity comes into play.
And this is what Trevor will talk about, and he will give you a lot of insights into this area. And as I've said, we will do our Q&A at the end. I'd like to start with some terminology first, and the logical point to start with is zero trust. So probably all of you have heard definitions of zero trust, maybe also some different definitions over time. So what zero trust factually is, is a paradigm. It is: don't trust, always verify. This is really the essential principle of zero trust.
And so what it really means is, you must not trust a single element in your security, like a firewall or something like that. It is not about having the one perimeter around your organization anymore, but it's a principle for doing cybersecurity right and avoiding traditional pitfalls, and also about enabling everyone to work from everywhere, because you don't think in a perimeter, in a traditional internal network versus outer space, right?
You think about: everybody connects to every service from everywhere. How do you protect it? And that can't be done by a single entity.
It's a set of elements. It is repeated, sort of; I'm always a little reluctant with the term continuous verification.
Yeah, because continuous would mean all the time. It is repeated, frequently repeated, with different systems and means, which help you to understand what is the risk, how good is your level of assurance, how good is your verification, and then make your decision about what is allowed or not. So this is the basic idea behind zero trust. Then we have the concept of SASE, which became quite popular over the past few months. It's a term. It stands for secure access service edge. So there's access to a service in a secure manner.
And there's this single word, edge, in that term, which means access from the edge, not only in the sense of edge computing, but from every edge: the endpoint, the service as an edge.
How can you make this secure?
Honestly, I then have to say, in the current state, SASE is probably more a potluck than really an architecture or a paradigm. It's a set of components. You will see form for various pods in the market can include hours. For instance, you can get sort of more advanced architectural pictures, but basically it is saying what you need to enable a user to access services in a secure and fast, and also in a very performant manner. This performance thing is very important for the hybrid world.
So SASE is very much focused on the hybrid IT world, where you have people who are working in the office or the home office, where you have services running on premises or in the cloud, but you need to transfer data from maybe your shop floor in manufacturing to a cloud service for further analytics, or they need to collect 5G data and robust step data. So it's really for these areas: delivering services securely, fast, reliably, and mainly for hybrid scenarios. So the shop floor, retail with its shops, logistics with its depots, or banks with branch offices.
And it has to do a lot with zero trust, because for instance, one of the elements in SASE is zero trust network access. So these concepts play to each other, and I'll discuss this also in a minute. We then also have the concept of IAM, well established, by far the oldest one of the three. It's a technology. Identity and access management is a foundation for dealing with identities and their access. So how can you manage the digital identities of everyone and everything, and the access to every service, seamless yet secure?
And it is one of the elements that really make zero trust and SASE work. So you will not be able to implement a zero trust strategy without identity and identity-based technologies like identity-based segmentation. You will not be able to make SASE work solidly. So it's one of these essential technologies; it's an essential part of all these things.
So we have a relationship from a paradigm to a potluck, which is not sort of a one-to-one mapping to zero trust. You need to be clear about it. So it's not that zero trust is the biggest, then there's SASE, and then identity management.
It is three elements which have a relationship to each other, probably better a triangle, if you want to see it that way, where you have different ways to look at how we can create a secure environment for our business. And here, again, identity and access management and everything which is based on identities is essential, because at the end of the day, and I'll discuss this in a minute, it's always about someone, an identity, who is accessing services. So identity and access are very essential. It's about all types of identities here.
So when we look at zero trust, then the perception of what zero trust is, and how zero trust has changed over time, has changed massively since the early days. So zero trust is a term that's been out there for more than 10 years right now.
And at the beginning it was zero trust networks. So it was about segmentation already from the early days, because the basic idea was: don't trust the firewall, don't trust this perimeter, the belief that everything within the perimeter is secure. There's this lateral movement thing.
So someone who is in can do a lot of things because there are not enough verifications anymore. This is where it all started, and over time, other elements were added. So also, all of you have heard these terms of the device is the new perimeter, identity is the new perimeter, et cetera. I think we can discuss this back and forth, but what is really the case is that we have a situation where we need to think bigger about zero trust, especially in these days, with the recent SolarWinds and Kaseya incidents.
And if you're honest, if you go back a couple of years, Hopley also was something which in some way falls into that category, but more that case due to a back then to a targeted attack.
So it's a little different from SolarWinds and Kaseya. But back to number two, so to speak: it's beyond network security. So there's the perspective of system security or device security. At the end, it's about layered security, verification at many levels, creating smaller segments where fewer things can happen, and identity also comes into play. So what is someone allowed to do?
This is, so to speak, the perimeter around that identity. Adaptive authentication, for instance, still is, from my perspective and in my strong belief, one of the most important elements of the entire zero trust theme. So it is about: if you have more risk indicators, if you have a different context, you might need a stronger authentication. So we do more verification so that we can finally make a decision and say, okay, yes, we can allow that access. And that is a really good example of how zero trust works. What we need to add is software.
We can't blindly trust software anymore. The SolarWinds attack and the Kaseya attack both have proved that there's a huge issue of attacks coming, sort of, into the organizations via the software supply chain. So we also need to add software security verifications around that. That is what already is happening. If you want to sell to the US government, then there's this need for pen testing also of, sort of, the supply chain of software, which is part of that story. I don't think that pen testing is enough. We need more than that.
We need more modern approaches, but that would be a totally different theme here. So it's about everything we need to understand. So zero trust isn't the central paradigm, it's the foundation for cybersecurity and supply chain risk management, and it is taking a broad perspective.
And this perspective, again, I touched this a little, this perspective really is about saying, okay, what happens at the end when you look at the flow of access? It's about a user authenticating, using a device, over a network, to systems and applications, and last but not least, something happening with data. That's, so to speak, that flow, and we need to implement verifications at as many levels as we can, at as many places, unless it's totally redundant, for sure. And we can do it relatively easily for a user, because the user authenticates.
So that's a good thing. Devices are a little more tricky because we have bring your own device, latest in the days of work from home over the past 18 months. The network: so the days where we had a PC in the corporate network accessing servers in the corporate data centers, they are past.
So the network means someone is working from home over a Wi-Fi installed in his house or her house, accessing the telco's network, and then ending up somewhere, maybe in the cloud or in a data center; relatively hard to get a grip on. There are ways to do that. Then we have the system and application space.
We again can control the access: who's allowed to do what. For data, we could do it theoretically as well. But we are both for structured unstructured data. That's really, really good in that kind of different scene, but we definitely need to get better. And by the way, in some ways, SASE is also looking at that flow, because it is looking at how you can ensure that the user comes reliably and quickly to the systems and applications and the data that should be accessed. This is basically the same storyline here. Zero trust secures the distributed digital enterprise.
It consists of a range of elements; we need multiple elements, in depth, to make it work, because user site, anyway, we can't trust the trust. On the other hand, we also need to manage change and the complexity. This complexity, I think, becomes apparent when we look at the next slide, because, let's look at elements of software security: even in that graphic, there are so many technologies which may contribute to a zero trust solution, to a zero trust approach. But you will not need all of them. You really need some of them.
You need to carefully select and understand what helps you to move forward in your zero trust strategy. So what you need to do is, really, you need to understand your risks first. So what are the things to protect? What are your really risky items? What are those things that can go fundamentally wrong?
Your requirements, which are related to the risks, go beyond the risks. Then you can define your architecture and then make a fit-gap analysis for the tooling. And you'll identify that some of the stuff you might have in cybersecurity tooling is totally obsolete
in the meanwhile, so you're spending money for something which doesn't really deliver to your mitigation. And on the other hand, you will see that there are things that are gaps you need to close, and that's why you need to prioritize what helps you most in mitigating risks. Where are the biggest gaps? What is the best sort of risk-mitigation-to-cost ratio you have to implement and run it? So it's really something where you need to spend some time on some analysis: cybersecurity tools, portfolio assessments, things like that.
Or fit-gap analysis, whichever term you want to use. Do you even have like a perfect CUNY? The reality: there's not that perimeter anymore, there's a lot of shadow IT. And you really, that really stopped.
It's also very clear: there's no zero trust in a box thing. Zero trust access, zero trust security is a complex thing. And there are elements, you will hear about one, which are very helpful in doing that, but it's not that it's a one-stop shopping, saying, okay, I need this tool. And it's logically clear, isn't it? Because zero trust is about not trusting a single system.
There can't be a single solution which solves everything and in which we trust. That would be exactly the opposite. It's a combination of things, but there are essential components. Things like identity-based segmentation are elements that contribute to a zero trust concept. You also need to understand what you have as assets first. I talked about this before. And it's a journey; it's not a project. So understand it really as something which is a longer trail, and not saying, okay, three months from now, I'm out of this mess. You are trusting. You won't be. So how to proceed from here?
The first thing, I believe: it is important to clarify terminology and understand the relationship between concepts. Then you define your perspective on that, your strategy, your requirements, use cases, and then make a plan. It's really about planning. Don't directly go to tools. Always plan first.
One of the most reliable ways of wasting money is picking tools before you know what you really want to do and need to do. And then you can execute it. And by the way, the time you spend for planning always pays off in time and in money. You will get faster and you will spend less money.
If you plan first, you don't lose the time. And if there's a critical need, then you always can balance first actions to mitigate the most severe risks, the most severe problems, with moving forward with a plan. That is something you can do. We do it every day, every week, guiding organizations, so it's feasible. So, recommendations: zero trust is here to stay. SASE will evolve and is here to stay. Identity management
anyway, it's here and it's the foundation. So you need to understand how this relates.
You need to include the right people: the CSOs, the stakeholders from the various areas like network security, infrastructure, identity management, et cetera, and review all your initiatives: identity management, cybersecurity, your zero trust initiatives, et cetera. This is what you really should do. Then I'm confident you will be successful with zero trust. And the success will be that you are less at risk than before. That is your success. You improved resilience against
cyberattacks, you have a higher level of cybersecurity. With that, I'd like to raise a second question, that is, the second poll. Do you already have an approach for implementing a comprehensive, that is the bold term here, so including identities, devices, network, systems, applications, not just a single element.
So do you already have an approach for implementing this comprehensive zero trust model defined? Not necessarily really doing it, but at least having a picture defined. Again, the poll is open. I give you a little time to answer it. Okay. Come on. The more participate, the more interesting the results are. I give you another 10 seconds to click yes or no. Five. Okay. And then maybe a little more time, then we close the poll. Yes. Perfect.
So without further ado, I right now hand over to Trevor, who is the speaker from Illumio's side. He goes into one of the central concepts, looks at a lot of the central concepts: identity-based segmentation. And so, Trevor, to you.
So thank you, Martin. Thank you for that, that overview and introduction.
It was, it's really interesting to be able to see exactly what is happening in this, in this sort of environment. And so we, we Illumio has been running a number of executive round tables recently.
We've, you know, small groups, maybe, maybe up to 10 people in various countries where we were discussing the implementations practicalities and things like this around zero trust. So we decided to, to actually do a survey and, and look into a bit more detail, a few of the, a few of the things that we heard from attendees at these of these round tables. And so that's sort of built some of this this agenda for, for today. So we're going to sort of look at, you know, the big question is, is zero trust real.
We're going to look at what people think about zero trust, and then really talk about how zero trust feeds into segmentation.
Sorry, how segmentation feeds into zero trust and the various aspects of that. And the one that we're we're talking about here is really something called identity based segmentation and how that relates to something else called zero trust segmentation. So I think there's quite a few, quite a few just concepts that we just need to need to straighten out. And then we'll sort of finish with, with a few things to remember.
And I guess the, the question around is zero trust real. It was really answered by President Biden when he mandated that a lot of the, or pretty much all of the agencies in North America need to look at building a zero trust model for security, and then followed that up with guidance to enterprise organizations in America, to look at zero trust and segmentation. So I think based on that, we can, we can pretty much realize that the zero trust is a real thing and that we, it is going to affect us.
And we, we do need to look at how it impacts the way that the way that we do things. So the research that I spoke about, we, we picked 203 people and that they're across a wide range of job titles.
So, so some C-level, heads of IT, IT managers, security managers, et cetera, et cetera, and also a wide variety of different sizes of companies across a number of sectors. And we thought this would give us the best sort of view of exactly how, what people's attitudes are to zero trust, what they're doing with things, how they're implementing it. And we're actually going to take all of this, this research and we're going to package it up and publish it in just a couple of weeks.
So, so we just literally got this research back last week. So it's gonna just going to take us a while to package, package all this up.
And so we started with a fairly obvious question, which is, you know, what is zero trust?
And, you know, Martin put up a diagram in his session. We showed loads and loads of technologies that apply and fit into the zero trust model. And I guess for a lot of, a lot of organizations, zero trust is really the, the bit that applies to them at that time.
So, you know, the most popular response was it's a security framework and model. And if you, you know, if you read the Forrester definition of zero trust that sort of fits, but it's, it also raises some other interesting things.
So, you know, they talk about it's applied to various perimeter security products and, you know, Martin spoke about the don't trust the firewall sort of things. So is it, is it a replacement for firewall? Is it about building resilience?
Yes, absolutely. It is. We spoke about obviously regulatory and audit team and a lot of organizations build a zero trust model to try and solve some of their regulatory issues. And where it says, is it the VPN replacement? I think that's, you know, where organizations are really coming across something called zero trust network access, which is one of the, you know, one of the subsets of zero trust, very similar to SASE, where that can be used as a, as a, as a VPN replacement.
But, you know, the reality is that there is a lot of marketing. There's a lot of confusion around exactly how, how all this fits together, but regardless of what people's view of what zero trust is, the question of how important is zero trust to your organization was quite, you know, it was, that response was quite amazing, you know, 91% said it's extremely important or very important.
So there is obviously a view amongst most organizations out there that zero trust is, you know, is the thing that will help them to develop their security posture in the right direction.
And just adhering to a lot of the principles of zero trust will actually help to, to achieve some of those goals. So the question is, you know, how's it going for a lot of organizations? So there's still, you know, a small number of organizations who aren't planning to do anything zero trust related.
And, you know, there's gotta be reasons for that, but you know, a lot of organizations gathering information, developed a plan started implementing a plan and a few that are actually quite a way down, down the path. And this sort of lends itself to something that Martin was saying, which is really, if you're going down the zero trust route, build a plan, get a trusted advisor, you know, work to a work to a framework because the more that you do that, the easier it becomes to, to actually achieve actually achieve that.
And there's a, you know, there's a phrase in English, which is about, you know, don't try and eat a whole elephant, you know, eat a slice at a time because, and zero trust is very much like that. It's about break it into a number of sub-projects and then, then do what you need to do to achieve, to achieve that.
Because, you know, the benefits of zero trust are wide, and a lot of organizations are looking at doing this for a number of reasons. So, you know, when we look at this, this was a question where people could tick basically all the things that they felt that zero trust is going to do for them. So we see here securing highly confidential data.
So within, within Europe, then that is probably all about GDPR compliance, reducing risk exposure. So, you know, saving us from a worry of, of ransomware and these sorts of things.
Being able to have the same security across all devices, users, and location. We'll talk a bit about clouds and things in a while. And the other one, the other one is just greater visibility of exactly what's happening.
So, you know, so that, that sort of thing becomes, becomes very powerful in that, in that environment. But obviously there are some challenges.
So we, you know, we weren't just asking questions about how great zero trust is. Based on some of the feedback that we had at the round tables, it was worth sort of identifying some of the, some of the technology or operational barriers.
And, you know, there was, there was concern about legacy systems. There's concern about the budget.
Do we, you know, do we have to have the right, all the right data because we talk about identity management, do we know everything that's going in there, a view that because you use the cloud, you don't need it a view that it's only applicable for, for big enterprises.
So there is a, a wide range of technology, technological and operational concerns about being able to go down that route, but there's also some non-technical issues. And this is about things like resistance to change.
So one of the, you know, one of the subjects that came up a few times is the name zero trust, and that, you know, the second most important or second highest here, 32% was a fear that the employees think that the management don't trust them, maybe in organizations with work councils, there was concern about the amount of data that was being collected and things like this. And so there was a, you know, quite a discussion that we had about, about this issue and about the fact that it's not that zero trust is about trusting nothing.
And making sure that organizations understand that zero trust is about only trusting what you can verify and identify.
And that's, that's sort of, sort of quite important. And then there were issues here around the board doesn't understand what zero trust is, and so won't sign off on it, you know, it's too big a job. And so I think there's, you know, there's a definite requirement here for more education on exactly what zero trust is and how to build those projects.
So again, trusted advisors and organizations who can help doing that are going to be, are going to be really useful. So really, if you think about it, the, you know, the ultimate challenge that people face is that, that they either believe that the job is very big or they believe it's very confusing or they believe it's very expensive. And so this is where we, we sort of have to understand exactly, you know, what order to do things and where and where to do stuff.
So he said that, you know, in Martin's session, you spoke about the fact that identity management is, is really important and it's probably one of the first things to do. And that's, and that's absolutely correct because what you need to be able to do is identify not only the users, but all the, the computing as well. So all of the workloads, all of the servers, all of the, you know, all of this type of information.
So, so being able to be able to plan on the strategy about identifying everything is, is quite key. But this thing leads to a challenge because not every organization knows everything that they've got. There's a lot of sort of hidden IT, shadow IT, things on, in the cloud, servers in cupboards that came through acquisitions. There's a whole series of things that, that have to happen there. So along with identity, you need to have visibility of, of exactly what's, what's going on and you need to have the visibility of all the communication that's happening.
And then once you have that, one of the principal things with zero trust is really being able to then segment and separate and isolate a lot of those resources from each other. And that's where the segmentation part comes into this. So we'll sort of move on and start to talk a bit about that. Because if you talk to an application owner, they, they really would like the capability of pretty much every workload or every service to be able to talk to almost anything else within that environment. And that makes it really easy to develop that, that application.
If you remember, a few years ago, we moved from monolithic applications to services oriented architectures and .NET, and, you know, all of these sort of very fine-grained services.
And it makes it very easy then to share resources, to develop applications. But the problem is, if you then talked to the security team, they actually want the opposite.
They want, you know, ideally they want nothing talking to anything, but in reality, you have to identify the pieces that you want to communicate and then allow them to communicate and stop everything else. And the challenge is that when we go from the traditional old world to zero trust, we're moving from a model of identify what's bad, or try and identify what's bad and stop it.
And we're, you know, everyone's struggling with just how difficult that is at the moment to a model where I, where we identify what's good and allow it. And so, you know, being able to do that is in the long term is probably easier because you, that, you know, you can identify the things that you want to happen and everything else is just default deny.
But obviously you need to be able to do that in a way that allows the system to work.
So the traditional way that we would have done that would be to use traditional firewalls and, you know, traditional firewalls, next-gen firewalls are absolutely brilliant. They're, they're much more than just a firewall nowadays. They are the, you know, they've evolved into a platform that you can run all sorts of security services on, like XDR, like DNS protection, like sandboxing, and, you know, a whole host of various things. But the challenge with, with a firewall is that it's, it's very good at creating barriers for very big things.
It's not so good when you're trying to create something very sort of microscopic or down to very, very small component. And the other challenge is that with the firewalls at the perimeter, the problem is that when an attack gets through, you then end up with chaos inside the organization.
So, you know, we've seen many, many times in many attacks, and if you read some of the, the reports on these attacks, you'll see that the speed of the attack, the rate at which it moved through your organization was, was so fast that no one could stop it. And this was because there was no segmentation within, you know, within that organization.
And so, you know, we need to be able to work out how to do that. So there's several ways, you know, and historically you could try and use firewalls, but as we said, you know, the number of rules, the complexities is, is quite high in doing that. Alternatively, you could do that using a network.
So, you know, we've had software defined networks for a few years and a lot of organizations will, you know, will attempt to do segmentation with that. But, but the trouble is if you're tying to those network constructs, you're limited in two ways: if you want to change the network, you have to consider what's going on with the security. And if you want to change the security, you have to understand what's going on with the network and that, and that just creates problems.
And that creates the, you know, the potential for misconfiguration and the biggest failure in firewalls or networking or anything like that that has caused attacks to get through has been misconfiguration.
And that is always that danger. And so we need to try something new. We need to, as we said, identify each workload and then be able to allow that communication to other workloads that, that it needs to communicate with. And this is really where identity based segmentation comes in.
So what we're effectively doing is building a protection or a layer around each workload and then creating places where that can communicate with other workloads as required. And the reality is that you already have all the stateful firewalls you need to do that, because they come built into the operating system. So regardless of whether it's, you know, Oracle Solaris or Windows or Linux, or, you know, whatever it happens to be, AIX, AS/400s, yep. There are stateful firewalls built into that, into that process.
And they've always been there, but the challenge has always been, how do we actually, how do we actually get at them?
Because if you've got 10,000 or even a thousand or even 50 workloads, being able to get in and create all the rules to do that is, you know, is pretty complex. And so what we need to be able to do is to sort of simplify that. So as we said, we want to, you know, verify first. So we need to understand what, who, what each workload is, what it's doing, what it, what it needs to achieve. We need to pull, get that metadata. And so we have that already.
So we have, you know, CMDB, we have things like ServiceNow and all of those sort of things. We have metadata that we can retrieve from each workload to understand what it's doing. We can find and see the communication that's happening between any workload and another workload. So once we have that, things can become very simple, because what we don't want to do is to sit and create lots and lots of firewall rules.
We want to keep it really simple. We want it to be child's play. We want to literally be able to say, allow application A web server to talk to application A database.
Or we want to be able to say, prevent servers in development from talking to servers in production. And it literally needs to be that simple, we need to do it in that way. And then the next important thing that we need to do in that process is fundamentally to test everything. One of the, you know, one of the big challenges with creating rules in a lot of systems like firewalls or distributed firewalls or anything like this is that when you create a rule and you publish it, then it goes live.
And if you can't actually test the rules that you're creating on live traffic without impacting what's going on, then you'll never know that you've made a mistake and you'll never know how to go backwards to solve that problem.
So you need the ability to test any policy before it goes live. And one of the, you know, one of the challenges that came out of that survey is, you know, the, the sort of the trepidation or concern that organizations will break things.
And that zero trust is really difficult, but if you can do it in slices, by testing, by building, by testing, by, you know, creating the next thing, then you're going to actually solve a lot of those problems. And there was a question, you know, one of the things that are, we don't need to do zero trust because we're in the cloud. Zero trust segmentation can be done anywhere, and it actually makes it much easier to move to the cloud if you've got an agile security policy.
So if you're using zero trust and zero trust is everywhere, it's on the end point, it's in the data center, it's in the cloud, then moving things around becomes much, much simpler, becomes much, much easier.
And then the final thing is really, as we said to create and do those things in, in some sort of order.
So, you know, probably the first thing you want to do is to isolate your core services because, you know, almost everything needs access to it, but it needs to be protected. So DNS and Active Directory and all these sorts of things. The second one is you probably want to separate your key environments. We spoke about development, production, test, all of these sort of areas. You want to keep those separate and ring fence your high value assets. So that could be your database for GDPR requirement.
It could be test information, it could be customer information, it could be development or anything like that. And then you can get to that point of controlling every flow. So we spoke earlier about the differences between segmentation, identity-based segmentation, zero trust segmentation.
So effectively the point at which you get to where you have a, I guess, a full allow list of communication between workloads that you can see on a map that you can create rules for, that you can simply change and, and organize is the point with zero trust segmentation.
So it's a full allow list, it's, you know, gives you that capability. And one of the key building blocks to that is that piece of identity-based segmentation. So doing the segmentation, which could be using denials or allowables, but fundamentally based on the identity and the verification of that system. And I guess segmentation is sort of the, the, the overall top level classification of what you're actually trying to achieve.
So, yeah, so if you look and move from sort of left to right in this diagram, you're moving through to the ultimate position of zero trust segmentation.
And it isn't the fact that you need to know everything to be able to achieve that because the things you learn as you go through this, that you're getting from application dependency maps and metadata, and things like this, you can feed back into your CMDB to improve the accuracy of all, all of that all the time. And this is really what the final selling side, what Illumio does.
And by doing that, by creating that zero trust segmentation, you can stop any sort of attack becoming a cyber disaster because you can slow down and prevent the passage of an attack through the organization. Then you can control it. You can actually use that to slip, to be able to identify it and stop an attack in its tracks. So it gives you that time. It gives you that extra time to use your other tools to be able to, you have to be able to provide that security. So with that, thank you for your attention.
And I think we can hopefully go to some, some questions now.
Thank you, Trevor, very much, for all insights you provided. And I think there's really a ton of relevant information and what to talk about. So we already have quite a number of questions here. If you have more questions, please enter them.
Now, the more questions you have, the better it is for, for the flow of the webinar and for the Q&A. And that is what right now we'll do several Tara can move into the Q&A, and maybe before we go into the questions quickly, like, like would like to look at the poll results week because of tear into the webinar and maybe display for us the results of the poll, number one, and then followed by the poll number two, and then I'll comment a little of that and maybe Trevor, you as well.
So can we see the results, please? Here we go.
So for the first poll, the question was, have you considered zero trust? It's roughly three out of four say yes, and one out of four no. So we see that zero trust is really a concept that has taken off. And if we look at a second poll, then we have what you will see in a second more or less the opposite result for the poll number two, which we should see in a second, because it is that one third says, okay, we already have, we have built a comprehensive zero trust concept, a comprehensive approach from that, while two thirds say, no, we are not yet there.
So it is, I would dare to say, this interim state, and thank you for displaying the polls, interim state between the, the, the understanding and perception. Yes, we need to move into direction, but not yet being fully there. And I would dare to say, it's, it's not really surprising because this is really also what I see as the state of the market today. Trevor, how do you see it?
I think that that's, yeah, I think that's pretty spot on and sort of fits with a lot of the, you know, a lot of the things we're hearing and, and, you know, and the research, that whole piece of the fact that the organizations are still in that planning phase or they're, you know, they haven't, they're sort of working out what to do next, how to apply it. And I think there is slight, slight different view, maybe in some different geographies as well.
And, and that may be something that we'll investigate a bit more in, in subsequent research.
Yeah. And I think, as I said, we, our approach, depending on who, whom you speak, you will have a little different, different answers, but I think it's a challenge to go. And when we took out some of the questions we have here, so one of these questions is, does zero trust work in the cloud, Trevor?
Yeah, absolutely. So we, you know, we, we've heard from organizations who've said that zero trust has sort of sped up their move to the cloud or made their move to the cloud easier because, you know, because of the fact that, you know, you can actually do that implementation on the end point or in the cloud, it sort of becomes irrelevant because you're dealing with really just securing identities. You're not worrying so much about individual machines or where those machines are, anything like that.
So, so, you know, a lot of people are talking about zero trust and digital transformation as being almost, you know, two things that you would do. You, you would do it at the same time.
Okay, good. And then, then we have a lot of, a lot more questions here. And I think I started with that one and it might be worth for you to have a follow-up with the one asking that question. But the question is, the problem I have is that I understand the zero trust principles and also the NIST zero trust architecture publication, but I'm currently missing the point of how can we exactly establish the last step? How can I implement the trust relationship between assets workloads?
So how can I, can I exactly do it any FYI, some that it's a difficult question maybe versus a follow up after the webinars, but
It is, it's one of those where, you know, it depends on, on, on your, your sort of asset management as well. So, you know, in one of the, you know, one of the, the key things that you find it it's, it's sort of is fairly easy for users and workloads and virtual sort of sort of environments, but you can, you know, you can tie that into, into the, the physical, the physical environment as well.
So, you know, purely from a segmentation perspective, if it's not something that is a workload that just has an IP address, you can, you know, you can, you can still treat it the same way. You can see it visually, you can give it a name, you can do all of those sorts of things. But I think, you know, there's a lot of physical asset management systems now that tie into the more sort of CMDB type type world.
And I think that's, that's probably probably going to be the answer, whether that works a hundred percent today is, is, you know, it depends, depends on the relationship between the, between various vendors. But I think it's something that, that will happen more and more. But I also think that that it's the, the, the sort of the decoupling of the, the sort of the compute level away from the physical level and the network level that sort of makes zero trust work.
So I, I sort of think, you know, ultimately it, the, the, a lot of those, those sorts of physical devices won't become such a, won't become such an issue really, or be much more around the operating system, much more around the application, much more around who the user is and things like this,
But I think you're,
You're in business.
Yeah.
Turn, I think you're touching a very important point here. That is, yes, we need to get better and posted unified endpoint management, 20% around two I's this year and the ITSP of management CMDB is behind et cetera.
So that, because we can't protect if you don't know. And so, so I think, yes, it is a journey and it, again, shows how, how complex this entire oops, how complex this entire seamless. Okay. So another question I have, I think it's equally equally challenging and complex sizer, maybe a question to both of us in, in your experience, have you seen companies trying to achieve and, and implement a zero trust architecture specifically for data, for instance, data lakes, et cetera, do you want to start?
Yeah, I think a lot of, probably a lot of that is about that. There's a lot of systems now that are using data lakes for security analytics, and we see, you know, we see them.
So it's, you know, it's almost a fundamental building block of EDR and, and behavior analytics and, and a lot of, a lot of this sort of stuff where they collect data over a long, long period of time and process it.
And, you know, ultimately they show you when this changes and what's, what's going on in that system there, I think trying to, there's a danger that you try and do too much with that data, because there's a lot of things you need to do in real time that, that those systems don't necessarily do because of literally they're, they're almost doing some sort of batch processing and, and that sort of environment.
So, so I think, you know, I think that that absolute, those systems are absolutely valid of what they, what they're trying to achieve with that analytics piece.
But I think if you try and sort of apply that into certain areas, maybe like SASE or, you know, firewall rules or VPNs or segmentation or things like that, I think you get sort of the limit of what they're able to do because the, you know, because of the time it takes to actually achieve some of that stuff and the huge amounts of data that you end up having to process. So, yeah, I think, I think a lot of that data lake stuff is really interesting, but I'm not sure it's applicable to sort of every environment that everyone tries to, to push it into.
Yeah. And I think that's the other angle.
We have a ton of data there and potluck is entire because it was a, how can we protect data because so relatively good at the application level. So aesthetic entitlements, we are not as good at structured data. We still have a long way to go for structured data. But on the other hand, we see a lot of brokers, for instance, when it comes to data management, data governance, which again, like, like I Thomas from my perspective of foundation, because only when we know which data we have, where to resides, there's really, a lot of innovation does phase.
We can stop protecting it and adding it into this entire zero trust theme, so, so understanding what our data is and how we control the access context we allow access. But it's, it's definitely one of the bigger, more advanced challenge with Indiana IRC or addressed Stevia. Yeah.
I was gonna, yeah, I think, you know, I think you're absolutely right, but it's, I think one of the, one of the key things there is, is the visualization of who is doing what to, who on that, with that, with that data and sort of being able to control those, those points.
I think one of the, you know, it's one of the, the thing that's sort of thrown up through recent attacks is the, the challenge that, that things that you trust are actually the things that are able to sort of hurt you. And, and so being able to analyze and see exactly who's, who's having access to what, and maybe, you know, using more proxy and controlling, some of those things will, you know, will potentially have an impact on controlling some of that challenge in the short term.
Okay.
My next question, I'd like to ask you for short answer in the interest of time, we are very close to the end. The question basically is about, do I need to start with a comprehensive approach for zero trust? Or can I just start with an MVP approach?
I think,
I think it's one of those things. You, you sort of need an idea of where you're heading, but you don't need to do everything at once would be my, be my view.
It's, you know, if you're, if you're going on a, on a long journey, you want to know where you, where are you going to end up? But the thing you actually want to work out is what's your first, where's your first coffee break going to be.
And it's, I think it's that, that sort of thing. Really.
Yeah, absolutely. I agree. And then I think there's one final question I'd like to pick, this directed to me, given to us, the identity management is a foundation of SASE and zero trust. Do I also see the verified identity or decentralized identity, verifiable credentials, the personal identity as a cornerstone of the foundational identity access, access management dance, you were across concepts identity, say it's not a must, but it helps.
So, so what can we see happening around verified identities with a high level of assurance is helpful, but again, it's not the one only thing we can trust because we shouldn't trust. We should ensure that it's well verified. And it's still current that this verification to the current. So we must cross check, double check it, but then it really helps us because I think we see a tendency too, to have a better onboarding and higher level of assurance. We can have better verification that always helps in to see where trust seem okay with that.
I think we already are close to the top of the hour, so thank you very much for attending this KuppingerCole webinar. Thank you very much, Trevor, for your insights. Thank you very much for supporting this KuppingerCole webinar and hope to see you soon. And one of our upcoming .
Thank you. Thank you.