Welcome to this KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm senior analyst and lead advisor with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is a lead analyst with KuppingerCole working in his area of expertise, which is cybersecurity. Hi Alex.
Hey, good to see you.
Hello. Thanks for having me again.
We want to have a look at a topic that we've covered in earlier episodes already. We want to have a look at how we should and can do cybersecurity more properly, more adequately, in a world of changed communication that we are seeing right now. And this is really reflected in the way we do business and in the way we work. As of today, we are no longer relying, and that has been said so many times, on perimeter-based security, so that we have the organization, the company, with a firewall around that and a secure inside and an insecure outside.
We are now working from home, from everywhere in the world. And every communication is under attack, is endangered, is taking place in a hostile world. So with no perimeter anymore, how can we do business? How can we do security in such a world? Alexei?
Yes, Matthias, you're absolutely right. And this whole idea that our IT infrastructures are losing their perimeters is definitely not new.
I think it started nearly 20 years ago. This whole notion of losing the perimeter was already discussed before we had clouds, before we had all the zero trusts and blockchains and other stuff. Even back then, people had realized that this idea that you build, basically, a castle with a wall and a moat, and you keep everything sensitive inside the castle and hope that nobody breaches your wall, was not sustainable. It absolutely doesn't work anymore nowadays, simply because we don't have those castles anymore. We have no perimeters.
We live in the cloud, or in multiple clouds. We have people working from home. We have IoT fleets, we have connected vehicles and manufacturing plants and multiple data centers, and just your IT doesn't even belong to you anymore, because you probably rent huge parts of it.
So there is that one idea that there is no perimeter anymore. A slightly related idea, which fewer people think about, is the overall increasing complexity. The problem with that is that the complexity does not increase linearly; it actually grows exponentially.
If you get, let's say, 10 times more computing devices in your network, the complexity doesn't grow 10 times. Perhaps it grows hundreds of times, if not thousands, because all those devices have to communicate with each other. They have to communicate with external people, devices, identities, whatever you have to deal with. Like in the corporate network of a reasonably large enterprise, you probably have to deal with hundreds of millions of potential connections. And by far the majority of those aren't even necessary.
They're just additional opportunities for a potential hacker to get inside your enterprise. And this is exactly why we are talking about this interesting notion that the zero trust means zero blind spots.
Basically, you have to know what's going on in your network, right? You have to keep an eye, ideally, on all of those connections. The problem is that you cannot; it just does not scale. If you just say, okay, I will have my SOC, I will have a team of experts watching every connection, every device, and they will have absolutely full visibility into all those millions of connections,
then I will definitely stay on top of the hackers. No, you won't. You just have way too much information in the game. 99.99% of those is simply unnecessary, and we have to reconsider and find an alternative approach to it. This is exactly what we were going to discuss today, right? Exactly.
And the first approach to achieving cybersecurity actually was to segment, to have a segment that really represents the safe harbor, the safe organization, the premises of an organization, to make sure that everything that is inside is considered to be trusted.
Everything that is outside is considered to be hostile and needs to be controlled. And there was a ring fence that made sure that there was a clear line between inside and outside that could be inspected. And every connection into this perimeter and out of this perimeter could be inspected. But that was just the starting point. Right? Right.
Well,
As you just mentioned, the original way to segment your networks was just to have one segment, the LAN, right? And the outside was untrusted and the inside LAN was implicitly trusted. It didn't work even back then. Now we don't even have a LAN anymore, because we are working from home, for example. Still, unfortunately, then people decided that maybe we have to configure an additional segment, a DMZ, where we would place some of our important resources which have to be accessed from the outside without actually giving full access to the LAN.
I mean, again, even 20 years ago it wasn't really that particularly flexible; nowadays it just doesn't work anymore. Then came this idea of doing a logical segmentation, if you will. First it was based purely on VLANs and virtual networks and routers, then came the firewalls.
Basically, people tried to find a way to build tiny walls within your castle to separate one department or one part of the data center, one specific application subnet, from the others, to keep those unnecessary connections under control. Right?
So if you only have, let's say, one single firewall and you have to channel all your external traffic to sensitive applications through that firewall, that dramatically reduces the potential attack surface. On the other hand, this approach alone kind of gets out of control quickly, because nowadays large companies might have tens of thousands of firewalls. Of course, not all of those firewalls are physical devices anymore. They're probably virtual, containerized, cloud-based, but you still have to manage them.
And when you have a complicated additional infrastructure that you only need for security, and you cannot even manage that infrastructure alone, what's the point of it? It doesn't actually add anything to the overall security.
Exactly. And this is especially true as the way we are doing our work on a daily basis has dramatically changed. And we don't always have to talk about the pandemic. This way of working had changed before.
And we are moving towards working from nicer places than home or the office. We think of working from cyber cafes, somewhere close to the sea, or something like that. And we also want to be safe and secure in such an environment.
So we would like to consider ourselves being in a situation where we know that the systems that we are communicating with are secure and that they are communicating safely, but also that we, as the user in that cyber cafe or that coworking space, can be considered as being protected, our devices being safe and communicating encrypted and securely with our target systems, be they in the cloud, be they still on-prem, if this exists anymore. And this communication also needs to be well protected.
So us being in a safe bubble and the systems being in a safe bubble, that is much closer to reality right now. Well,
What you have just described does suspiciously sound like zero trust, doesn't it? Because you just mentioned, instead of having one large perimeter around the whole network, you just build a tiny perimeter around each device, each user, and so on. That's exactly the primary principle of any zero trust architecture: access control to anything has to be per resource, per session.
So in effect, even before going into technical details of potential implementation, we can see that zero trust is exactly the right approach to actually logically segment your network in a way which was previously impossible, because again, where you would have to deploy hundreds of thousands of firewalls and then manage them somehow manually, now you would probably have a tiny built-in firewall around every resource and application and device.
Again, there is more than one way to actually implement it. And actually we discussed the technical details in many publications we have on our website. There was always more than one way to actually design a zero trust architecture, and in a real-life scenario you probably need the combination of all of those. My point here is that, regardless of how you approach it from a technical perspective, logically it's all about segmenting your network access to the point that each object on the network lives in its own segment.
And that alone guarantees that there are no more potentially open, unnecessary ways to communicate between different resources which do not actually need to communicate, because your zero trust architecture is designed on another foundational principle: default deny. Don't trust anyone, always verify. So if you had a flat network with a hundred devices and probably like 10,000 potential communication paths, now you would have a hundred devices, each with a tiny micro-segment around it, and you would only have maybe 10 or 20 open ports, because all the rest are closed by default.
And this, again, goes back to this idea that zero trust means zero blind spots. There are many ways to approach visibility, security analytics, XDR, EDR, whatever. And the only really future-proof and proactive way to ensure visibility is not to see everything; it's to ensure that nothing which isn't worthy to be seen even exists anymore. Right? And this is exactly the point of zero trust.
Well,
This is interesting, because that sounds like we are introducing the principle of least disclosure also into the way we protect our security, our systems, our communication. So we only let out the information that is actually relevant, and this we keep as secure as possible and as authenticated as possible, but everything that is not of importance, and on the other hand could even be dangerous to disclose, is left out, is hidden, is omitted from communication in general.
So the only thing that we need to make sure of is that we decide what is important and what is not, which communication is secure, and where we can identify that communication is safe, users are legitimate, authentication is ensured, encryption is safe and communication is possible. Right?
Well, again, if you go back to one of our previous episodes about the principles of zero trust, one of those core principles is that you have to separate policy management and policy enforcement, meaning that you only have one single place where you define the rules, who or what can connect to what and how and when, and all the other aspects. And then this policy should apply regardless of where the resource is located, whether it's a SaaS application or an IoT device, or a mobile phone, or a legacy computer in your basement; ideally it works the same way everywhere.
Unfortunately, I believe we are not quite there yet, but at least we have solutions which can already scale for thousands or tens of thousands of devices protected the same way, if you will. And again, there might be application micro-segmentation solutions, which are basically tiny firewalls, virtual firewalls, or maybe even the built-in firewalls which you would have on Windows machines or Mac or Linux,
along with a separate control plane, which actually manages and monitors all of those firewalls and distributes policies.
And again, if you have this platform which knows how to talk to one firewall quickly and efficiently, it can automatically talk to tens of thousands of firewalls and orchestrate their communications, or actually prevent unnecessary ones. As I mentioned, we have such solutions implemented as, quote unquote, traditional micro-segmentation technology.
You have SDP, the software-defined perimeter, which basically does the same but through a different technology: instead of the firewall, you actually have a point-to-point connection. But basically it boils down to the same thing, allowing access to a resource securely, and only on a need-to-know basis; you can only access what you are explicitly allowed to. There are some other projects.
For example, Google BeyondCorp is based basically on a slightly more sophisticated web access management, a so-called identity-aware proxy, which basically either allows you to access the web application based on an access token or not. But there are multiple technologies. The only missing link is a control plane which could orchestrate all of those together. We are not there yet, but at least we are one step closer to the goal, because we have more than one way to implement it.
So that sounds really like a concept, a technology, a concept that really is forward-looking.
And maybe our audience also wants to focus on that, to understand more, to learn more. What would be the technologies and concepts and documentation to look at when it comes to moving forward in the right direction, to improve this visibility, as you said, and to reduce this disclosure of data, and to make sure that you are on the right track, moving towards zero trust done right? What would you recommend here?
Well, again,
I would like to say that, regardless of which technology you choose in the end, and you probably have to use more than one, visibility comes at no extra price. The whole idea is that, instead of maintaining visibility by taking an effort and looking everywhere, which you do now with traditional tools like SIEMs and XDRs, you are only allowing the things that matter. And by having explicit control over them, you automatically know about them. So basically you only see what's necessary, and you don't even bother looking for things which aren't necessary.
And that alone saves you probably 99% of your administrative, monitoring and forensic effort, if you will. The great thing about zero trust is that by eliminating implicit trust, you are eliminating the need for implicit visibility, if you will. But back to your question: if you actually want to know more about specific technologies, of course you can start on our website, because we have a lot of publications on zero trust. We have webinars on common and specific technologies and even vendors. We are definitely working on Leadership Compass reports in this area.
So there are lots of things to learn at KuppingerCole.com. Of course, I mean, zero trust is such a major buzzword.
Nowadays you can find lots of information around; you have to know what to look for. Again, explicit visibility, I believe, is one of those hidden gems of zero trust which not many people talk about.
Really interesting. And this is really also something that I took away from today's session.
This is really something that I learned from you today, this visibility, and that making the right steps towards that is really an important step. A great summary also from your side to summarize this overall topic, which has a lot of complexity in itself, but doing things right and having a grasp of the bigger picture really is often important. Thank you very much.
Alex, say some final words from your side before we close down. Yeah,
You're absolutely right.
It might even sound counter-intuitive, but with zero trust you are actually massively reducing complexity and reducing the administrative effort, not just because you are eliminating the duplicated infrastructure and stuff like that, or unnecessary security tools, but because you are centralizing management and visibility. And for that alone, your security teams will probably thank you more than for anything else.
Yes. That really sounds interesting and promising: reducing complexity, improving security through technology and its orchestration.
That is really a way to move forward. Thanks again for that summary and for your insights here, Alex. Thanks for being my guest today, and I'm looking forward to having you in an upcoming episode very soon. Thank you, and goodbye.