KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Hi, good morning, everyone. Good afternoon. Wherever you are in the world. My name's Paul Simmonds said I'm a pH Analyst from kobu Cole and speaking to you from a L to down UK. So what are we gonna talk about today? Very quickly. Zero trust is a concept. Is it hype? Is it a business imperative? And hopefully you'll agree with me by the end of it, that it is a business imperative. So we don't have islands anymore as businesses, the, the days where you employed staff as full-time staff, and that was it.
And you had no one else and you walked into the office and you worked in the office and you talked to office systems only. And if you wanted to collaborate someone, you picked up a telephone. Yes.
You know, for those of us who are working in the nineties, that was the norm, but business does not work like that anymore. The, the advent of the internet and the connectivity and the whole plethora of the way we work globally, these days has changed everything. And the problem we've got, and this sort of started happening in the early two thousands, was that how we operated as businesses just did not meet the security model that we had put in place in the nineties.
So, you know, the security model in the nineties put in a firewall harden, your firewall, you only allowed staff to connect through, usually using say like a secure ID card and a VPN as, as, as life went on, we do not work that way anymore. And the problem we've had since the early two thousands, is that the, what the business wants to do and what security and it want to do have been diametrically opposed.
So it is, so it is really, really key that we sort of, we change our mindset and get in, get, deliver what the business wants us to do. So there a trust look, it's a buzzword. And the key thing to note here, it is morphed as a concept over time. So originally 10 years ago, when John Kindig launched this magical term, it was called zero trust networkings.
You know, John was a, a network man. And the paper, if you go and read the original paper, it's called zero trust, networking it. But it had its roots in the concept of de parameterization, which came out the Jericho forum, Google Jericho forum, gone to Wikipedia. Everything that Jericho did is actually linked for free off the Wikipedia pages. So you can, so you can look at that, but this is what today's business looks like. Yeah. And you are, you are collaborating with all of this stuff.
You know, whether it's cloud services on the right there, whether it's partner connections, whether it's work from anywhere. Of course, you know, we're all working from home at the moment. We'll talk about co a little later, the internet of things, 5g, IPV, six, you name it, it's coming. If it isn't in your business already, I bet you it is. But if it isn't, it will be very soon. And the little picture in the middle is actually Hong Kong at night, because if you've ever been to Hong Kong at night, you've got all these market stores and it is throwing with people. You are open for business.
And the challenge is how we, as, as modern businesses are open for business open for collaboration. So is it hyper? Is it real? There are so many vendors out there selling you zero trust. And you know, as this box says, here is lot of it is just old technology product that the marketing focus shoved zero trust, go into Google and put in zero trust, and it will bring you up a list of 50 or 60 different companies, different products.
The key thing I'd like you to, to, if you take nothing away else away from this presentation today, please take away the fact that there is no one product out there that will deliver a zero trust solution, no matter what the salesperson tells you. And that, and that is probably the real key thing. Zero trust is a concept. It is not a solution. So what is zero trust? Not if we want to, to market.
And, and the reason, the reason you've got a martini glass there is, is what we are doing is sometimes referred to as martini networking. It works for Europeans because we had the martini adverts in the seventies, the eighties, the nineties, you know, anytime, any place, anywhere, there's a wonderful place we can share. That's what businesses are about. It's sometimes referred to as martini networking. What is it not? It is not a next generation perimeter. Yeah. It is not a VPN modernization or software defined networking.
That might be part of the solution somewhere for you, if that's what your business wants, but that is not the solution. It's not an off the shelf product. It's not an it project. It is a business project. And that one is really key. This needs to be sponsored by the business. Yeah. It could be about eliminating your internet.
The, the companies that work fastest and quickest and are most agile in the world are those companies who have gone, you know, have not adopted an internal network from day one. They've gone cloud they've leveraged external services. They've Le they've leveraged joint ventures and outsourcing, particularly cloud based outsourcing and SA services to do everything they do on a daily basis, other than what they do as their secret source, which they keep in-house. But when we say in-house, it's probably on a server in a cloud that they own.
So if that's what zero trust is not, let's talk about what, what I'd like to call true zero trust. So this is, this is sort of your list, your starting point for any discussion on zero trust. So what is zero trust? So let's look at where we trust the moment and where actually, if you're going to do zero trust properly. So the first one is no trust in your own network. Yep. That's what we originally, 10 years ago, when zero trust was coined talked about, but you know, where do we not want to have trust if we want to work globally and transparently and agilely on the modern business network?
Yeah. It's no trust in the internet. Hopefully you assume that one already, but let's state it. No trust in the internet, no trust in any countries you operate in.
You know, I've, I've worked for global corporations that have worked in 50, 60, 70 countries where we had a flat network that, that stretched to 30 countries, including India, China, Russia. So, you know, no trust in the countries you operate in, no trust in any I, no trust in any identity ecosystem, which is an interesting one. Cuz we'll talk about how you use identity perhaps to enable zero trust, but actually stop trusting your identity ecosystem.
Because when you have 88,000 people in active directory, can you guarantee that every single one of them is logging in with absolutely strong credentials and are who they say they are probably not, no trust in the server other than for availability. Wouldn't that be nice, no trust in the operating system because operating systems, we know get hacked, no trust in the hardware because you know, hardware is not as, as a lot of the military folk will tell you, they do not trust a lot of the chips that are made in China.
No trust in your system, administrators, because again, you know, it's dirty little secret is if you can subvert an administrator or an administrator goes rogue, they've got access to absolutely everything, no trust in your secure server location and no trust in the system's physical security, because it's fairly easy. I, I have spoken to the, the penetration testers who said, yeah, not only did we gain access to the server room, but we actually managed to enroll ourselves with user credentials. Yeah. They can do it. They can do it in your systems. I can guarantee it. They can do it.
It in most systems and ultimately no trust in the endpoint. So that's your list of, of what zero trust truly should mean. And what we're about is actually looking at those in your business and coming up with an architectural strategy that designs in trust to replace those various things.
So, and, and some of you might say, well find, okay, we accept that. We're gonna have to trust our staff. Find if that's your decision, but at least you make it with an open, you know, an open mind and it's out there. And that assumption is out there with the business. So ultimately it's all about the data because those are most pupil's crown jewels. I know whether it's data that goes to people to make decisions or whether it's data that goes to systems to operate valves. It doesn't really matter. It's all about the data. Yeah. It's about making this.
It's a risk based decision about access to data or systems based on the trusted identity and attributes of all the entities and entities are people, devices, organization, other organizations, code and agents, and, and forget about agents. That's a whole different discussion, but of all the entities and the components in the transaction chain, the better you can understand the end to end transaction chain for this bit of data, the more you can protect it. So zero trust should be about adding trust into criti, into your critical path, depending on what your business does.
I said, this isn't an off the self solution. This is about working with the business to decide where your critical systems are. And actually if you do that bit of work and I have done that bit of work in, in my professional life, then actually you'll find that probably around about 20 critical systems within your business, that you actually need to concentrate on to make this a reality.
So, you know, take aways from this. Do you understand what those 20 critical systems are? And do you understand the data flows for those critical systems? So correctly implemented actually you reduce the whole probability of bad actors. It enables you to migrate to the cloud. It's amazing those people who have gone down this road and say, we don't rely on our internal network anymore. If we don't actually need to worry about computing on our network, it enables computing off our network.
I E cloud, it enables much easier access and more agile access to third parties and joint venture partners out there. It, it really is phenomenally good. If you can do that.
And, and all of a sudden security are the people who, who, you know, like to say yes, rather than who are perceived by the business as they like to see no, like to say no, the really neat thing behind this is, and let's just say aligned, aligned zero trust strategy enables new roots to market. So all of a sudden you are saying, well, we've adopted this zero trust strategy. Now we don't have a reliance on our hardened perimeter anymore. So now yes, you can do this.
Yes, you can do this collaboration with these people. And I, I, you can have it tomorrow because now we don't need to put in firewall rules or some complex technology or reverse proxy at our gateways or anything else that the it folk will tell you about. We just say, yeah, go collaborate. So it facilitates easy ways of collaboration and look, you know, no presentation today at the moment would be especially about zero trust would, would miss talking about COVID 19?
You know, has it, if you, if you implemented a zero trust strategy just before co COVID struck us all, it's been a real business advantage. Those were the people who in March and April this year were able to literally send your people home and say, go work, go collaborate, continue doing what you are doing with all your joint venture partners and, and the people you collaborate with because actually whether you're at home or in the office, it makes no difference. And then of course there are the people who didn't have a zero trust strategy in place.
And actually I'd ask you, you know, are you still playing catch up? And I know businesses out there who are still playing catch up to their competitors.
So, you know what drove your zero trust strategy for a lot of those people playing catch up. It was COVID 19. So ultimately again, the list on your left, but what I'd like you to take away from this is actually, this is a large can be for a lot of businesses, a large scale transformation. It can take over a year. It can take longer than that large system upgrades take that.
So, you know, you are looking at a five year roadmap here to get your business properly. DePrima if you are not already properly, zero trust. So ultimately to do that, you need to align with your business strategy and you need to be sitting down with your business and saying, actually, what are you planning to do in terms of partnerships, joint ventures projects coming up in the next year, two years, five years, even 10 years, where do you want to be in 10 years from a collaboration point of view? And we will make sure that the it strategy matches that.
And with that a quick, a quick Cantor through zero trust and yeah, any questions.