Good afternoon, everyone. And welcome to this KuppingerCole webinar on zero trust: Zero Trust Reality Check, Secure Access for Hybrid IT. My name's Mike Small, and I'm a senior analyst with KuppingerCole, and my co-presenter this afternoon is James Gonzalez, a director of product management from Pulse Secure. So first of all, let's look at a little background on KuppingerCole. We are an independent analyst company that was founded in 2004, and we provide thought leadership and expertise to both users and vendors of IT equipment.
And our specialties are in information security, identity and access management, risk management, and all areas concerning digital transformation.
We offer three different kinds of things. We do research on all major topics of IT in a vendor-neutral way, which is always kept up to date. We provide advisory services to both end users of computing services, as well as vendors of these services as well.
And we also have a number of events that run throughout the year, and next February we will have our Blockchain Enterprise Day, and next May there is our flagship annual event in Munich, which is the European Identity and Cloud Conference. So as regards the webinar today, you're muted centrally; you don't have to mute or unmute yourself. The webinar is being recorded and you will be able to get hold of this recording tomorrow. At the end, we will have a Q&A session, and you can enter your questions at any time using the questions feature in the GoToWebinar control panel.
At the end of the webinar, I will look through these questions and between me and James, we will attempt to answer them within the time that we have available.
So in this webinar, what we are going to do is to start off with me talking about the challenges of the multi-cloud hybrid environment and how the zero trust access model solves this. And in the second part, James Gonzalez will examine zero trust model scenarios, the protection mechanisms and key deployment considerations needed to ensure hybrid IT access usability, intelligence, and control.
So we can start off with the question of why do we need zero trust, and the diagram that you should be able to see now gives an indication of what this is. Once upon a time, all of our IT systems were held in secure buildings and there was a physical and a logical perimeter around them. What you can see now is that we have remote employees, customers, devices, and cloud computing, all of which are providing immense benefits, but at the same time are creating enormous challenges.
And this is made even worse by the use of wireless connections, as well as guest users that are introducing all kinds of new routes into the way that communications are taking place. And irrespective of this, insiders, either through malice or misuse or even mistakes, still pose a real threat. And one way of managing all of these different challenges is through this concept called zero trust. So what is zero trust?
Well, zero trust is a model that was first proposed in 2010 by John Kindervag of Forrester Research, who has now left. And basically he was looking at the challenges which apply to this new interconnected world. And in the old days, the, the model was trust, but verify, and those of you that can remember Star Wars will remember Ronald Reagan. And this was his motto for how he was going to negotiate with the, the Russians as it then was.
But this is no longer a suitable model for this interconnected world, where there are no perimeters or where there is no way of knowing what's happening.
And so you have to replace this with a model, which is based on the idea that you can never trust anything, and you always have to verify things. So to put that in another way, when your computers, when your systems were connected to your internal network, which was physically secured and logically secured, you could reasonably say that I can trust what is on my internal network. Now you don't know everything is interconnected. And so you can never say that a device is particularly trusted because of the direction through which it is connected.
And so you need to always constantly reassess your trust in different things. So there's a lot of confusion over what zero trust is.
Well, it is both a concept and an architecture model. It is a combination of processes and technologies, and it builds upon the standard approach to security. You still need to identify your assets. This is absolutely fundamental. You cannot secure what you don't know you have. And it is at this, this stage that many organizations actually fail. You need to understand what the threats are and assume that you are under threat and define policies, which are effectively targeted to try and reduce or mitigate the effects of these threats.
And those policies really are concerning controlling and restricting access to these things that you've defined as being of, of importance. And it isn't sufficient to say, I've put a policy in place. You have to be able to show, be sure that you constantly verify and monitor what is happening, because there may be some way around this policy or this access control that you have put in place. So verification and constant monitoring is in fact important.
And based on this, you really need to compartmentalize the different elements of the internal systems and move the controls closer to the points where they are at risk.
So if we look at zero trust in terms of identity, device and context, as we said a moment ago, you can no longer assume that you can trust an identity because you know where it is being accessed. You cannot trust devices and you, you need in this world of mobile employees and customers joining from all over the world, you need to look at the context of this.
And so what this really boils down to is you need to establish new trust boundaries. And this starts with identity, and identity has become, if you will, the new frontier of access control and of security. And it is the identities of those devices, as well as the users, that matters. And these identities need to be constantly re-verified. It is not sufficient to say, well, I checked when this person logged on that they, they are the right people.
There are all kinds of different mechanisms that cyber adversaries use to piggyback on identities.
And so this means that you need to have approaches which include things like adaptive authentication, as well as analytics about the behavior of devices and of people. And this needs to include what you believe are more trusted devices, as well as the current context of those, and all these need to be taken in terms of the context of where was that device last? What is the value of the transaction? And where is the transaction coming from? There are clearly certain places that are less trustworthy than others.
So in terms of access, what we are going back to is this idea that was first proposed and written down in the 1970s, that is the notion of least privilege. And this was the notion of need to know, applied to systems and software and modules of systems and software: that if a module or a person or a device has the minimum privilege needed, then it minimizes, it reduces the risk of that device or that person by mistake, or by malice or misuse, to exceed and damage other parts of the system.
And although it's an old idea, unfortunately it is still not terribly well implemented in general. And this really needs to come from some kind of centralized policy and it needs to be applied in real time and it needs to be adapted. And it's only by doing this, that you're going to be able to absolutely minimize the access to resources in a way that reduces the opportunities available to adversaries and malware and mistakes and misuse to compromise your systems and to exfiltrate data.
So in terms of networks, this, you, you cannot trust any part of your network. There is no DMZ.
There is no demilitarized zone that you can say you are safe in. You can no longer be absolutely sure that even a VPN or an intranet is safe because everything is interconnected. And so this means that you, it makes it even more important to separate the network into what you might call micro micro areas, where you have greater control over what is in fact going through this. And one of these areas that is especially important to, to manage is the control plane.
And I think, again, this is something that has been put forward and, and has been forgotten: that the control of the devices that make up your network, the control of how these are configured, what is allowed and what is not allowed, is something that should be separated from the normal service traffic.
And often it is not. Organizations try to manage their devices through the same network or through the same logical network as the, the traffic flows. And that is effectively the first breach of the principle of least privilege.
So if the adversaries, if your cyber adversaries can gain control of the network management, this then allows them to open up the system, open up the network to their activities. So separating the management and control planes is an important principle of least privilege, and control of the network should not be allowed or not be possible for the users of the service.
So if we now look at the network controls, once again reminding ourselves that there is no secure place in this network, what this really means is the network controls should ensure that everything is accessed securely regardless of where it is. And this means implicitly multiple boundaries and multiple controls. No traffic, wherever it comes from, should be considered to be trusted. The control traffic must be separated from the service traffic so that service users cannot take control of the network.
Traffic should be encrypted to prevent access by unauthorized users, systems, and devices, and all the traffic that is currently flowing through the network should be examined and inspected and logged to ensure that you can detect abnormalities or at least record them so that you can investigate them further at a later date, if you need to. Now, there are several different approaches to zero trust implementation.
And one of these includes micro segmentation, where you basically are coordinating a lot of little mini firewalls.
And those are more than just the host-based firewalls, where you are separating down different parts of the network, so that you have hopefully in those different parts users that have the same levels of trust within that, that, that area. You can also set up a software-defined perimeter using VPN tunnels, and you can have a VPN tunnel per app and per request. Another approach is to use identity-aware proxies, where you can effectively manage web access through web access brokers or secure web access gateways.
And so the objective of all of this is to create zones where all the participants operate at the same trust level and share similar functions. So for example, guests should all be compartmentalized; development and test should not have access to the operational parts of the organization.
And nowhere is this more obvious than in the hybrid multi-cloud. And so now what we have is we have organizations where some of their applications and some of their data remains in on-premises systems.
Many of their systems have moved to cloud and not just to one cloud, but to multiple clouds. Some of these are software as a service. Some of these are infrastructure as a service. And some of the things that are being developed in the cloud are in fact going to be facing the customer. And some of them are actually going to, at the same time, be accessing the data that's held on premises. And the only way that you can possibly manage this is to have a zero trust approach.
So this is a way of doing this to minimize the risks and to maximize the control that you have over this hybrid multi-cloud environment.
So in terms of the advantages of zero trust, it provides an approach that reduces the risk of malicious or mistaken or misuse succeeding to compromise the systems or to leak data. It does this by dynamically securing the connections between the users, devices and the resources or the apps that they are using.
It does this, it makes it easier to provision and to enable multi-cloud hybrid access within this organization that we now see, where you have multiple cloud providers and organizations are using both on premises, as well as cloud systems and possibly even hosting systems. It reduces the opportunity for lateral attacks within the networks to succeed. So it makes it more difficult that if an adversary manages to get into one part of your network, it being able to leapfrog into another part of it, which is of course what the adversary is always trying to do.
And through all of these approaches, it improves your posture for compliance, and it makes it easier to audit and to gain insight into what is going on. So in terms of a strategy of how you might do this, and one of the, the, the main things that always comes back when we talk about security strategies is that the strategy has to be one that supports some form of business activity. So you need a long-term business-driven strategy. It is no good trying to build a strategy which is based around some arcane and difficult to understand technical point.
The point is it is about supporting the business. Now, a lot of people, a lot of vendors will come along to you and say, well, what you need to do is to remove all of what you've got and put something fresh in place. It always sounds good.
It always sounds very convincing when the vendors tell you it, but it's too expensive and it takes too long. Because by the time you've done anything, the circumstances will have changed.
And so it's really important to look from a business point of view of where zero trust is going to have the maximum impact on the business in terms of the reduction of risk, the facilitation of more risky business, more profitable business, or the requirements to achieve a greater degree of compliance for business purposes. So in summary, zero trust is an important component of secure access to today's multi-cloud hybrid IT delivery, and that it is both a concept and an architecture based on always verify and minimize privileges.
It enables secure access from users and devices to apps and resources. It provides scalable control that separates data and control planes. And it depends upon, success depends upon making sure that what you do is intended to, and can clearly be seen to, deliver on business objectives and to manage costs. So with this, I'm going to hand over to James Gonzalez, who will examine the trust models, scenarios, protection mechanisms, and critical deployment considerations. So over to you, James.
Well, thank you, Mike.
That is an extremely insightful discussion on zero trust and how it applies to today's modern environment. What I'd like to do over the next, you know, 20 to 25 minutes is talk about zero trust for the modern enterprise network and how we here at Pulse can help you address the challenges that you face. As we've all seen and experienced firsthand, virtually every enterprise network that leverages hybrid IT architectures, they, they use a broad set of on-prem, cloud and SaaS applications. And of course they have a pervasive mobile workforce.
So here at Pulse, we pride ourselves at, at helping, you know, at having conversations with our customers on a regular basis and help them solve their most critical hybrid IT challenges. In speaking to our over 20,000 customers over the years, we've found that the same set of challenges always make themselves appear. From a visibility perspective, our customers want to know what's going on on their network.
And of course by that, I mean, what devices are connected and what those devices are doing, everything from core routers and switches to corporate employees, to corporate devices and employee-owned devices. And of course we can't forget IoT devices are all contributing to that increasingly amorphous perimeter.
The one change in the movement of, of, of more recent times of, of course, is the, the mobile workforce.
And as we can easily note the, the, the traditional perimeter, which used to be in, you know, just, just the edge of, of the enterprise network, it now moves with the user wherever they are. And so that traditional perimeter, you know, it, it really doesn't exist anymore. So originally with, with breaches becoming more common as malware becomes more focused, for instance, the, the Mirai botnet attack that, that we all know, it specifically targeted IoT devices and networks.
So customers are looking for a visibility solution that allows them to narrow that compliance gap amongst the devices at this evolved perimeter. From, from a compliance perspective, we know that the increasingly mobile workforce means our employees and contractors are accessing corporate data from, from personally owned devices or, or BYOD devices as, as they've come to be known.
And they're doing it more and more from remote locations, obviously contractors come from, from outside networks, but employees connect in from various locations, such as airports or coffee shops, and what happens when, when they can't access the data they need to do their day to day jobs. Well, their productivity drops. And that's just the thing that we as enterprises are trying to enable. And finally, from an availability, I'm sorry, from, from a user experience perspective, this is of course, very key to productivity.
You want to ensure smooth and consistent experience without introducing complexity. And of course you don't want to make it so cumbersome by introducing complex security requirements so that users end up, you know, taking shortcuts or searching for alternatives that completely bypass the security mechanisms you've put in place because, you know, they will. At the same time, you don't want to have them perform multiple logins and, and make it cumbersome for, for them to take unnecessary steps for them, just to be able to do their job regardless where they're coming from.
And then finally, from an availability and scalability perspective, you want your solutions to work at all times, no matter what, no matter if it's, if it's a hundred users that are accessing applications at the same time, or if it's just an administrator logging in to, to check in on the day to day and, and make sure that everything's operating smoothly. So your, your IT staff is probably like all the others that we've spoken to. They don't have enough resources. And they're asked to do more and more complex tasks every day, including our rolling new app.
I'm sorry, rolling out access to new applications.
So what's contributing to this crunch is an increasingly disparate tool set because of the traditional defense-in-depth approach that IT has rolled out over the past several years to combat, of course, the, the ever evolving and ever, you know, more sophisticated malware. That complexity has bred users who have access to data without the right authentication, or are using backdoor or worse to get it.
We all know about that, that one executive who asks for an exception to the rule so that they can access an application in, in a manner that's different to the way, you know, other users are, are used to accessing it. And of course those, those, those create inconsistent controls. So the tool, the tool set is hard to imagine because you're going to integrate into the infrastructure. And of course, that deals with cloud and the applications in the cloud, that in, in addition to coordinating the virtual machine rollouts and getting applications on them to run seamlessly is complicated.
And it's, it's simply not intuitive. There's a lot of different moving parts and products involved and, and different kind of controls and, and configurations on each of those. So in addition to that, no matter where the apps reside, you want, you as, as IT and security architects want to ensure that you apply the same level of security, no matter where those apps are.
It, it can certainly be a very tough and daunting task with complex interactions dealing with this hybrid IT infrastructure. So all of these factors, they, they bring into, into focus the, the ideal, well, the, what, what we consider the picture of an ideal secure access for, for the modern workforce. Regardless of the devices used to access data and information, there are a few things that really make that process of accessing it fast, responsive, and secure: a single client across the multiple operating systems that, that users use.
And that could be those devices that they're provided by the enterprise, or they bring into the, into the network themselves across both desktop, as well as mobile experiences. And of course, regardless of the operating system, those, those devices are running.
You need a unified policy engine that controls access, regardless of the location of the user, the security infrastructure and the device they're using, including the, the apps that they're trying to get to, whether they're, they're running on-prem, in the public or private cloud, or even in, in SaaS, full SaaS environments. A centralized management solution that provides granular controls and flexible management. And of course, one that helps provide analytics as, as Mike pointed out, to get a consistent flow of feedback so that you can use that information to, to fine tune your deployment.
And the solution must be flexible, scalable, and reliable. The whole idea of secure access is to encourage productivity gains regardless of the location. And having a solution that doesn't meet these criteria simply is ineffective in a modern business environment. As is evident, all of these are building blocks to implementing a successful zero trust strategy. And the good news is that Pulse provides very effective methods along all of these, these requirements.
So then what are the elements of a zero trust and, and when, and how is it applied to hybrid IT? Well, before providing any level of access, you must first determine the identity of the user. Mike pointed this out again, and there are things such as single sign-on and, and multifactor authentication that enhance security and usability. But the bottom line is that you just must authenticate every user every time, no exceptions.
Secondly, some vendors forget about the device, but you have to ensure that you verify the device itself. Pulse helps ensure that the device has the latest operating system. It has the, the right antivirus for your security environment. You do a vulnerability assessment of, of that software and, and your firewall features, you know, ensure that they're turned on before connection is made. That's crucial to giving a variety of devices typical access used in your organization. Simply put, you trust, but verify, your users and their devices.
This of course reduces the, the possibility of malware infiltration and the lateral spread of that malware should, should malware manage to, to get into your enterprise network. And this of course helps prevent against data loss or leakage. And finally, you also need a centralized method for distributing secure access policies to all of the devices that are accessing applications and resources; that reduces the complexity of maintaining policies across the infrastructure.
And then there's the, the data that we're dealing with or the, the users are dealing with on a day to day basis while that data is being accessed. You want to ensure that it's protected in transit, having mechanisms such as always on tunnels or the flexibility to use always on tunnels or per app tunnels ensures that by no means that the transactions are insecure at any given point of time.
And, and it reduces that the chance of bypassing the, those secure, the security mechanisms that you've put in place.
So modern protection mechanisms for, for user verification include, we said this before, multifactor authentication, that consists of things such as one-time, temporary one-time passwords, or TOTPs, as everyone knows and fondly calls them. And of course we know things such as ADFS and SAML are broadly adopted in the, in the enterprise environment.
So, so we want to ensure that we have solutions that, that, you know, secure and help integrate with those mechanisms, such as SAML. These mechanisms use secure tokens that are crypto signed from identity providers, and combined, these all streamline and secure access, especially for the modern application, such as Office 365. I mentioned checking the endpoint prior to the connection.
So doing so prevents rooted or jailbroken devices, as they've, they've commonly been called, from accessing your enterprise network and reduces the spread of malware because those devices are especially susceptible to, to being attacked.
The centralized policy feature must allow administrators to fine tune access to these devices.
I mean, you have to be able to grant or deny access, but you also wanna be able to do critical things such as if you find a device that's already on the network that somehow managed to get itself into a little bit of, of trouble. You want to be able to quarantine that device so that you can inspect that device and the behavior on those devices to, to come to a conclusion as to whether it's, there's a good way to remediate it.
And once you've remediated the, the trouble on that device, you want to be able to allow it seamlessly back into the network, without the users having to, to perform any action on their side. Always-on, on-demand, per-app VPN: these are things we spoke about earlier.
These are techniques for, for data protection, being able to tunnel the right data over the right connection is critical, critical, and then being able to remotely provision, and not only that, but edit configurations on the fly so that the, the devices are continually accessing data in the right manner that you determine as, as, as a security practice.
And also if, if the devices are lost or stolen, you want to be able to, to wipe those devices.
It's, it's one of those critical methods of securing your data, especially your critical corporate data.
So hand in hand with, with the protection mechanisms are access control mechanisms. You want to be able to craft policies that allow you to use the surrounding contextual information. In other words, you want context based policies. These policies should understand the type of device that you're using and, and the policies should allow you to scale as the network grows or, or as your evolving business needs change.
This means that the, the policy should be able to understand things such as device and user location and use as you, as those devices connect in, and you determine the context, you should be able to apply the necessary or, or the policy should automatically be able to adapt to those situations, to, to ensure that they use the correct connection method to again, ensure the, the consistent level of security is applied for that access scenario. You also want visibility into the devices that are accessing your network, regardless of, of how they're accessing it.
The authentication and security mechanism is a type and state of its of the devices, its activity. And of course, you know where it's located. This allows you to see clearly how your solution is performing also detect anomalous behavior, and then use that information to tweak and optimize your, your solution to, to make it very adaptive.
So, for instance, you want to be able to differentiate a device that's coming in from an internal network, from a device that's coming from, from an airport and be able to make intelligent access decisions, but provide the same level of security, no matter, no matter where that device is.
So now that we've discussed what the typical elements of a, of a zero trust solution are, let's take a look at what a zero trust deployment looks like and what it must take into account.
So it starts with enforcing the same level of access, as we've been saying constantly, the same level of access to, to cloud applications as you would to apps and resources that are in your data center or private cloud, and across the, the types of, the various types of devices your workforce uses. So this goes to, to show that it, it must be an, an evolution of your, your policies. So what you're used to applying to your on-premises data center, you must have a solution that allows you to evolve to the, the new cloud or multi-cloud access, as we like to call it.
So it includes policies that are defined once, that are centrally defined and then distributed to the various gateways that are serving access to, to the resources that, that users are trying to get to, no matter if they're remote, local, or if they're guests or contractors. In fact, it purposely does not differentiate between a user that's on-prem versus a user that's remote to ensure that the same consistent, secure access is applied.
And then you define with network access controls, or you, I'm sorry, you refine with network access controls that enforce what, what, what is commonly termed a comply connect policy that is the, the user and device in effect must agree to the policy before a connection is even allowed. So, so that obviously enhances the security and, and compliance.
So let's look at some of the use cases that are effectively handled by zero trust solutions, such as Pulse. As you know, mobile workforces engender malware and data leakage simply by using their devices in new and insecure locations, such as airports, train stations, coffee shops. When, when you want to do something as an administrator, what you want to do actually, as an, as an administrator, is reduce that exposure by controlling the level of access based on the location. And you want to take into consideration the risk factor introduced by that type of location and the user.
And of course, a device: it could be a device that you've traditionally seen them use, or it could be a new device that they're using from a new location. So you want to be able to take into consideration that risk factor that's being introduced, and you want to have control over those transactions, as Mike points out, over the, those networks, ensuring that it is, it is as secure as possible. Next, with the growing rise of SaaS apps.
And a lot of you are aware of that rise, but did you know, for instance, that as much as 75% of enterprises now use Office 365? That's, that's a truly staggering number. These enterprises, they rely on those SaaS applications to provide security, but as we all know in the security industry, those apps are designed for productivity and collaboration with just enough security in their minds. So we like to provide additional methods such as single sign-on, multifactor authentication and, and especially checking the security posture of the device that's accessing those resources.
So these are some of the techniques that we can help you apply to ensure security when using modern SaaS applications. From a compliance perspective,
well, let me give you an example. Here in the United States, I've heard of, and, and we've, we've read about healthcare organizations that still sometimes use the same network for dealing with patient healthcare information as they do for billing or retail sale.
You want to ensure that you use, or that you separate out those networks to ensure the sanctity of that data; keep the data that you're dealing with, healthcare information, separate. This ensures that you're putting in place effective controls. So such as you wanna separate out those networks and ensure segregation of, of not only networks, but also controls that effectively allow you to protect against things such as ransomware and malware infections.
So that applies to IoT devices as well, especially in the case of things such as manufacturing flows or energy distribution networks. Enabling those networks with visibility and controls ensures you get full access and control, and you keep access and control over those networks and devices on your network. And just like the usage of SaaS applications, most enterprises are considering moving application development using methods. And of course, DevOps teams, and moving some of the analytics even into the cloud.
And you want to ensure that your users have the right access and privileges for those hosted applications.
So let's examine the recent developments we've seen in network architecture design.
These changes, as we know, have been seen in response to more traditional designs that have, as we discussed earlier, a defense in depth approach. Zero trust applies to both, but in a pure zero trust model, there's no difference between the inside or outside the network. As we spoke about, the perimeter is changing.
The users' locations are moving. And so your location becomes immaterial.
With zero trust, everything and every user is authenticated before access is granted. And of course, trust is established as close to the resource as possible. Establishing trust further away is becoming less and less secure as malware becomes more and more sophisticated. And ensuring policy based access for both user and device identity and configuration, as well as taking into consideration attributes such as location, these help lock down access as much as possible.
There's also another type of architecture, something that Mike pointed to earlier, called software defined perimeter.
This looks at access in terms of authenticate first, connect second. That's a new methodology that is different from the traditional architecture, which offers more of a connect first and then authenticate second method of access. Software defined perimeters centralize the authentication of users and devices and, of course, the enforcement of policies. Authentication is enhanced by combining the attributes of the user, device and application. Effectively, a user's granted access when all of these three attributes meet the criteria that you've defined.
So secondly, the software defined perimeter, or SDP, splits the network control and the data part. It splits these into two, giving more weight and precedence to control and access at the control layer and less to the actual establishing of the data path and data forwarding.
So this enables a more granular segmentation approach. You may have heard of the term micro segmentation. This is the ability, of course, to grant access to specific applications for specific users or even connections to those users in apps.
And finally, SDP renders resources dark, which significantly reduces the threat surface. So numerous kinds of attacks, such as APTs or advanced persistent threats, DDoS attacks that bring down access to your network, and malware and the lateral spread of that malware, these are all obviated when attackers can't see or identify resources to infect or leverage.
So that's another critical part of the software defined perimeter.
So with all that in mind, let's take a brief run through the holistic secure access suite that is called secure. We all know and love Connect Secure. It's the 900 pound gorilla of secure access, with 13 consecutive Gartner magic quadrants prior to being folded into the firewall space. Connect Secure provides best in class security, granularity, visibility, and attention to detail. And it's the foundation that our solution suite is built on Pulse.
Next comes Pulse Secure's network access control, Pulse Policy Secure, which provides visibility, role based access control, and our profiling capability that enables front edge network visibility to the device and application layer, oftentimes showing network administrators device and application visibility that they weren't aware of.
It's something that you can easily take advantage of with our assessment, where we put the profiler in your network and show you what's going on. From our Workspace solution, which is our application monitoring and security containerized solution for your mobile devices.
Workspace effectively provides you with an additional context for MDM solutions and enables per app authentication, secure visibility while leveraging secure capabilities on the device itself.
Unlike some of our friends in the space who do things like tampering with, I'm sorry, with source code and an application device layer using SDKs. That's obviously not an extensible kind of approach. Of course, not to forget Pulse virtual Application Delivery Controller, which is one of our most compelling recent acquisitions, and that puts Pulse ahead of the game as it applies to cloud based virtual load balancing and app level automated load balancing and patch management, visibility, and secure control with VADC.
For instance, we can move applications from cloud to physical data center and back again, while providing layer by layer load balancing, volume management, reporting and granular automation. Imagine for a second, if a company such as Equifax had POS the simple Microsoft patch that went unnoticed and unattended for over four months, who would've been handled in an automated and routine fashion. Instead of half of the US population having their mission critical data roaming on the dark web, it would've been safe and secure with just a simple automated task.
And lastly, this entire holistic system is tied together or brought together by Pulse One, a beautifully designed, seamless centralized management and visibility solution that brings together visibility, compliance checks, appliance health management, and visibility metrics that can of course be shared downstream to firewall and SIEM tools. So keeping that in mind, the Pulse Secure zero trust architecture leverages these products to provide centralized policy management for unified clients across multiple operating systems.
One of our very, very strong, compelling advantages is that we have this universal client that applies to all access scenarios. So this allows the users to not have to worry about things such as their location and how to get the resources they need. The resources simply appear to them as needed, and secure connections are stood up and torn down behind the scenes to facilitate a very simple and intuitive, yet extremely secure, access to their resources.
The same tools that you use are leveraged on the internal network for both, as we pointed out earlier, wired and wireless connections, with network access control policies ensuring that they're the authorized users and devices and even things using its are protected resources. At the same time, remote users come in using the hybrid IT environment and ensure that they're securely accessing workforces, securing kind of their productivity.
So when Pulse began researching how to offer customers our SDP approach, we knew that an evolutionary approach rather than a revolutionary approach is more important. We simply never come across a customer who is excited about ripping existing products out and replacing them with new ones across the board. That's why a simple migration is needed when IT's considering a software defined perimeter architecture. One that Pulse provides. Leveraging existing investments is crucial to a smooth transition.
And so we want to ensure that, with all the investments that you've made, you simply enable additional capabilities on them and evolve to this new access model.
So the thinking that we used while designing our SDP architecture was that we wanted to ensure that it was a simple solution to deploy that leverages your existing infrastructure that's already in place.
And we carefully thought through all the use cases that you need to move from the current stages that you're in to the future stages that you need to be in, to constantly evolve and provide friction free user experiences for the new applications and new kind of security methodologies that you want to bring into your enterprise network.
So we wanted, and therefore we designed, a user experience that effectively puts in place an always aware solution that protects the right level of security at all times. From an admin experience, we streamlined the policy definition so that you can centrally create those policies and deploy them out to your secure access infrastructure. And as always, we want to help you future proof and meet your future needs. And therefore we continue to offer you an evolutionary path to where you want to be tomorrow.
So in summary, Pulse Secure offers you the best of both worlds. We've been providing zero day trust solutions for all these years. And we're evolving to continue to provide you with the best in class authentication and device security posture mechanisms, and ensure that only the right authorized users have access to the resources they're assigned to. Again, we have the unified client that goes across desktop and mobile and provides you with that same consistent, secure experience, no matter the operating system use.
And finally, our solution is built from the ground up for hybrid IT, unlike a lot of solutions that come from a cloud first world. So, again, pointing out we're an evolution to help your hybrid IT environments, regardless of where your users and data are. So with that, I want to thank you very much for tuning in and listening to us. And I will hand it back over to Mike to address the Q&A section.
Okay. Thank you very much, indeed, James, for that presentation.
So we just have five minutes left, and the participants can ask questions using the GoToWebinar panel. At the moment, I don't see any questions. So I'm going to ask you one while the participants perhaps put their questions in. And I think many people may be confused as to what it is that they are going to get from the software defined perimeter that they don't already get from their existing network stuff, because, you know, people already talk about having network segmentation.
They already talk about things like multi-level security and so forth, but you are saying that your customers are getting something quite different and more secure from the software defined perimeter. Perhaps you could expand on that.
Thanks, Mike. That's a very astute observation. So the way we think about it is, obviously, other than making users authenticate first, rather than connect first, our solution, which is an SDP solution, does a few other things. So because you can set policy on a per user and a per app basis, it renders the resources that host applications effectively invisible. So threat actors can't find these hidden resources, unlike kind of the traditional services, which are always available. So it reduces the chance of being attacked.
And it reduces, obviously, with that, the chances of a malware infestation.
Another thing that we do is that the policy that you set applies to users and their devices and the applications you want those users to be able to get to. The other important thing, like you pointed out earlier, is that it takes into consideration the minor contextual details, such as the location of the user and device, whether it's a new location they're coming from, whether it looks like an anomalous activity, whether there's specific reputations associated with the locations that they're coming from, and even monitoring things such as, you know, time of day access.
This means higher efficiency when securely communicating. The gateways that broker and encrypt these connections are only concerned about throughput. So, like you said earlier, we split up the data and control part, and that allows us to effectively, you know, establish the user and device identity first. And then only after we've effectively understood, you know, who the user is and the surrounding context do we then allow that device to make a connection all the way through.
So the users effectively continue to see a more enhanced experience without having to worry about that backend security that we are putting in place, no matter where the user is. So we effectively want you to think of it more, again, as an evolution, where you don't have to worry about the kind of security methods that you've put in place today with your existing security kind of toolkit, but we want to help you augment that by providing additional capabilities on top of it.
Lovely. Thank you.
Well, I think we only have perhaps one minute left, but perhaps you could answer this question in that one minute. Most organizations have already invested heavily in a lot of network security equipment, routers and so forth, right? How does your equipment interoperate with existing vendor stuff, and what difficulty would they have in migrating if they wanted to use your stuff?
That's, again, a very, very good question. Our solutions, as you know, we've been around for quite a while.
And one of the things that is extremely important to us is ensuring that our customers can take advantage of the existing investments that they've made, not only in things such as their network equipment, but also things such as their security kind of investments.
And this again goes from not just the visibility aspect, which is where we can provide visibility or more granular visibility into tying specific users, for instance, to IP addresses, to specific contexts, and providing that rich information back to your security investments so that you can use that information to kind of correlate, you know, and make more intelligent enforcement decisions.
And not only that, but we also integrate with firewalls and, you know, other threat protection services the other way around as well, where they can provide us with insight that we can use to enforce using our unified client, which means that you need to worry about one less thing. Every user that comes in and brings their own device is always surprised that they need to put one additional client to help, you know, make your environment more secure.
So with Pulse Secure's universal client, we can intake some of that intelligence provided by external threat providers and use Pulse's universal client to enforce security, such as quarantining that device so that you can inspect it for, you know, further investigation.
Lovely. Thank you very much.
Well, I'm sorry to say that we've now run out of time. This was a very interesting presentation, James, thank you very much for this and to the audience. I would like to say, thank you for participating. Please keep your eye on the KuppingerCole website and your inbox for more details of future webinars and future events. And with that, I'll say thank you very much, everyone, and good afternoon from the UK.