Implementing Zero Trust Principles: Crafting Your Cybersecurity Fabric

Welcome to the workshop part of the cyber evolution. So this time we only have 90 minutes. So for those of you who knows the coping a call or in general the workshops at our conferences, usually they last three to four hours, which is very intensive. Also helps a lot to understand the topic, but we thought this time we limited to 90 minutes to give you more or less the insight. But no worries. We will also talk a lot about the collab collaborative part. So really the hands-on character, that's the idea of today as well. My name is Christopher Schutze.

I'm on the one hand responsible for the co Kuppinger call information security. So our on security part but also as well for our cybersecurity strategy around events, research and advisory. And today Alexei say my colleague, you can introduce yourself. Yes. Hello and welcome. My name is Alexei, say Balaganski, I'm Lead Analyst and also coincidentally the chief technology officer at at Kuppinger co.

So, so nice to have so many people here and I hope more people are watching us online. So let's just dive into it.

Yeah, good point. With the online people, if you have any kind of question, feel free to use the chat function on the KC Live platform. I frequently try to check those questions and answered as well. And for the online attendees, if you have any kind of, for the onsite attendees, if you have any question, just raise your hand.

Important, we need the microphone. Otherwise the online attendees cannot understand your question. Alexei will walk around or I will walk around. That's the most important part.

Okay, so there is some delay. Okay, obviously not, but maybe I start to explain at least what I tried to share the agenda for today.

Perfect, thank you. Okay, so as we start at nine o'clock clock, we will have a first introduction into zero trust. In a nutshell that's the topic for today. So crafting your cybersecurity fabric by using the principles of zero trust. And then the second part is what is a good zero trust strategy? I don't know who of you already started to do something within the organization. Where are you in that part of the journey? What is your understanding? There are different opinions or multiple opinions to phrase it that way around. That's what we see if we do advisory for customers.

And then the most interesting part I think is more or less we plan one hour for that talking about how to really do it. We show the framework that we use by the Department of Defense of the United States as a foundation, our reference architecture, the fabric and basically how we approach if you want to implement ACO address principle, where do you start based on use cases and things like that. That's the idea for idea for today. And then more or less, we have 10 minutes for summary closing and next steps.

Yeah, that's the plan. But whenever you have a question, raise your hand. This format really lives from interaction, not me here being your teacher like in like at school And Christopher by the way, not just any question any, if you disagree with anything you just have a great idea to share. I mean this whole format is supposed to be as interactive as possible. Exactly. So also for the last row, if you want, please also feel free to to move one roll up in the first or second whatever. Usually we do not. We also come back to you if you want to ask questions like in school. Okay.

May maybe Alexei you start with zero trust in a nutshell. First we have some slides at the beginning but only for the common understanding. Basically Just as as a really quick refresher like why this whole thing exists. I mean probably the biggest reason, the biggest kind of appeal of zero trust as an idea is it's so simple. Like I don't know Christianity has 10 commandments, zero trust has only one, never trust, always verify. It's so easy to grasp even by non-technical people.

So everyone wants to to have it somehow and every time we are approached by a company that wants to implement zero trust, we always have to repeat the same story. Yes, it's not a product, it's an architecture, it's not just a technology, it goes beyond tech because you have to change your processes and your environments, whatever you have to deal not just with a specific part of your IT and like not just networks, not just data or anything. You have to cover everything ideally. And that's a journey. And finally, yeah, zero trust is not just done for the sake of it.

It has very tangible business benefits and some of those are quick wins like VPN replacement. Others may be more strategic and long term, but the ultimate goal is not to become zero trust. The ultimate goal is to become more productive and secure. So yeah, again, again we don't have to go through all of those the the basic kind of tenets of zero trust that yeah, nothing happens without first making an informed decision. Is the person try or is the agent trying to access a resource, the one who he really is or it really is, do they have the right access permissions?

Is the access channel properly secured? And of course like strong authentication or policy based access least privileged principle enforcement, this all kind of automatically belongs to the whole idea of zero trust. And finally I think that a lot of people forget is everything has to be monitored because without having this dynamic real time context of everything, what's going on in the environment, you just cannot make those decisions properly. So this is basically the entirety of zero trust in a nutshell.

This is how you are supposed to build it, but again, it don't translates to a lot of non-technology and arch process and strategic questions like how do I do it? Where do I apply it, where do I start, how do I continue? And Christopher, I think this is like a slide that our advisory department has developed over years maybe. So maybe you could just dive a little bit deeper into the Yeah. But basically just a few words about maybe first question to the audience in general.

What, what, are you a beginner in zero trust or did you already do something in that that direction? Maybe beginners raised their hand. So we have two and a half the others medium or expert, medium, medium and Google.

No, I would never say that. Okay, perfect. So we have a good mixture then I, I spent some some words on that slide. Usually that's what Alexei say already mentioned with a real time context data. We have different types in the organization. You have the user, you have the device you use, you have the network we u you use. So this device, I use that device in the network in a separate network of the conference to access the streaming application and share my data. That's basically the idea. And here is a lot of information used that can be used for verification.

Am I authenticate against the device, the device authenticated against the network and so on and so on. And that's basically the idea behind that picture. Everything goes into some kind of policies, understanding data allowing or more or less going in the direction of preventing access unless it's verified. And that's more or less the idea of zero trust and of of this slide in that context. And the next slide then goes more in the technology perspective. So I talked about user device and things like that and we as a technical people, I'm usually also more on the technical side.

You have a lot of applications or services running to do something like that. You have on a network level, you have a CMM system for collecting logging information. You have maybe ASB implemented, you have some kind of traffic management to optimization. Same applies for identity and access management. You have maybe some kind of monitoring, you have IGA for sure, you should have something like multifactor conditional access, whatever in that direction on the endpoint, you know your endpoints. In the best case they're also managed, you have some health state of your endpoint devices.

So not only the computer, also mobile device smartwatch, whatever you have within your organization. And then the thing from experience perspective data, you have data, we have a lot of data. The challenges, what kind of data is it? Is it a database, is it a query, is it a confidential strategy? How is this identified classified? Who's responsible for data also applies for all the topic and that that is basically the foundation. And this slide is for confusing as well. I hope I So Christopher basically you just want to say that zero trust is everything. Yeah.

So when people come to us and say where do you buy zero trust, the first answer is you cannot. And the second answer is you probably have a lot of bits already and you just have to recombine them properly. I guess this is the real messaging of this slide. Exactly. That question was already asked.

So we can, any question so far or anyone who says no that's stupid, that's completely the opposite I of my understanding. No, Come in, You don't trust.

Yeah, please verify yourself. Otherwise We'll be watching you. Perfect. So welcome to the session. We just started with a brief introduction into zero trust and we will now start with the second chapter talking about good C trust strategy. So here I like to call this entire, can you hear me alright? Yep. So I like to call this entire strategic approach to zero trust feng shui of it because just like, well the actual Chinese philosophy of it, you really don't have to build a new house to make it feng shui compatible.

You just have to rearrange your furniture, put in a plant in the corner and maybe just add some lightning and somehow you are in in harmony. Now the same should be applied to zero trust as well, right? Because you don't have to rip and replace your existing infrastructure, you just have to make it compatible with those strategic tenants somehow. And this is exactly what we are going to be talking about today. Yeah and as mentioned at the beginning, we usually use used in the past a lot the Department of defense approach here.

The papers also linked here so the slides can be downloaded on the KC live platform afterwards for sure. Usually I recommend only keeping a call documents, but this is for sure this is also a good document. It's a good foundation to work with that because it gives you some kind of framework and common understanding how to implement that.

We, so again, we can see the five pillars, user, device, network application. What changed, and this was also covered in or is also covered in our identity in our cybersecurity reference architecture is the topic visibility and automation orchestration. And that is really an important part which differs from the DOD approach to some other existing approaches because the key more or less is having the coming understanding the real time context data and be able to do something like that.

It's not sufficient, I mean it's a starting point having an central policy decision point or enforcement point, but you also need the data to verify for your policy and you need your policy as well. And that's we, we know that from, from starting with defining roles, business roles, whatever, that was a nightmare. And if you do it wrong, it also gets a nightmare with policies as well. Then you just move the problem or make it a bit more complex And that's really the the key thing of right initiative, have the right prerequisites and see what to build out of that.

And By the way, Christopher, the word policy you mentioned, it seems like everyone is talking about policies now, but people have really different understanding what it even supposed to mean. The term for some policy basically is a set of rules like firewall configuration file for others, and I think I share this approach more is a policy is only a policy when it's declarative. You do not have to learn a special language.

Ideally you do not have to run any code to define a policy and it then through automation it somehow translates into the actual decisions and enforcement controls, whatever you name it. So maybe this is something which we should focus on a little bit later if the audience has interest. Yep. Basically question is any one of you already at in the part to define policies on a certain level or are you, or still on the phase where you set the foundation for something like zero trust? Do some of you have a policy decision point implement? No. Okay.

And that's not a surprise honestly if, if we talk to, to many organizations and that's more or less the level, I mean probably all of or many of you have something from Microsoft and conditional access that's one part of the cake. But does it cover everything? I mean basically most of those stuff starts with the device and the user and not with the data and all the other stuff you can do as well, but you need some prerequisites by The way. Like again, this is boil down to the definition like keeping a coal is a small company.

We have how many like 70 people in total and we already have too many policies and too many policy enforcement and policy management points. I imagine that any larger company would probably struggle even further. So it's not that you do not have policies, you probably don't even know you have them somewhere. Any question here?

Ah, sorry, microphone. That's that point that you just made was, was effectively what my colleague and I were just discussing is that we're a relatively small organization so we have policies, they're just not necessarily written down. So at first thought you don't even realize that you have policies and we actually have more policies for other people than we do internally.

So, so it's, it's, it's always a good idea to write that down and and codify your, your policies to make sure everyone's on the same page. Okay, thank you. That's definitely true and thank you Alexei A for, for this extension of definition of policy.

I mean I created for, for the company all the policies based for the ICE and TAC certification and I mean it's just written down the enforcement point maybe sometimes missing on a technical base but at least on a beautiful Word document or PDF, there's a lot of definition and policy and I mean if if, if you want to implement always never trust, always verify, that's one policy then nobody can work and but you have zero trust. Congratulations.

Okay, so any other question here or remarks? Okay then this slide will be our main slide within the next 60 minutes basically because the idea is to go through that framework more or less. Again we have the five core pillars, user device, network system, app data and the two others, visibility and analytics and automation orchestration. And you can see here multiple items like that are relevant on a certain, maybe I have a point here that's easier. Perfect. Okay. Things like the foundation user inventory, if I don't know my users, how can I decide anything same with device and so on.

And that is we will come to the, in the next chapter is the idea really to talk with you, go through that and discuss because what I always realize if we use that slide it starts with what is a user inventory, is it an LD inventory or is it a full blown IGA solution? Depends, that's Matthias Reiner if you know him favorite answer if he if if he present something that's a colleague of mine.

Yeah, that's basically the idea with that slide we will come to back to it later and yeah, from my end I would say we can jump into the next chapter if there is no further question that we really have more time to discuss on some hands on stuff. Everything clear so far? Perfect. Yeah so basically I use this slide in different variations multiple times now and I would repeat again, zero trust has to have like a a set of minimal requirements if you do not have them, it just never works. It doesn't even make sense to to begin and those requirements are obviously identities.

Christopher just said if you do not know your users, if you do not know your well users are not the only kind of identity. If you do not know your services, applications, clients, whatever, how can you even manage access for them? For visibility it's another one. It can be a theme, it can be a, a network monitoring solution can be a combination of multiple things but well you have to have a basic context to make those decisions and finally you have to have at least some kind of policy management enforcement and again kind of monitoring solution with those two former ones.

Most companies probably hopefully do not have to struggle. Those are the prerequisites for any other kind of it as well. Policy controls is something we probably have to discuss in a more detail later. Perfect then that was just in time by the way. It's nine 20. Usually when we start to discuss with companies, with people to about how can I implement zero trust, what do I need? What is my right zero trust strategy. It start with, I start with the question, what do you want to achieve? What is the core message? What is your use? We use the word use case.

I know there you could also call it user story. It's not the full agile defined thing here it's more like what do I want to achieve? So for instance, like typical use case, I want to have my external or my visitors to access the wireless land and the internet or to access the internet.

That's a very basic thing but I can also say I want to have my people work from anywhere accessing non-critical applications and then it's starting to getting complex and we prepared three use cases but I would also ask you a bit about what, what is your biggest pain point or where would you start with zero trust if you get maybe from from your senior management. Okay, I was at those that conference they said zero trust makes everything perfect, let's do that And by the way, let's do zero trust is not a valid use case. That wasn't the intention. Yeah. Any ideas or any suggestions?

My name is Tara, you said that starting with zero trust you have to define your users at least in case of IOT device which let's say works standalone is the user is always a human or how would you define a user in then just that it can be also a human that it interacts with the device or it can be also a standalone device which doesn't need a human interaction. This really depends on the type of your organization.

If you are a company that is highly into IOT stuff, mainly developing any new stuff for the end customers here needs a highly secure development process and all of that, maybe you start with kind of that use case and include your IO OT devices as well as an identity if they work in that way. If you are a typical like keeping a call, we mainly use office applications, we have our backends and stuff like that for us this is for for a starting point to complex.

So usually the idea of the zero trust journeys start with your biggest pain point and also be a bit careful that that is what I want to achieve in this discussion here as well. Which one is realistic? So if you already or if you would take this use case, we need to verify do we have an inventory of the IOT devices, responsible persons, some kind of classification of these things and do we need to to include them, what do they access and so on Then yes sure, but this depends really on the the main purpose of your organization.

If you're just a typ, typical Analyst company, no I'm company that is working with office stuff produces documents, knowledge papers, PowerPoints, whatever. That's another starting point. If you're developing software, this is again something else. Then you have repositories, you have git, comments, whatever you use API endpoints and things like that. There's some echo. In any case, you're absolutely right. So I mean even if we somehow managed even how said users, of course you meant any kind of identity. Yep.

The point again is that whatever you want to manage, whatever you want to enforce zero trust upon, it has to be already somehow it has to have all strong identities or if you don't have them yet, like for iot use cases, a lot of companies still struggling. There are kind of crutches or workaround solutions based on proxy architectures or the edge whatever. There is really interesting, a lot of interesting solutions available on the market now we can dive into those as well. Thank you.

So, so to build on the previous commenter's question about identity, when I look at identity, I kind of look at it in three buckets. There's natural persons where you're either dealing with your employees or your customers. You then deal with the the next bucket of what I would call organizational identifiers and they're particularly relevant when you get into supply chain and and trade.

And then I think the third and more challenging is not only iot but more importantly when you get into AI instances where machines spin up for milliseconds, they're there and then they're gone and there the inventory is less of do you still have it or did it exist when it exists, what did it do from an accountability and an audibility standpoint.

So to me when I look at strong identity, those are the three buckets and as far as a use case or a user journey, maybe we can look at something that is more supply chain oriented where you're dealing with a couple of those different things and perhaps less with IOT which could be involved but potentially maybe we can use something with GS one G tens, GNS and stuff like that as as part of the use case. Speaker 10 00:25:48 What I would also like to add also in terms of strong identity but in general first what is zero trust, what is not allowed is forbidden and then what is what?

What are the typical use cases? What are, what are the critical applications? So first we need to to define this and work use case by use case and see what we actually need because we cannot do everything at once. You know the the complicated slide what you, so we need first to, to define what we actually need and what are the common use cases. Perfect remark Ivan that is exactly the idea that we or or maybe a bit bit differently. Take the use case and see what we need for that use case from this beautiful fullblown whatever.

And this helps you to build more or less than you identify maybe with if you're more IOT focused company or more office based company then you have different schemes and then you see items for all of these different points there are sub sub items and at the end you build something like an A prioritization, where do I need to start, what need do I need first or everything in parallel and that thing. And then you have your journey to zero trust any other use case idea or any concrete use case ideas.

Maybe those guys in the last row, Anyone Or the people that joined us a bit late or you, I don't necessarily wanna suggest a use case but maybe a scenario within whatever use case we go with. I'd like to touch on what it would take to build out a policy for addressing some of the more advanced cybersecurity threats. Because I find in common practice a lot of times even governments don't necessarily know what they're doing or care when it comes to reporting a zero day vulnerability or something like that.

So what would be involved in writing policies for more advanced scenarios like that? So you mean more the policy definition part Yvan Speaker 10 00:28:10 And just another remark from me, you the beginning set we need to use what we have and to rearrange it. So I think to complete the scenario we must agree or on what we, we have what is given so that we can use it. So maybe this is also a way to think well what do we have actually on tools and and mechanisms already which can implement zero trust Exactly. I think this is where we coming to this whole fabric topic.

Yeah sure. That's why I added it. Okay. Just for as we prepared also three use cases but we can build for sure something around IOT as well.

Alexei, say you rephrased this a bit maybe then you can explain it. Well again, this is more like there is a set of ideas where we could start digging into or I mean everyone has different priorities but these are just kind of things which range from like really low hanging fruits like for example VPN replacement.

Everyone needs that now especially, I mean probably not as much anymore after the end of the covid lockdown but it's still a a really critical topic which can be really easily solved Like in many companies, like really the only thing you need is a credit card and maybe like an hour to define your first policies. Or we can go on the other end and just talk about like ransomware prevention and stuff like that or regulatory compliance. These are much more sophisticated in terms of defining those policies.

It may not even like translate into fancy technology solutions in the end, but again it all depends on your requirements, your use cases or your risks and so on. So this is, this is where we really need your input, like where do we want to start?

Yeah, so idea would be from my end as I would love to to, usually this workshop takes eight hours so we need to optimize speed up a bit, up a bit from from that idea. I really want to share the methodology and also the challenges that that we have. I would suggest that we've on the one one hand use a more easy use case like maybe the boring or maybe the the external user wants. I know the internal user wants to access non-critical data from work from home, something like that as a foundation.

And then we do an a second one IOT based, could you maybe phrase an it, it exactly what you want to achieve and overthink not the most complex one as the time is a bit limited. My company is manufacturer of a medical device and I'm responsible for some predictive preventive maintenance module and also cybersecurity for all this stuff. So it all all involves a gateway with the SIM cards or with internet connection with the cloud, some data collection to the cloud, some data analysis. So basically all these three parts on on your slide applies to my case I would say.

So you don't need to talk anything specific about I ot, we can just go for your slides. I I just call it IOT because my part works standalone. So there is a, there is a human, a user working with this medical device but but like my part is standalone and is kind of considered as IOT device. Do you have a question?

Okay, So to build on this healthcare and I I'm I'm coming from the same aspect as well per with GS one and some of the others with certain medical devices, they need unique identifiers, particularly when they're implanted into the individuals. There are certain national requirements with regard to serialization. I think the thing that potentially makes this a little more IOT and complex and perhaps fun is what happens when, let's say we're talking about a pacemaker that's being implanted into a human and that potentially has code that may need to be updated.

How do, who do we want updating that code when there's potentially a zero day vulnerability? So does that make it fun or is do we go too deep into the weeds of forest as complexity? I'll give it back to you. That's a really interesting use case and I don't know if I would rely only on CEO trust here. I would say no Speaker 10 00:33:10 Full life, zero trust. I mean that's something where I would prefer something like a cable. Even if it's difficult, maybe some whatever. I mean technically a cable is also a kind of a policy decision control, right?

It's more like remote updating whatever. That's something I'm struggling. That's really cool use case. I also have a lot of something like that in my mind but I think from a complexity perspective that's a bit too deep into or that's very too specific that that's the more point.

But, but I got your point. We can look a bit at the, at the IOT stuff when we have a look at the, at the framework and go through that one use case. So if no one has the real one cool use case besides the two some more basic stuff, I would suggest that we take this one or anyone disagrees and says no that's boring. I want to go, maybe you keep the microphone here. Speaker 10 00:34:20 One microphone Table piece I, I just had a brief joke. The cable to the pacemaker is the network access protocol in this scenario. Yep. Do you want to say something about these slides Alexia?

No, it depends on which are on those would be more applicable for your use case. Yeah, I think we yeah may maybe. Okay so I wrote down the use case internal user, sorry for my writing wants to access noncritical application from home. So the typical remote work, Speaker 10 00:35:01 Is that work? Yes. Do we want also to write what prerequisites we have? What we we Can do this now? Yeah Speaker 10 00:35:08 Because I think this is like really, really interesting to know where we start. Because right now we have only the goal but we don't know where we start from.

Exactly. First thing is a little bit to visualize what does this mean on a technical base. So laser pointer and identity is no, that's more the talk. That's a different picture.

Yeah, so basically the identity by using an endpoint there should be a policy due to the home network, the open network, so the internet company network, VPN whatever, accessing an application that is more the target build picture we want to achieve. But that's another slide. So I think it makes more sense really to talk about prerequisites in that thing. I think you, you were asking in the question what is an internal user, what does this define? Things like that.

Okay so internal user I would say that's you as a full-time employee you have maybe we define that you have in Microsoft no brands, you have an account in your corporate network and can access data. That is I would say the prerequisite for the normal boring user non-critical application. What's a typical non-critical application? What's the most boring application you have in your house? Salesforce. That's a technical guy. If you would ask sales guys from us they would say no that's the most important one, let's call it.

Speaker 10 00:36:50 I would propose somewhere we can, you can book your holidays or times Travel booking app, let's call it travel booking application. That's a good thing. So It's interesting that you word it in terms of critical versus non-critical because a lot of vulnerabilities in a architecture like this can sneak in when you think a use case isn't critical. So it's almost a catch 22 That was for a reason.

Okay, anything else from home? I mean that's clear somewhere not in the company corporate network, current state as we all know is working via VPN and all that stuff, but that's not your trust as we would expect. Okay. Now the plan is to really go through the most important topics here to show you a little bit what is relevant here but I need to change the view. Does this work? I think if I click here it's also so that's more or less the maximum.

Okay, so for that use case, what kind of user inventory do we need? Anything special? So regarding to your normal company, what would you assume is relevant here as a user inventory as we are talking about the normal employee? Something like, Well that's a tricky question, right? Because I mean the, the whole idea was stated in the beginning you have to reuse what you already have and you probably already have something like active directory at the metrics, right? So what's wrong with active directory? Nothing. Is it sufficient? That's the question.

Well normal users can also have different roles and permissions. So if you have normal users, some normal users may have like readonly access, some may can submit some data, some may have readonly access but only for non-sensitive data. For example. Some can see everything, some can see only data, I don't know assign it for their user role region, whatever else.

So this, everything has to be defined. So when you, when I start to think about what is normal user, I immediately have like a lot of different cases when it may be already too complicated when I would not call it already a normal user, How would you call it? No I I mean just it is just very generic and have just, I have to be, when I define it for my application, I have to be careful to call it in some such generic way because I have a lot of granular things to be define it for for these users. Okay. Fully got your point.

And that's basically what always or very often happens, maybe we can call the user Alice, Alice is working in the financial no in the sales department. No was the was eve. Eve is a bad guy. Yeah. Back to studies. Okay so user, so back to the framework for that use case, I need some kind of framework where I can define roles, permissions per user.

That is the foundation that I need on that level we are thinking, so I need some kind of of inventory whether it's active director, active director, new tool, active directory, Azure active directory, a mixture of that or any other LD up system that's the foundation and that is something I need and I need to assign some kind of attributes, whatever that helps me to identify whether Ellis can access travel, booking, application, Alexei, anything you want to add? You're looking like that?

No, he's two microphones. That's cool. Okay. So based on that framework, what we then do usually is, I know that it's on high level but time is limited as mentioned we would mark that as a required thing and no surprise and user inventory is the foundation for everything. If I don't know my users I cannot do anything. And then it gets a bit more interesting regarding con conditional access. That's more or less the wording of Microsoft by the way here. But it means I can define specific rules for access flows. Is this something you would say you would need for such a use case or not?

You need the capability to decide that someone can access from home via a specific network. Speaker 10 00:42:29 Most definitely. This is the, this is the first gate to actually to to see if there is a risk of intrusion because of the location, because of the times and so on and you can calculate the risks.

So this is for me the first prerequisite to actually not only see who is coming in but actually risk rate this risk and also be able to block him in real time and like the really worst case scenario like disable his account and so on because the probability of him being hacked is very big. Exactly.

And yeah, And maybe we're not at this point yet, but it would also depend partially on user behavior where if they're booking a trip to New York City versus some exotic location, that is probably not typical travel for for the company in this specific scenario. That's a good use case but that's a very deep dive use case because on the one hand you mentioned use behaviors more the way I act using the website or using the computer keystroke distance, whatever.

And what you mentioned was more on the data level than doing like that and that's one of the challenge, most challenging parts here but definitely true. So if you want to achieve the highest level, if someone is doing something like he never did before, by the way there will be a presentation regarding the topic, how you detect uncommon behavior on requesting or buying something in an online shop tomorrow by Sian Fleaing. Just some advertisement here By the way Christopher like probably a silly question from my side.

I mean a much more reasonable use case here would be like a normal user should not be allowed to book really expensive travel documents, right? So yeah, like suppose normal employee up to, I don't know, $2,000, where would you put it? Like is it conditional properly? It's it's not conditional user access.

No, no, no, definitely not. This depends this kind of of analytics is then on on system level or on data level depends a bit on on the application and whether you use it then on a, in a central policy decision point.

Yeah, but That's a point from a business perspective it's a policy definitely. But where would you craft such a policy? So maybe on the policy level, Bob who's in sales or marketing, they could book their own travel but Lloyd who's janitorial services or you know something like that he, he or she should clearly not be booking travel people that are plant maintenance or stuff like that. So I think that's where the user access would come in. Exactly and the roles within their company. Yep.

So it depends a bit on the the the application that you use, how where are permissions defined and on which level. So usually if you have such such business application, you have some kind of rights management within the application maybe approval workflows and definitions like Christopher's allowed to to only travel second class in Deutsche Barn or whatever. At least not third.

Yeah, so conditional access from its founda foundation is a important thing to need something to implement like that because if I want to use the at home thing here, this could be some kind of definition that I use here. So it's not the corporate network. So the user can access but only from by only to noncritical applications multi relevant for that use case. What do you think? There is no right answer but that's why I'm asking you. We are talking about a non-critical travel booking application.

Is there the requirement to for a step above indication, The fact that we've authorized, we've agreed that up to $2,000 could be spent.

I think you know what is the threshold and for some companies maybe that is something that would require multifactor And another question is always, yeah, I mean from the business perspective maybe not, but a security guy would come over and say absolutely we require MFA now everywhere even for Gmail or whatever Yvonne Speaker 10 00:47:12 And maybe a small remark, okay now we're starting with the non-critical application but, but we do not say we, we want to implement like policies on a more general level.

So we must think away ahead and we must think okay, maybe the next application would be this one and that one and latest on the further application we're going to require multifactor authentication. So better implemented now when we have time instead of implemented later when we need it. But maybe we have more limited resources. So make a strategic approach here Fr from the general approach. I would disagree in that case because the idea is really to cover that use case. But from a strategic per perspective, you're right.

And the idea by using this use case approach is really to get the target picture after you went through 3, 4, 5 of your core use cases and then you get exactly the result. So what I usually do in that case, and that's what I did here as well, I marked it yellow, that it is partially covered to use it privilege access management, any kind of relevance in that case, maybe the right side here, Speaker 11 00:48:26 Ization level access.

What you could do here, coming back to Alex's scenario with a limited price privilege access management is not only limited to technical privileges, it also business critical stuff like within the application I want to book a first class ticket, something like that. That could be something like a privileged thing here. But I would say for that use case, But where would you put what you place delegated activities like I'm a big boss, I want my secretary to book a travel package for me. Would that be Privileged access management as well?

No, no, no. That's I think in the, I I don't know what the the, the abbreviation exactly means, but I think that's, that's part of the last point. The e-comm platforms here or you put it in user inventory as normal delegate stuff, but that is done then a very specific use case and and other use case more or less I want to have my, my assistance to book me my travels And we are here only covering the internal and that's exactly what what happens and why this workshop can take along.

But it really helps to clarify within the organization what do I need and what is my understanding besides from my c-level who mentioned I heard about your trust, let's do that. And then really breaking it down into what do we need and the next step is then we will only highly cover that, but what do I need? What do I have here? So now this is wish concert, I need to have that, that, that, that.

But then the second slide would be what do I have and then I have the gap and even if I have something like maybe conditional access does not mean that I have the right policies and things implemented to build really the, the journey towards zero trust. Okay, so for for the time being, I would keep that red. We don't need it at least for this use case identity federation and user credentialing internal user with that it's active directory, it's an, it's an on-premise application. Do we need that?

It's, it's typically included in a lot of identity applications anyway. So even though it might not be explicitly, you might not think of it as federated identity, it typically is in the background. No one disagrees. I would say it's partially needed on a certain level because if you then have active direct and Azure active directory or RFS or whatever we are in that universe, behavioral contextual ID and biometrics.

Think about your iPhone using to book a business trip or your Android phone If for example your authentication mechanism was a pass key as defined by the new standards, your secure element chip on your iPhone would utilize your biometric authentication to trigger a signature to your servers. So in a way you are using biometrics And that that is a good point and I would love to to have some other opinions. The typical, if you open your MacBook or no MacBook is not doing that.

Your, your surface windows computer, whatever there is face detection and authentication and then you're usually usually locked in. So something you trust, you accept is this part of the whole zero trust thing or do I then have access to the device? I mean for sure the, the newer technologies are not like taking a picture and unlocking the device. It's bit more suite D detection. But do you believe that or trust do you trust? That's Speaker 10 00:52:43 The question.

Yeah, but I mean in the moment where we marked conditional user access as green behavioral, it's, it's basically the same thing. We are analyzing the the behavior so I cannot see how we, It's about the, the way of using that information for authentication. Speaker 10 00:53:01 Well this is at the end, this is an outer device so I would, I would separate it from this.

I think we are again going into this deep or terminology discussions like what do you understand under conditional access Some would say we have it, we can totally look at your IP and see if you are coming from China this is it. Or like we can allow your access before 8:00 PM but not after. I would argue for me conditional services is something a little slightly more sophisticated as I just mentioned it should be at very least based on behavioral profiling and maybe on biometrics and other sophisticated stuff.

Speaker 11 00:53:39 So I think that you, Speaker 12 00:53:42 You mentioned identifying like face identification. I think you need to do it at the moment of booking and not at the moment of entering opening the device. Right? There might be an hour difference between the time you open a device and the time you do the booking and the computer or device may change hands in that timeframe. Yep. So it's not enough that you identify the device at the time you open it.

You need a specific identification for the application and for the actions you take in the application And that's what why I would say it's at least partially covered because if you open your device, you identify with a four digit pin, whatever it's possible here or with your face, your fingerprint, then you have an active session and if you have, it's all whatever you authenticate against your, again non-critical travel booking application but you're in and then it's the question, do you trust the initial thing here and is it relevant for that use case?

Which is, Which is the most important thing here. So I would edit as partially covered or partially needed for that use case in respect to the time. I would also love to jump into devices and network and system. But I think it's clear from an understanding to use that framework means I have the use case and I go through the different things here and for every single item here there's also an additional slide, but I skipped this for the complexity level because then we have, I don't know, 6 80, 90 different points to discuss. That's a bit much for today.

That's why we are on that level and then you, you get the picture more I have prepared as a closing slide more or less how does this typically look like? But we are going in the direction Alexei, I Feel like if we don't have eight hours to go through all this and to kind of work on a nice to have level like do you have a kind of a different kind of trim kind of lean methodology? Like do we have to think about must have capabilities here or Sure ba basically the must haves are marked here for for the user.

One thing that is more or less also relevant is continuous authentication because you need something like I want to be authenticated to a trusted authentication. Did something happen was if there did something bad, is the device compromised? Is the session compromised? Something like that. But this is also a relevant thing. Maybe I mark it just screen as I said least privilege for that use case.

No, I mean in general for sure that's the foundation of of everything. But just thinking about that use case, you could argue Alexei A would argue maybe you can argue that to define only what was the limit to no only second class travel trips are allowed that this is already some kind of least privilege or limited thing here.

Okay, so device, if you think about zero trust is and device inventory important and now I want everybody to say yes that was only this side Speaker 14 00:57:05 Silence disagreement And still how do you deal with bring your own device then like do you exclude those or do you have to cover it somewhere else in this methodology? Perfect. And now we realize our use case is not sufficient or not clearly defined. I did not write down by a company managed device or by my iPhone. So good point, we should have added this as well.

So maybe for us to make it easier, it's a company owned managed device. But this is something you need to have in your mind and especially, so we was cooking a call, I'm one of the few people that use a MacBook but we use some very common tool set by a company with starting with a big M And new devices like bring your own device, they are detected and then usually limited and that's what should be implemented for for all normal organizations as well. So there must be a policy surprise of defining what happens, what can I do with my own device and this needs to be done somewhere.

This is basically the second part. Device detection compliance, like I mean you have different scenarios. I take my own device and connect it to the wireless network within the company because I know the VPR two key or whatever. If you allow something like that, if it's managed and it's more or less limited on your credentials, then I know the user but maybe I just use the L. What is that in English? Where put in the cable plug plug, yeah. Ethernet. Yeah it's a plug was the word I was thinking about. And then you're connected or not.

I mean this is still valid in many organizations and you need something like other new colleague joins, they forgot to do something and it's not part of the device management for whatever reason. So you need in general and also for the use case device detection, do we need device authorization with real time inspection? Again noncritical I would say the question is maybe you already have it in place like an common EDR solution which as an optional capability can actually export the device posture as the input for the rest of your zero trust architecture.

That's a really common scenario, right? I mean if you run something like, I dunno, I allowed naming names an EDR vendor starting with a big C, which everyone else is integrating with or even the one you already mentioned earlier. I mean the big M also has some device management capabilities. Why not use them if you already have them? I mean that's the strategy by the vendors. By by the way, Could you go a little bit more into what you mean by device authorization? Do you mean making sure that your device is really what it says it is or just checking a Mac address or what?

What sort of level are you, are you trying to address by? By this point Basically it's up to you but it's at least that point. You can identify the Mac address frequently, whether it changed the device health Stage. Ideally you should have an agent probably, Right? Yeah. Because max poofing is a thing. I mean even your iPhone does it. So an agent is probably what most companies would require. Yep. Should we add it?

Yeah, no That's the the the most typical answer And again probably like the the step number zero in this diagram should have been like what do we already have which we can reuse. That is usually the next point. I really would would love to think about first what do we need for clarification?

Okay, let's speed a bit up here. So patch management, endpoint detection and response. E-D-P-R-X-D-R. So like monitoring, acting on uncommon things or things that happen that seems to be uncommon. What do you think? Alexei?

Again, it's definitely nice to have but probably it's not up to technical people to decide for the management. It's a risk they want to accept or not because those tools usually come with a hefty budget. That's by the way, typical internal discussion. Always Alexei wants it I think. Okay. It would be nice and I have to tell our CIO we need it. I mean probably all of you know that.

Okay, so nice to have means. Let's mark it yellow.

Yeah, what I would mark as green, I skipped it for no reason, is vulnerability patch management and asset management. You need some kind of device inventory, you need some kind of responsible person, groups, people, whatever for the devices. Some owner of the device. So maybe in that case me for the iPhone, whatever and some kind of health check. I don't know if you frequently read the, the threat reports and things like that from zoom to Microsoft office to whatever all the plugins you have on the device.

There are so many zero days and vulnerabilities and that's still, if people then have access on a certain level to your network to the device where most of the attacks start. Even if you are talking about non-critical applications, I mean you know what is possible in cybers or in security thinks to, to do that.

So, so my question, and I apologize, I'm an intellectual property attorney so bear with me what, what the mobile device is be literally becoming the device by which we authenticate and I've seen growing reports of counterfeit devices. Now in this use case we're talking about a corporate, so hopefully the company's buying from authorized vendors, but in a bring your own device environment, is this where you would look at potentially someone bringing in a counterfeit phone?

Is it, you know, is it this goes beyond just patching of software but a potentially counterfeit device that could be loaded from malware at the point of sale? Yes, but it's difficult. So in general I would not allow mobile non-managed devices from an organization to access anything that is more than non-critical.

Maybe the, the Well, as soon as you say that word basically you automatically imply you have to have asset management, right? Because otherwise how would you know management?

Yeah, exactly. Back to your question.

So for, for doing this on your own device, you need also sometimes some kind of agent, you have Microsoft endpoint detection protection for instance. That helps on a certain level. But really to do like with the managed devices, the checking you need to approve of the users to run some kind of agent on the device, which is then sure limited on a certain level. All other deep vendors that deliver something like that also have that. But that is then the thing usually the user needs to accept on a certain level.

If you want to have that, if you, I mean if the risk appetite of your organization is like, okay, I don't care if someone within maybe compromised violence is accessing non-critical applications, I'm fine with that, then you can limit only to things like that. But the more critical information stuff you get the the tighter the monitoring should be be here. I would probably suggest marking the one with remote access and MDM as red because even though they can be good in certain situations, it's certainly not necessary here.

But a lot of times the vendors provide very compromised mobile device management software and that itself can create a situation where even though it's intended for an admin, it it provides a wide hole in your cybersecurity environment. So for mobile device management, I would, I would mark it yellow and I would disagree for exactly the reasons to get at least the basic health state of the device.

And that well that, That's the agent that you're talking about is separate from mobile device management specifically because one would allow full remote access, the other just audits for certain software patches and such. Yeah, depends on the product as we mentioned. If you disagree with yellow.

Okay, so in respect to the time maybe so network level, I mean core element of zero to trust is microsegmentation as one gets access to a specific network, it should be as limited and as small as possible and together another network segment, you need some kind of authentication authorization mechanisms to ensure that it is possible. Because the typical people that start with an compromise, whatever phishing attack, starting credential phishing access to non-critical device and things like that, then they jump network, network device step up and all that stuff that is possible.

So for, sorry for sure microsegmentation is something important for that non-critical I market as yellow, but in for the full picture, it's for sure green for system and application. The first point this goes into the non-critical stuff, application inventory is that important? And do you maybe you raise hand who of your beliefs that your organization, you don't have to say the name has a complete inventory of all applications and define the criticality of the application and the underlying data The others have. Don't want to vote or do not have it. Okay.

And that's basically the intention why I wrote it down as a non-critical where why do I, what is the reason why I know it's a non-critical application and this goes a bit in the supplier stuff at the beginning I should have something like a screening or an identification of my new application of my new web service, of my new cloud service, whatever defining what kind of application is this and then a regular assessment or validation, is it still noncritical? And then also checking what kind of data. Is there a typical use case?

Is that, is that someone in some department says, I have a new fancy tool, I love it. Can I test it?

Yeah, sure. I just use it for test purpose. One year later I'll use this here for that customer with that security strategy. Okay. No and this is something you need to monitor. I mean there there's a lot related like detecting potential services applications not only internally, also web service based container and everything you have within your organization. Christopher, to be honest, I mean one of the tenets of zero trust, like you have to know what you are protecting. So you need to inventory everything. You already had user and device inventory green.

So application absolutely as Well is star green. And the same applies to data. Exactly. Monitoring and all that stuff and data and what you realize probably. And that's what we realize every time. Then we do that at the beginning. Every says, everybody says user inventory, we are fine device, you are, we are fine application inventory, we are fine. And if you go into data inventory or know what kind of data we have classification or data governance, basically it usually gets silent because that's a stupid topic by the way.

I mean the, the initial intention is like putting a label on a Word document like it's internal. You did this one and 20 revenue and no one knows and nobody one will ever verify. It's a nightmare to maintain something like that in an organization. Just think about the, the big financial industries think, I dunno where everyone is working here in the room, but the bigger the organization, the more complex is that topic and it's a nightmare. It's not making fun. Then for sure you have some kind of tools like okay there's an ID passport number inside. It could be critical.

There's something like a credit card number, whatever. Well I mean on that topic alone, we could totally make a whole day of a conference probably. And you are very welcome to check our latest research on that topic as well.

So yeah, I mean there is a lot of tools available. You, you know, talking about data security platforms and even data security, posture management specifically for like your cloud data, lot of interesting stuff. It potentially could have relevant for zero trust as well, but most people don't think that way, which is a shame. Exactly.

So a lot of this stuff in data is really relevant and coming back to the discussion we had earlier about the amount or what was it about the, the the booking limitation or something like that where I ask where's responsible, I mean depending on the kind of application, typical SAP SAP's not a good example. Salesforce for, for instance for sure you have a certain level rights management, but do you have an overview of of that thing? Is it integrated into a big picture?

I mean you can do this on a crazy level if you do the full central approach and have a user where does Christopher have access on what kind of data and break this down, it's getting crazy. And then even if I need some kind of deputy because I'm sick on vacation whatever and someone needs to do my tasks on a certain level, then you should know that I know and you all of you should also, or I'm pretty sure know as well. Data is is difficult especially data enterprise, data governance for sure. There are also tools around that like DLP things, access control and basic limitations.

But most organizations are really working on non-critical application. I mean you can modify for sure things like not allowed to send sensitive or yeah, sensitive as the most critical label. For instance a document as an attachment via mail. But that's just a, that's a policy. But It's, the problem is basically if you go to the word policy for a second, like a company can institute a very simple policy like for example, you employees are only allowed to access data of their own, let's call 'em customers, patients, whatever.

How would you do that if you don't know not just who your employees are but also who your customers are, where their data is stored, how sensitive the data is. Like if it's a regulated industry like healthcare, it's not just your internal policy, it's automatically something like imposed by the government. How do you possibly, how do you apply zero trust from those requirements? It's again, kind of it's it's a topic worthy or a separate full day workshop probably. Exactly.

To bring it a bit to an end here, the, the most important thing is at least that I have a basic control about my data, maybe a specific share where only a specific group of people have access. That sub starting point, maybe groups within the application accessing or booking or doing specific things, booking in a specific region, whatever. And in general for zero trust and, and this things is have data encryption and rights management. This is the most important thing here.

Yvan, Speaker 10 01:14:08 I want to make small remark. I mean the whole use case for me, I mean normally we have all, let's say commercial applications for big vendors like for example SAP Concur for travel, travel booking and then we have roles and rides there and SAP certainly not going to change something in the software because our boss decided something.

And that's why maybe in in terms of access to an application, there should be put let's say a concrete end to send, okay, we, we end here and from here these are predefined roles and rights which you might access and but in policies. But, but they, they are, they're not our responsibility. They they're pred fine. They come from the vendor and and that's it. We cannot change them.

The problem is that in many are, well maybe not in this particular use case, but in many others, especially in the cloud, you are not allowed to think that because even if it's the other vendor who is managing your data, it's still your responsibility anyway. Speaker 10 01:15:13 But, but I cannot define a policy in a lot of cases because the roles and rights are, are predefined. The vendor is has his software sold to a million people and he's not going to change it for me, I have to live for what he offers.

Well again, look at just how we have this whole thing with our sovereign clouds for example, like AWS and Microsoft Oracle, they have to build their separate, separate cloud infrastructure for Europe just because of G-G-D-P-R compliance. And the same in a way applies to all SA applications.

If you, if the, if like if you have your data that has to be stored here in Germany but you want to use Salesforce, well if Salesforce cannot do that for you, well you don't use Salesforce so that, or you have to invent some kind of workaround maybe like transparent data encryption gateway or something like that. And this is also a part of this exercise if you'll probably not for such a non-critical use case we are talking about today. But as soon as you start dealing with real sensitive data, you have to take all this into consideration. Exactly. Okay.

So I think from a process perspective it it should be clear, important hint. So on the one hand it's even if it's not copying a call, again a really good document by the department of defense with the explanation and also the next steps but also the slides will be available with the details. Then in the attachment part where it gets clearer, I prepared one slide which is more or less an example of how something like that could look like. So we started like defining do I need that for that use case?

If you do this with, I don't know, 5, 6, 7, 8 use cases, you usually get a really good picture about that And then the part starts where you can go through it. Also on the detailed slide, maybe I show one of them like one of the detailed slides like conditional access. If I want to have real good zero trust or starting point it, I need rule-based dynamic access or advance enterprise roles and permissions and on that level what you want to achieve maybe also budget.

You can then go through your what you have and go through it what is already covered, what is partially covered and what is not covered within your organization. And this is just an example about where for instance, user inventory is fully covered. That is there the company has a device inventory, they have microsegmentation the basic stuff but no MI microsegmentation application inventory.

They have something but not sufficient for all the use cases they have data labeling and tagging is yellow as probably for every organization, at least on a policy level it is there no DLP but needed and data access control is there. And also the specific use cases like we need a specific PDP policy, decision point or lock all traffic, things like that is there. So a CMM system like collecting data from different sources, normal analytics is there but not for everything nor threat intelligence nor automation and things like that.

And with this knowledge, so again you start with the use case cases, do this exercise, then go into the next slide, see what do I have from the things I need. Then you get more or less the level of maturity and with that level of maturity you can build out something like a roadmap that is just a stupid example like starting with mission, scope definition, ANA analysis and then implement the most important things on a specific timeline. That is the usual outcome here.

Coming back to to the roadmap, the framework by DOD also covers and helps you a bit because you have for all the different layers maybe I going presentation Speaker 10 01:19:32 And you make a bit larger. Yeah That's better for, forgot that I was in the wrong view. Sorry. Okay. Here this slide shows for the specific things like for the user, my zero trust target level. So this foundation is user inventory. Having something like user privileged access and advanced zero trust would be con having conditional access MFA pump identity integration and user credentials and so on.

And using this step by step you get the target picture that was by the way, sorry the the other way around the target picture for this here to really see what is needed, what do I have and what do I not have. And that is basically the core message here like breaking it down and with this thing it even gets a level deeper. If you are bored on that level, which is usually enough, believe me, you then can implement a concrete timeline, a plan that helps you in the direction. Yeah.

Alexei, anything to add here? Well again, kind of, I have a question. How do you combine this long term strategic overview with quick wins? 'cause there are definitely some things which you could implement really quickly. Do you have to feed them all here or is it something that you would could of use to show your board for example that yeah, zero trust is something tangible. If you want to confuse your board and you show that slide. But for budgeting this does not really help really usually.

So asking for budget an extract of this slide maybe even on a much higher level is the starting point. Quick wins is a bit difficult because this really depends on what you have and what you want to achieve to do. I mean copy a call is an identity centric security Analyst company more or less and surprise your trust is also starting with the identity on a certain level also including IOT and that stuff.

And I think if you have a good starting point with everything around IGA, so the user repository and devices, that is a good starting point and then you need to start to implement things depending on, on the use case you want to achieve. So a general answer is not there.

Sorry, it depends. As Mathias would say, I would say just starting the conversation is a good first step because if your organization is just going about things with with no thought about it, then you're going to have a bad time.

But, but when you get everyone thinking about what does a phishing attack mean? What is, what is ransomware, what what does all that mean? Then at least people can start being aware and maybe you can progress to the point of convincing your board that it's a good investment E exactly. That is also one point that I added here, mission and scope definition. I mean the statement at the beginning that I said okay, my one of the C level heard about zero trust and asked me to do that.

It it's a bit provo provocative in in that case but also helps and that was the slide Alexei a talked about with the ransomware and what you mentioned. It also goes, can go in the direction like what do I want to achieve?

Okay, ransomware is still one of the most critical things that happens to organization in 2023. How can I prevent and how can I make my whole organization more secure? How can I deal with people working from home work from anywhere, whatever. These are the typical use case. I mean this use case no matter it's whether it's a non-critical application and from home or from the wireless LA Deutsche ban or at the airport. That's a typical day.

We work usually or the people in the business work like going at the conference and if you solve problems, make it more feasible or touchable and improve security. On the other hand, that's also a good budget argument at the end because if you do it right then it's not more expensive than doing it wrong and paying a lot of ransom In the worst case. Any other question remarks? Any opinions about the framework and the approach where you also say no that does not work for me.

That's that is too complex that this, this is strange or maybe for the people that joined later, any feelings about that? Speaker 11 01:24:40 How do you translate this to products? So what do I need to buy to implement it? Because that's like the high level description of what I wanna achieve, right? Good question. It was not prepared. I skipped it a bit in respect to the time, but the idea you have multiple things you need to do.

I mean maybe most of you know the identity fabric co a call has we extended this three years ago also with the cybersecurity fabric offer your organization. So ma, no matter what, it's an identity device data application network. So covering also IT OT stuff, services around recovery, protect, detect and response. And if you translate this into the concrete capabilities and services, so bundle this stuff, you end with multiple products, that's then the next step. And by the way at when will the next workshop start at 10, I guess not at 11 probably.

There is an workshop by Mathias and Christie they will exactly talk about how to then find the right tool based off that here because you end usually really with, okay, I need some, some kind of capabilities around user inventory lifecycle conditional access. So I need a service for identity lifecycle and identity lifecycle services. Then for instance, one big blown IGA solution or multiple smaller ones or maybe only Azure active directory with some iden Microsoft identity.

And by the way, I think one of the kind of slightly less obvious advantages of this fabric approach is that sometimes you get multiple capabilities with one purchase basically. Yep. You can apply them across various use cases. I mean this whole story about ransomware protection for example, just by our replacing your VPN with a zero trust network access solution based on that software defined architecture.

I mean not only you achieve better compliance and productivity for your users, you automatically reduce the kind of the mere possibility for hackers to pivot around your network because you do not have any local network anymore. So that's like killing two birds with one stone. And the same applies throughout the entire concept of cybersecurity fabric, kind of reuse, recombine, re reduce kind of overlaps and duplicate investments as much as possible. Exactly. Okay. If there are, and we have three minutes left, There are no other question, no remarks.

I would add remarks that when implementing zero trust, maybe one of the initial steps would be if you work in a regulated environment like I do in medical devices and maybe, I dunno, financial industry or something like that, how this zero trust you, you are going to implement how it'll apply to existing regulations. I know the cases when big German manufacturers of medical devices failed to get FDA approval in USA for example because of lack of cybersecurity. So this is in regulated environment. This is very important step Definitely.

And it depends on on the organization, but sometimes the, the regulatory requirement is the the foundation of starting something like zero trust. And sometimes it's also the other way around that you cover specific reg. So that would be the best case. You do something and fix before the auditor finds something or the regulative authorities find something. But most of the time it's the other way around. Helps again to get budget for sure and solve the topics.

I mean honestly I'm also more into like I want to have a secure organization and things like that, but sometimes you need arguments for budget to fix it And sometimes actually the vendors do some of this work for you because the products are already certified. So even if it doesn't automatically translate into your certification, at least it simplifies the whole process a lot. Right. Perfect. And I would say, oh no, I would just end on don't get your budget, spend a million dollars on implementing zero trust, security and then become a victim to having your login credentials.

Be admin and password. So That was the closing board. Thank you.

Okay, so I would say thank you very much. I hope you had some interesting time. You got some insight into the methodology. I'm here the for whole conference. If you have any kind of question, ask me, ask Alexei or just reach me out via male teams, whatever you want. Thank you for participating. Thank you for the interactive interaction and have a good conference. Thank you.