Why Small And Medium Enterprises Should Care About Zero Trust Security

Watch this on-demand webinar with guest speakers Chase Cunningham, Forrester Principal Analyst, and Corey Williams, Centrify Senior Director of Products, to learn how a Zero Trust Security approach can be applied to an enterprise of any size.
Chase and Corey will also discuss how:
- Zero Trust Security strategy is the optimal approach for small and medium enterprises
- Modern security technologies are easier than ever to acquire and deploy, especially for “born-in-the-cloud” organizations
- Next-Gen Access integrates many of the foundational capabilities you need to achieve Zero Trust Security
Chase Cunningham: Thanks for joining, folks, and we'll get in to some of the stuff around Zero Trust here, but really the crux of this webinar and on my end is to sort of talk about where we see things from the Forrester area in the market and sort of if you were at RSA or if you've been looking on LinkedIn or pretty much anywhere right now recently, you've probably seen Zero Trust showing up somewhere. So we're gonna talk a little bit about some of the updates to Zero Trust, some of the changes, and how it applies. And then we'll move on from there.
Chase Cunningham: So talking about Zero Trust in small and mid enterprises and moving beyond the FUD. If you're not familiar with FUD, basically what we're talking about is fear, uncertainty, and doubt. And this is a bit of an abstract point to make, but bear with me and you'll see the relation. So we have kind of a FUD problem from my perspective in this security industry right now. And what I mean by that is things are not necessarily as direct as they would seem.
Chase Cunningham: So let's sort of wrap our head around a different piece of the concept. So this has nothing to do with cyber security, obviously, that's a mosquito. But when we're talking about FUD, this is kind of where I see a lot of people get misconstrued in the problem that we have. So most people when you see a mosquito or hear a mosquito, you probably think of a couple of things. Number one, that this is annoying. Number two, that it might cause me to itch or something like that. But you don't usually sort of freak out and have the immediate emotional terror response to a mosquito. It's more of a problem, a nuisance, something that you're aware of.
Chase Cunningham: Contrast that when you see this image, which I used to be a diver, I'm freaking terrified of sharks. I don't really think that there's anyone out there that has seen or heard that score from the movie Jaws, you know the dun-dun dun-dun, that when you get in the water somewhere, especially if it's in the ocean where you know there's a possibility that one of those things is swimming around out there somewhere, doesn't have a deep-seated emotional, physical often response to thinking, seeing, hearing or even considering the reality that there might be a shark in the water.
Chase Cunningham: So here you have something that's very small, just pokes a hole in the skin, takes some of your blood and flies away, not really that big of an issue. And then you have a shark, which can be 20 feet long and weigh thousands of pounds and cause hate and discontent and just destroy stuff. But the reality of it is, when you actually get into the problem around these two individuals, if you break down to how many people actually die from interactions with these entities, only about 15, maybe 20 people a year die directly from shark attacks. Whereas almost three quarters of a million people die from interactions with mosquitoes thanks to malaria, bloodborne diseases, and things like that.
Chase Cunningham: So the point I'm trying to make here on the FUD is that we have an issue in industry of people being focused on the shark, right, because sharks are big and bad and they kind of got the terror factor and they're scary. But mosquitoes really are the bigger problem. And mosquitoes are harder to handle because they are small and mobile and move around and they can cause a lot more death.
Chase Cunningham: So the last sort of point here on the animal kingdom really is it's pretty simple actually strategically to figure out ways to solve the FUD problem around these two animals just like it is with leveraging strategy like Zero Trust of if I'm scared of and don't wanna be attacked by a shark it's pretty simple, I don't get in the water. Mosquitoes, if I don't want to be a victim of a bloodborne pathogen or something like that, I take my malaria pills and I use some bug spray and I sleep under a net. Couple three things, I've negated the threat, but I don't have to worry about the fear, the uncertainty, and doubt that those things can pose. They're there, they're realities, but I found a pretty quick way to get around them.
Chase Cunningham: So the other issue that we have when we're talking about sort of small and mid size enterprises across industry really is that this is kinda how things typically wind up. You have one or two or three, if you're lucky, individuals that are running the entirety of the network. They're maybe your security team as well. A lot of times you see cross pollination between those two groups going on. And it doesn't scale very well, it's kind of hard to do. And if you remember the movie Jurassic Park, nothing worked out very well in that scenario. You had this guy that, you know, was trying to steal dinosaurs and we all saw how well it worked out for Samuel L. Jackson, and if he can't survive what hope do any of us have?
Chase Cunningham: So point being here, small and mid size enterprises obviously it's a matter of resources, it's a matter of budget and things like that, but the truth of the matter is, is most of the time this is what you wind up. So there's gotta be a better way to approach this issue and it's mainly it's gonna be around the strategy, not the technology, not how many people you throw at the problem.
Chase Cunningham: And so Forrester went out and actually looked around and said, "Can we figure out if security is kind of at an industry level becoming easier or more difficult or is harder to do?" And we got responses back that basically said that security itself, being secure, doing security related things, is becoming more difficult, not simpler. And from the industry perspective that's sort of counterintuitive because if you were at RSA this year or Black Hat or pick your big security conference, 600, 700 vendors in the space touting everything from artificial intelligence to machine learning to threat intelligence, to you name it, you would think that we found a way to lick the problem. And it doesn't matter if it's a big, giant enterprise or a mid size company or a small enterprise, everyone is trying to do different things in the space, but the reality of the problem is is that technology itself thrown at singular problems does not solve the solution ... does not provide a solution, it just is adding honestly to the quagmire.
Chase Cunningham: So you've gotta have strategic capabilities and you've gotta be able to focus on when so that you can actually do things better. And that's why Forrester's Zero Trust model has really come into its own.
Chase Cunningham: For small and mid size enterprises, too, the problem is not something that goes away. It's funny that when people think of big, giant breaches that have occurred over the last few years, you know the billion records and things like that, it doesn't start with the big, giant companies. It doesn't start with the mondo enterprises of the world because those folks are actually doing relatively decent job of staying at least in line with threats. They're throwing lots of resources at it. They've got lots of budget. They're buying lots of technology. There's all kinds of working groups and things of that. They have the resources to combat the threat across the spectrum.
Chase Cunningham: But when you break it down and actually go back and look at where big time hacks, big time breaches, big time compromises actually started, they started with small mid size businesses and contractors and third and fourth parties. Target, everyone knows that the one came from an AC or HVAC sort of vendor. Anthem had a similar thing happen. Home Depot as well. And then the Office of Management and Budget, OPM, which everyone you'd like to reference started because third parties weren't doing things the right ways.
Chase Cunningham: So the point here, sort of industry wise, is that while big businesses can do big things, small and mid size enterprises are having to do things differently because, honestly, in a lot of scenarios it's the small and mid size enterprises that are the point of origin of compromise. So it's almost more important that small and mid size enterprises are able to come up with a good security strategy to put in place because those businesses don't want to be the ones that are known for the origination of these type of events. I'm pretty sure that the individuals that wound up causing the initial compromise in Target are still licking their wounds off of that one.
Chase Cunningham: And just go a little bit further into how big the problem is for small and mid size enterprises in this space, National Cyber Security Alliance did a study with Ponemon and it actually found out that 60% of companies are unable to sustain business six months after an attack. So if you're thinking about a small and mid size enterprise, sometimes margins are tight, sometimes the budget is not necessarily growing the revenue, things like that. If that small or mid size enterprise is involved in a big time compromise, a big time lawsuit, a giant breach, the things that have shown up in the news, most of the time, according to the study and it's backed up by data, they go under after six months. I would be interested personally to find out if the company that was the originator of the compromise in the Target is still around. It would be shocking to hear that they were, to be perfectly honest.
Chase Cunningham: So I mean it's kind of interesting to me to see that small and mid size companies, while they most often are the points of origin, while they are the originators of exploitation, they're trying to do what they can with what they have, but when they get hit, they're the ones that wind up going under. It's not the big companies. I mean if you look at Yahoo and Anthem and all these major companies that have had giant, mega breaches and all the negative press they've gotten, they haven't gone upside down. They haven't gone under. It's the small guys, it's the mid size players that are the ones that suffer. So this is super important for small and mid size business to have a capability and a strategy to be able to combat these type of things.
Chase Cunningham: And you know, not to be the harbinger of doom or anything, but data also suggests that the bad guys continue to come back. 86% of the time customers that have had more or one attack, had more or one unique attacker in their environment, 49% of the time they were attacked again within one year. Well why is that? Well that's for a couple of pretty simple reasons. Number one, the bad guys found a target that they like. Number two, when they do find targets that they like and they get access to those environments, they find ways to dig in and move laterally and usually that's with bogus accounts or shared accesses or really bad role based access control and things like that. And they'll either reuse those accesses, they'll sell them on the underground, or they'll find ways to set up future exploits and future beach heads.
Chase Cunningham: So for the small and mid size enterprises, if they don't have the capability of responding and remediating and mitigating that threat completely, the odds are that the bad guys will come back. So it becomes a continual process and there's a need for a continual strategy to drive security so that you can keep them away, keep them out.
Chase Cunningham: So, you know, just sort of being a little bit more scientific about the nature of those threats, about the attackers that continue to come back, we went out and asked them so how were those compromises started? How did the bad guys get in? Almost all of the attacks that we were able to get information on, which was from all over the world from big, mid, small enterprises, didn't matter. You see what was the avenue of exploitation. Usually it was either ransomware, phishing, or social engineering. It wasn't stuff in just one particular area, it was across manufacturing, utilities, financial, didn't matter. But look at those three attack groups. What is the common thread for how the compromise started? It's users. It's accesses. It's accounts. It's people and individuals and things clicking and interacting with stuff that it shouldn't interact with.
Chase Cunningham: So from the perspective of strategic capabilities, strategic concepts and things to gravitate towards, yes network security is super important, yes data inventory, data categorization, encryption super important, however, if you're trying to make careful, calculated, strategic gains in security space, one of the most immediate things, in my opinion, that you can do is address the elephant in the room, right. Address users' access control, access management, and accounts. If you can put those simple things in place, no matter the size of the enterprise, big, small, medium, whatever, you will get immediate benefit from it because you're negating the avenue of compromise. If you can make your enterprise, your organization a little bit harder for the bad guys to go after, they'll go somewhere else. The goal in cyber is not to be perfect. The goal in cyber is to be better than the person next to you so that you are not the one that gets targeted.
Chase Cunningham: Just a couple more points on sort of the data around this is when those breaches do occur, when the ransomware, the phishing, the social engineering and those type of things fall through, when the bad guys get accesses, when they start compromises and go deeper in the network and all those things, the misconception a lot of people have is that it just sort of happens and then it sort of dies off and goes away. The reality of it is, is we went and asked them, we asked major enterprises and mid size enterprises, like, "What do you do? Do you actually respond?"
Chase Cunningham: And to the point of the graphic here, you can see they do respond. They do do lots of things. They will go and they will try and hire additional staff, which back to the point of the Jurassic Park guy there, it's really hard to get qualified, adept security people, they're already employed somewhere else. So you're trying to get something that you can't necessarily get your hands on.
Chase Cunningham: They'll buy more end point security, or AV, which is useful as well, but the truth of the matter is is they're always dealing with trying to sort of patch holes against things that are being targeted with new ways of exploitation, fileless malware, and all those things as well and it's really hard to do.
Chase Cunningham: They'll increase spending on network detection so you're trying to dig deeper into the network and find things that you think you can use for intelligence purposes.
Chase Cunningham: They'll get more auditing going on. And then a lot of times they'll also try and look at prevention technologies further out in the networks.
Chase Cunningham: So it's not that organizations aren't doing anything. It's not that they're not trying and it's not that there's not investment going on, be they big, small, mid, the reality of the problem is they're trying everything without any real strategy behind it. It's a shotgun approach to hit a selected target and it just doesn't work. If it did, we wouldn't continue to have the breaches that we have, we wouldn't have the compromises that we have. Organizations would be getting better. And we don't see that. If we did see that, we wouldn't continue to have the major breaches and things like that that show up in the news all the time.
Chase Cunningham: So last couple points here really on the problem space, you know, when you think about where the bad guys win, what do they do when they get in? What are they after? Well if you look at the data, the data suggests that they're after a couple of big things. They're after credit card information. Why? Because they can take that information, put it on the underground, reuse it, sell it, you know, basically stealing the information and money from people at any point. And that's a problem for the banks.
Chase Cunningham: But the next thing that they go after is PII and account data. Why do they do that? Because that stuff on the underground is much, much more valuable than what you get with a credit card. A credit card is usually a one hit thing. If you've ever had an alert from your credit card company, it'll tell you, "We noticed that you're buying stuff in Kuala Lumpur and you're not supposed to be there. So would you like to contest this purchase?" Problem pretty much solved. When you're talking about identity PII information, access credentials, usernames and passwords and things like that, that's stuff that doesn't get changed that often depending on the system that's in place. A lot of us have resets over 90 day periods. Well 90 days is a long time for someone to be in a network with the username and password. So it can be bad and that's why they go after that stuff.
Chase Cunningham: So it's not really new that they try and use this, but the point to be taken away from this is they're coming after those things still the same way that they were years ago. And to me it's befuddling to see that people spend lots of money on employing an AV and network and et cetera et cetera when in reality if you wanna combat the threat, you wanna mitigate the damage from the types of activities that are taking place, you fix account. You fix access management and you fix users. If you can do that, the other stuff becomes gains that you can make a little further down the way.
Chase Cunningham: And ultimately when you focus on those other things, the networks, the end points, all that other stuff that's out there, yes it's useful, but really what you're doing is you're building up this sort of barrier fence here that you've got barbed wire at the top and you've got some metal around it, but the moment that someone walks right through there, it's negated all the security that you put in place. It's a little bit comical, but I mean the truth of the matter is, if perimeter based security, if old paradigms, if old concepts continued to work, we wouldn't be where we are right now. We wouldn't have 600 vendors at RSA. The truth of the matter is is that new ways of thinking, new approaches, and leveraging concepts and guides like Zero Trust with frameworks like ZTX is where you can actually gain ground and make a difference in the space.
Chase Cunningham: Let me tell you why that actually matters. So if you're familiar with the old Zero Trust, which my good friend and mentor, John Kindervag, sort of put out. His big thing was let's focus hardcore on network security, we'll focus on micro-segmentation and data integrity, and we will negate threats to the enterprise that way. Great, absolutely John's correct, needed, it's still a key piece of Zero Trust and ZTX, but to me that was sort of like when you go to a personal trainer and you say, "I wanna get buff," and then they say, "Well let's go do some weight lifting." And you start weight lifting and if you're like this poor guy, you probably wind up in the hospital because it looks like a really bad idea anyway. But the point of it is is you just try and like lift weights and work out more thinking that you're going to get buff. And if most people have been through that cycle, nothing really happens. You might get a little bit more muscle. You might get a little bit better. You might get a little healthier, but the truth of the matter is, you're gonna stop. You're gonna stagnate.
Chase Cunningham: And so where we've gone with Zero Trust now is with ZTX. And we introduced that framework in January. And the point of ZTX is to actually make Zero Trust more focused, more academic, and more implemental. So what we're talking about there is the difference between the trainer side and what you have with The Mountain there, the world's strongest man on the right, where we go into that trainer and we say, "I wanna get more buff," and the trainer says, "Well wait a minute. Like buff is not good enough. Buff is something that's gonna happen by default. What you need to do is you need to have this many carbohydrates, you need to drink this much water, you need to sleep this much, you need to lift this much weights. These are the steps you do and this is the duration of the program. And if you do that, along that way you have no choice but to get stronger, get buffer, get more athletic, more muscular."
Chase Cunningham: So that's the difference conceptually between old Zero Trust, which was work out, get buff. Sure, probably doable, but not really that prescriptive. Or new ZTX. Let's follow this path, let's do these things and we'll have those other issues happen by default.
Chase Cunningham: And so we build this framework and really you can see the components of the ZTX, the Zero Trust eXtended Ecosystem right here. So we have seven sort of pillars, with Data at the center because obviously that's the thing that you protect in any network, in any security scenario because the truth of the matter is no one breaks into banks to say that they broke into a building. They break into banks to take money, the same reason that they break into your network is so that they can get access to data.
Chase Cunningham: Then you have other pillars like networks, devices, people, workloads. And then you have capability sets that integrate with all of those. Automation and orchestration, visibility and analytics. And the point of this framework is to say if your organization is not ready to do Zero Trust data, fine, don't worry about Zero Trust data now. Focus on Zero Trust people, Zero Trust workforce, and do that. You can't do Zero Trust workforce or people? Okay, fine, let's do Zero Trust networks. So the point of the framework is to say the same conceptual guide that have been around in Zero Trust for a while are applied within this framework and you pick an area that you can focus in and start getting wins so that you can take that back and leverage those wins on the next step.
Chase Cunningham: And just to really show a couple of things around the use of this framework and sort of some of the research areas that are coming around and the benefit from it is to say we've got research actually going on in this space to say look if I had a $100,000 could I use ZTX, or the Zero Trust eXtended Ecosystem, and figure out how to apply it to the budget that I have right now? Sure. So you can easily sit there and say well I'm typically allocating 25% for my people, 25 for workloads, 25 for devices, and 25 for networks. Start leveraging the capabilities that you have. Map it to the framework. Implement those and move forward. It actually is really clear to see who does what where, where you put the budget, and then where the resources go. But the reality of it is is that it's a framework. It's modifiable, it's adaptable, and it's usable within your particular area of concern.
Chase Cunningham: And just to drive that point home, you know in that same model, let's say that 25/25/25/25 didn't work for you. Fine. Look at what you need, look at the budget allocation that you have. Figure out where you're able to make gains, make wins, do the best at. And divide that up and use it there, so maybe it's 30% for workloads, 10% for network, 35 for device, and 25 for people. That's absolutely fine. The point of the matter is that the framework is there. It's built around those capabilities. It's built around the functional pillars that are within the framework itself. And it's made to be malleable and usable by any size enterprise so that you can apply the concepts within Zero Trust of don't trust anything, users, workload, data, network, access, whatever, don't trust it. Put capabilities in that place and then start getting gains and winning and doing better.
Chase Cunningham: You know and just the last piece on that, if you were putting the money together and you were focusing on people and workloads, great, I'm gonna use encryption technology. I'm gonna use IAM and MFA and I'm gonna do endpoint and logging. Sure. Those apply within that framework. Those apply within the capability sets. Those are parts of the pillars. Put the money that you need allocated, assign it to the capabilities, find the technology, map it and then move forward. And so you can see pretty quickly how Zero Trust has evolved from straight up hardcore network and sort of a micro-segmentation and allocation type of capability data security, to a comprehensive, academic, programmatic application of Zero Trust concepts across the entirety of the enterprise.
Chase Cunningham: You know the last real point on this here is Zero Trust identity within that framework is easily modifiable. You can see that we're talking about functionalities. We're talking about the populations that are affected. And then the resources that actually get touched by doing that, leveraging the capabilities within the framework itself. So without sort of nerding it up and making it way too academic, the point of this last slide is to say Zero Trust has been around for a while. ZTX is the evolution of that. And for small and mid size enterprises, you have to have a strategy in place which should be Zero Trust, you have to have a framework to leverage to achieve that strategy, which is ZTX. And then you should be able to pick the pillars, such as IAM or a Zero Trust identity, and mix and match it and use it for your specific use case so that you get wins, you get gains, you do better and you're able to go back to leadership and say, "Look this is what we're doing. This is why it matters. Here's the fix." And you just keep going along that process.
Chase Cunningham: And if you follow along with the research and with Zero Trust is and ZTX, all of the things that you're trying to do in security get solved by default because you're following strategic processes, leveraging capabilities, and driving it forward with a framework that makes sense.
Chase Cunningham: So that being said, that's my piece on sort of the industry and Zero Trust. And I'll turn it over to the Centrify team now for their portion.
Corey Williams: Thanks, Chase. Yeah, this is Corey with Centrify. I wanted to talk to you a little bit today about our perspective with Zero Trust. Zero Trust is something that maybe is starting to be elevated in conversations and come up from a lot of different vendors and so you may be hearing more about it. But there's many of you maybe that aren't as familiar with Zero Trust. And I think it's worth kind of stepping back and taking a look at some of the basics behind Zero Trust.
Corey Williams: The core idea behind Zero Trust is that a user connecting to a network, let's say through a VPN to the corporate network, shouldn't imply that that user is trusted at that point. If you kind of remove the idea that connecting to a network successfully equals trust, then you kind of get the real basic sense of Zero Trust. There's a lot of elements to protect, but access is one of those. And so if you assume for a second that the users inside your network are no more trustworthy than those outside your network, it solves ... if you can solve that problem, it helps you address a lot of things. It helps you address resources that don't sit behind your firewall, right, because I can apply the same approach inside my network as I do ... outside my network as I do inside my network. So if we get away from trusting the boundary as the way of separating good guys from bad guys, then we're left with things like the access itself to different services and resources.
Corey Williams: So some of the ideas behind Zero Trust is to grant access to services based on what we know about the user. And what we know about the user should be more than just the password that they present. We should know more about that user's context, and we'll get to kind of how you can do that.
Corey Williams: We should know more about the device that they're coming from. So just because a user can provide you some evidence that they are who they say they are, if they're coming from an unknown device from an unknown location, that should raise alarm bells. And so knowing more about their device, both whether or not it's associated with that user and whether or not it's in a secure posture, is a very important element as well.
Corey Williams: And then finally, having not just an identity that's assured about the user, but also that the accesses and privileges he has within your environment is limited to just what they need and just for as long as they need it.
Corey Williams: And so when you take those principles together, you kind of flip it on its head. Rather than trust but verify, that kind of old saying, it's never trust and always verify. I think that's a good way to think about it. And it kind of eliminates some of the problems you have with stolen credentials, and phishing, and so many of these other kind of attempts to ultimately get access to your data, yes. But usually in the interim it's to get access to a credential or to a higher level of access or to move laterally within your network. And so this issue of being able to continually verify the user and validate their device and limit their access is important.
Corey Williams: And so the way that we kind of look at it in terms of how do you build an approach to Zero Trust from Centrify's perspective is you start with these four pillars. Go to verify the user, and I'll kind of describe what I mean by that. Always validate their device. And then limit their access and privilege. And these things we can start to look at technologies and processes and people to do, but one of the key things is to not just implement some technologies here, but to collect events and information from these users and devices and access attempts and resources so that we continually learn and adapt the policy and to make real time decisions and to alert the right people. And that's where newer technologies like machine learning can come in and provide a great approach.
Corey Williams: So let's talk a little about this, about verifying the user. There's ... The big issue is that we rely too much on passwords. And those passwords are self managed by users, it's frustrating for users, they don't wanna have to use them, they don't wanna have to change them every 90 days, they don't want them to be different across different applications. And so you can remove some of that frustration of the end user by using technologies like single sign-on. Now single sign-on is great for two reasons. One is it's much more convenient for the end user. And two, is instead of transmitting a password across the network it's using these one time tokens that are generated that can't be easily reused and it provides a much safer mechanism. It also prevents the user from having to know and self manage a bunch of passwords across different applications.
Corey Williams: But by itself it would be a little bit dangerous, right. Because now it's only one username and password that gets compromised and I have single sign-on access to everything, well by itself that would be a bad thing. But if you combine that with concepts like multifactor authentication and conditional access, then you get a better level of assurance before you give them sign-on to their environment through the single sign-on. And so multifactor authentication is a great way to do that. Now most of us are familiar with multifactor authentication either because our bank is now pushing it on us, or because we have an enterprise experience with an old hardware token that's generating a one time code so that I can VPN into the network. That's most people's kind of view of multifactor authentication.
Corey Williams: However, there's been a ton of research and development in the last two years that has greatly improved the experience and the smarts of multifactor authentication. So that now multifactor authentication is only put in front of the user when the situation, the context of that access attempt, requires it. So that you can make decisions like well the user is on their device and on the corporate network during corporate business hours, accessing the same app that they always do and they've already securely authenticated to their device. Maybe I don't prompt them for another factor of authentication, maybe I just give them silent sign-on because the risk is low enough. It improves the user experience.
Corey Williams: But when I do need to prompt them, then they have options for a convenient factor that's pushed to their device because we know that device is associated with them. Or that they're able to choose which mechanism is most convenient for them at the time and they can have multiple ways of providing a second factor of authentication. So those improvements have both made it possible to implement multifactor authentication in more places, but also make it less of a burden on the end user.
Corey Williams: Now all of this would be a little bit difficult if you didn't also have some knowledge about what is typical behavior for a user. And so being able to understand what a user normally does means that I don't have to write a specific set of rules for each user. So a sales guy that travels up and down the east coast, I would normally expect him to see him accessing resources from a Starbucks on his cellphone. But maybe in my accounting department, I wouldn't expect people to be accessing my finance ledgers outside of the corporate office. And so you can have a different profile that's generated based on each user and that profile is based on each user's individual behavior.
Corey Williams: And when you combine these three things together, you get a much simpler implementation. You don't have to create a lot of rules. The behavior's learned over time. The end users get a better experience. So it actually allows you to layer on some of those verification pieces that you want to approach a Zero Trust stance. But do it in a way that it doesn't burden IT. So that they have to be constantly becoming experts in the technology and writing rules and the users have to be constantly prompted for additional factors of authentication. And it's the combination of these three technologies that allow that to happen.
Corey Williams: So okay great. We verified the user. Well a big key piece of verifying the user is understanding that that device that he's using, A, that it's associated with him, and B, that it's configured in a way that represents less risk to the enterprise. So a phone should be configured to have a screen time out and a PIN code to unlock it. And the apps that have corporate data should be managed in a way that if I remove those corporate apps, the data comes with it. And that they can't easily copy data outside of that environment. And so those kind of things allow me to have a better understanding of the context of that device. Not just that it's managed, but also its location and its posture in terms of when that access attempt comes in.
Corey Williams: And device context becomes very important. We would eliminate a ton of these foreign and state actor like attacks if we only allowed devices that we knew belonged to a user to access our resources. If we had a magical way of doing that then we would prevent a lot of that remote attack that comes through. And so device context becomes a very important piece. Along with the security posture of that device.
Corey Williams: And there's also another small piece that I think gets overlooked. And that's about how much privilege an end user needs to have on their laptop or work computer. Yeah maybe they need to connect to their home network or they need to be able to add a printer, but should they really have local administrator privileges on that system? So that's one issue. A second issue is that for any organization of size that has to manage a lot of endpoints, they often will create a local administrator account that's just for IT use. Now we unfortunately see in too many enterprises, a big chunk of you here on the phone, who are using the same username and password across all of those local administrator accounts for convenience of remotely administrating your users' desktops.
Corey Williams: That represents a huge risk. And so being able to manage those local admin accounts in a way that they all have unique passwords and that there's security around being able to access those, as well as limiting the local administrator privilege for the end users is a very important piece of being able to trust that those devices are able to connect to the network. It also greatly limits the lateral movement and the problems related to some types of malware if you can rein in the local admin privileges on your endpoints.
Corey Williams: So a third pillar, limiting access and privilege. Now this is where you start to get into an area of ... that's very specific vulnerability. If a user ... I mean we already do this with physical security, right. Everyone is issued their own badge to access the office complex. If a user comes in we know it's them. And they don't have access to every door inside the building. They can't go into the server room or into locked storage. And so we already kind of have this physical notion of separating out and limiting access and privilege that users have. We need to start doing the same thing with our infrastructure rather than allowing our IT administrators, whether they're employees or outsourced or managed security services or IT services, they shouldn't have or be using these shared accounts that have unlimited access.
Corey Williams: And so these privileged accounts should be pulled away from usage and instead users should be logging in as themselves and only when they need privilege. It's given to them in a granular way. And that's the idea of getting more granular and creating role based access among your IT resources. And this'll greatly help limit some of the lateral movement for bad actors who do have limited access.
Corey Williams: You can further ... You can take that to kind of to its extreme, right, I mean it's not just narrowing down the type of access or the systems the user has access to, but it also can be taken to its extreme where, I mean, right now those of you who are IT admins on the phone listening to this webinar, they don't really need access to anything right now if they're paying attention to this. And so why does that access sit there dormant waiting for someone to exploit it? Instead remove the access completely and only grant it when it's actually needed. And this can be done in automated ways to allow users to request access, maybe to an application or maybe to a server or maybe to a specific command that they need to run. And have that either automatically or manually approved through a centralized system that can look at the context of that request.
Corey Williams: And so for example those who are a little bit larger organizations, maybe you have an IT service management system, like ServiceNow, leverage that environment to both understand who's accessing what systems and to approve those accesses in a time limited way so that they're removed after that access is no longer needed.
Corey Williams: And then finally audit everything related to privileged access within your environments. And this is important not just for forensics to understand what went wrong or who might've done something within your environment and to provide that accountability, but it's also to help you to spot trends and to look for weaknesses and to provide greater granularity of events to the machine learning layer, which can start to spot patterns in access that may on its own look benign, but as a whole represents a risk to the business. Simple example of that is a user who normally is only accessing a handful of systems all of a sudden starts accessing all the systems. Or starts doing it at unusual times. You may not see that in an individual attempt, but you can start to see that across a set of attempts.
Corey Williams: And so basically these three pillars of verifying the user, validating the device, limiting access and privilege will generate a whole set of events in real time that can be analyzed both to build the user profile for understanding what their typical behavior is, but also to look for trends and to alert users and even to take action on behalf of the system to mitigate that risk that might be identified. And that's where machine learning comes in is to build those profiles. And so you start to think about ideas like machine learning and artificial intelligence and one of the key use cases is to in real time decide whether or not a user should be allowed to have that access or whether or not additional factors of authentication should be brought up.
Corey Williams: But it also can provide that ongoing analysis that allows you to spot trends and weaknesses and risky events that need to be addressed. And so it's that kind of glue that holds together these different pieces of technology to provide that insight. And one of the challenges with machine learning is that that's a lot of data that gets crunched on over time. And trying to integrate various systems from different third parties can become a challenge because a single sign-on system reaching out to a third party access solution that is relying on a third party user behavior analytics solution can add too much latency to that login to make it worth it, it'll actually make the user's experience worse. And it wouldn't be able to be used in any automated environment because it would just be too slow to respond to an API call.
Corey Williams: So having these integrated together is a kind of a new key feature in something that I refer to as, and others refer to as, Next Generation Access, which we'll talk about here in a sec.
Corey Williams: But what I wanna do is kinda pause for a second, take a poll question, just among a ... We only invited folks who come from organizations that are in this sort of mid size and smaller range. So you can kinda see how some of your peers are doing. And what I wanna do is just ask some simple questions around your Zero Trust technology adoption and kind of some of the things that you may have already done. So I'll go ahead and put this up here. This is not comprehensive, it's just a few examples.
Corey Williams: Which of the following are you currently using in your environment? For example, are you using multifactor authentication for both application access and system access? If that's true, pick that. Oh I think these are meant to be check boxes. Well this'll be an interesting one. Conditional access, if you're using conditional access ... Wow this is not gonna work, is it? Because can you pick more than one? Oh you can only pick one. Ah, that's our fault. We screwed up the poll. I'm sorry.
Corey Williams: What I wanted to be able to do was to understand which, out of a hundred how many people were actually using these different ones. But what I'm gonna get is a distribution instead, which is not gonna tell us a whole lot. That's okay. I'll save us three minutes and move on to the next slide. Just a few of you who did answer, did answer you used a lot of multifactor authentication, that's good to hear.
Corey Williams: Okay so if the goal is to secure access to apps and to infrastructure, so across all of your resources, both on premise or in the Cloud, or in some hosted environment, and to be able to do that only from trusted endpoints, and to do that across all of your different users, not just your employees but your IT users, your privileged users, maybe outsourced IT, your customers, your partners, your suppliers, all of them need to be verified before you give them access to your apps or infrastructure. And so this may sound complicated. And I understand that there's a lot of capabilities here and you might think that you would need to go and implement this using technology from different companies or that was assembled together, integrated by a third party, and it sounds expensive and complex. Well that's the great thing about what we call Next Gen Access.
Corey Williams: Next Gen Access actually combines these capabilities into a single integrated solution that provides you an end to end comprehensive approach integrated into the same UI so that you don't have to learn different skillsets across different products in order to implement Zero Trust. And even better, it coexists with existing parts. So if you've already got a multifactor solution that you like and that users are used to, you can substitute that in, but fill in some of the other gaps with Centrify's Next Gen Access platform. And even better, if you are kind of looking to have a more strategic approach and implemented Zero Trust approach, you might think well I don't wanna give up the best features that are out there. And so maybe I need different vendors to do that and I'm willing to accept some of the integration costs and some of the extra skillsets that are needed. Well the good news is that you don't have to give up the best of breed capabilities in order to adopt Next Generation Access.
Corey Williams: Centrify provides a single unified platform across applications, endpoints and infrastructure to implement the pillars that we just talked about. And we do it in a way that doesn't sacrifice the best of breed capabilities. You can see here with our partner Forrester, that they have looked at these different areas of privileged identity management and identity as a service and enterprise mobility management. They've ranked vendors across a set of capabilities and a set of key performance indicators and Centrify is named as one of the leaders in two of these three markets. And we're the only vendor that shows up in all three. And we provide it in one integrated approach.
Corey Williams: And so I think when you look at Zero Trust security, it may seem like a daunting project that requires a lot of forethought, but in fact you can start to implement it as Chase said today by filling in the gap of your most urgent need, but by partnering with a vendor like Centrify that can take you all the way there as you look at filling in other gaps or consolidating vendors across the different capabilities that are provided in Zero Trust.