Jennifer Minella, Founder, Principal Advisor, Viszen Security

Demystifying Zero Trust


Jennifer Minella, an internationally recognized authority on wireless security, demystifies Zero Trust.

You’ve probably heard the term before, but what exactly is Zero Trust security? In this presentation from the Juniper booth at the RSA Conference, security expert Jennifer Minella does everything from breaking down the Zero Trust lingo to explaining the various solution suites available. She even shows sample evaluations and how they fare against Zero Trust principles.


You’ll learn

  • What the journey to Zero Trust looks like 

  • Frequent use cases for Zero Trust 

  • Three different Zero Trust architectures that cover broad use cases 

Who is this for?

  • Security Professionals

  • Network Professionals

Host

Jennifer Minella
Founder, Principal Advisor, Viszen Security

Transcript

0:05 I'm going to be talking about Zero Trust Explained, so I'm going to kind of be demystifying all of the different acronyms and the words, the products that are out in the market today. And then if you are interested in what Juniper is doing in that space, you have a lot of people here that can help you with that.

0:23 So the first thing I like to kind of talk through and level set with organizations is kind of what the journey looks like with Zero Trust, because when I do consulting and I do events and forums and I talk to people, there's one of two paths they're going through. Either the organization has set a board-level strategy, or non-technical stakeholders have set a strategy, and the organization has then kind of made a high-level statement about Zero Trust, and the rest of the teams are going to spend the next 18 to 36 months figuring out what those projects and those products are going to be. So that's kind of like the high-level plan. About half of the organizations, though, are jumping in and saying, "We're going to go ahead and just solve some point problems with some point projects that are going to get us towards Zero Trust," but not in as structured a way as some of our peers might be doing. And so those are the two paths in Zero Trust.

1:11 But regardless of which way you're doing it, when you get to the position of making those decisions about what you're going to do, and then you eventually get into solutioning for it, it looks a little bit like this. And I'm not going to walk you guys through all of this; this is a discussion, it's a short session, but it is important. You know, we do always talk about starting with visibility. I think what's different with Zero Trust is we're not just talking about asset visibility; we're talking about visibility into data and classification of data. We're also talking about visibility on a much more granular level of privileges and accounts, non-person entities, API keys. So the world of visibility for Zero Trust and how those things interoperate is much broader than what we've had for visibility just for compliance in the years past. So I'm not going to dive too much into that; that's your nickel tour there.

2:04 The next thing is doing an assessment, and I think one of the questions organizations have, or professionals have, is: what does Zero Trust even mean? So I am going to walk you guys through, a little bit later, a little bit of this assessment, gap analysis, solution, to give you some examples of, okay, I'm sitting here and I'm supposed to do Zero Trust. What does that mean? How do I start? What's a template for me to put on a piece of paper and figure out what I need to do, and then prioritize that work?

2:34 And then we'll talk about tracking progress, and again I'm not going to dive too much into that part. There's two methods for tracking progress: one is more structured, with a formalized maturity model, and one is a little more ad hoc, where we're assigning a risk-based value to the work we're doing down here.

2:54 So the use cases for Zero Trust are obviously myriad. The ones that I'm still seeing a lot right now are these: so VPN replacement, things like privileged access management, possibly for your internal teams, and again this stuff can be on-prem or in the cloud. And then we get into things like third-party access and BYOD, where we have some type of privileged access for non-managed endpoints. Access to controlled data, then, is kind of one of the low-hanging-fruit items: if you are meeting compliance requirements, you can kind of down-scope, put some stuff in a little bubble, and Zero Trust protect that. And then of course cloud access control, which we've been doing to different degrees for a long time, and then workload segmentation.

3:35 So I'm going to explain how any of these things, and the rest of the Zero Trust solutions, fall into three main buckets, and then I'm going to explain to you why the products don't cross over, because of the mechanism that they're using for enforcement policies. So something interesting to note is, in talking to organizations, a lot of them are going to have three different, or maybe two or three different, products and solutions for these top three use cases here. And then I've talked to a couple of organizations, in fact I met one this week during a roundtable, where their organization decided to commit and they are doing this, this, this, and that third-party access all with the same solution, which is unusual, but it can happen.

4:20 So the three kind of pathways into Zero Trust, regardless of whether you're doing a strategy or a project-based solution: low-hanging fruit is, let's just carve out those things that we know are easy wins for us. It's a low lift, things like third-party or contractor access or privileged access management. We're not impacting the entire user population, so the cost is lower, the impact is lower, it's usually an easy decision, and if it's one that doesn't fit with your long-term strategy you can back out of it without a huge loss. The next thing is we're getting into refresh cycles, and so if you're starting to lift and shift things into the cloud and you're doing things like VPN replacements, so you're already purchasing and making decisions, it's easy to slide in your Zero Trust strategies there. And then back to that sort of critical data and application protection: if you do have types of data assets that are in scope for compliance, it's really easy to carve those out. We've been doing it a long time with PCI, right, when we scope a PCI network. Now we have CMMC and DFARS and things like that, so great use cases for Zero Trust and easy wins there.

5:32 So I promised I was going to share with you the three main buckets, and I think this is really, when you understand that, you're walking through this floor here, everybody's product falls into one of these three things. So user-to-resource is probably the most common use case, right, and it doesn't matter where the user is and it doesn't matter where the resource is for this bucket's purpose. So there are going to be some products that are going to work better on-prem and some that are more cloud-native, but in user-to-resource there's a human and usually a traditional operating system like a laptop or a phone, and we're talking about accessing resources on-prem or in the cloud. And for context here, the ZTNA-type products fall under the user-to-resource solution.

6:15 Then we get into device-to-device. Now this is really your network-based micro-segmentation. I'm being very intentional about saying network-based micro-segmentation because we'll talk about workload segmentation next. And so really the products that operate in this device-to-device, so these are, let's just say, headless devices. This could be anything: it could be an OT, an operational technology, environment, it could be biomedical devices, it could be other IoT-type devices or other kinds of assets that don't necessarily have a traditional operating system and don't necessarily have a user attached to them. Most of the traditional network access control products, and the evolution of those, fall into here, and therefore most of the vendors that came out of the networking space and had those sort of NAC-like products have focused a lot of their attention in that product space.

7:06 And then the third is service-to-service, so this is workload micro-segmentation. So most often when people talk about micro-segmentation they mean workload segmentation or data center micro-segmentation, so that's server-to-server, service-to-service, application-to-application, or serverless architectures and microservices. And so as you can kind of imagine here, the product landscape and how we implement these three buckets is very different; there's not a lot of crossover between them. Makes sense so far? Okay, all right. Now here we get into, oops,

7:44 sorry, we got some wraparound going on there. Okay, here we get into the lingo. I'm going to tell you this so I can tell you the next story in a second. We have some common language here, so don't worry about everything going on here. What I want to point out is really two things. Number one, if you have worked with any type of network access control or Trusted Computing Group concepts or frameworks in the past, for the past 10 or 15 years, this is the same language. These are the same words, the same phrases, the same acronyms, the same everything. So if you've worked in that space this is going to be very familiar. The second thing is that we have several ways to control that access.

8:29 Out of those three buckets, what this model is showing us is that user-to-resource. It's a visual representation of that, right: there's a user that's accessing a resource. This model, with obviously different graphics on it, could also depict device-to-device, or we would have a different visualization for workload segmentation. So let's just kind of look at what's going on here. And these things that wrapped around accidentally, these are policy enforcement points, which is just what it sounds like it is: the point at which we are enforcing a policy on, or initiating, the connection or the data path. And so what this model is showing here is we're using agents.

9:10 So let me demystify what most of the products out there are doing, and then I'm going to roll back a little bit to some of the network stuff. So I'm going to use "agent" broadly for something that's on the endpoint, which might be something that's dissolvable or a non-persistent agent, so not necessarily something you have to install, but something that's living on the endpoint, even if it's temporary, to initiate this. So a policy enforcement point, and you're going to see a matrix and a table in a minute that'll give you a few ways to mentally connect these things. So there's a policy enforcement point shown here where the user is, and then there's a policy enforcement point shown up here where the asset is, in this particular case in the cloud. We have infrastructure- and platform-as-a-service assets up there, and the policy enforcement point can live on that asset directly, so maybe on a server or within an application. But it can also work in what we call an enclave model, which feels a lot like VPN. So what that's going to do is there'd be kind of like a policy enforcement point here that's living as, think of it as a gateway, firewall-ish type of thing, and that policy enforcement point is then granting access to a group of resources in that enclave model behind it. So again, we can have this kind of one-to-one ratio of things, but we can also have a one-to-many ratio depending on the architecture needs of the environment.

10:38 Same thing happens when we get down here on-prem. We're gonna have something that's an agent, and again I'm using the term "agent" a little bit loosely here, so bear with me. Just like we have servers and applications in the cloud, we could do this down here as well, which would then eliminate what we do traditionally with DMZs. So you can install things directly on those assets and then get very granular with the control, whether somebody's accessing it co-located on-prem or somebody's accessing it remotely.

11:11 The depiction here of the hardware, and I'm going to kind of refer to these as, air quoting, "Zero Trust enabled" firewalls or "Zero Trust enabled" networking devices, which might be switches or routers. So these are gonna be maybe the same type of hardware platforms we've been used to, but they're going to be outfitted with some code that lets us do integrations, for example with APIs, so that they can execute the enforcement from whatever the policy engine is. Now in the grand, like, this framework, Mecca, perfect world, there's this master brain, kind of man-behind-the-curtain policy engine, and it's supposed to be the policy engine. The reality is that as you're working through these use cases you're going to have several policy engines; you're going to have several points in the infrastructure that are still making access decisions, at least for the foreseeable future. Now maybe one day we'll get to that, like, you know, giant brain, but for now just be prepared that you're going to have multiple sources of truth, as it were, for these different implementations to some degree.

12:15 So when we get down here to the hardware, now we have this Zero Trust enabled hardware where that piece of hardware can take instructions from this policy engine and not only just allow or deny that traffic, but do things like tunnel terminations, possibly traffic inspection and sampling, and get more granular with that least-privilege concept. So instead of just, okay, you're on a VLAN, or okay, here's an ACL, that level of control is much more granular than that at this point. So that's the model here.

12:52 Really crappy thing about Zero Trust is, so in my world Zero Trust is very real. Like, we do this, we're doing these projects, we're implementing these products. I think the challenge for most people is everybody, every vendor, everywhere, for everything, has taken whatever they do and they just slapped a Zero Trust sticker on it. So now you literally have Zero Trust everything. I've talked to vendors; I really hate when they do this. You know, being an engineer myself, it's very misleading to people. So I talked to one recently, and you know it's like Zero Trust this and Zero Trust that, and I said, "But what are you doing to Zero Trust?" "Well, oh, well, you know, we could feed into this other thing." And I'm like, well, that's not really helpful, actually. So this is a little bit problematic, because we already have a lot of confusion around what the different solutions do, and now we have the Zero Trust toasters. My friend Mitch made this for me because we were on a CSO talk and I said something about Zero Trust toaster, so now this is floating around.

13:44 So from a product perspective, and I'm going to have a couple of graphics, a little bit of, you know, Venn diagram on this, in Jen's head I lump the products into not just the three buckets but also whether that solution architecture is designed to be cloud-routed and cloud-native, or it's more on-prem. There's a little asterisk because there's exceptions to a lot of these things, but what you'll see over here are your SASEs, your ZTNA, your CASBs, your secure web gateways, SD-WAN stuff, that of course translates over to on-prem as well. So this will make more sense when we get to the table.

14:30 But let me explain cloud-routed really quickly, because this is one of the other points of confusion with a lot of products. Cloud-routed means that regardless of where the user and the resource are, the tunnel for their communication is going to go through the cloud, through the internet, through the cloud, through a point of private presence, egressing out and then ingressing back in somewhere. Which is totally cool if the user is not co-located with the resource, right: user's at home, user's remote, resources in the cloud, whatever. That falls apart a little bit when suddenly the user is co-located with the resource, because now we're kind of hairpinning out and coming back in. It falls apart a lot when we have applications that are heavy and high-bandwidth or latency-sensitive, and we're pushing stuff out and coming back in; that model doesn't work. And so that's one of the things I like to explain, because that is a huge determining factor whether a product is going to work for you, because some of them, in certain architectures, only do cloud routing. You can't get a direct connection between this and this the way that this graphic is. That's the big thing. Do you have a question? Okay.

15:43 And you guys, if you have questions, please, like, let's make this interactive. I hate just standing up and talking for 30, 40 minutes straight. All right, so we've got cloud-routed; we can also get direct. I'll show you a little chart in a second. So from the kind of Venn diagram, obviously there's other stuff that's not on here, but I just kind of want to pull out the normal things we're seeing every day, the stuff you guys are seeing when you're walking around the show floor here.

16:04 And so ZTNA, just to sort of clear this up about what that is: we always talk about Zero Trust is not a product, Zero Trust is not a product, Zero Trust is not a product. And then somebody said, well, there's Zero Trust Network Access, which isn't network access, and actually this is a cloud access solution. And I like, Sunil in his workshop this morning said it really should be Zero Trust Application Access; that is a better name for this technology. So what the ZTNA solutions do, and why they're different than some of the other stuff we've had, is the ZTNA products all follow the Cloud Security Alliance Software Defined Perimeter framework. And just to distill that down and give you a visual for that, what we're aiming for is sort of what I call a lights-out model, or they call it a dark house. You're aiming to not have indicators of the presence of your assets publicly on the internet.

17:12 So functionally, if you're, you know, if you're a network or a security person, functionally what we're talking about is: normally, if you have applications that are accessible remotely, there's all kinds of things that indicate to the world that that exists. There's public DNS entries, right, so that applications can talk to each other and users can access things like VPN. So you have all of these things that are telling the world you have these assets and these resources, and then what you're doing is you're putting a gate right before that and supposedly, you know, allowing access or not based on things like, you know, credentials. What ZTNA and the Cloud Security Alliance SDP aims to do is to say, no, no, don't even let them know they exist. Don't show the world you have these things open. Connect to a trusted resource that's in the cloud, and then let that trusted resource connect to, or let the users and devices connect to, that trusted resource that's floating out here. And that brain, that engine, is going to make the decision about that user, that resource, and if they're allowed to get to the asset then it's going to broker that connection for them. So as a user, even as an authorized user, I don't know, and I don't have direct access to, an asset, whether it's on-prem or in the cloud. I don't even have visibility. If I'm a malicious person and I'm scanning, I'm not going to see it. So that, in a good way, obscurity is what ZTA is aiming to do.

18:42 And I kind of liken it to driving through the country, like in a wooded area out in the middle of nowhere, with the roads doing this. And our current model is you drive through at night and you see driveways and you see mailboxes and you might see some light from the house peeking through the trees, and so you know there's a house back there. What ZTNA aims to do is: no driveways, no mailboxes, no lights on the house. You see nothing when you're driving by.

19:12 Okay, so that's all those products. And then we have things like SASE, where it's a service set, and then there's the subsets of SASE, like SSE and whatever acronym one of the analysts came up with yesterday, I don't remember. So we have all of that stuff there, which overlaps ZTNA quite a bit, and in reality it's possible the SASE bubble might be bigger than the ZTA bubble right now. We have cloud brokers, we have the secure web gateway, we have endpoint detection and response, and then we have the SD-WAN stuff. So if we look at this, pretty much, if I could draw, all of that relates to the user-to-resource use case model, that first use case model. All of these are designed to protect a user accessing a resource. The workload micro-segmentation is its own suite of products specific to segmenting within data centers or between data centers. And then we have network segmentation, where all of the network access control, the advanced authentication servers and services, and then the new kind of Zero Trust network-based micro-segmentation products all fall. And so we have all the stuff we were doing before, and now we have a little bit of a new breed of some of the micro-segmentation that does stuff a little bit differently than traditional NAC. And then SD-WAN kind of straddles, because it has a user-to-resource aspect but it also has a device-to-device aspect.

20:38 So here's Jen's private, nasty little draft chart, but I've had a lot of success using this. I've started sharing it more so in private consulting with organizations and/or with their vendors; this has been really helpful. And so if we go back to that concept of the three big buckets, we can see why the products don't overlap very much when we start to look at this. So back to the acronyms we saw on the drawing: we have a policy enforcement point type, very loosely, and I'm addressing mostly user-to-resource and device-to-device. A little bit of what's down here gets into some of the mechanisms of that workload micro-segmentation, but that is not my area of expertise, I'm not even gonna pretend. So from those other two models, what we have is software or appliance, and the appliance can be physical or virtual.

21:31 So what this starts to look like as we go down the table: on the software enforcement point type, just like I showed you guys on that drawing, we can have an agent, loosely, agent could be dissolvable, an agent on the resource, an agent on the requester, an agentless or dissolvable agent on the requester, or some combination of the things above. So you can start to see here that depending on the product, if you're talking about a managed endpoint and a corporate-managed asset, this looks great. If you're talking about BYOD and maybe contractors, you want to start looking at maybe something that's agentless on the requester side, on that user side. Yeah, okay.

22:13 And then we get into how is it enforcing it. Now there's other aspects to things like building tunnels and encryption, but in general we're controlling that access, or initiating that access and sustaining it, through external routing, possibly DNS captures, and then we have other things on the host with firewalls and routing we can do between those agents. And then the control granularity, and there's an ellipsis here because I'm always learning about new solutions and new products, slash the vendors are coming out with new mechanisms, so this is kind of a living document. So then we get into how granular can it be, and then kind of the secret little thing over here that people forget about is the direction, because when we get into, especially, ZTNA-type products, not all of them can initiate in both directions, meaning maybe you can have the user initiate to that asset, but that resource, that server, can't initiate something back out anywhere. So that's great for some types of access, and it's horrible and won't work for others, right. Okay, so that's the world of the software enforcement.

23:13 Then we get down into this appliance-based enforcement, and again it can be physical or virtual. So we're back in that world of, and when I have something here like a firewall, it could be a virtualized firewall, it could be a hardware firewall like you're used to, right. And so again, remember that anything you see in here, this hardware that's listed as an enforcement point, has to be my air-quote "Zero Trust enabled" piece of hardware, not, you know, not the firewall you bought 10 years ago. I know you love your NetScreens and they're still floating out there, but you're gonna have to upgrade if you've got older stuff.

23:54 All right, so then we get into things like micro-gateways. So when I said that now we have, in that device-to-device, some vendors that have popped up with sort of novel ways to do things, so as an example there are some vendors out there that are doing what I call a micro-gateway, which means they, for lack of a better description, they kind of hijack, they become the source. So in a VLAN you point them to this box, so you point a whole network at this box, and it's going to then be the default gateway for the endpoints on that network. It's going to serve DNS, and it's basically going to serve so that endpoint can only get to that Zero Trust micro-gateway box, and then that box makes a decision around can you access something else. And so that's a, you know, a layer 3 enforcement mechanism here, but it's different than what we were doing with NAC products before. So my point in this really is just that we have some new stuff, with the same hardware and same, like, levels of enforcement with layer 2, layer 3, that works functionally different than what we were doing a few years ago.

25:02 So we have all that stuff. Then we get more into those enforcement mechanisms, your normal stuff here, right, because we don't have suddenly magical firewalls that can suddenly do, well, okay, sometimes we can do agent-level control on a firewall, that's a bad example, but probably not in a lot of the switches and routers we have. So we get into these pretty granular mechanisms, and some of them are pretty robust. We can do things like VXLAN and other network virtualization functions; it kind of overlays things like SDN and SD-WAN, and then our normal stuff we've been doing at layer 2 and layer 3, VLANs, ACLs, all of that jazz. And then same thing there, we get into that control granularity.

25:43 The other piece that we're sort of layering on is that access decision from this policy engine that's sitting somewhere. Again, that kind of perfect-world picture of Zero Trust is we're trying to get better context of what's going on. And what we've been doing for a while already is device posture, things like that, right. So whether it's VPN or network access control, one of the things we've been doing is, what is the posture of the endpoint? You know, does it have antivirus installed, things like that. We've been doing that, but now we're kind of talking about, let's get more mature with that, let's take that to the next level, and let's look at the posture of other things. So maybe the security posture or the risk posture of the network, and it could be the network where the user is, it could be the network where the asset is, or it could be the internet in general, so this is where some of the threat intel feeds are coming into these. We might talk about the posture of the user: was that user's account compromised, has it shown up on the dark web? And then we can start to overlay some of this other stuff. So some of these are going to be pretty generic, blah blah, we've already been doing it, and some of this, though, we're really ratcheting it up a notch from what we've been doing. And then we of course get into things like least-privilege control, and that access is more granular, and then of course the data path mode we talked about earlier with the drawing: is it cloud-routed or not cloud-routed.

27:07 So the questions you start to ask are, okay, what is my use case out of the three buckets: user-to-resource, device-to-device, or workload micro-segmentation? That's where you start. Then you get into, where are my, if it's users, where are my users, where are my assets and resources? Is cloud-routed okay, is it not okay? And then how am I going to do this with an enforcement model: is software going to work, can I install agents, can I not, what's the level of granularity, and which ways can we initiate? And then for the on-prem stuff you've got all of this down here.

27:50 so i promised i would share a little bit of the content i do for how to actually get started um and sorry

27:58 these are kind of silly examples but i wanted to just pull something that you know anybody whether they worked in

28:03 identity or network or security could kind of wrap their heads around so these are the examples that i pulled

28:09 here so this is just an evaluation of okay we're we're taking what we're doing now

28:15 and we're starting to map it against the zero trust principles so we've got things like here's joe or maybe this is

28:20 a group of users um it's a sas application model because we're going to crm that's hosted somewhere else maybe

28:26 that salesforce yes it's encrypted no we're not inspecting or brokering it not really

28:31 applicable for ztna because this is a public service and then we get into least privileged multi-factor and are we

28:38 factoring in any type of posturing to this decision now obviously there's more principles of zero trust uh so this

28:45 table could keep going we could have a lot more columns here but these are these are the the handful that most

28:51 organizations are starting with when they're evaluating their their policies for user to resource for device to device so then we get into

28:58 some of the privileged access management stuff so we see here an internal it operations team

29:04 so people that have kings of the kingdom internally uh both on-prem and in the cloud

29:09 environment and then we're talking through yes it's inspected um still not doing any of these things in

29:16 terms of brokering or ztna of course we're doing multi-factor and yes we have some

29:22 endpoint posturing through the vpn system and then we have here uh third-party vendors and in this example is you know

29:28 siemens uh in a healthcare environment this could as easily be anything it could be an

29:34 office that has managed printers and a third party is managing the printers or any application environment or any

29:40 endpoints in the environment so now we're looking at okay so that's an on-prem model in this particular example

29:46 these things are living on campus right yes it's encrypted no we're not doing

29:51 those things i'm not really following least privilege because we're dropping them on a network that has access to

29:57 this but that network has access to other things as well so so that's the model of what we have so

30:02 this is kind of like i know it's very vanilla 101 but it's just a starting point to wrap your head around so then

30:08 you start to figure out what are the red flags here where's your low hanging fruit yellow flags orange flags maybe there's

30:15 some there's some stuff that jumps out at you now what matters here

30:21 is very organization dependent so when i'm doing consulting calls with my clients or i'm doing consulting calls

30:27 through IANS like the one thing we get asked all the time is

30:32 what is everybody else doing what is everybody else doing what is everybody else doing what are my peer organizations doing and we all hate that

30:38 because what works for one organization and what's appropriate for one doesn't necessarily translate to the other even

30:44 if it's the same industry even if it's the same size organization the network architectures the tools and

30:51 frankly the people resources they have vary so greatly so even all things being

30:56 equal if we walk into a shop and you've got like a hotshot cloud person or a hotshot this you're going to be able to

31:02 do things in your organization that another organization that doesn't have that talent can't safely do themselves

31:08 they're going to outsource it so we kind of look at this and then we get into making some

31:13 decisions about what the risk impact of that is and i'm not going to get into

31:19 that here but we start to assign values and it is we're taking something that's

31:26 that's qualitative and we're making it be quantitative so maybe maybe we get

31:31 maybe when we fix this that's 10 points of value and maybe when we fix that

31:36 it's it's five and maybe when we fix that it's three and so we can start to kind of have these these models of

31:43 measurements of instead of just percent completion jen hates percent completion for risk and security metrics i don't

31:50 care that you rolled out av to 80 percent of the endpoints i don't care that you rolled out multi-factor

31:57 to 72 percent which 72 based on from a risk profile

32:02 perspective right so i like risk-based metrics and impact-based metrics

32:08 so then you get into the actual solution mapping of you know these are the scenarios you saw from earlier

32:14 this is our access our network model and then what are some of the different solution suites

32:20 that could serve you here and then this is fun because obviously this is a truncated version of this exercise but

32:25 what you start to get into as you list through which of the alphabet soup can solve these problems and you prioritize

32:32 these problems that's where you start to figure out where the product overlap can happen because you can get product

32:37 overlap it's just you shouldn't look for the one silver bullet to solve all of your zero trust problems so now you can start to

32:43 see oh okay well like i showed you guys on that one screen with the six blocks and i said usually organizations have

32:49 three different solutions here and i just talked to somebody yesterday that yes yesterday that did four of those

32:55 blocks with one product and one deployment and yes it was painful but they did it so here's where we get into that mapping

33:02 uh and the nice part is instead of just sending off different teams to do

33:08 different things and each person or each group coming back with some product

33:13 and implementing it in a little bit of a silo and then realizing stuff doesn't work together and you're managing a bunch of tools

33:19 that's another challenge most organizations hit at some point this is nice because you can at least

33:24 take your top priority projects and see if you can kill a few birds with ones down there

33:32 so the one thing that has juniper on it so that you guys can kind of wrap your head around the context of what you can see

33:38 here in the booth from the sase and sse juniper just announced this this week

33:44 some of their additional solutions in that space the entire juniper secure edge

33:51 in the casb world ssr up here and then they do have cloud workbooks so one of the things i told you guys is

33:58 you're not going to find one product that does all three buckets

34:04 what you will find though is there are some manufacturers some vendors that do have different

34:10 products that solve each of those buckets and in some cases if we get back to that

34:15 user to resource and device to device use cases you're you're going to have a few products that

34:21 overlap those two things a little bit but what i'll tell you is that from having worked in that space for a while

34:28 where we are right now it may change where we are right now the the solutions that do user to resource

34:34 very well do not do device device very well and vice versa so it kind of depends on which one is

34:40 your cheeseburger and which one is the prize on the side with that um so as as we mature as the technology matures

34:48 we're going to get to the point where those things converge a little bit but don't be shy and don't look for one one specific product to solve them all

34:56 all right i've been talking a lot that's all i have for you guys in terms of slides thank you for your time and

35:02 i'm happy to answer questions
