Hello, I'm Steve Nunn, President and CEO of The Open Group. Welcome to Toolkit Tuesday, where we highlight the various components and leading experts of the Architect's Toolkit, a collated portfolio of the most pertinent technology standards for enterprise architects. During the series, I'll be calling on a number of recognised experts who will bring their particular insights on how to most effectively use the various tools in the Architect's Toolkit. We'll have a mix of interviews, panel sessions and pre-recorded presentations along the way. While all standards of The Open Group are designed so they can be adopted independently of one another, the greatest value for an organisation can be derived when they're used in unison. The sum of the parts should be greater than the whole. In the Architect's Toolkit, we have collated a portfolio of the most pertinent ones for architects, together, all in one place. For most of these tools, certification from The Open Group is also available, so practitioners can demonstrate that they have the skills required and recruiters can take the guesswork out of the recruitment process, all backed up by our Open Badges programme.

Hammer time. OK, not a golden hammer story, but actually for once giving the hammer some much needed credit. Hammers hit nails. 99% of the time it works. Sometimes the nail can bend, the wood split. A simple online search using the terms "hammer innovation" will show up a variety of weird and wonderful ways you can improve the process and the tools. But fundamentally it works most of the time. So, my point. How much time do we, as architects, spend seeking to improve the hammer, the tool? There's an argument that a bent nail is actually the thing to look at. Maybe we need improved nails rather than hammers. But actually what I'm really getting to is this. All this hammer or even nail innovation actually gets in the way of looking at the really important part.
And that is worrying about what it is that we want to do with what we are actually constructing. The business outcome.

Welcome to Toolkit Tuesday, everybody. I hope wherever you are you're keeping safe and well. Great to have you with us today. Thank you for taking time out of your day. And thank you upfront to Paul Holman of IBM for another great EA minute. And I never thought I'd, as a Sheffield United fan that Paul is, I never thought he'd talk about the importance of hammers. And that's given I'm a West Ham fan, and that's great to hear, Paul. Thank you for that. Couldn't resist it.

Welcome wherever you are. As I say, the topic today is zero trust and the importance of it. And we have two great speakers to take us through that. Before we do, just a quick word on how we do questions, a bit of housekeeping. Please use the Q&A channel to ask questions of our presenters today. That's where I'll be looking to see if any come in. Usually there are plenty. We won't get to all of them possibly, but please, please use the Q&A channel. To get to the Q&A channel, if you don't see it already on your screen, click the three dots in the bottom right hand corner of your screen and that will give you the option to click on Q&A, and there you are. You can ask the questions that way. Please use the chat channel, and some of you already are, I see, to communicate with the other participants in the broadcast today. We love hearing where you're all from; you'll see some of that happening. So please use the chat channel for that and the Q&A for questions.

So just before we dive into today. Two weeks ago, we had something a bit different on Toolkit Tuesday: we were able to join our TOGAF User Group live from Edinburgh. So if you haven't seen that recording yet and you weren't able to join us either live or in person there in Edinburgh, then please do go look at that.
There were some great presentations during that, and the first two of the TOGAF User Group we captured for our Toolkit Tuesday audience.

So moving to today, zero trust, and we have, as I say, two great speakers to introduce it. The first is my colleague, John Linford, who is the forum director for two of our forums here at The Open Group, our Security Forum and our Open Trusted Technology Forum. And John supports the leaders and participants of those forums in utilizing the resources of The Open Group to facilitate collaboration and follow The Open Group standards process to publish their deliverables. Joining John today, and in fact starting off the presentation today, is Nikhil Kumar, who represents the Architecture Forum as the Zero Trust Architecture Working Group chair. Nikhil is the president and founder of Applied Technology Solutions, Inc., a visionary organization creating the future of technology solutions. We're in good hands on the subject today, folks. So a warm welcome from Toolkit Tuesday please to John Linford and Nikhil Kumar.

Thank you for having us, Steve. Welcome. Zero trust, as we kick off this conversation, is really one of the most important things that I see when I speak to folks who are dealing with information security and digital transformation. And so today we're going to talk about it. We're going to take this opportunity to introduce some concepts and kind of start answering the why: why are we doing this? And this is the kickoff for a number of different webinars that we'll be talking about, and John will give some insight on those. John, do you want to add something to that?

No, I think you covered it. So let's just go ahead and get going. As with any discussion, it makes sense to define what it is we're talking about. So critical to us is defining, first of all, what is zero trust and what is zero trust architecture. Zero trust is an information security approach that focuses on data and information security.
And this is across the lifecycle of that data, the entire lifecycle of that data asset. And yeah, you should have that security there on any platform and any network. It's not just data and information. We also need to consider all of the other assets in your environment as well. And you also need to make sure that you've got that asset security across the lifecycle of the asset as well. When we talk about zero trust architecture, then we are looking at how you actually go about implementing your zero trust security strategy. So critical here is that you need to have well defined and assured standards, such as those that we're providing in The Open Group through the ZTA Working Group, as well as technical patterns and guidance for organizations.

It's important to realize that zero trust is the information security framework for the digital enterprise, and that's important to understand from a perspective, especially for those who are senior leaders in the security or in the enterprise architecture space. It's important to realize that this cross cuts across the enterprise and it's not just one product, one solution, one little bit thing somewhere. This is across the board. And so we'll talk a little bit more as we go through the presentation, but that's just as a context to remember.

So how did we get here? Well, zero trust isn't exactly a new concept, even if the term has become kind of the hot word of the 2020s, the beginning of this decade. If we look back to 2004, late 90s, early 2000s, that's really where these ideas got started. Back then we had kind of two conflicting approaches to this. We had network access control architectures, sort of your traditional castle and moat approach where you've got really strict security on the outside, but once you're in, you're kind of free to move around. On the other hand was the Jericho Forum, which put out, in their Jericho Forum Commandments to all the additional publication, the notion of de-perimeterization.
So back in the early 2000s we had one group focusing on the fact that, yeah, maybe your network isn't the end all be all of security and you shouldn't just trust that when they're inside, they're only going to do good things. Moving forward then, in 2010 we had Forrester, through John Kindervag, coin the term zero trust. Even if it came into popular use in the early 2020s, the term's been around for a decade or so now. Then moving forward to 2014 we had Microsoft advocating for assume breach as well as for assume continuous growth. So you've got to be able to keep up with the enterprise as it grows, but you also need to account for breaches happening and having happened. If you're looking at an attacker being in your network for, say, 60 days, you need to be able to continue on even with that presence there. We also had the Google BeyondCorp publications happen around this time, focusing on being able to work anywhere. We then get moving forward to 2016, conditional access, looking at being able to meet these evolving and adapting business needs, to where we are today with ongoing initiatives around zero trust and passwordless access, and work on zero trust from a variety of sources, including The Open Group, NIST, the World Economic Forum and the US executive order. That's about a year old now.

Just to add a little comment there. How many of you maintain a file or scratch pad where you write your passwords down? Just kidding, but that's true, even today. And that's one of the reasons why we move towards multi-factor authentication and passwordless initiatives. And as you'll see, what happened is this zero trust journey really sort of started, in our context, in 2018, when we had a cup of coffee with me and Jim Hietala and we said, oh, well, we need to do something because this is something we're seeing across the board. And it started really taking off and we started the whole Open Group activity. We authored the Zero Trust Core Principles.
That is a very similar piece of work. I strongly recommend anyone who's on the call for attend and see it. Read it. And we worked closely with NIST at that point of time, and that core principles translated out in the US CEO executive order by President Biden work now almost a year or two ago. And that led to the larger adoption of zero trust. And as John has spoken, he's talked about all these different attributes. I think you can move on, John, and we'll talk a little bit about the with them.

So, you saw in the last slide all the different reasons why we're doing zero trust, right? And, you know, we're like, okay, this has been our evolution. Why is there that evolution? Why is zero trust important today? It's because we're dealing with changing business models and drivers. The first distributed sales company, I would say, in the world, at least in the way we know it: you know, the Sears Roebuck catalog was available in any pioneer town and it went along with the stage coach. So it didn't change because when shift occurred to the digital era, Sears struggled with it. And the classic enterprises have all struggled with that transformation. Institutional knowledge became irrelevant or became obsolete very rapidly. Channels of communication changed very rapidly. The relationships between partners, influencers, sales channels, your vendors and your own subsidiaries started evolving very rapidly. And that led to an evolving ecosystem. You need it. You're dealing with a continuously changing technology landscape, the cloud, artificial intelligence. Things are changing continuously and you have to deal with all these new assets, entities and growing complexity. Regulatory, geopolitical and cultural forces have really started changing the dynamic. Think about GDPR or, on the other side of it, the concept of privacy in China for global corporations. They're both impacted by that. Globalization, de-globalization are shifting to and fro very rapidly.
Who would have thought about a war in Europe, right? So these things occur and are occurring at a dizzying pace as things change. Disruptive events like COVID and the 2008 crisis also have been really unpredictable and coming out of the blue. Finally, the shift to remote work started before, as BeyondCorp started before, well before COVID, but got accelerated by COVID, and organizations are understanding the value and allowing people to have a better lifestyle, you know, and the quality of life and the ability to do these things. So these were the founding reasons, the fundamental reasons, in this new digital era, why we need zero trust. And you know, as we go to the next slide, we'll talk a little bit more about what does that really translate to?

It translates to zero assumed trust. Let's take that as a cornerstone, right? It doesn't mean that you don't trust anything. But you don't create those bars. And then, like John mentioned earlier, once you're inside those bars, you can do whatever you like. And that's how we got so many breaches. But you say that, look, we transferred that security to the asset. And that allows us to deal with those things which are important in this digital era: complexity, velocity and disruption. So those assets that you have, if they're protected at the asset level and the relationship is between the consumer and the asset, then that really helps you to define things in terms of policies. Again, that becomes adaptive access control.

Data centricity. You know, breaches occur all the time. We know it, and they have been occurring with a greater crescendo as the threat space keeps growing, right? So data centricity becomes important. If I use techniques such as tokenization, homomorphic encryption, et cetera, based on what is acceptable, et cetera, I can basically reduce the value of the business value of the assets being stolen to the attacker. And so that enables us to operate much more effectively, right?
And you can basically move much faster. Some standards organizations and some entities, industry groups, have already started moving on that. PCI started long ago. And this allows us to reduce the threat space, another cornerstone, right?

Finally, assuming breach. Well, you have up to 60 days in some lines of business, for example the higher ed sector, for which the attackers are on your network planning an attack; after 60 days they launch their attack. So they know everything. They probably monitor the network as well as you do. So you need to be able to easily and quickly throttle down the blast radius, reduce the impact and the scope of the attack. You need to be able to apply least privilege. Software engineers have done that for the longest time. We always liked the Law of Demeter and said, okay, we encapsulate and know your neighbor. We need to do that in information security. Least privilege is an old information security concept. But now it becomes across the board, enterprise wide. You need to think about phishing training. You need to build out systems. You need to gamify what you do. All these things now are necessary in order to work in this new modern digital enterprise. And as we go to the next slide, we'll show you how, when we talk about zero trust has been a strategy, how do we get there?

So at the top low role, you'll see business assets, threats and risk. And basically, this is about the business. So those business assets and the threat space in which you operate determine how you build your security architecture. Risk is how you kind of gauge what is acceptable and not. And that translates down to capabilities, to a roadmap and operating model. And so these zero trust capabilities allow you to align with what you do. The mission and vision aligned with your organizational business mission vision, with your technology mission and vision, and with your security overall enterprise mission vision, if there's any gaps there.
The roadmap is how you kind of roll this out. It's a strategy that you're implementing, and the operating model is basically about what kind of a company are you, and what's your company structure and how does the business operate. Otherwise you're kind of swimming against the tide. And you'll see down below we have design and build, and how do you actually translate that your enterprise and solution architectures and make that roadmap real. And how do you deal with the people? You know, there are folks who are going to administer things, there are folks who are going to build things out. How do you make it more efficient? How do you deal with a continuous change?

And The Open Group has actually initiated a lot of industry standards and activities to enable that, after what we did with the core principles of the commandments. And those are a risk model, a zero trust implementation model using a three pillar model structure. There's an information security model coming out focused on zero trust, and there's a zero trust reference model. And these different things will be coming out in our standards process. I think a snapshot is due in the spring or summer of next year. And that'll really help people start translating this to reality. So we are providing that. Successive of how to execute. John, if you want to go to the next slide.

So you've heard a little bit about what's coming, a little bit about sort of what that end state looks like, but how do you start to move toward that? And that's where you can take advantage of what we have already done. Chiefly here, we're looking at the Zero Trust Commandments. These commandments, we acknowledge, are in many cases aspirational. Which ones you prioritize is going to depend on the type of organization you are and the types of goals that you're trying to implement. But we also need to point out that these are guardrails. So these aren't hard, strict, fast absolute rules.
We're not saying go the complete opposite direction and do whatever the heck you want. Instead you should use these commandments to help influence your decisions and guide you through your journey towards zero trust, especially as you're going through your digital transformation. So these provide that shared vision and shared understanding. These are something that you can print out, the single page version of these, and plaster your walls with them. Use these to get everybody on the same team with where you are going.

And we've covered a couple of these topics a little bit already. There are a few others that we want to call out. Chief among these is enabling pervasive security. You want everybody in your organization on board and part of the team sport that is, in this case, cybersecurity. So you want these zero trust norms and cultures integrated throughout your entire organization. We've already touched on utilizing least privilege, but we do really want to make sure that that is there and that you are removing privilege as soon as it is no longer needed. We don't want to see these privileges continue through people as they move throughout the organization. If you really no longer need access to something, you shouldn't have that access anymore. And then of course we want to try to simplify security as much as possible. And we want it to be sustainable. We want people to be able to use the security that is in place to accomplish their jobs, to achieve their goals, and not feel like they need to try to get around the security measures that are in place. We want to avoid shadow IT and we want people to be able to work efficiently and effectively. We want security to keep up with the agility of the organization as it proceeds and progresses and adapts. Anything you want to add here?

Sure.
So I think what I would always like to call out is that while these are aspirational, when you start and execute your zero trust journey, always think about the commandments as those guardrails, which allow the entire enterprise to align together, to make it into a simple communication across the enterprise, as John put it. The thing that you stick up on your wall or on your virtual wall so that you can, you know, actually look at it and say, hey, you know, are we doing these things? And this should be in your security communications that go across the enterprise as we move forward.

Perfect. So, what's coming? Well, Nikhil teased at the beginning that we do have a series of webinars planned. These are in the works, in development. We don't have an exact timeline for these just quite yet. So watch this space to hear more about them. Keep an eye on communications from The Open Group, but we are planning at least four more, more in-depth focus areas here. So on the drivers, requirements, capabilities and our work on that zero trust reference model. So you'll be able to learn more about that risk model, the ISM model, as well as the corresponding architectural capabilities and building blocks that go with them. We have one on identity and access management. Lots of chatter in the space about how, theoretically, that's all zero trust is. It's not all zero trust is, but identity and access management are absolutely foundational to zero trust. We then have one planned around zero trust security operations. So tying your modern security operations into your zero trust architecture. And then as well, one planned around zero trust and the hybrid of everything environment. So these should be good, more in-depth topics. You also already have full access to everything that we've put out and published. So our Zero Trust Core Principles white paper and the Commandments guide.
We have a previous webinar that goes into much more depth of those Zero Trust Commandments, and that top link there will take you to an overview of what the ZTA Working Group is actively developing right now. Chief among these is the zero trust reference model, for which we are taking that snapshot approach. So as Nikhil said, we're expecting that first iteration to come out early to mid next year. We also are now working at actually consolidating the core principles and the commandments into a standard around which ideally we'll be able to build an individual knowledge based certification program. So keep an eye on this space, and if you are a member of either the Security Forum or the Architecture Forum of The Open Group, or if your organization is a Gold or Platinum member of The Open Group, you can start participating with us right now. For contact information, for when these slides are made available: we both absolutely welcome you to reach out to us via email or to connect with us on LinkedIn. And at this point, I think we're happy to take some questions.

John, Nikhil, thank you both very much. And I know how hard it is to cover a topic as broad and important as this in a short time, but you've given us a great baseline. So thank you very much for that. And so a few questions. One of the things that is difficult about zero is, and you've kind of alluded to this a bit, it's kind of everywhere. You know, it's mentioned everywhere and it's a little confusing to some to say what is zero, what is zero trust architecture. So what's causing that confusion?

If I was a network provider, building on that network access model, and I was selling product for that, what would I define zero trust as? Defined it in the context of zero trust segmented networks, right? Right. So there is some of that legacy. There's also the cause there hasn't been the ground rails and the structure and the terminology, and the space was not properly defined.
That's also been a cause for that confusion, because everybody kind of defines it the way they would like to that. Right. And so that's why, for example, the core principles paper was so pioneering, because it started setting the stage. That's why it translated into that executive order. It started laying that groundwork across the world. And that's why we're doing some of the things like we're thinking of glossaries and standard reference models. That's helping sort of clear up the cobwebs and clearing up the, you know, whatever I want zero trust to be is what it is today. Right. So, John, if you want to add.

Just to kind of continue what you were saying: we are seeing some clarity start to come in here and continuously seeing now people say that zero trust is holistic in nature. It's not just zero trust network access. I know that that term, zero trust network access, used to be kind of the hot word to get around to doing full zero trust. But I'm also now starting to see it used as kind of an intermediary stage. So people are saying you move from your current stage to having zero trust network access to your end goal of a full zero trust architecture.

Right. Okay. A question has just come in. Are you aware of any key findings from zero trust assessments and audits conducted and published in 2022? Or, a second part of the question, as cyberspace hacking has advanced as well, are there any key pointers to enterprise zero trust initiatives?

So, let's go with both of those questions. You know, again, there's been a bit of buzz, and we actually have conducted, and I don't exactly know, John and I would probably circle back on when we will publish that, a survey that we did. We studied both the industry and the academia and provide on the product vendor side too. So, there were some really interesting things that came out of that.
It was a lot of alignment, for example, and things which frankly I didn't expect, like effective computing being important for people. The need to be able to incorporate zero trust in different areas. The shared vision of it, of the department position of things. Things which are a radical change for the traditional security architect and frankly the, you know, the tech side to enterprise architects. The other thing to call out was we've started laying the foundation, right, so we're starting to make. Sorry, what is the second part of the question, Steve?

It was, it was basically as cyberspace hacking as well.

Right. So, right. So there are major initiatives. I mean, I mean, I can give out individual customer information, but there are major initiatives which are going on across both in the industry as well as in the government sector, the different agencies, to implement zero trust. And a lot of what we've talked about today organizations are rapidly pursuing: how they're doing the modern SecOps, how they're implementing data centricity, how they're shifting to asset level assessments, how they're preparing for blast radius reduction. There's a huge adoption of that going on across the industry. Now, the part of that is obviously the velocity; standards are needed. And that's part of what The Open Group is really engaged in, because people struggle. How do we actually define this, right? And that's why we're putting down the three pillar models. So how do I actually execute on these things? And so, these are all things that we're seeing at least in the industry. I'm seeing a lot of movement on it right now. I would say zero trust is starting to come of age. There's a huge movement in it. We will see more, I'm sure.

So, we're nearly out of time, but when I'll, I'll come to you first on this, John: how do the deliverables that you're working on here on zero trust kind of integrate into the broader works from The Open Group?
Next question, we are actively following what's happening in the Digital Practitioners Work Group. We're making sure that what we put out takes into consideration the glossaries and roles that they are already developing. As Nikhil said, we're planning to integrate our own specific zero trust definitions into that now snapshot version of the glossaries and roles document. But then as well, I know that there are security consideration areas in the DPBoK, the Digital Practitioners Body of Knowledge. And we absolutely plan to incorporate zero trust work into that. And then of course, the TOGAF Standard. So making sure that anything we put out on architectural principles, capabilities, building blocks, we're making sure that everything aligns with the TOGAF approach to these things so that there is harmony. These can be actively used together.

Great stuff. Thank you. And I know that in the presentation, which will be made available on The Open Group YouTube channel, there are some links to the documents that you referenced. Another way to get them is to go to The Open Group homepage, opengroup.org, and go to the library on the top bar across there. Go to the library and you'll find them in there. And also, to mention, there are some questions coming in, particularly around use of zero trust in the healthcare industry and things like that, which we can't get to in the interest of time. But your contact details are in the presentations and I'm sure you'll be happy to take those questions if any members of the audience contact you afterwards. I'm sure you will.

Absolutely. One question, Steve, is, I think a lot of folks have asked about being able to access the webinar before and after, and I think maybe you can respond to them.

Yes, absolutely. And that, well, it will be available on The Open Group YouTube channel, this recording and the slides, and therefore all the links will be there.
So people both who are here who want to go back and see those, and some people who've registered and will look at it in a time zone more amenable to them, will be able to get that. And when we come to the webinar series that you've sorted, as John said, look for more information from The Open Group on those, because that's going to be a great series. But for now, folks, we have to respect people's time on Toolkit Tuesday, including the two of you. So thank you very much, John Linford and Nikhil Kumar. Appreciate it.

Thank you for having us. Thank you.

And so that's it for this week. In two weeks' time, we will shift our focus to the ArchiMate modeling language, and the tip of the iceberg: what to expect and what's next for the ArchiMate 3.2 specification. And to do that will be my colleague Kelly Cannon and Leo Smarties from the architecture forum to the ArchiMate Forum here at The Open Group. So that's two weeks' time, November the 15th. Thank you all for being here today. Those of you with questions that we didn't get to, I hope they will be answered by our speakers. I know they're always very, very keen to do that. So I think you can expect that. Thank you for joining us and taking time out of your day. I'm Steve Nunn. This has been Toolkit Tuesday.