Everybody, welcome Frederick Coutts. Thank you very much for coming. He's going to give our second keynote. He is joined by Ed virtually, in heart and in spirit. I was not able to make it out over here. I just want to make sure you can hear me OK? Perfect.

So we're going to talk a little bit about the economics of zero trust. So when people think of economics, they usually think of things like supply and demand. But while that is important, I want you to consider for security the concept of risk and reward. So when you're starting to look at, should I make an investment? Should I make a particular move? Should I get up and drive to my work? You're saying there's a risk involved. You're making an informed decision for the possibility of receiving a specific reward.

So what you need to look at when you're starting to look at zero trust is what is in it for the attacker, for the person who wants to break into the system? While there are people who are doing it for exposure or so on, most of the advanced persistent threats that we see, or also the people who are looking at running script kiddies or similar, tend to be the people who are looking for some reward. They want to go mine Bitcoin, or they want to go X or trade something out. And so you have to look at what is the reward of breaking into a given system? And in deciding whether they want to break into that system, they're going to look at what is the risk? Like what is the chance of me being caught? If I am caught, then what is the penalty for being caught? Like does being caught mean I just get kicked out of the system? Pretty low risk, versus police show up at your house and arrest you, much higher risk. And then based upon that, you want to look at what is the opportunity cost with that?
So when you start looking at advanced persistent threats, even they have to look at the total cost, because we think of them as having this massive quantity of resources, certainly more than most individuals have. But when you start to look at, if you're a nation state looking to see about attacking a specific target, even nations have limited resources and they have to consider, well, if I spend time focusing on a specific area, then those same resources cannot be applied in other places. So even with them, they have to consider the opportunity cost.

So when you start thinking from a defender's perspective, you have similar things as well. Like what is the value of what I'm protecting? Like what is the value and opportunity of what we're trying to do? And what is the risk attached to that as well? So in risk, when you start looking at that risk, you're looking at not only what is the impact, but also what is the likeliness that something is going to happen. And you tie this down to how much value is lost when an incident occurs. That value loss is what's called an exposure factor. And so these are the type of things, when you're approaching it from the defender side, that you tend to look at.

So the cost to the defender: when you're working with infosec teams or security teams, you very often see this particular formula or some variation of this. I have an incident that happens. What is the value of that particular system? And what is the exposure factor? Remember, how much loss is there? Or what is the penalty if there is an incident that occurs? So for a single event, it can be difficult to quantize this, but at the same time, this is something that people will spend the time trying to work out, like across all of my infrastructure, if I lose a hard drive, what is the value of that? If a microservice is broken into, what is the value of that and what is the value lost? Or what are the additional penalties?
And then how often is that going to happen over the year, which gives you the annualized loss expectancy? So over a given year, we can expect to lose this much over various incidents and so on. And that gets us down to the final thing, which is the real value of the thing you have is not just the value itself, but the cost of maintenance, the cost of what happens if there's a security incident over time. What is the loss in that? So when you start talking with infosec people, they're looking at it using this. Like if you go and take a CISSP exam, this is literally the kind of stuff that they're looking at, these types of values.

And so as developers, what we have to consider is what is the cost of what we are producing? It is not just the cost of development, but what is the cost of operations? What is the cost of management? And if we cannot keep this cost of management down, then they're not gonna take our products. If the cost of SPIFFE and SPIRE or the cost of Zero Trust is too high, then it's not gonna be applied. So we have to consider that as a whole.

And so in Zero Trust, there's three primary areas that we can focus on where we can apply our efforts. The first one is identity, which everyone here, I assume, you've bought into or you're here to learn. Congratulations. The second part is policy. So identity and policy are two different things. People often will conflate them, say authentication and authorization. Actually, you wanna keep the two of them as two separate ideas. Authentication informs authorization, and authorization makes the decisions, not the authentication. So we have the second thing here, policy. What can we do? The third one we have is control. It used to be listed as automation, but it turns out there's a much more fundamental concept. Why do we automate? We automate so that we can control things at scale.
So we want to make sure that we can control what we are doing and make sure that we loop in the humans at the right moment, so we can make decisions that get automated across the system. So whenever you're focusing on Zero Trust, you wanna focus on these three particular items and make sure that you establish a good foundation for each.

So we focus on identity. If you establish a good identity story, that can become the foundation for the rest of your system. And what policy should I apply? Attach them to the cryptographic identity, attach them to something like SPIFFE. And over time, that identity becomes very robust, because if you think about how we identify systems today, we identify them based upon IP and port combinations in most environments. You look at the network access control list, they're IPs and ports. They're not looking at what cryptographic identity you brought to the table. So this needs to change, because if we can move away from IP addresses and ports towards cryptographic identities, that means we can write policies that are declarative, where we're able to say these systems are allowed to talk to that system, and they become much more robust. You can actually re-IP your entire system underneath and it continues to work. You're able to connect to other companies who are running a similar system and say, okay, I'm gonna bind to this CA. I'm gonna bind to this specific set of identities in the other environment, which allows you to treat internal and external systems with the same policy engine. So the difference is no longer technical, how do you treat internal and external. It becomes what is my policy that I can drive? And this becomes incredibly important for multi-cloud and hybrid, because if you think about SPIFFE, SPIFFE becomes an identity you can use everywhere. Everyone can land an estimate if you can pass the attestors.
So if you've ever worked in an Amazon environment, you have things like the document identity, or if you're in Google, you have things like workload identity. It ties you to the IAM account of those environments. They don't nicely jump over from one to the other, or if you're running in hybrid. So if you use those to attest into a SPIFFE identity, and that SPIFFE identity becomes like water, like dial tone as was mentioned in the previous talk, then this becomes something that you can rely upon across the infrastructure. And that means that when you have a workload that you need to drive and you need to work out what you wanna do with it, you're not asking low-level questions like what cloud am I on? What security things have I tossed into that? You're saying I have drew the issuance of this identity and continuous maintenance of that identity. You are attesting that this particular identity meets your requirement.

So one last part as well is that we also wanna focus on open source standards, because when you drive down the cost, this is something that can become very expensive, especially when you end up with a lot of different identity, a lot of different types of identities. So we wanna focus on open standards that allow us to amortize the cost of the maintenance of identity across multiple groups, across multiple end users who can amortize across themselves. So for example, we ended up putting together support for AWS KMS. Now anyone can use it. Now anyone is able to rely on that. And many changes that people make in other orgs will get the use of that as well. So it also helps you reduce the reliance on a single vendor. And as the community matures, you also find that that will give you the talent, that you'll see the talent begin to increase.

So with that, that comes to the end of my presentation. So I wanna thank you all for coming over and learning and for collaborating. And we will see you throughout the rest of the conference. Take care. Thank you.
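The risk arithmetic the talk walks through (asset value times exposure factor gives the single loss expectancy; times the annualized rate of occurrence gives the annualized loss expectancy) is worked out below as an added example; this is not code from the speaker or from the SPIFFE/SPIRE projects. The asset figures, the rates and the control cost are constructed for illustration, and the `control_benefit` function goes one step past the talk by netting the ALE reduction a control buys against what that control costs to run each year, which is the "cost of management" the talk says decides whether a product gets adopted.

```python
"""Annualized loss expectancy (ALE) arithmetic, as an added worked example.

SLE = asset value * exposure factor      (loss per incident)
ALE = SLE * ARO                           (expected loss per year)
All monetary figures are in arbitrary currency units and are constructed.
"""
from dataclasses import dataclass, replace
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # business/replacement value of the asset
    exposure_factor: float  # fraction of value lost per incident, 0.0 .. 1.0
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset: Asset) -> float:
    """SLE: how much value one incident against this asset destroys."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError(f"{asset.name}: exposure factor must be between 0 and 1")
    return asset.value * asset.exposure_factor


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE: expected loss per year = SLE * ARO."""
    if asset.aro < 0:
        raise ValueError(f"{asset.name}: ARO cannot be negative")
    return single_loss_expectancy(asset) * asset.aro


def portfolio_ale(assets: Iterable[Asset]) -> float:
    """Sum of ALE across every asset the defender is responsible for."""
    return sum(annualized_loss_expectancy(a) for a in assets)


def control_benefit(before: Iterable[Asset], after: Iterable[Asset],
                    annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its yearly running cost.

    A positive result means the control pays for itself; a negative result is
    the "cost of management too high" case the talk warns about.
    """
    return portfolio_ale(before) - portfolio_ale(after) - annual_control_cost


# Constructed sample portfolio (hypothetical values, not from the talk).
BEFORE = [
    # A microservice holding customer data: a breach loses 40% of its value,
    # and we estimate one such incident every two years.
    Asset("orders-service", value=500_000, exposure_factor=0.40, aro=0.5),
    # An unencrypted laptop drive: total loss of the data on it, twice a year.
    Asset("field-laptop-drive", value=20_000, exposure_factor=1.00, aro=2.0),
]

# The same assets after a hypothetical control (workload identity plus policy
# for the service, full-disk encryption for the laptops).
AFTER = [
    replace(BEFORE[0], aro=0.1),            # far fewer successful intrusions
    replace(BEFORE[1], exposure_factor=0.1),  # stolen drive now mostly useless
]

ANNUAL_CONTROL_COST = 60_000  # constructed: licences, operations, staff time


def example() -> dict:
    """Return the figures a defender would put in front of the budget owner."""
    return {
        "sle_orders_service": single_loss_expectancy(BEFORE[0]),
        "ale_before": portfolio_ale(BEFORE),
        "ale_after": portfolio_ale(AFTER),
        "net_benefit": control_benefit(BEFORE, AFTER, ANNUAL_CONTROL_COST),
    }


if __name__ == "__main__":
    for key, val in example().items():
        print(f"{key:>20}: {val:12,.2f}")
```

With these constructed numbers the portfolio's expected annual loss falls from 140,000 to 24,000, so a control costing 60,000 a year still nets 56,000; change the control cost to 120,000 and the same function shows the control losing money, which is the adoption problem the talk describes.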
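The talk's point about writing policy against cryptographic identities instead of IP and port combinations is shown below as an added example; it is not code from the speaker or from the SPIFFE/SPIRE projects. It assumes workloads present a SPIFFE ID of the form `spiffe://<trust-domain>/<path>` (the standard SPIFFE URI shape), uses a hypothetical `Policy` class whose rules are glob patterns over source and destination IDs, and keeps a plain IP:port allow-list beside it so the re-IP scenario from the talk can be compared directly. Trust domains, paths and addresses are all constructed.

```python
"""Declarative allow-list keyed on SPIFFE IDs, contrasted with an IP:port ACL.

Added example. Assumes SPIFFE URIs shaped like spiffe://trust-domain/path;
the Policy/Rule classes are hypothetical and not part of any SPIFFE library.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Set
from urllib.parse import urlparse


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str

    @classmethod
    def parse(cls, uri: str) -> "SpiffeId":
        """Parse and validate a SPIFFE ID; reject anything that is not one."""
        u = urlparse(uri)
        if (u.scheme != "spiffe" or not u.netloc or u.port is not None
                or u.username is not None or u.query or u.fragment):
            raise ValueError(f"not a valid SPIFFE ID: {uri!r}")
        # Trust domains are case-insensitive host names; paths are not.
        return cls(u.netloc.lower(), u.path)

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


@dataclass(frozen=True)
class Rule:
    source: str       # glob over the full source SPIFFE ID
    destination: str  # glob over the full destination SPIFFE ID


class Policy:
    """Allow-list over identities. Authentication (who presented which ID)
    is assumed to have happened already; this class only makes the
    authorization decision, keeping the two concerns separate."""

    def __init__(self, trusted_domains: Iterable[str], rules: Iterable[Rule]):
        self.trusted_domains: Set[str] = {d.lower() for d in trusted_domains}
        self.rules = list(rules)

    def allows(self, source: str, destination: str) -> bool:
        src, dst = SpiffeId.parse(source), SpiffeId.parse(destination)
        # An ID from a trust domain we have not federated with is never allowed,
        # whatever the rules say.
        if src.trust_domain not in self.trusted_domains:
            return False
        # NOTE: fnmatch's '*' also matches '/', so "sa/*" matches deeper paths;
        # a stricter matcher would split on '/' and compare segment by segment.
        return any(fnmatchcase(str(src), r.source) and fnmatchcase(str(dst), r.destination)
                   for r in self.rules)


# Constructed policy: prod web workloads may reach prod db; a federated
# partner's batch job may reach the reporting service. Nothing else.
POLICY = Policy(
    trusted_domains=["example.org", "partner.example"],
    rules=[
        Rule("spiffe://example.org/ns/prod/sa/web-*", "spiffe://example.org/ns/prod/sa/db"),
        Rule("spiffe://partner.example/sa/batch", "spiffe://example.org/ns/prod/sa/reporting"),
    ],
)

# Constructed IP:port ACL for the same intent, written the way most network
# access control lists are written today.
IP_ACL = {("10.0.1.10", 5432)}  # db accepts only the web pod's current address


def ip_acl_allows(src_ip: str, dst_port: int) -> bool:
    return (src_ip, dst_port) in IP_ACL


def reip_scenario() -> dict:
    """The web workload moves from 10.0.1.10 to 10.0.7.33 (constructed)."""
    web = "spiffe://example.org/ns/prod/sa/web-frontend"
    db = "spiffe://example.org/ns/prod/sa/db"
    return {
        "ip_acl_before_move": ip_acl_allows("10.0.1.10", 5432),
        "ip_acl_after_move": ip_acl_allows("10.0.7.33", 5432),
        "spiffe_before_move": POLICY.allows(web, db),
        "spiffe_after_move": POLICY.allows(web, db),  # identity did not change
    }


if __name__ == "__main__":
    for k, v in reip_scenario().items():
        print(f"{k}: {v}")
```

The identity-based decision survives the address change because the policy never mentioned an address, and the partner rule shows the talk's point that a federated trust domain is handled by the same engine as internal workloads: only the trust-domain list and a rule differ, not the mechanism.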