 We're switching gears a little to zero trust architecture, and we're going to get a great kick off today from our first speaker on this topic, Nikhil Kumar, who is president of Applied Technology Solutions and a longtime member of the Open Group. Nikhil is founder of Applied Technology Solutions. His areas of expertise include digital transformation, security, SOA, cloud computing, Internet of Things, and enterprise architecture with extensive experience in the insurance, finance, and healthcare sectors. His other focus and passion is in precision medicine and life sciences. Today, Nikhil will have an introduction to zero trust architecture. So without further ado, a warm welcome from the Open Group. You'll have to imagine it, Nikhil, but warm welcome from the Open Group and over to you. Thank you, and thank you very much Steve for that excellent introduction. And without any further ado, I will get into talking about zero trust. So change is hard. And when we, as companies in the world, deal with digital transformation, change is really disruptive. It's all pervasive. It's changing how we do business and our business models. Dealing with this change requires risk and security to be dealing with growth and operation. So it's not sufficient to be able to run the business as is. It's not sufficient to be able to continue evaluating risk, to be continuing conducting audit as is. So these are critical things which are different from our traditional role as security experts and as organizational security teams. Change is pervasive. Almost everything that's happening in the digitized world today is impacting how we all do business. Change is driving how we deal with manufacturing. For example, industry 4.0, Andra spoke very well about how we deal with evolving supply chains. How, for example, in the retail sector, Sears Robux and Company, which is there for almost 200 years, shifted from being a catalog company to a bricks and mortar organization. Today is struggling to adapt to e-tailing. This continuous change is driving key, shows some key characteristics and is driving the way business is done. It's characterized by its velocity. It's extremely rapid. Business models change. Standards change. It's characterized by its complexity as we move to new technology platforms, as we move to evolving relationships. Organizations have to change the people process and technology to deal with this. And why does this matter? Because as we talk about velocity complexity and disruptiveness, traditional business models and traditional security models will change. These drivers include multiple channels and omnichannel communication. A very rapidly evolving ecosystem of partners, public and internal actors. So today's client is working from remote. He doesn't come into the office anymore. He doesn't come into your store anymore. Today's client is connecting over a laptop, on the phone, over an audio device. Today's client could be an artificial intelligence agent. It could be something using effective computing or HCI in order to create intelligence user interfaces. These ecosystems and relationships are rapidly evolving and they are a different aspect of this transformation that we see. Today's business partner is tomorrow's supplier is the afters entity which is incorporated within the company. Today if we have, for example, in the utility sector, if we are dealing with somebody providing green energy and John across the street is connected his device and speeding his data back into the grid, his electricity back into the grid. There are limited controls that you can have on the security of his device. So how does your net, how does your environment, how does your network get impacted? So in this evolving era, we have a new ecosystem and environment that we need to prepare for. Geopolitical and regulatory changes are also disrupting what we do. They're driven by two things. Some of them may be geopolitical. The other is also driven by the fact that finally we're starting to see the internet and technology in the world starting to mature a little bit. So where in the past, for almost three or four decades, it was the Wild West out there, you're now finding individual regulatory regimes based on geographies getting established. GDPR, CCPA, privacy by design. These are all evolving drivers that we face today. And if you look at the distribution of it, whether you're in China, whether in the United States or in Singapore, they're very different regulatory regimes. So how does a company which sells in these areas, let alone a multinational, how does it operate? So we need a different thing as we evolve, a different cybersecurity regime as we evolve to meet these changing scenarios. Then we have disruptive events. COVID has come and to quote Satin Adela from Microsoft. In three months, we have done what we're planning to change in terms of digital transformation in two years. I might not have fully exactly quoted them. Remote work is here to stay. The frequency of disruptive events, Y2K, 9-11, the 2008 crisis and now COVID, they are becoming more and more frequent. The ability to grow and operate in an unprotected network, that's what Zero Trust is about. So there are two different words here, be able to grow and to be able to operate. And that's important as we think about Zero Trust, as we think about cybersecurity in an era of digital transformation. So if you were to look at a number of the online definitions of Zero Trust, they talk about the ability to operate in an unprotected network, but that's not enough, the ability to grow in that network, that's also important. It's a new security paradigm that requires a strategy. So when we face that strategy, we need to have a way to address what that paradigm is, how to deal with that paradigm, how do we take and take on these conversations along the journey. Data in this era is the ultimate risk. So when data is the ultimate risk, we need to be able to protect the data, but we also need to be able to protect those parts system, which manipulate that data, which utilize that data, the applications and the APIs that we've got to deal with. So Zero Trust is about all of those key things which characterize the modern digital age. Parameter-based networks just don't work anymore. That traditional model just is not sufficient. So into this era of the digitized enterprise, we need to address what drivers we face today, involving business models. We talked about the partnerships and ecosystems, changing technology drivers where we deal with AI, we deal with the cloud, which is now moving to an API-centric world. We deal with IoT in an almost unbelievable smorgasbord of different devices. And we're also dealing with evolving and lagging regulatory standards. So now just a public statement or submitted and got it approved for publication on Zero Trust in the utility industry and NERC, the National Energy Regulatory Commission. They were open about not having their standards up to speed with Zero Trust. They've actually published something about that. There'll be another year or so by which time they will publish on it and by then things will have evolved even further. So how does a company and organization manage that for that? They have to look at their evolving environment and they have to complement and supplement the standards that exist. They have to be ready for disruptive events which are unpredictable in nature. Those feed the requirements for Zero Trust. Increasing agility, complexity and these are exponentially increasing. Where you had 10 APIs or maybe a hundred. You have 2,000. You have legacy applications, new applications, so on. Where you have a need for dealing with disruptive events. You can't predict COVID. The shift to remote work is almost permanent and guaranteed to stay permanent just because of fiscal reasons, because of convenience reasons, because of environmental reasons. We've talked about new and lagging regulations and how you need to recognize that that isn't gonna be sufficient anymore. New threats and real-time responses need to be treated. You have to start realizing that the threats are many times from within. Need for measurable controls and automated audit. You can't spend six months or two years or three years conducting a PCI audit if your company has changed by that point of time. These capabilities or these requirements lead to new capabilities. So what are these capabilities? Adaptive identities. You need to be able to operate and you can't spend months or years trying to get the identity of somebody who's evolving in your organization who was a contractor yesterday and employed today, works for a subsidiary tomorrow. Because now left you're working in the insurance industry and is now left and has become an influencer for you. You can't do that manually. You need to have self-service. You need to have many ways to deal with the structure of identity. The way you deal with complexity is through threats, co-production and risk avoidance. So in a zero-trust world, we need to have architectures which are capable of addressing that. The way we do that is through data simplicity as opposed to trying to secure the network everywhere because it's hard to predict and sometimes not even feasible because of legacy platforms. Those things that need to be protected need to be protected using zones so that you have variable levels of protection. You make sure those crown jewels are properly protected. Policy driven access control so that we can actually deal with how things evolve and how things change in an agile fashion. With new applications providing the plug-and-play and that agility. Automated audit. We've talked about real-time threat response and the ability to support unpredictable consumers. It could be an API, it could be an AI. You've replaced a human business process flow with an RPA. Could be a person using different channels. This is what zero-trust architectures must support because you need to be able to operate and grow in an unprotected network. In the past, we used perimeter-based security models. It was pretty simple. We knew who our partners were, we conducted audits, we were able to secure them. We knew what the ecosystem was where everything was clearly defined. Today's world, not so much. Not agile, you have so many different systems to deal with. What network are you gonna set up? How you enforce the next new standard for encryption? Does your legacy platform support TLS 1.3? How do you deal with cost? How do you deal with complexity? You added 300 APIs last week. How do you deal with audit? In this world, it's hard to use the legacy approach. But this was kind of foreseen. Earlier on, Jericho Forum in the 2000s came about with the approaches to result this. There were a number of publications that came out of the Jericho Forum. And later, Google, for example, brought up Beyond Corp as another example. People started recognizing that change had to happen and COVID precipitated this change. So this has been a slowly evolving process which has really picked up speed today driven by the disruptive change that is going on. So what does a zero-trust world and an enterprise look like? It's an omni-channel-based platform. With policy-based access, real-time APIs and data, so that your connectivity, and there could be different communication patterns to be used. It could be APIs, event-based, it could be near real-time, so on and so forth. But there is almost direct interaction between producer and consumer because you really can't predict who the consumer is going to be. There's the need to be able to protect data and use flight and rest, right? And so tokenization, encryption, format-preserving, encryption, classification, data protection models, all of those come together to define that future. You need those rapid, near real-time responses and rapid detection systems, a modern SOC as opposed to traditional model. You don't have months, you have hours, minutes and days. You need to be able to do your audit and quantify risk using a modernized system. So OpenFair, for example, provides part of that capability. And we'll be talking about that today as we go forward in the following sessions. We talked about strategy in order to be able to take the journey for zero trust. We talked about how we addressed and made that paradigm into a strategy that we could realize. The SOA for Business Technology Guide to the Open Book published earlier this year, I mean, the Open Group published earlier this year. That provides, for example, one of the paths that you can follow a framework to address this. And it's based on three pillars, strategy, operational model and operating models. The strategy pillar addresses strategy vision based on a business capability, architecture and technical capabilities that evolve. That allows us to incorporate security across in a roadmap that we can manage over time against business capabilities that can change while retaining agility. So that's the growth and operate part of it. The second part is your operational pillar and that operational pillar is how we change the engine when the plane is still flying. The operating model addresses two things. It addresses the ability to establish governance GRC models, but it also provides an ability to focus using an understanding of your business model. Finally, to close out, I'll speak a little bit about a playbook for zero trust, a simple one. What do you do with, how do you approach zero trust? How do you address that complexity? Eliminate what you don't need. Replace unsensitive, I mean, sensitive data with unsensitive or obfuscated data. Encrypt what you can't get rid of and that you need to support and share. And for stuff that you can encrypt which you need to share, place it inside of a vault, secure environment, secure trusted zone. So with that, and having introduced some of the key concepts that zero trust is about of having introduced the fact that this is the ability to operate and grow in an unprotected environment where phishing may be a bigger threat than a brute force attack, where we can depend and live and work on a network-based approach. Having laid that foundation, I want to give a little idea of what's coming up next. We're establishing an industry-shared understanding of zero trust as part of what the open group does. We're soon going to be publishing a zero trust core principles, white paper. And Mark is going to talk a little bit about that in a few minutes. Publication on the landscape for zero trust and coverage of landscape papers on a number of extensive surveys that we've covered and used against both academia, industry and vendors. A reference architecture and standards, a practitioner's guide and a community for zero trust in the form of a LinkedIn group, which we would all love you to engage and join. To share your feedback, your comments so that we can engage the public and the industry in helping defining this future. Now, with that, I would love to have questions and answers. We've talked about how the questions and answers will really be addressed in the follow-up. So please submit all of your questions and answers and the moderators will pick that up and give us feedback. And we will reach out and get back to you. Thank you very much, everybody. And with that, and with no further ado, I would like to say thank you. If there's anything else you wish to ask, go ahead with the questions up and I will answer. That's great, Nikhil. Thank you. As a reminder, yes, we'll deal with all the questions in the panel session at the end, but you're right on time and giving us a great intro to the zero trust architecture topic. So thank you again, Nikhil. Warm round of applause. Thank you. Thank you.