Hello everybody. I'm Nikhil Kumar, president and founder of APTSI, that's Applied Technology Solutions Inc. We've been in business for a couple of decades and worked a lot in enterprise architecture, security and other domains. I'm also the co-chair of the Zero Trust Working Group of the Open Group. We've all had a number of conversations today on Zero Trust. I'm going to walk you through an actual example. How does all of this really come together?

Digital transformation is hard. Organizations in the digital age face that every day. There is no alternative but to change. This change is hard in terms of people, in terms of process, business model, technology, so on and so forth. To be able to undertake that change in a manner where you feel secure, you're not worried about the next ransomware attack, the next breach, so on and so forth. It's critical for those who are going to succeed. It's going to be a way in which organizations are going to get differentiated. That's where our security partners, our technology partners and our business partners all need to work together.

Let's start understanding these key drivers of the new cybersecurity world. Changing business models and drivers. These are critical. Companies are changing how they do business. It's been happening for the last decade. It's not this year's effect. It's happening all the time at a faster and faster velocity because the way we do things is now digitized. You don't need to wait six months to make something happen. You need to wait two days, three days, a week. What does that mean? It means that organizational, institutional understanding is lost because you entered a new business domain because the market forced you. And now all that institutional knowledge, which helped you understand and deal with risk, with security, has to be rebuilt or is not there.
So being able to deal with that change and being able to support that change is a key responsibility of information security in this future world.

There's an evolving ecosystem. Today, you don't sit and deal with tier one, tier two partners. You're dealing with multiple calibers and layers of partners. Some of them are fully capable. They're large Fortune 50 companies like you or 500 or 1000. And some of them are small businesses. You know, you're hiring an influencer for your sales, so on and so forth. What level of trust do you have there? You're a utility company and somebody is feeding energy back into your system. You're a small business who is now participating with a large bank. So you have this evolving ecosystem and the ecosystem also has different channels of communication, velocities of communication, which matters because now there are many different entry points and threat points.

You have a changing technology landscape. So you know what, like today you're doing your cloud project and you're doing your cloud migration. That's going to be hugely disruptive. And you're going to be in that hybrid cloud situation. By the time you're ready for finishing, you move towards one vendor. You suddenly find that you've got to deal with multiple vendors, just like, for example, DOD did with the rebid.

And then you're dealing with regulatory, political and other changes such as cultural changes. You're dealing with artificial intelligence, and data science is becoming par for the course, becoming part of our day-to-day life and changing and disrupting the way people work, processes are done and technologies are done. More opportunities for threats. Regulatory change, if you're a multinational company, is huge. Geopolitical change is huge. Privacy laws are changing. Information security policy controls are changing. You need to be able to adapt to them or you can't do business maybe in your largest market.
And so being able to deal with the, we're dealing in the world, which is Balkanizing and going multipolar from a global world. But your client base may still remain global. So how do you deal with all of that? Cultural changes such as nationalism versus globalism. Changes such as a shift to social media. Evolving age, gender differences, community differences across different zones in your client base. All of these now come and impact almost all businesses irrespective of size. So being able to deal and all of these introduce new threats.

The ability to deal with disruptive events such as COVID-19, 2008, the advent of new technologies. The annual occurrence of a 500, once-in-a-500-year storm or hurricane or weather event. And the shift to remote or hybrid work. All of these are going to keep happening and happening as we shift to a more digitized telemedicine, tele digitized and digitalized world. As AI becomes par for the course, becomes part of our language.

And the characteristics of this are you need to be able to change and adapt really fast. So agility or velocity of change. The other thing is adaptability. You need to be able to change how you respond to new different market drivers. The ability to deal with disruption, things which are really unpredictable. And then the ability to deal with increased complexity because this isn't making it simpler, it's making it more complex. And even if you want to say, you know, I am going to mandate that you use this technology at the stack. What happens when you buy a new company and you do an M&A? And one of their things is they use a different stack and that's why you bought them. What happens if there's a disruptive event, like in the retail industry, and you have to deal with the new technology, whether you like it or not? You have to be willing to change and that is going to be impacting the success of those organizations that survive or don't survive.

Today we're going to talk about ACME Corporation.
It's a global enterprise. It's a multinational impacted by a lot of the geopolitical and regulatory impacts. It supports multiple lines of business. We're just going to talk about wealth management, retail banking and benefits management. They just entered benefits management. They were a classic old-fashioned bank. And when they entered benefits management, they suddenly found that their ecosystem has just started evolving. So for example, into their ecosystem come third party administrators. A growing number of different kinds of clients, influencers to make sure because your benefit sales cycle is now across the individual as well as the organization. So you now have a huge variety of different stakeholders in the conversation. By the way, this applies to healthcare and any other force part of the business as you go.

And the number of threats are evolving rapidly because you're dealing with these multiple national entities in one country. For example, VPNs are not allowed in the other country. Almost everybody likes to use VPNs. And you're starting to discover that that perimeter centric approach you took just doesn't work anymore and you're at a loss. You have your cloud migration project in flight. And because you're dealing with lost resources and you want to be able to support things, data analytics becomes really important. And you're using AI so that you can provide 24 by 7 access through your virtual agents and chatbots. All of those things are happening. You need to be able to support tele-experiences. And as you go to effective computing, it gets more and more and more advanced. All of this disrupted by COVID. Today, March 2020 or whatever, you suddenly had to move everybody online. And what kind of protocols did they have in their basement? None.

So we're going to talk about something else now, right? We're talking about zero trust, which is this new cyber security paradigm, which allows us to deal with this change. What is it?
It's basically saying that you work on data and information security across the life cycle of that asset on any platform or network. You're not limited by that because you know what, even if you want to and you want people to work in your office, by the way, they are also accessing things from their cell phone and the cell phone aggregator on your email aggregator has been broken. Or just like what happened a few days ago, there was a breach in the print driver. Or as happened with SolarWinds, there was an insider breach. The perimeter doesn't work anymore. 50% or almost 50% of breaches are coming from inside, not outside. You need to deal with new security capabilities, deal with what your data is and how you deal with this and assume compromise and assume breach. Huge difference than the way you thought about before.

And the way you do that is you start approaching things by reducing the threat space and reducing the blast radius. That's important. What does reducing the threat space mean? It means you have complexity. You know what's going to grow. You try to classify it and focus on what you really can protect, your crown jewels. Reducing the blast radius is also critical. Reducing the blast radius means you assume compromise. So somebody's on your network intending to do malicious things against you. But you want to limit the impact of their actions to a small part of your environment. That's critical. You can no longer keep playing whack-a-mole. You can't keep running after the last threat. You need to think about what happens with that second new threat and you need to know you can't predict every threat either.

So the approach zero trust takes is data centricity. What you do is you replace high value information with low value information. We'll stay away from technology aspects of that. What you're really doing is saying here's something high value. Your credit card number, your social security number, some PII, PIFI, or just information of business value.
It doesn't always have to be PII or PIFI. It may be something like the quality of the clock that you sell, or maybe a trade secret that you're hiding or you're protecting, not hiding, hiding is a bad word, but protecting. You want to replace that with something which if a malicious actor steals it, it has no value to them. If they conduct a ransomware attack and lock down that system, well, you can just reboot the system with new data or new information. And you've limited the blast radius to maybe one instance, one implication, one application, one microservice and so on and so forth.

You need to deal with asset centricity. So you need to make it granular enough that you're going to be able to protect an individual asset or an individual group of assets. You need to think about it in different ways. You need to think about a network of one.

The reason we do data centricity is because we want to be able to share data seamlessly. Partners are going to evolve, jurisdictions are going to change, complexity is going to grow, and dependencies are going to grow as we depend on different groups of people on processes and technologies and regulations. So you want to be able to share that without having to change everything every time. You need to be able to deal with this across the life cycle of that information or that data because data is an asset. We want to be able to protect the data across the life cycle because let's take credit card number as an example. You authenticate that the card people are now authorized to use the card. The card expired, but does that really mean that the card expired? No, it didn't because you need to be able to hold it for fiduciary reasons, for legal reasons.
So the provisioning and the deprovisioning of that asset, from that point to that point, you need to be able to manage it, know it following the regulations you want and supporting privacy controls like the California Privacy Act or CCPA or meeting with GDPR and so on and so forth. And again, jurisdictions count, right?

So how do you do this? You tokenize, which means you basically take your higher value data and substitute the data. We talked about that. You use security zones, which basically use simple attributes. Data classification, level of trust, classify your partners or your entities, users into groups. The kind of business process you're dealing with and the manner in which it's getting accessed, some other attributes, but a limited number of attributes. That lets you have some areas which can be breached and the information can be lost and some areas which are critical like fraud and other areas where ACME is going to protect the crown jewels.

Now let's say one of the merchant banks or the merchants, which deals with ACME, is breached. If they have tokens replacing their credit cards specific to that particular merchant, what's the impact? The impact gets localized to that particular merchant. So let's say 100 million cards are breached. You can reset the tokens and you're able to operate. And in the other scenario, you have to replace 100 million cards, which you could go to about let's say a couple of dollars a card. You're looking at a 200 million dollar cost. Those are just simple ideas of what you need to think about.

We've talked about the life cycle. So realize that data centricity is a critical thing to be able to support agility and adaptability, disruption and complexity. It's one of the fundamental pillars or legs in zero trust.
Asset centricity basically means you don't think about protecting the network, but you think about protecting the asset because as the network evolves to support change, as you become part of a company, your company evolves, the next org chart evolves, you sign a contract, you include TPS, you just have that evolving set of relationships. As your ecosystem evolves, you want to be able to do it simply at the level of an asset instead of waiting and trying to add the complexity of the overall network. That's what asset centricity allows us to do. One of the key things it allows us to do is it allows us to deal with disruption and adaptability. You can deal with these changes of the ecosystem and you can deal with sudden disruption quickly. You can literally turn on a dime. And it also, because you start thinking about an asset in terms of a network of one, you start thinking about using policies to manage it, right? And you need access control can then be having the security zones. And then you can have further levels of detail based on individual entitlements and different credentials being provided. This also reduces the blast radius because if there is a breach or compromise, an asset or at worst, a zone is breached.

So this brings us to the Zero Trust Reference Model and we've talked about how ACME has been going through this journey. So ACME started off, it digitized, it supported data centricity and it started moving to asset centricity. All of its different stakeholders had, let us say, keys of your security zones and you had it based on trading partner levels. And you had external entities have their own security zones and you switched tokens. Now you were ready to deal with one class of breach and one class of threat. Now you went towards asset centricity so that as you moved and you did your cloud migration project, all your assets or your microservices, for example, could deal with change.
You added data streaming because you know what, you needed to stream that information and you needed to still send those flat files. So you were dealing with both data centricity to manage the flat files and other issues and you're dealing with asset centricity to manage controls based off of access control policies. You added to this self-service because you added those two million influencers who just won't need to log in and connect to certain things and you were easily able to do that by classes of access control. However, this results in complexity and that's why we talk about adaptive access control where technologies evolve so that you can group things, do self-service and apply things such as AI to predictively build out access controls. You have the concepts of identities and networks where you have digital identities which are really using something similar to a party person organization model which are not locked to a particular organizational structure. And that helps a lot when you have these distributed identity access management environments.

We've talked about these elements for a bit now but think about the other things that go hand in hand in the Zero Trust Reference Model. You have threat intelligence, you need to be able to predict tomorrow's threat or at least to be able to monitor the changes in your network, in your environment as malicious actors are monitoring your compromised network. And so being able to use artificial intelligence, to be able to use data analytics, to be able to look at volumes of data and to be able to respond proactively is a shift that's occurring. And to be able to see things using unsupervised learning which you didn't know before.

Modern SOC, so the modern SOC, what does that do for you?
Modern SOC basically allows you to do real DevSecOps where if there is an expected breach or you can proactively monitor it and trigger incident response and work with your dev teams and your engineering teams, you can ensure shift left.

Finally, you have that ability to do two things, risk. Remember in Zero Trust, risk is opportunity as well as cost. What does that mean? It means because I have a Zero Trust environment, I can enter new lines of business with less fear, which means I have a competitive advantage over my competitor. Risk and in order to be able to do this quickly, I need to be able to do on demand audits and other similar things.

So these are some of the key things that we need to consider as we move forward. As you see, things are not going to change. You're going to have these, at least for the next decade or so, things will always change. But these things are all there. You need to address them. You need to deal with them. And that is why we think about Zero Trust as a framework, as a security framework, not as a technology. And we think about Zero Trust as basically two things. It's a cyber security framework and a strategy. Today, we just described kind of how it applies. A larger conversation would talk about the playbook, the strategy that you follow to get there.

Thank you very much, everybody. And you can reach out to me at my email Nikhil Adaptic Solutions or on my phone. Or you can reach out to the Zero Trust Working Group or the LinkedIn Group. Or if you're a member of the Zero Trust, I mean of the Open Group, you can come in, as I said, to the Zero Trust Working Group. Those who are non-members can join through the Zero Trust LinkedIn, as well as we are sending out a survey to all leaders. And we would love your input as you deal with change so that we are responsive to your needs and we are able to communicate with you very well. And all of you will get complimentary information from the Open Group.
Thank you very much, everybody, and looking forward to your questions in the panel.
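
Added example, not part of the talk: a sketch of the merchant-specific tokenization the talk describes, showing why a breach at one merchant stays local and how resetting tokens replaces reissuing cards. The `TokenVault` class, the HMAC-based token derivation, the merchant names and the card number are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical issuer-side vault: the only place real card numbers live."""

    def __init__(self):
        self._keys = {}    # merchant_id -> current per-merchant secret
        self._tokens = {}  # (merchant_id, token) -> card number (PAN)

    def tokenize(self, merchant_id, pan):
        # Assumption: tokens are derived with a per-merchant HMAC key, so the
        # same card yields unrelated tokens at different merchants.
        key = self._keys.setdefault(merchant_id, secrets.token_bytes(32))
        digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._tokens[(merchant_id, token)] = pan
        return token

    def detokenize(self, merchant_id, token):
        # A token only resolves inside the merchant scope it was issued for.
        return self._tokens.get((merchant_id, token))

    def reset_merchant(self, merchant_id):
        """Breach response: revoke one merchant's tokens and issue new ones."""
        pans = [p for (m, _), p in self._tokens.items() if m == merchant_id]
        self._tokens = {k: v for k, v in self._tokens.items()
                        if k[0] != merchant_id}
        self._keys[merchant_id] = secrets.token_bytes(32)  # rotate the key
        return {pan: self.tokenize(merchant_id, pan) for pan in pans}


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    tok_a = vault.tokenize("merchant-a", pan)
    tok_b = vault.tokenize("merchant-b", pan)

    # merchant-a is breached and tok_a is stolen.
    cross_use = vault.detokenize("merchant-b", tok_a)  # wrong scope
    reissued = vault.reset_merchant("merchant-a")      # no card replaced

    return {
        "tokens_differ": tok_a != tok_b,
        "stolen_token_at_other_merchant": cross_use,
        "stolen_token_after_reset": vault.detokenize("merchant-a", tok_a),
        "reissued_token_works":
            vault.detokenize("merchant-a", reissued[pan]) == pan,
        "merchant_b_unaffected": vault.detokenize("merchant-b", tok_b) == pan,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```
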