Hello and welcome to The Open Group's base reference model for a zero trust reference architecture. I'm Mike Lloyd singer, chief architect for information risk management at Nationwide. I'm a member of The Open Group's working team on zero trust architecture and will be spending the next 15 minutes or so walking you through a base reference model to help guide you on a zero trust journey.

Before we get to the base reference model itself, I'd like to quickly step you through why zero trust, what zero trust is, and its characteristics. The Open Group has already published a zero trust core principles white paper and will soon be publishing a zero trust commandments document if you'd like to dig even deeper into the whats, whys and hows.

So why do we need to think about zero trust? Well, the modern digitized world of business and computing is complex and continuously evolving. This is driving a need for a fresh approach to security. There are modern work use cases such as the normalization of remote work. This started with widespread Internet availability and the move to the gig economy, and then has greatly accelerated with the work from home driven by the COVID-19 pandemic. We also have rapidly evolving partnerships and competitors in the business space, rapidly changing communications patterns through social media, chat bots and the like, and evolving national interest and regulations.

We also have security modernization imperatives: a drive towards automated policy enforcement to address changing processes and models in an agile manner at a minimum cost; adaptive identity management to respond to rapidly changing roles, responsibilities and relationships; and then a large focus on data-centric and asset-centric approaches to better focus security resources by limiting the scope of what they protect, as well as better monitoring assets and responding to threats regardless of the network location.
Overall, there's a need to honor well-established best practices while also challenging established assumptions that no longer work, such as an overreliance upon your users being located on a specific physical network. To reiterate, just some of the drivers that continue to drive this evolution are changing business models and drivers, an evolving ecosystem, a changing technology landscape, regulatory, geopolitical and cultural forces, disruptive events, and the shift to remote work and online learning.

So then how do we respond? What is zero trust? Well, first of all, zero trust is not a single capability. It is not something you can buy as a standalone package from a vendor and consider yourself victorious. It's a mindset shift, with the core concept being that you should no longer implicitly trust your network. Beyond that, various definitions of zero trust go in slightly different directions, but in general zero trust is an information security approach that focuses on your data and information security throughout its entire life cycle on any platform or network.

Zero trust security capabilities enable organizations to secure data and information and your applications, APIs, really any data integrations, on any network, including the cloud, internal networks, and public and untrusted networks. Zero trust is implemented through a comprehensive strategy and provides a security framework based off asset- and data-centric security, policy-driven controls, modern identity management, and security zones or domains. Zero trust provides organizational flexibility, agility and adaptability in addition to the traditional security assurances of confidentiality, integrity and availability. Two important characteristics of zero trust are reducing the threat space and reducing the blast radius.
For threat space, the fewer things there are to protect, or the less the amount spent on their protection, the easier it is to support the agility and adaptability and address the disruption and complexity that the business demands. For blast radius, zero trust expects assumed compromise or assumed breach. This underlines the ability to localize the compromise and reduce the time spent and cost on each compromise. Current perimeter-centric approaches failed to provide the agility and adaptability required by the digital enterprise.

Some of the building blocks for zero trust are: data centricity, replacing high-value data with low-value tokens, allowing us to reduce the threat space and impact of compromise; asset centricity, granular protection of assets that allows us the agility and ability to reduce the blast radius, keeping in mind that all data, APIs, applications and systems are assets; and a network of one: instead of a perimeter-based network where every device and asset behind a network is considered secure, you're now looking at it as each asset having its own policy-based controls.

And then we move on to the reference model itself. The Open Group will be working to define specific reference architectures and reference implementations to dive deeper into the details, but I'd encourage you to start using this base reference model right away to help inform you on the next steps to take on your zero trust journey. The base model is purposely high level enough to give you a context in which you can add new capabilities and processes to move your organization towards a goal state of zero trust.

So, stepping through the base reference model, we'll start with number one, over with data and information. This represents the focus on the characteristics of data centricity. We then move down to number two, the applications and systems that protect the data. Over to step three, the integration and information flows, whether that's via APIs, event streams or other data transfer mechanisms.
So, moving into the heart of the modern zero trust architecture: your identity and access management, along with centralized security policy decisioning and enforcement points. On the model here you have IAM represented as step four, with policy enforcement represented on step five. As you look to the left of number five, you'll see that we are enforcing policy on both the people and the devices that people are using. And the confidence that you have the right people authenticating. This is usually tied into your HR systems: you've done your HR vetting to trust this person, and your HR system needs to know enough about your internal users to know, for example, how much to pay them. And so you build upon that trust. You also need to understand the health of each device, commonly through various endpoint health check tooling.

As you go up to step six, you'll see governance, showing the need to have visibility and management of your policy. We then move down through to step seven, threat intelligence. And then your threat intelligence, along with your asset logging and behavior analytics, is all feeding into your modern security operations, represented by step eight. And then finally, in step nine, you have your secured zones, segmenting your assets into as small of a blast radius as possible.

As a side note, with this model we're not tracing through a single end-to-end transaction here, so the numbers and the order are a bit arbitrary, but we are making a point here. In a zero trust architecture, your segmented or secured zones are no longer the first and only part of your security strategy. They become a part of the larger architecture designed to strengthen your ability to enforce policy as close to each of your data assets as possible.

And finally, we have another view into the base reference model. This time we have the runtime architecture.
This is representing many of the same items you had before, but again, with the runtime architecture view, starting with your omni-channel or multi-channel user layer and working down through your ecosystem, surrounded by governance on the left providing your visibility and policy, and then finishing through with your automated audit or compliance, commonly these days through looking at continuous control monitoring types of capabilities.

One thing to keep in mind is what you've just seen here is the reference model and step two. So this is what we've talked about today. The Open Group has also produced strategy around business and strategy, risk and compliance, and we continue to build upon this model with upcoming work on reference architecture, with each capability as a building block associated with standards, and reference architectures diving down into specific reference implementation. I encourage you to keep up to date with these artifacts by visiting The Open Group Security Forum at the link provided. Thank you very much for watching.