So, we've been right on. We're going to have a conversation now between two experts in the field. First is my colleague Jim Hietala, who is the Chief Group for Business Development and Security at the Open Group. Jim manages all the security and risk management programs and standards activities in that area. He holds several security and risk certifications, including CISSP, GSEC, and of course the Open FAIR Foundation.

And a warm welcome back to the virtual stage for a longtime contributor, Steve Whitlock. Steve is a retired cyber security professional who continues as a volunteer supporting both the US government and the Open Group. Prior to that, he was Chief Security and Technology, Chief of Security, Strategy and Technology, forgive me, for the Information Security Solutions Organization in Boeing Defense, Space and Security. And before that, he was Chief Strategist for Boeing IT Information Security. In this role, he provided strategic support for Boeing's long-term information security capabilities, including tracking emerging technologies and the changing threat landscape, as well as helping to influence the direction of the information security industry in support of Boeing's global presence.

In the discussion today, Jim and Steve will focus on the origins of Zero Trust and the work and influence of the Jericho Forum on the current ZTA project. So a warm welcome from the Open Group to Jim Hietala and Steve Whitlock. Over to you guys.

Thanks, Steve. So although the term Zero Trust is really a new buzzword, its origins go back quite a while, 13 years ago or so to some of the early Jericho Forum publications. So I thought having Steve Whitlock here on this discussion, having you here would be particularly useful because you were there in many of the early Jericho discussions and you're still a part of the Security Forum. So welcome, Steve.

Thank you.

So I guess I'll start the Q&A by asking you about some of that early Jericho work.
You know, the Jericho Forum was thinking about the failures and limitations of the perimeter security model very early on. So I'm curious how you relate some of that early Jericho Forum work on de-perimeterization to the current Zero Trust thinking. What's your perspective on that?

So let me describe a little bit the origins of Jericho. In 1998, Neil Postman gave a talk called Five Things We Need to Know About Technological Change. And his fourth point was technological change is not additive. It is ecological, which means it changes everything. And the internet was one of those changes. The internet, essentially, when enterprises connected, they replaced the physical perimeter with a virtual perimeter. And in the early days, you could put a firewall in and just sort of be protected. But if businesses wanted to leverage the internet, it sort of stopped working both from a security and a business perspective.

Some of the business ideas and the Jericho Forum was originally formed by a collection of CISOs in London that were business focused. But a hardened perimeter strategy was at odds with their current and their future business needs and that it was financially unsustainable. From a vulnerability perspective, if you're going to let email in, or if you're going to let web traffic in through port 80 and 443, then the perimeter is not really helping very much anymore. And it's still okay to have something for a noise barrier, but a determined attack will just ride in on port 80.

The Holy Grail for many organizations, at least the one I represented, was fine-grained access control for data and applications between enterprises and enterprises that didn't necessarily have leverage over each other. So there had to be negotiation. Essentially, if you can solve that problem, most other scenarios are a subset of it. The Jericho Forum began by illuminating the problem with a series of publications and they called the problem de-perimeterization.
They didn't really have a name for the solution, but Zero Trust is sort of a name for the other side, the solution side. So there was some uptake with a set of core principles and then eventually an architecture focused on secure collaborations with an emphasis on identity and access control and data security. Zero Trust seems to be following a similar path. There was some uptake after the Jericho Forum launched. There's some products and some vendors as well as some end users, but I would say it hasn't been a complete success and the issues that drove the formation have not gone away, if anything, they've intensified. And so it's great that there's interest in Zero Trust architecture to carry on and try and solve these problems. I guess I would say, well, the Jericho Forum may have been a little bit ahead of its time. The emergence of ZTA is evidence that businesses still need a way to collaborate securely.

So what we're seeing here is a few of the Jericho Forum publications relating to de-perimeterization and pulled out of there some of the key points out of some of those. Out of the many publications that were put out by the Jericho Forum, which ones do you think were the most relevant in kind of forecasting the world we live in today in terms of leading Zero Trust architectures to deal with the issues that come with de-perimeterization?

So maybe the best place, and I apologize for not getting on the list is, and all of these are available on the Open Group website, by the way, but the best place is probably the Jericho Forum business rationale for de-perimeterization published in 19, I mean, and it lists both business drivers and business benefits of a de-perimeterized strategy, and it discusses why the change is disruptive, and I think some of the disruption is the reason why it's been slow to catch on. I think those drivers and benefits are still current, even though it's a pretty old publication.
The next major document is one listed here, the Jericho Forum Commandments, and it lists, I believe, 11 specific commandments. These are really principles for designing your security systems and your architecture to operate safely in this world. That was followed up a little while later by a set of commandments focused on identity and access control. The trust ecosystem is a look at the systems and a trust taxonomy, and that was followed by a collaboration-oriented architecture framework as well, some of which made its way into the web environment. If you go to the next page, I don't know how to turn the slide. There we go.

Okay, so while we focus on a second set of commandments or principles on identity and access control, the other big piece was data security. And we did end up with a draft of eight data security principles, but we didn't have enough time to or didn't finish organizing the evaluating and improving them before the Jericho Forum shut down. So they ended up, there's just a draft that's out there or maybe it's not out there. So we did take that experience and publish a paper called The Need for Data Principles, which has a pretty good roadmap that somebody, I don't know if ZTA is interested, somebody could pick it up and start from that. And some of these were put together and published in another Open Group document called Protecting Information, Steps for a Secure Data Future. I think it's W142.

Much more recently, the Open Group Security Forum published a list of 20 principles, or we call them axioms. The difference between this and the Jericho Forum work is the Jericho Forum specifically focused on the differences that the loss of a perimeter made in security. Whereas the axioms is focused on a broad security architecture. So it includes a few of the Jericho Forum principles, but it includes a much broader set that are designed to give you a complete, you could generate a complete security architecture from it.
We didn't want to publish one of these thousand-page books you've memorized. We wanted a set of core axioms or principles that you could follow for almost any situation. And this was, by the way, joint work with the Sanford Institute.

So you're kind of switching gears a little bit and talking about zero trust in the marketplace, if you will. You see today a lot of vendors talking about having solutions that deliver zero trust. What's your perception of the current zero trust solutions are better landscape?

I think solutions now are better than they used to be, but I don't think there's a good enough focus on protecting data in transit and as it's offered on by your business partners, whether they're suppliers or customers. And I don't blame the vendors totally that they can't make products that people won't buy them. So there needs to be a better commitment investment on both vendors and customers, what's essentially a new paradigm or a new way of doing business securely. There aren't any products out there. I would say there's not yet widespread acceptance.

Okay. And I mean, it seems like those products and solutions fall into two, you know, pretty broad categories. One is focused on identity and access management and others that are focused more on data protection. Any thoughts about which of those areas is further along in terms of maturity?

I definitely think identity and access management is farther along. We've had a lot of industry initiatives. We've had government initiatives like us and stick. One of the Jericho Forum founders, Paul Simmonds, founded the global identity forum. Bridge certificate authorities have allowed us to use crypto more widely. We've had credit cards and other cards with chips in them are much more common. It's data security where I think we're lagging quite a bit. We need a more fine-grained approach. Sort of something similar to a DRM, but it has to work between different vendor solutions.
And they have to allow different levels of data access based on user and data attributes. You can't assume that your customer or your suppliers are going to buy the same security products. So interoperability is key here. And that means standard protocols and APIs.

And that leads nicely into the final question, which is what standards work is really needed here to move things forward in your view and what can standards organizations like the Open Group and others do to help enable and realize the promise of zero trust?

We need to encourage vendors to build products that are scalable and secure, but also interoperable, and the Open Group has a number of supplier members. And we need to encourage organizations to realize that some of these changes will be challenging, but they will better support their future. And we have another number of large end users that with their purchasing power can help support that. And I realize the Open Group doesn't do protocols. I was pretty active in the idea that the Open Group is a good organizational place for pulling together other APIs and protocols. And a lot of the pieces are there and creating an architecture and a holistic comprehensive view. And I would just say that I would encourage organizations, both suppliers and customers, to get involved and bring your challenges and potential solutions to the Open Group's activity. If we don't know what your exact problems are, we might miss something and it's got a piece of the solution that would be valuable. So more involvement at zero trust architecture work in the Security Forum would be great.

Okay, on that note, we'll go ahead and end. Nikhil did do a great job of outlining his ZTA project. So if you're watching his presentation, we would have picked up on the various pieces of the project are planned.
And we encourage you again to get involved, either by reaching out to Steve Borscher, who handles membership for the Security Forum, or just getting involved in the LinkedIn group to make your voice known. So with that, I'll hand it back, I guess, to you, Steve.

Thank you, Jim. Thank you, Steve. Great to hear your voice again, Mr. Whitlock. And thank you for your insights and yes, anyone interested in getting involved in that project, the details are on the screen and they'll be in the post-event documentation, post-event materials as well. So, thank you both very much. That's a random applause.