double-act presentation on the role of zero trust and zero trust architectures in digital transformation. Our two presenters: Mark Simos is the lead architect for Microsoft Cybersecurity Solutions Group, where he's part of a group of cybersecurity experts, former CISOs and former regulators, who provide advice and guidance on cybersecurity strategy and technology. With Mark, we have Altaz Valani, who is director of research at Security Compass, where he manages the overall research vision and the team. Altaz is a regular conference speaker who conducts ongoing research in the software security domain. Prior to joining Security Compass, he was senior research director and executive advisor at Info-Tech Research Group, senior manager at KPMG, as well as various positions working alongside senior stakeholders to drive business value through software development. And I'm not sure if we have both of you gentlemen yet, but I'm going to hand over to Altaz, I think, who's definitely with us. So a warm welcome from The Open Group to Mark Simos and Altaz Valani. Over to you.

Thank you very much. Should Mark join us? Not a problem. We will certainly get him to speak to his slides as well.

Thank you for doing double duty.

Sure, not a problem. It's a pleasure. So thank you very much, everybody, for attending the session today on Zero Trust. What we're going to do is really look at three stages to our presentation today. We will start with an introduction, where we will walk through the context, looking at where Zero Trust and Digital First intersect. And then we'll walk through a case study. We wanted to keep this presentation very practical, and so we'll walk through the stages that an organization would go through, starting with a leadership offsite meeting, followed by security planning, an initial business case being built for Zero Trust, followed by a current and future state analysis, IT capabilities to achieve secure digital, and then transformation using Zero Trust.
And finally, from a case study perspective, how an organization might receive a call to action. And finally, we're going to conclude with how to get involved. Please feel free to join us at the Security Forum in The Open Group. We'd be happy to have your participation in there. So once again, the presentation is really intended to be a walk-through, in a very practical way, of how an organization might go about building Zero Trust. I won't spend time going through the bio data; we've already heard that.

So looking at where we are today in terms of our context, we really are facing a situation today where we have evolving business models. And when we talk about evolving business models, it's really around looking for opportunities where the landscape is affording new, creative opportunities to provide value to end customers or to businesses. In so doing, we have emerging partnerships as well, and some of these partnerships, for example, involve working with competitors. And we also have rapidly changing technology, where we have cloud, microservices. A lot of these emerging technologies, serverless, are shifting us towards this direction when we're looking at how things can become more and more digital. We also have regulatory, geopolitical and cultural forces at play. And this, we heard earlier, is related to things like not just security, but privacy and legal, and even looking at things around ethical foundations as well. But for the purposes of this presentation, we will take a look at what this means from a security perspective as we explore Zero Trust, looking at that angle. There are a lot of disruptive events happening. We know, for example, when we take a look at what's happening with COVID, for example, that's one example. But there are many other such examples where we've got to explore risk.
And so we want to be able to enable the business from a security perspective, but also at the same time help them manage the risk. And the paradigm shift to remote work: what used to be inside the perimeter, as we heard earlier, is no longer the only way to do things. The paradigm has shifted. We've got a lot of people working on the outside now, and so we need to rethink this perimeter-based model of security and consider how we might use Zero Trust. So what we've done at The Open Group here is we've come up with a definition of Zero Trust as an overarching cybersecurity paradigm to help address the concerns that were talked about earlier. And really, what we're looking at is the ability to operate on any network, and that even includes public or untrusted or zero trust networks, in essence. And this is what we're trying to achieve. How do we continue to help the business move forward in this kind of paradigm, given the confluence of events that we're witnessing?

So getting into the case study itself, what we'll do is walk through a story. Initially, we have a CEO, and the CEO wants to engage in digital transformation. So the goal here is: how do we grow revenue and contain our risk within three parameters? Number one, the remote workforce. Number two, we want to look at cloud adoption. And number three, we have this continually evolving supply chain. This part of our supply chain today may not be a part of the supply chain tomorrow. We may have contractors today, no contractors tomorrow. We may be working better today; we may decide to end that at some point. And so we have this executive team that gets together and decides that we want to now go forward and enable this particular strategy. So as part of this discussion, the CISO and the Chief Risk Officer give some high-level understanding of our current and future state. We currently are using a network security paradigm, which isn't scaling and will not really enable us to get where we need to go.
In terms of the future state, we want to move to a data-centric model, where we're bringing security to the data, to the assets, to the applications themselves. And as a result of that, we want to adopt Zero Trust. The other thing to keep in mind is that this is going to be a journey. It's incremental delivery that we're looking at. So while we are on a Digital First journey, we also want to make sure that, as we deliver each of these plateaus that we're looking at, when we implement each of these elements of the journey itself, we are incrementally delivering this value over time.

So as we plan this digital transformation, we want to focus specifically on security. So now that the offsite is done, we have the CISO, the Chief Risk Officer and the CIO taking a step back. They hold their meeting now, and they start to talk about what it means from a digital transformation perspective with the lens of security. So step one of this process is they go through this discovery of the current state of the security toolkit. What do we have today? It could be a combination of firewalls. From an application standpoint, we might be doing things like threat modeling. We might be doing things like code scanning, penetration testing, and looking as well at other things that we put around our infrastructure and our applications in order to maintain the level of security that we're looking for. But this is all about the current state of where we are today. The next step is to develop an incremental Zero Trust roadmap. So when they have this discussion, the goal is: where do we need to go, and what are the deliverables that we want to have that will get us there, without going too far and giving us enough leeway where we can incrementally go in and make these deliverables from a Zero Trust perspective? The third step is to determine the scope of the application rationalization for Zero Trust.
So normally when we talk about app rat, you want to make sure that you're rationalizing for a particular endpoint. In this case, we would be rationalizing for Zero Trust. So looking at the current suite of applications and trying to determine: which applications do we need to retire? Which applications should we upgrade? What do we need to integrate? Things like that. And so this is all about making sure that, when we rationalize the applications against the life cycle that we've got of each of these applications, the goal is that, within the portfolio of applications that we have, it is continually providing business value. And the fourth step is identifying the right metrics and the OKRs to align with business risk. And the goal here, of course, is, when we talk about incremental delivery, OKRs are a great way of going in there and aligning the results with the objectives that have been set by the higher-level executive team within the organization. And by identifying the correct metrics, we are now able to incrementally measure what we are going to do in order to deliver against that roadmap for Zero Trust. So these are sort of the steps that we would go through in helping us to consider how security can play a role as we intersect Zero Trust with the digital transformation. So as you can see, the goal is always to make sure that we're enabling the business. But at the same time, we also want to make sure that we are managing the risk. And if anything comes up, we're able to articulate that in a way that makes sense from a business standpoint.

So failure and success really is determined by four key things. There's the business agility and the ability to move quickly while managing risk; I spoke about that earlier. And we also want to be able to enable this remote workforce and the ability to move forward with the cloud migration strategy, which is where we are when we talk about a digital transformation.
We have to deal with an increasingly complex and dynamic environment. So as we move forward, we take a look at microservices, for example. What does that mean when we measure this from a success standpoint? Going back to the points that we had mentioned earlier: how do we rationalize? How do we go in there and gradually ease the current application portfolio into something that will allow us to gain greater agility, and measure this with OKRs? So each of these four areas will help us to drive success of this initiative. And on the right-hand side of the bottom here, it is really driving towards an MVP roadmap. And we want to ensure that we've got four key perspectives that we always have in mind as we consider this roadmap. Certainly security, as we take a look at where Zero Trust can play a role in enabling the future state of the organization around Digital First, but also taking a look at operations, taking a look at the financial side of it. How do we determine the effect on ROI as we go through each incremental stage of getting us to that final state? And taking a look at our systems as well. So from a systems perspective, really exploring what we might perhaps need to add in addition to what we have at this point. Overall, this chart here really gives us an overview of the steps that the CISO, the CIO and the Chief Risk Officer would walk through to come up with, ultimately, an MVP roadmap to help us incrementally deliver.

So looking at the CISO now, the CISO takes this back and works through: what are the things that I need to consider in order to build a strong business case for Zero Trust? So we've got, at the very beginning, the executive decision that we're going to move forward with digital transformation. We had a high-level roadmap. We had a separate executive team that stepped apart and started to take a look and determine what are some of the big areas that we need to take a look at from a program standpoint.
And then the CISO now looks at it from a Zero Trust perspective specifically, to defend why Zero Trust might be able to help the organization move forward. So the first thing is that Zero Trust will help digital transformation because we're looking to operate in a world now without trust. The perimeter-based defense mechanisms that we had in the past are no longer scaling. We want to take actions today to ensure that we're protected tomorrow. So it is a forward-looking, business-enabling paradigm where security is at the forefront, is at the executive table, providing insight and input into what can be done to ensure that the business can move forward with confidence. The second is around the architecture, which will allow the business to both operate and to grow. And this is really about avoiding the risks and the threats, and really looking at this proactively rather than reactive mitigations, where we find that something went wrong and now we have to step in and try and fix that, and usually that adds a lot of pressure and slows down the business. So the intent here is to keep the business moving at the pace that is expected, but doing it in a way that provides the security assurance that this is going to be okay. We also are looking at reducing the threat surface area by looking at Zero Trust and bringing security to the assets themselves, rather than creating a fence and bringing the assets into that paradigm. We're really kind of looking at the other side of the coin, and by doing that we're able to go now and bring security at a much more granular level.
It also allows us to work within an untrusted partner security model. And so by looking at the policies that we can create, we are able to go in now and integrate within a partner ecosystem, which can be quite difficult to do if you think about creating a universal policy within a perimeter-based model as you try and bring partners in and the partners leave, and so you've got to sort of figure out how you're going to manage that. It also allows the rapid integration and decoupling of both inter- and intra-organizational boundaries. So we oftentimes hear today about things like enclaves. We hear about how we could go in and provide, even within the organization, certain boundaries and provide just controlled access to given assets, and then extending this and going really between organizations now as well. So this is what Zero Trust would enable, and this is part of the business case that gets built by the CISO. Really looking at this as a proactive approach which will allow security to bring risk management, which really avoids a lengthy compliance engagement, which is typically done where everything comes to a standstill and you've got to figure out: are we in compliance, are we not? But if you go in and you reduce the surface area that you're considering, you can now go in there and start to create policies that are much more fine-grained. And so we are able to go in and achieve the level of compliance, and in so doing roll up into risk assessments and risk management that provide the business with the assurance that we are in fact not in breach but we are in compliance as we go through, all within a digital paradigm, all within agile, DevOps, continuous delivery. And finally, better understand and quantify the risk.
So this model is compatible with Open FAIR, which is a proven, industry-reputed approach, looking at ways to extract data that we can use. And by looking at the telemetry into the Zero Trust assets, we're able to extract out information that is related to security, which we can then roll up within FAIR to provide us better guidance and information, more accurate as it relates to risk and the risk assessment process.

We also have the enterprise architects now that get involved, and the enterprise architects will help us identify the current and the future state. Really looking at where we are today, looking at the current risk approaches, largely based on mitigation, it's looking at trying to go and shift towards this threat surface reduction model, and really not around proactive avoidance, really where we're moving forward and trying to get onside with where the business wants to go, moving away from a reactive to a more proactive. But as of today we tend to be largely reactive, and making sure that we enable the business by coming back with a response that says yes, we can assist you with that, rather than looking at ways to block the business from moving forward because we need to try and force it into a given paradigm of security around some perimeter or something like that. So in the future, what we want to do is we want to consider how we can solve, how we can enable the business, not why we can't do that; try to look at ways to quantify the reduction of loss and try to move towards being more proactive, shifting the paradigm from network centricity to data or asset centricity. And if something comes up, then we know that we're able to go in there and provide evidence as to why the approach is going to be able to help us, because we are able to go in and set policies at a much more granular level, and this is driven by policies.
So the goal here for the enterprise architects in this model, as we walk through this case study, would be to go and take a look at the current state and the future state, and to determine now what are some of the things that we need to do in order to bridge these gaps. Which rolls back to what the CISO was looking at from his or her perspective around how we can enable the business, and taking a look at the security tools and the application rationalization that was the discussion that happened before, which ultimately then also rolls up to the executive decision on moving forward with Digital First.

So the CIO looks at this and then identifies what are the IT capabilities that we would need to go in and enable this. And within the Security Forum we've identified these particular IT capabilities, starting with data centricity, looking at how we can go in and enable this from a people, process and technology perspective so that we can afford and provide the necessary level of granularity from a security perspective.
We have threat scope reduction and risk avoidance, looking once again at both enabling the business but also helping them to manage the risk. Looking at secured zones: from a secure zone perspective, it's ensuring that we've got the right people accessing the right assets at the right time on the right devices, and this is all being driven by policy-driven access control. And then we've got the ability to automate the auditing capabilities, so everything that goes along with that: what are the reporting structures that we would need, what are the integrations that we would need to enable this, how are we going to be able to translate the business-level metrics into something that our development teams and operational teams would be executing against, and doing all of this in real time or near-real-time response. In a Digital First model, we want to make sure that we're moving as quickly as possible and that we are in fact transferring information digitally, while at the same time providing the necessary assurance across all of these assets that we are now protecting.

So the call to action would then be, from the perspective of Zero Trust, to identify what's the scope in terms of time, the cost, the resources. And this is where the incremental delivery would come into play: what do we have time for as a phase one, what is it going to cost us, and who needs to be involved with that? Second would be to identify the funding in order to implement Zero Trust. What is it going to take to go in and rationalize our applications? Are we going to need to include something new into our ecosystem that wasn't there before? And looking at funding and measuring that against the business value that would be provided against Zero Trust. The third would be aligning our objectives and our key results and making sure that we are really enabling where the business is headed, with the remote workforce, with the idea that we want to go in there and look at our supply chain
and seeing how we might be able to enable a rapidly evolving ecosystem around that. And finally, assigning accountabilities and dates for execution from a delivery standpoint. So, incremental delivery: making sure we've got the right accountabilities, we've got the right OKRs, we've got the right funding in place, and we know what the scope is. And each of these would then tie into where the CISO, the CIO, the Chief Risk Officer would go in and contribute towards this, to help us then make a business case and a roadmap for the executive team.

In the end, as we exit from the case study now, I just wanted to also let everybody know that, as part of Zero Trust, we would like to have lots of people get involved and make a difference in what we are doing. We've got a Zero Trust link there; you're welcome to come participate at The Open Group. We also have a Security Forum where you can participate in other projects as well. We have a survey that is right now going to be coming out. We've done one survey; we have another one that's going to be coming out soon. Watch The Open Group blog and email. Please do participate in that, because I have a LinkedIn group. So at the end I would invite everybody: please come in, participate, and let's help to evolve Zero Trust moving forward. And with that, I would like to open it up if there are any questions from anybody. Thank you.

Altaz, wonderful walk-through there, and you said it was going to be practical, and it was a set of practical steps, and very understandable and useful. So thank you for that, and again thank you for covering for Mark as well. We do think we've made contact with him, but you've gone through it all by yourself now. So a few things coming in congratulating you on the presentation, so thank you for that. A question that's come up: do you see that Zero Trust is inevitable as a direction, as an approach for security, in the world of digital transformation that we're all in now?

Yeah, we do. We saw this as a journey, and the current
pandemic has in fact accelerated this. As we go forward with Digital First, and that being the mandate in many organizations across many different industries, how are you going to be agile and nimble? Right, we've got to extend what we have been doing right now around a perimeter-based model to start to control the individual assets as well. And so Zero Trust fits very nicely into that kind of a paradigm. And so as we continue to explore this, and as we partner with others in the industry and other working groups as well, we're finding that this is the approach that lends itself very well to a Digital First mandate.

Right, and I think we're going to hear later in our session today about some of the digital standards activities that are going on in the open movement, and this is great because it's kind of pervasive. I mean, security needs to be part of everything, and it's great that we've got that activity going on there. And I second your call to action. You know, we need that. We have some great minds already working on this inside The Open Group, but we'd love to have more, and there's lots to be done. But in the interest of time, Altaz, we're going to move on. But thank you once again; a warm virtual round of applause for Altaz Valani.

Thank you, thank you.