
Implementing Zero Trust Architecture

BSides Islamabad · 2021 · 38:08 · 64 views · Published 2022-05
About this talk
Asif Hussain outlines zero trust as an enterprise security model rather than a product, covering its three core principles—never trust, always verify, and assume breach—and five implementation pillars: identity, device, application, network, and data. The talk explores why zero trust has moved from buzzword to necessity following high-profile attacks and government mandates, presents maturity models for each pillar, and discusses practical considerations for enterprises undertaking a zero trust transformation journey.
BSides Islamabad 2021 talk. Asif is a Director at Deloitte Australia's cyber risk advisory practice. He is an experienced cyber security professional with more than 14 years of experience in leading and delivering enterprise-class security solutions across a wide range of industries including financial services, energy and healthcare. Asif's core competencies are in Security Strategy Development, Security Architecture, Cloud Security, Application Security and Identity and Access Management. Asif is a SABSA certified security architect, CISSP, CRISC and AWS and Azure certified architect.
Transcript (English)

So we start with looking at why zero trust is again in focus. Zero trust has been around for many years; for almost 10 years we've been talking about zero trust, but it's back in focus recently. We'll talk about what zero trust is, so if you are new to the concept we'll touch on what the zero trust concept is about. We'll talk about why zero trust is abused, so essentially why it has become a marketing term, just a buzzword, and what the reason behind it is. We'll talk about why the existing perimeter-based security is broken, what the zero trust principles are, what the five pillars of implementing zero trust are. We'll talk about zero trust capabilities and the maturity models, and then finally we'll talk about how we actually go about implementing zero trust within the enterprise, what the journey for zero trust looks like, and talk about some key considerations for you to consider, and then wrap it up with a summary, and then we can have a Q&A session.

So, zero trust back in focus. You may have heard that on the 12th of May the U.S. President issued an executive order which directed all the U.S. federal agencies to adopt zero trust architecture. So why is the U.S. President talking about zero trust? We know this basically happened after the Colonial Pipeline attack, after which the U.S. President then issued this order, and very clearly in the order it was mentioned that the federal agencies now need to adopt zero trust. We're seeing more and more organizations and governments around the world moving towards zero trust. Just in October, a couple of months ago, Singapore announced a cyber security strategy which states that the Singapore government will move towards the zero trust model. And what we have seen recently with the COVID-19 pandemic, that has really been the catalyst to accelerate the adoption of zero trust across the world, where organizations are trying to provide secure remote access to their employees. The employees are no longer within the network, in the corporate office; they're working from anywhere, and organizations want to provide an alternative for their employees to securely access their applications. So this has been the recent focus over the last couple of years, and with the recent types of attacks that are happening, the Colonial Pipeline attack, SolarWinds, we are seeing more and more focus back on zero trust, so much so that now people are saying it's no longer a nice-to-have. It has been there for almost a decade, right, when in 2010 Forrester coined this word zero trust, but since then people have tried and failed and tried again to actually adopt zero trust. The technologies have been evolving, but now even the U.S. President is talking about it, the U.S. government is saying it's now going to adopt zero trust, so it's now become a necessity. It's pretty much here, and I think it's an area which we all need to have a good grasp of.

So what is zero trust? We know there are lots of interpretations of zero trust; I'll just take the definition from NIST. NIST has this document, SP 800-207, which describes zero trust as being a collection of concepts and ideas designed to minimize the uncertainty in enforcing accurate, least privileged, per-request access decisions in information systems in the face of a network being viewed as compromised. Though this particular definition is a mouthful, if you dissect it, what it is saying is that firstly zero trust is an enterprise security model. It's a concept, it's ideas, you can call it a methodology, you can call it a strategy, you can even call it a mindset that's based on a set of principles, but it is not a particular product or a technology. So don't go thinking that this particular zero trust solution is actually going to solve all your zero trust problems. Zero trust is basically an enterprise security model based on a set of principles, but it's not a particular technology. And the idea behind zero trust is that you remove any inherent trust from the network, or from the users sitting behind the network, or anywhere, devices and applications. So there's no implicit trust in the network, and the trust needs to be explicitly established and continuously verified.

So what does that mean? In security, trust is a very important concept: if two entities need to talk to each other, they need to exchange information, they need to trust each other. Previously what happened was that we trusted the network, the corporate network. So if you are in the corporate network you can send information, the user is considered trusted, the device is considered trusted. But now we are saying that that's no longer the case, as we will see in the next few slides: how the technologies have changed, the perimeter is no longer there, and we're talking about attacks which are happening inside our network. So the trust needs to be explicitly established. We're going to remove the trust from the network, but if we're not going to trust the network, how are we going to establish that trust? That would be based on a strong set of authentication that needs to happen, not just considering a password but considering a range of factors, your identity, your device, your location, your behavior, and making a dynamic risk-based decision on whether to allow the access or not. That is the concept of zero trust. So keep in mind zero trust does not mean no trust; in fact it actually increases the trust by evaluating a range of factors, not putting any inherent trust in the network or any entity in the network.

So why is zero trust abused, why are we seeing this becoming a marketing term? It's because firstly there's a lack of understanding about zero trust. Many of the security leaders, the CISOs, lack understanding about what zero trust is and how to begin the journey, where to start. What they are doing is they are selecting a particular product or a technology and they are then looking for the problems that they need to solve, so they're selecting a solution before they have identified the problem or the use case that they need to solve. Secondly, there's no industry standard or specification, so that NIST document, SP 800-207, is the closest to an industry guideline around zero trust. There's a lot of vendor material available, but there are no real industry standards or specifications until now; more will come now that the U.S. government is saying it's adopting zero trust, and we're seeing more and more standards and specifications to come in the future. Each vendor provides its own interpretation. Obviously each vendor wants to sell their product, so they try to describe their own way of solving a specific problem, and obviously we know that zero trust is such a vast area that there's no single vendor that can provide all the capabilities to implement zero trust. And given that zero trust encompasses such a large number of technologies, we are talking about securing the identity, the device, the network, the application and the data, there is no one product that will be able to solve this. Because there's such a large number of capabilities there's a lot of confusion about where to start and what particular area to target, and also there are various ways to solve the same problem. Say you need to provide secure remote access to your employees: there are various ways in which you can do it, and that's resulting in confusion about zero trust. And the last point, it's an emerging market, so even though the concept has been there for 10 years we are seeing new technologies coming in, the technologies are evolving, the solutions are evolving, and that's the reason why there is this continuous confusion about which particular solution to adopt.

So why do we need zero trust, what is the problem? Traditionally we had more of a perimeter-based security model where everything resided in the corporate network, so you were heavily investing in your perimeter: your firewalls, your IDS/IPS, your WAF solutions and so on, and everything that was sitting inside the network was being considered as trusted. So we had devices, applications, users, data, all sitting inside the network, and as long as they were within the network we considered them to have the same level of trust. So it's pretty much like a flat network, and anything outside the perimeter was considered as untrusted. So the investment, the focus, was on the perimeter controls. But the problem with that was, firstly, we started to see lateral movement. If the perimeter is breached, which we see very often, once the attacker is inside your environment they can naturally move into your network and basically be able to access all your applications and data using, let's say, compromised credentials. The second thing was the insider threats; this particular model did not look for insider threats. So essentially it was pretty much a flat network, and what we started to do was to create more and more segments to solve these problems. We started to add more firewalls in our environment, we created security zone models where we have, let's say, a production environment and non-production environments with firewalls in between, the users were put into their own LAN networks, then we had a three-tier architecture where we had the DMZ, the applications and the database all sitting in their own security zones. But pretty much they were all kind of macro security zones, right? All applications sitting in one macro security zone, all databases sitting in one, so basically if you compromise one you pretty much have access to hop into all the others. So this solution was having these problems with the current threats that we are seeing.

Another thing that you see is that anything that's inside the network was being considered as trusted, so there was pretty much a binary kind of interpretation of trust: either you're untrusted or you are trusted. Whereas we know that the concept of trust is that there are certain levels of trust; there's no one binary level of trust. Even in human society we trust different people differently based on our relationships and our interactions with them. So this model did not work, and what we started to see was that our technologies started to evolve, our users started to move outside the network and they were working remotely, they were working from anywhere, users wanted to access applications and data over the internet, we saw more and more unmanaged devices like BYOD devices being used by the users, the business applications started to move into the cloud, we saw more and more SaaS applications being used, so your Microsoft 365, your Dynamics, a lot of these business ERP and CRM solutions, Salesforce, being used as SaaS solutions, we saw more and more data moving into cloud storage like OneDrive, Dropbox and so on, and the applications were no longer being hosted in your server rooms, in your data centers, they were moving into the public cloud. And this whole perimeter started to disappear, it was dissolving. So that was where the application technology started to change. We are seeing an environment where the perimeter is no longer relevant, in fact the perimeter is disappearing, and because of this change we are seeing a more and more increased attack surface, because the distributed nature of the applications, the data and the users pretty much increases the attack surface which now needs to be protected. So how do we move towards a zero trust model where we don't rely on the network and on the perimeter controls, and instead we provide trust based on the identity and on the data-centric side of things?

So we talk about the zero trust principles. The first zero trust principle is never trust, always verify. We say that we treat each user, device or resource as untrusted irrespective of their location in the network, so every user, device and resource has to be verified before they are given access to a resource. And the second thing is that we don't just create trust based on a single credential, a single authentication factor, but we are going to use a range of contextual factors, whatever is available, as much as possible, to create the trust and to be able to identify what the risk of providing access is. So providing strong authentication with multi-factor authentication of the identity, authenticating the device, looking at where the user is coming from in terms of location, the behavior, is that a normal pattern for them to access this resource, making dynamic risk-based access decisions and doing that on a continuous basis, that is the kind of nirvana where we need to reach for zero trust. The second principle is applying least privilege access, so essentially making sure that the resources or identities are only being provided least privileged access, fine-grained access policies ensuring only the least privileged access is being provided. And the third, very important, principle is assuming breach. We assume that the environment that we have, the network, is already compromised, we assume that the adversary is already present in our environment; how are we going to protect our resources, our users, our devices in that environment, how do we verify all the connections, encrypt our traffic? So we assume basically that we are working on the internet; the corporate network is pretty much your internet, and you're continuously monitoring for suspicious activities that are happening. So these are the three very key principles of zero trust, and I think if you take away one thing from this presentation, remember these three principles: never trust, always verify; applying the least privilege access; and assuming breach.

And what we are going to do is take these three principles and start applying them to these five pillars of zero trust: identity, device, application, network and data. Then horizontally across them we have visibility and analytics, automation and orchestration, and governance to be provided around them. But the five pillars are these, identity, device and so on, and what we need to do is apply those three principles to each of these five different pillars. So essentially what it means is, with identity, we never trust any identity, never have any inherent trust in an identity, we always verify, which means we need to have strong authentication on the identity of the user or a system identity that's trying to access your resource. Similarly, second thing, we need to provide least privilege access to the identity, so that even if that identity gets compromised, even if it has multi-factor authentication and it gets compromised, we are restricting the blast radius, we are restricting the attack surface to only the least privileged access that that identity provides. And thirdly, we are assuming breach: we assume that the credentials will get compromised, which we see every now and then, we need to assume that a breach has happened, and then how can we have controls to protect it. So similarly, these three principles of zero trust we need to apply to each of these five pillars of zero trust.

The next is about looking at the zero trust capability maturity. So if we take these five pillars and then we identify what the different capabilities are that we would need to actually protect them, and then map it against the levels of maturity. If you see on those columns, level one, level two, level three, these are like levels of maturity that you need to achieve for each of these five pillars, and again every organization will have its own requirements and its own maturity model where it needs to be. For example, every organization is different, and if you are in a highly trusted, let's say you're a defense organization, you want to be at level three, you want to be highly secure in terms of all these pillars, whereas if you are, let's say, a smaller e-commerce platform you may have a different maturity requirement.

So if you look at identity, the goal is to provide strong authentication, so we are not relying on any single factor of authentication, we're not relying on any passwords, we want strong identity authentication using multi-factor authentication, combined with least privileged access provided to that identity, and the best would be to have continuous verification based on a combination of factors, not just the identity, not just doing the multi-factor authentication, but looking at the behavior of the user, the device that they are accessing from, location, and the risk of that particular access, and then making a dynamic risk-based decision. So for that we start off with, let's say, level one would be at least to have single sign-on in the organization, so every user has one identity, one set of credentials which they're using to access; that's the least level, right? We don't want users to have hundreds of different passwords which obviously will get compromised. Having identity lifecycle management, so the process for automated provisioning and deprovisioning, and identity federation where we can federate with our cloud services so that they are using the identity of the organization. The second level would be to have multi-factor authentication, so providing strong authentication using biometrics and those kinds of things, providing privileged access management, ensuring that privileged access is well protected, and having identity governance with processes to evaluate the access that was provided to the user on a regular basis. And the highest level, level three, that we would be looking at is having passwordless authentication, so using your trusted device, your biometrics to authenticate, having continuous risk-based authentication where you're looking at the strong authentication, the device, the location of the user, the behavior, to make a risk-based decision, and having just-in-time access: if they need some privileged access we provide just-in-time and just-enough access for them to access that resource. So this is the kind of maturity which we need to have, and this is one example of a capability maturity model. There are various capability maturity models available; I think recently the U.S. government also issued a capability maturity model for zero trust, it's the Cybersecurity and, I think, Infrastructure Agency which has recently published a draft of a capability maturity model. So you can use any capability maturity model and map where your organization sits currently and where you want to be after whatever number of years, or whatever your target state is, and then identify what capabilities you would need to actually achieve that.

So that was the example for identity; we will not go through everything for all of these, but let's just quickly go through the goals that we have for each of these pillars. For device, we want device authentication, we want device security posture verification, and we want enhanced endpoint visibility to ensure that only trusted devices can access resources, so we have enough endpoint telemetry and endpoint visibility that we have enough trust in the device that is accessing our resources. If we talk about applications, we want our applications to be secure by design. As part of zero trust we want to have continuous security testing which is built into the development and the deployment process for that application, we want access to the applications to be based on strong user and device authentication and using least privileged access. So the types of technologies that we will be building are defined over here, and again, pretty much every organization would have their own needs and their own requirements. So if you talk about, let's say, level three, it would be having automated application security testing which is built into your CI/CD pipelines, you break the build if it doesn't pass the security testing, you have continuous verification of the user's access based on identity, device and location to provide access to your application.

We talk about the next pillar, which is network. We consider the corporate network untrusted, so the internet is now pretty much the new corporate network, right? Users are accessing the SaaS applications and your cloud applications directly over the internet, and even your corporate network we consider the same, it's untrusted, and we need controls implemented to ensure only the authorized entities can communicate with each other irrespective of the location. So we will look at ingress/egress traffic filtering and monitoring, secure web gateways; that's level one, right, where we want to control the north-south traffic that is coming into our network. We talk about level two, it's encrypting the traffic, cloud-based web gateways, internal network segmentation, and if you look at the more advanced level three kind of controls, we would need micro-segmentation: basically having such small segments that if a user needs to talk to, let's say, five applications, those are the only five applications that they will be able to reach in the network, and they will not be able to connect to any other resources in the network. That level of micro-segmentation is possible with this kind of controls. We have network access controls to authorize what devices are connecting to our network, visibility and threat monitoring, so essentially having controls to have visibility into the traffic in the network, being able to decrypt the traffic that's coming, both the north-south traffic and the east-west traffic within our environment, and identifying threats based on, let's say, machine learning models and the behavior of the entities that are residing in our network. And then we have controls like ZTNA, zero trust network access, and per-application VPNs to provide secure remote access to users who are sitting outside our network.

For data, the goal for us would be to protect the data at all times regardless of its location, so whether the data is sitting in on-prem repositories, whether it's in cloud repositories, on end-user devices, BYOD, wherever the data is, the protection resides with the data itself. And we have things like discovery and classification of sensitive data so we know what our sensitive data is, where the sensitive data resides, and having strong access controls and visibility on how the data is being used and the movement of data, and for that these are the different types of controls that we would be implementing.

Now bear in mind these are five pillars; usually most organizations start off with identity. As we say, identity is the new perimeter: as the network perimeter is dissolving, identity becomes the core focus, so more of the solutions that we have for zero trust are identity-centric, they're device-centric. So having a strong view of your identity and a strong focus on the device, that is very important, so more and more organizations would focus on these two pillars first. Applications and network: if you want to change your applications and network obviously that would be more disruptive to the business; if you want to do more network segmentation and so on, that can break your environments as well. So if you are doing a good job with identity and device, you pretty much make application, network and data more kind of defense in depth, right? So if you do a really good job, a really strong identity solution and device authentication, that really reduces the risk of your environment, and then you can have some of these controls with application, network and data to further reduce the vulnerabilities, but the focus should be identity and your device security.

So, not sure how much time I have left, but let's talk about how we embark on this zero trust journey, so essentially what do you start off with. A lot of security leaders are not sure where to start in the zero trust journey; as you saw in the last slide there are so many different technologies, so many different pillars. The first thing that any organization should do is to incorporate zero trust in their strategy: first to assess their own maturity within the zero trust journey, where do they stand today, what is their baseline, and then from there they should identify what the use cases are that they need to prioritize, what the problems are that they need to solve, what the quick wins are that they can do for their organization from a zero trust perspective, so that they can move towards their target state. Remember the target state will be different for every organization. As I said, you can be a nuclear power plant, your target state will be completely different from, let's say, if you are a retail supermarket or an e-commerce platform, right? So your target state has to be unique for every organization, which means that your zero trust journey will be unique for every organization. So you start off with identifying where you are currently, what the target state is that you need to be in, and then identifying what initiatives and investments are required to reach the target state, and then you create a roadmap of how you will deliver and achieve zero trust over that period of time.

So start off with the strategy, and then get the executive and board members' buy-in, so business should see it as an enabler. The security leadership should be able to convince their executives and board members why they need to move towards a zero trust journey, why it has become a necessity, how it enables the business. The business may have certain priorities in terms of digital transformation, in terms of moving into the cloud, so we need to explain to the business how zero trust would help them achieve those strategic outcomes. Sorry, Ali, from a time perspective am I doing well, or how much time do we have left? "Yep, we are almost there." Okay, so let me just quickly finish up the slides in the next five minutes, thank you.

Providing clarity and the outcomes to the executives, so that's the second point we discussed, and then inculcating the zero trust mindset and culture within the organization. So you start off with incorporating zero trust within your security standards, your architectural principles, making sure that anything new being developed must comply with those zero trust principles as much as possible, and whatever security controls you already have in your environment, make sure everything follows the zero trust principles. That's basically starting off with the zero trust journey. The next step would be to identify your use cases and requirements. As I mentioned, you have done your strategy, now you need to know what the use cases are that you need to prioritize. You can't solve all the problems at once, so you need to prioritize which ones are going to give you the most benefit. So do not select a product first before you have identified your requirements and your use cases; that's very important, and I think that's one of the mistakes which we see a lot of security leaders making today. Focusing on identity and device security: as I mentioned today, the device is basically an identity, this is your new first line of defense, right? The perimeter no longer exists, so users are using their identity to authenticate with business applications residing in the cloud, so identity and device should be your first line of defense. It should be your priority to have strong identity and device security, and this provides the most security benefits and also improves the user experience, and it will be relatively less disruptive as compared to having network and application transformations happening to start with. If you are moving towards cloud, using cloud-native security controls would really help to accelerate the adoption of zero trust, because we have native controls available within the cloud that help us achieve zero trust, like you have least privileged access with identity and access management controls, micro-segmentation with security groups, and so on. And identifying and prioritizing critical assets: you need to know what your key assets are that you need to protect, you can't start with protecting everything, so when we start off you need to know what the high-value assets are that you need to protect with the zero trust solutions.

In terms of key considerations, remember that technology is evolving, so if you do choose a particular vendor solution, you don't know how long that solution would be available in the market because the technology keeps evolving, so make sure you choose solutions which provide for vendor flexibility and you avoid any vendor lock-in in your architecture. Remember the cost is going to be a factor; implementing zero trust across the enterprise, across the five different pillars, is going to be a costly investment, it's not trivial, so you prioritize your use cases, you choose the use cases that you want to implement, and then you pilot to demonstrate the benefits to your business. Some of the solutions can cause business disruption, like network segmentation, so you need to be careful of what you select as a solution, and make sure you do not choose your most critical and high-value application to pilot. I saw one bank trying to secure their payment gateways, and they said okay, we're going to have micro-segmentation for the payment gateways; that created a lot of anxiety within the executives because they thought if this breaks the whole payment system stops working. So make sure you don't choose such high-value assets to prove the technology and to do your pilot kind of deployments. There will be a lot of legacy solutions in your environment which may not support the modern zero trust technology, so be careful, you may not be able to implement zero trust everywhere, and we may just need to wait for these legacy solutions to retire, or you choose some other type of technologies to protect them. And finally, stakeholder support is very important throughout the journey, right? This is going to be a long journey, you're implementing zero trust throughout the enterprise, ensure the stakeholder buy-in throughout the journey, demonstrate benefits to them to get the business ownership. And lastly, it is a journey, right, so it's going to be an incremental process to move towards the target state, so every organization will be unique and they will have their own kind of journey towards achieving zero trust.

So to summarize, the last slide: zero trust is an enterprise security model of choice, it's not a specific product, it's not a specific technology, it's based on a guiding set of principles. We talked about those three principles: never trust, always verify; applying the least privileged access; and assuming breach. We take these three principles and we apply them to the five pillars of zero trust, which are identity, device, application, network and data, and then we identify what capabilities and controls we need in our environment to achieve a particular maturity in the zero trust journey. Remember we start with incorporating zero trust in the security strategy, so we identify where we are in the zero trust journey, perform a maturity assessment and then define your target state, know the use cases, know the requirements before you jump into any products or any

solutions we have to be very clear what your requirements are before you select a solution and lastly zero trust is going to be a journey it will be a gradual process but zero trust is here to stay you're seeing the us president talking about it you're seeing other governments and entities talking about it each organization will be unique and will have its own journey so i think that's the that's the last message that you know make sure that you plan it out and you show the benefits and the how it reduces risk to your to your business and to your stakeholders i think that's pretty much wraps up my presentation and i think if you have

time you can take any questions uh thank you that was really that was really good topic i would say as i mentioned in the start you know it's a hard topic and whenever you know you talk to the vendors and the solution providers i think zero trust is the thing you they are talking about but i think it's good you know when we discuss the five pillars of zero trust including identity device application network and data so the question we have as you already mentioned in your slide that if an organization go to that journey to have a zero trust implementation meeting the five pillars that would be a costly journey is it absolutely it will be quite costly

actually if you choose all the different fi all the five pillars at once yep so is it possible the question is like is it possible the organization is not mature much mature in the security maturity as well in the budget as well to getting from the board you know buy-ins and the budgets and all that stuff they can tick the box like two pillars or three pillars out of five and they can still say you know we are like a sort of a compliant are we meeting the zero test architecture or you have to be fully compliant like meeting five pillars no absolutely you have to choose your own use cases and you have to know what

is important to you every organization will be different if you are talking about let's say a nuclear power plant where it doesn't have any internet-facing users has very highly critical applications the network-based security the network pillar will probably be more important for those type of ni but if you're talking about a more cloud-centric uh environment or more cloud-centric uh organization then the identity and the device because the users are accessing from anywhere uh the application those pillars would be more important so you need to choose your use cases and absolutely you're right nobody will be able to be hundred percent across all these five pillars in fact we haven't seen anyone in respect of how much

budget they have to achieve 100 throughout the environment so what we need to do is to basically progress step by step incrementally and choose what are the areas where you need to invest and as i said most organizations right now are focusing on identity and device the two reasons for it one the solutions here are more mature the identity solutions are more mature the device solutions and we have good solutions available to provide risk based authentication and based on the device security posture and these basically two pillars can help you reduce a lot of the risk within the organization which means the other pillars like application network and data they pretty much becomes defense in depth they become

your network becomes less relevant if you have a very strong identity uh kind of uh solutions so absolutely we need to very good question and we need we need to choose the use cases thank you the next question is is it the same architecture applies on the industrial control systems or operation technology architecture as well because mostly these specific ics the plc infrastructure and card infrastructure most have the legacy environment so does that apply to same isis environment as well we can apply the same principles the xero trust principles will always apply irrespective of the use case and irrespective whether it's an i.t environment or the ot environment so even for those sporty scada environments

where those legacy protocols and legacy applications running you can apply the same principles but the controls the technologies and the solutions will be different so for example if it's a ot environment which you want to isolate or have some kind of a protection we have other types of controls or network-based controls let's say one-way diodes where we can you know protect the or isolated provide an air gap environment for the for the starter systems so your controls may be different but the zero truss principles apply there there will be possibilities where they are as i mentioned legacy applications but you can't apply zero trust because they don't support the zero trust technologies and you know those kind of

things for which you will need to have more compensating controls built around them but yes absolutely uh the principles apply to both ota and id environments thank you the next question we have the by continuously verifying trust within the network i assume that we will be always verifying the communication between two devices first and doing it each time will degrade the performance how zero tasks architecture affects the performance of the systems it's a very good question and i think that is one of the concerns uh that we have uh if we are doing continuously verification of the the information does that impact the performance uh again basically it can uh depend on different types of solutions so if you're talking

about a human user trying to access a particular application uh they basically go through some kind of a trust broker which will identify what's the level of trust in the identity and in the device and being able to provide a risk-based decision and it could be that this is happening in a different let's say a control plane and the data plane are separate so you are connecting to directly to the application through the data plane but in the control plane at the back end it's again continuously checking whether the device posture has changed whether the location of the user the risk has changed so there are solutions that can be built but when you basically talk to your vendor ask them

that question of you know how does it impact the performance of my application if it's doing continuous verification is there any way in which it can protect it so there are different types of solutions there are end users initiative solutions they are gateway-based solutions and different solutions will have different ways in which they can do continuous verification cool and the last question we have the they understand that zero trust architecture would be a costly thing but don't you think if a single machine how it changes the threat landscape if an organization has implemented zero trust architecture like if a zero machine single machine is compromised would not that be possible to attack other machines in the same vulnerability in

the same environment if it not zoned properly and that is exactly the problem we are trying to solve that you know we assuming breach the third principle is that you will be breached you will have machines in your environment that are compromised endpoints that will be compromised and that's where we want to make sure that we never trust any device right we always verify so even if one device has been compromised that device only has access to firstly a specific applications they cannot access the whole network they cannot spread ransomware or malware into all the other environments and then every time this device tries to make a connection to a resource we are trying to authenticate based on a number of

factors the identity of the user the the device security posture if you have let's say a security uh endpoint solution let's say an edr solution running we would try to see if there any alerts coming from that particular device uh and making a risk-based decision whether to allow access to that device or to that from that from that device and then uh so so that that's exactly what we are trying to do is to you know we assume that the devices will be breached but we don't want to we want to reduce the blast radius from that device we don't want the malware to spread in what into the environment by providing least privileged access and always verifying

based on a number of factors not just on the uh one factor of you know the user's identity cool thank you that was the last question we had and thank you so much for presenting and besides and taking our time for that one it was really good topic and i would say close to you know everyone's heard because this is the buzzword which everyone is discussing and you know you explained it very well you know what is the zetas architecture and why organization should be going carefully thank you very much my pleasure and i'm excited to look at to hear all the other exciting presentations today thank you have a good day bye

you
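The trust broker described in the last two answers (a control-plane decision based on the user's identity, the device's security posture and open EDR alerts, scoped to specific applications, and re-evaluated whenever the posture changes) as an added example; this is not code from the talk or from any vendor product. The application policy table, the role names, the posture fields and the sample devices are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Identity:
    """What the identity provider asserts about the requesting user."""
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class DevicePosture:
    """Signals a device-management agent and an EDR would report (constructed fields)."""
    device_id: str
    managed: bool              # enrolled in device management
    disk_encrypted: bool
    os_patch_age_days: int     # days since the last OS patch was applied
    edr_alerts: int            # currently open alerts from the endpoint agent


@dataclass
class Decision:
    action: str                # "allow", "step_up" (ask for MFA / remediation) or "deny"
    reasons: List[str] = field(default_factory=list)


# Constructed least-privilege policy: which roles may reach which application,
# plus the posture bar each application demands. Anything not listed is denied.
APP_POLICY: Dict[str, dict] = {
    "payroll": {"roles": {"finance"}, "max_patch_age_days": 14, "require_mfa": True},
    "wiki": {"roles": {"finance", "engineering"}, "max_patch_age_days": 30, "require_mfa": False},
}


def evaluate(identity: Identity, device: DevicePosture, app: str) -> Decision:
    """One access decision: never trust the device, always verify identity and posture."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision("deny", [f"no policy for application '{app}'"])

    # Least privilege: the identity must hold a role granted to this application,
    # so a compromised device never reaches "the whole network", only its apps.
    if not (identity.roles & policy["roles"]):
        return Decision("deny", [f"user '{identity.user}' has no role for '{app}'"])

    # Hard posture failures: an unmanaged or unencrypted device, or a device the
    # EDR is currently alerting on, is denied regardless of who is logged in.
    hard_failures = []
    if not device.managed:
        hard_failures.append("device is not managed")
    if not device.disk_encrypted:
        hard_failures.append("disk is not encrypted")
    if device.edr_alerts > 0:
        hard_failures.append(f"{device.edr_alerts} open EDR alert(s) on {device.device_id}")
    if hard_failures:
        return Decision("deny", hard_failures)

    # Softer signals raise the bar (step-up) rather than block outright.
    if policy["require_mfa"] and not identity.mfa_verified:
        return Decision("step_up", [f"'{app}' requires MFA"])
    if device.os_patch_age_days > policy["max_patch_age_days"]:
        return Decision("step_up", [f"OS patches are {device.os_patch_age_days} days old, "
                                    f"limit for '{app}' is {policy['max_patch_age_days']}"])
    return Decision("allow")


class Session:
    """Control-plane view of a data-plane session: the decision is re-run on every
    posture change, so an allow can turn into a deny while the user is connected."""

    def __init__(self, identity: Identity, device: DevicePosture, app: str):
        self.identity, self.device, self.app = identity, device, app
        self.decision = evaluate(identity, device, app)

    def posture_changed(self, new_posture: DevicePosture) -> Decision:
        self.device = new_posture
        self.decision = evaluate(self.identity, self.device, self.app)
        return self.decision


if __name__ == "__main__":
    # Constructed sample: a finance user on a healthy managed laptop.
    alice = Identity("alice", frozenset({"finance"}), mfa_verified=True)
    healthy = DevicePosture("lap-01", True, True, os_patch_age_days=3, edr_alerts=0)
    session = Session(alice, healthy, "payroll")
    print("initial:", session.decision)
    # The EDR raises an alert mid-session; the control plane re-evaluates and revokes.
    compromised = DevicePosture("lap-01", True, True, os_patch_age_days=3, edr_alerts=2)
    print("after alert:", session.posture_changed(compromised))
```

The separation the speaker describes is visible in `Session`: the data-plane connection is not in this code at all, only the control-plane decision that gates it, which is why re-evaluation on every posture change costs an evaluation of a small policy rather than a re-handshake of the user's traffic.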