The Evolution of Zero Trust: Next Gen Access
Nick Fisher: Good morning. How are we doing today? See a lot of coffees on tables, that's a good sign, probably smart. My name is Nick Fisher, I am the Security Product Marketing Team here at Oktane. I've had a lot of conversations with you guys over the past couple of days here at this conference and what is clear to me is that this is a self-selecting group of forward thinking individuals and organizations who are thinking about a modern approach to enabling their business.
Now, with that comes the need to think about a modern way of securing your business. The concept of Zero Trust came up a couple of times in the keynote this morning from Freddy and a few others. And I get asked a lot about Zero Trust and how identity fits into this modern security model. So I'm super excited for this session today because we're going to be joined by Doctor Chase Cunningham of Forrester Research, who's going to talk about how Zero Trust has evolved and the latest about leadership allowing that security model.
And then after that, I'm going to bring on Ayo Obasanya from Funding Circle and we're going to talk about how they've implemented Zero Trust as part of their security strategy. So let's get to it. With that, I welcome Doctor Chase Cunningham to the stage.
Chase Cunningham: Thanks. I wasn't at the party last night but I did fly in around midnight and I'm pretty sure from about 18,000 feet, I saw half of you making trouble so I feel you for drinking coffee. So, yeah, I'm one of the principal analysts with Forrester, I cover security and risk. We're going to talk through some sort of concepts within the industry itself, we're going to talk about the problems that we see with what's going on in the space.
We're going to talk about this whole thing about next gen access and then we're going to really run you through Zero Trust and the evolution of Zero Trust. How many folks in here, other than this morning, have actually heard of Zero Trust before?
Oh that would make John Kindervag so happy. He would be a very, very happy guy. So, the way that I look at the industry really is I think that what we have is a FUD problem to start with and bear with me. This is not technology, that's a mosquito for anyone that's wondering. But what we're talking about is fear, uncertainty and doubt.
How many folks went to RSA this year? Right? I was there, 600 plus vendors, and a lot of what you get is talks about the fear, the threat, the bad stuff that's coming, right? Malware this and North Korea that. And Chinese hacking there and et cetera, et cetera. Like, it's bad, we all get it. Is anyone not aware that smoking cigarettes is bad for you? We don't need to be told that again and again.
The reason I talk about FUD and bring up a mosquito is, this is how simple the solution in security can actually be if you think about it in a little bit different manner. So when you see a mosquito or you hear a mosquito, it's really not that terrifying. Most of the time what do you do? You get pissed off, probably, cause you're worried about it biting you. But you find it, you'll slap it, you'll spray it with something or whatever else. It doesn't cause fear, necessarily. Doesn't cause uncertainty or doubt, you're just like, "That damn mosquito is coming around again, I got to get rid of this thing."
When you see that, if you're getting ready to get in the water, the fear, uncertainty and doubt level goes through the roof, right? Like, I literally get into swimming pools and I still, for about half a second hear that theme. Right? And it's not because I've ever encountered a shark but it's because Jaws scared the crap out of me as a child, like most of us. And because of the fact that it's a really bad thing for me to think about being torn asunder by some giant fish swimming around.
But when you break away from the fear, the uncertainty and doubt of getting in the water and things like that, what I should actually be scared of is that damn mosquito. That mosquito is problematic. Almost a million people a year die from mosquito-borne illnesses but how many of us are terrified or have fear, uncertainty and doubt about a mosquito flying around you?
Sharks kill about 15 people a year, however, come on, I promise you, when you get in the ocean, wherever you are, for a second you think like, "I wonder if one of those things is swimming around here?" It's the same thing. So you've got malware and all of the bad stuff and all the nasty things that you hear about in the news. That's the shark, like we're all scared of the shark, the fear, the uncertainty, the doubt of that animal swimming around the water when in reality, the mosquitoes, the small things that are the problem. Now here is our simple solution to cure this issue.
How do you get rid of being afraid of sharks? What do you not do? Get in the water, right? Problem solved. How do you get rid of mosquitoes? A net, some spray or a malaria pill. Not that hard to get away from the FUD, that's what we got to start doing in the industry and stop thinking about all the bad things all the time. We get it, it's bad. Let's move past that. And that's where Zero Trust comes into this strategically.
The problem that we have along with folks not adopting Zero Trust, really, is what we have here, Jurassic Park, right? Unlimited resources, they literally created dinosaurs, they had no expense spared and they had one dude running all of IT. And if it didn't work out for Samuel Jackson, how well is it going to work out for any of us? But this is really what you run into. I mean, on average, when we talk to organizations, their IT organization is a very, very small part of a larger infrastructure.
So, you're trying to do all of those things, anti-malware, email, phishing, all these compromised things, encryption, DDOS, whatever and you've got one or two or three people running the entire network. If you don't have a strategy behind it, you're never going to get it right.
Just to drive the point home a little bit further on this, we actually go out and collect data about this and we went and we asked in 2015, is security getting better? Are we solving this problem? And a lot of organizations said, "Yeah, we kind of think it's getting better, but it's not solved yet." Now, if that was 2015, 2016ish time frame, when you went to RSA you would see that there was probably 400 something, 500 vendors maybe? Fast forward to 2017, 2018 timeframe, when you go to RSA and there's 600 plus vendors in the space and you ask the same question, are we getting better at security, are we solving the problem?
53% said, "Actually no, we're getting worse. It's getting harder to do this." So it's obviously not a problem of the technology that's available. If there's 600 vendors in one space, selling security solutions and we haven't solved the issue technically, then that means we have a problem strategically, it has nothing to do with the technology that is available. I promise you that if you get the right technology and apply it in the correct ways with the correct strategy, you can solve the majority of the problem.
I will never tell you that you will be 1000% secure but the goal in security is not to be 1000% secure. The goal for me, in security, is to have my network be harder than yours so they go after you. This is a zombie marathon, folks. If I'm running and you trip, I'm not stopping to tie your shoe.
The common threat, if we still break it down, where does the problem actually exist, why aren't we fixing this, why do we feel that 53% of us still say it's getting worse, what's the common thread in there? Well, it's us. We went out and asked, we said, "Where do threat vectors come from? Where do you get exploited? Tell us what causes compromises?" Across industry, manufacturing, retail, financial services, public sector, health care, they all came back and said, "Ransomware, phishing and social engineering."
What is required to make any one of those things actually cause a problem to a system or network? Everyone in here should raise your hand cause it's us. We're the problem, people. So again, strategically, it's not that hard to figure out where we go after things, what we should fix.
Driving along to that, it really is the shotgun approach doesn't work. So we have organizations that get breached. Has anyone not heard of the breaches that have occurred in the last few years? Last year it was a billion records plus, I believe, stolen. It's not that organizations aren't doing anything. We were still sitting there wondering, "Well, if people are the problem, what do we do to fix that problem?" Cause breaches occur, and bad things continue after the breach. Are organizations just sitting there and not doing anything?
And they came back and they said, "No, we're doing stuff. Lots of stuff." And it typically goes like this. They start hiring more people, they try and do two factor and then they do lots of things around prevention, anti-malware detection, those type of things. Then they'll go off and do more auditing because everyone loves doing audits, right? Audits solve the problem.
They'll spend more stuff on detection and then they'll actually outsource. And then finally, the last kerfuffle here is, they'll do more detection, more endpoint, right, it wasn't enough to do endpoint. It wasn't up to detection, now we're going to buy endpoint detection stuff. And then we're going to buy internet response programs and then we're going to offer two factor to the last group of people that we think we should offer two factor to which is actually our customers and users.
It just doesn't work cause you wind up doing this. You're chasing point based solutions to solve a strategic problem and all you do is put your fingers in the dam. If you're lucky, you might slow the water down a little bit. So it's really not a problem of does the technology exist. The technology is there. It's not a problem of is it an issue that we don't understand. No we understand it. It's a problem of where do we apply the technologies with the right strategy and the right ways to solve the actual problem and make those strategic games, get those wins.
When you really think about security as it stands today, this is what you wind up with. And I'm retired military so I'm pretty sure I saw this guy on my last appointment. This is actually what perimeter based security looks like when you break it down. If you've ever logged into a system and you've had to go through those tedious things that make it hard for you with multiple log ins and multiple this and multiple that and then you've got [AB 00:10:29] running over here and you've got network stuff causing problems in your VPN or whatever else.
You wind up with really great rings of barbwire but sooner or later, you wind up tangled in the barbwire, trying to get through that and then, who wants to use that security solution? If it's not easily implementable, if it's not something that you can leverage and it doesn't fit the strategy that you're putting in place, you will wind up like poor soldier [shmaketely 00:10:54] here, trying to figure out how to use barbwire.
So getting into Zero Trust. We all understand the problem, what does Zero Trust actually do for us? Why should we subscribe to this methodology and this practice? Well, in 2013, John Kindervag, who was the analyst at Forrester running Zero Trust sort of introduced the concept and it was really focused on the network and he basically said, he's from Texas just like me, he said, "Don't trust nothing in a network." Which is great. But, it wasn't really enough.
So John was still doing that and then running around and reaching the gospel of Next Generation Firewall and network security and fixing those issues but it kind of stayed there. So Zero Trust is moving well beyond that. We've got people coming up doing a talk about Zero Trust. What we're actually asking you about is does this meet your strategy? Is this stuff that you're doing? And just to prove the point that it wasn't just Forrester telling the strategy, we went out and asked, "What extent of your organization's security actually looks like Zero Trust?" Cause we wanted to make sure it wasn't us putting a strategy out there.
And 75ish% basically came back and said, "Even if I don't know exactly what Zero Trust is, those are the things that I'm doing or I'm trying to do or will be doing to fix security as it stands in my environment." So that was validation to us that John's initial point in Zero Trust of not trusting anything on the network and trying to fix things strategically with the right solutions at the right times and the right technologies was there and it was validated by organizations all over the world, saying that they were doing it even if they had never heard the term Zero Trust.
The old Zero Trust was John's implementation of hardcore network security. Next generation firewalls, micro segmentation, isolation control the network. And that was kind of it. It just stopped there. John was great about preaching that gospel, he still does it today, the network is absolutely critical. But it was the same thing as if you went to a physical trainer and said, "I want to get Buff." And they said, "Well, let's go to work out."
That will help, it'll do something, it'll get a little bit better, but I pretty much think this guy is going to go to the emergency room as soon as the session is over. But I mean, if he sat there on that ball and he kept doing squats all day long, sooner or later, by default, he would have to get a little bit better. That's what the old Zero Trust was. Was if you focus on the network, and you do network type things, you'll get better in some instances. But you will have a worse secure network but we all know that there's bigger things than just the network to secure, especially strategically.
So we had to evolve that and we said, "Okay, well, let's take the personal trainer thing and sort of move that forward and we want to develop muscle and athletic strength. That's The Mountain by the way, there, lifting 1,100 pounds which is impressive. But the thing about that is, when you look at those guys that perform at that level, they don't just go to a personal trainer and say, "Make me buff." They go to people that have PhDs and understand strategically with a framework of how to actually do this and get bigger and stronger and faster. You will eat these many carbohydrates, you will sleep this much, this is how much protein you take in a day. This is how many reps you do, et cetera, et cetera. This is how much water you drink.
That's what we've done with Zero Trust and move it into ZTX. We have a more formalized framework that actually applies all the things that you have to do to get better and secure and I'll show you where that applies to in just a second.
So, back to that point we made earlier. What are the bad guys after? Is the network really where security should reside? Will Zero Trust and its old iteration fix the problem that we have strategically? Probably not because here we are in 2018 and where the bad guys still go after when they get into networks. Yes, they go after payment card information, because they resell that stuff in the underground and make a lot of money off of it. They go after healthcare records, yes, because they sell that and make money off it as well. But really, they go after PII and they go after authentication credentials, passwords and usernames. Why do they do that? What do you get when you have a username and password on a system, especially when it's going to be good for at least 89 days before they change the login?
They target PII and credentials because it allows them to get deeper into the network, it allows them to do things as a validated user and for those of us in here that run, manage, maintain, build apps and things like that, we are the targets that they want to get so that they can laterally. It doesn't really make sense for bad guys that have limited time, limited resources to try and go after things that do not directly benefit them. If we're going to solve the problem of where the compromise actually starts, where it exists and where it begins and where it allows lateral movement, we've got to focus on where we fix the issue that the bad guys were going after.
Chase Cunningham: So authentication is now key to any zero trust strategy as well as the ZTX evolution. Stolen and recycled passwords are always an important issue, poor access control management leaves people with access to everything and authentication strategies have not necessarily evolved in the last 15 years. You probably have a password and username in here, right? Did you have a password and username fifteen years ago? It hasn't changed that much. How many folks have got some crazy biometrically enabled like face scan thing that you log into stuff with? One guy in the back, okay, sure. Your phone, right? All right, well I'll give you that one.
But in truth it really hasn't changed that much. It's mostly the same thing. On most enterprise systems, you get in with a username and password and credentials and then you do things within that system based on what you're allowed to do, or in theory, what you should be allowed to do. Because no one in history has ever gotten to the system and dumped creds and move themselves up to an administrative level and then start doing other things. Right?
The reason that we're pushing next generation access into zero trust and ZTX as the framework is because it makes sense and it solves that problem. When we think about the FUD and getting away from the FUD, not worrying about whether or not it's a mosquito or a shark, but spraying some stuff on and not getting into the water. What we can do is apply next generation access into that system so that we can do these things and actually fix the problem. Strategically. Technically. Correlation between accessors and users.
If you are logging into a system, you should be able to do what you need to do for your job, for that session, for that asset, and that's it. And when you're done, you should be pushed out and the session should be terminated. Should be correlated as well. Single sign on for users. Why do we want single sign on for users as part of next generation access? Because it makes security easier.
Like if you have SSO, you don't have to log in five, six, seven times. You have SSO, you just keep doing what you're doing and it keeps going. Life gets easier. Everybody likes easy security, easy security breeds wins. Easy security breeds better security.
Multifactor authentication. MFA is one of the single most important things that you can implement to fix security. Period. Does everybody remember about five, six, maybe seven years ago, we used to go to the gas station, just swipe your card and then drive away with the gas. Well then they said, well, we're having all these fraud things going on with credit cards and people stealing things and they implemented where you have to put in your PIN number or your zip code. They saw a 97 percent reduction in fraud in one day with that one simple thing.
So I mean, if you can put something that simple, multifactor authentication, even if it's at the credit card level, into a system, and drop the threat vector by 97 percent, why would you not do that? That has to be part of next generation access.
It's got to have some form of machine learning or automation, because what we went back to in the beginning, right with Newman's sitting there trying to run Jurassic Park, he can't do that himself and if he does, he probably writes his own scripts in his own things that you don't have command and control over and it does bad things. We don't want that to occur.
And it's got to be integrated at the security and the network layer and it's got to be aligned with the ZTX ecosystem. And I'll show you why that matters so much to be aligned with ZTX because strategically we're trying to say this is the technology that integrates with the solution that solves the problem based on the framework.
People and data are the perimeter. The network perimeter does not exist anymore. Think about it. When you go home, when you take your laptop home, you just brought the company, enterprise network perimeter home with you. And then everybody at some time or another, I know I have kids in my house. Sooner or later they need to do a homework assignment. They jump on your machine. They do something. You don't sit there and watch. Lord knows what they click on. They could actually introduce the threat just by doing their homework. People are the perimeter, data is the perimeter. That's what you need to focus on.
Identity is what drives all of that. I need to know who's doing what when they're doing what, why they're doing what, and be able to have command and control and response capability to fix that. The network is where the threat exists, but to fix it, you focus on where you can make the greatest gains and that's by fixing identity.
So where that applies to ZTX, which is the evolution of zero trust, right? So we're going from going to the personal trainer and working out to now, how do we formulaically, strategically, with the framework, fix this issue. How do you take this to the people in leadership and management and say, this is what we're going to do? Well, what we're going to do is, we're going to follow zero trust tenets, we're going to use the ZTX framework, and the first thing that we're going to focus on is next generation access because we can get the greatest gains and start winning in that space. And if you've ever run stuff in front of the board, when you start getting small wins, you can go back and get bigger wins and it just keeps going. If I can fix identity and I can fix the people issue in the framework, that's an easy win. Then I can go back and say, well I fixed that. Let me fix data. Well I fixed data. Now let me fix networks. And you just keep going on and on from there.
But this is why the framework is this, because it's easy to see how vendor technology fits into this framework for a usability problem that solves that issue, right? We're talking about Okta because we're here right now. Okta's integration is very easy to see how it fits within ZTX. It applies to networks because it can do firewall and can control multifactor authentication and it can do authentication for identity on prem and off.
Visibility and analytics. Identity contributes to log info, partner detects anomalous behaviors, and the user moved into a high security group. Where does that solution from that vendor apply to their framework? Easy to see right there, ties directly in. Workloads. Privileged accounts must authenticate with identity and they can use SSO. Easy to see where it applies, where it's used, the problem that it fixed and it's easy to go back to the leadership and say, this is the vendor solution. This is the problem. This is where I want to put them. Same sort of things for devices. There's plenty of things out there that secure devices, but guess what? They all require identity which requires next generation access to fix that issue.
And the last and most important part of this whole thing is the data side, right? If I can secure the data and I can keep the bad guys out from getting the data, it really doesn't matter to me that they're in the network. From a strategic concept, if I can control access, if I can control identity, if I know who's doing what, where, and I have a framework that I can leverage that's clear and concise and shows where the vendors fit, where the problem exists and how I fix it from day one, I can keep them from getting away with my data. And that's the single most important thing in security, right? Is to keep them from getting the data. No one breaks into a bank to say they're in a building. They break into a bank to take money. No one breaks into your networks to say that they're in a network unless they live with their mother and have nothing else to do. They break into your network so that they can get data and go off and resell it. If you have control of identity, you have control of access. You leverage your framework and you're focused and you start with small wins and go forward strategically. You almost can't go wrong in this.
That being said, that was a lot of stuff to ingest in 22 minutes. I'll be around for questions afterwards, but that's really where we've come with from the evolution of focusing entirely on the network and doing network security and next generation firewall, to where we are now, where we're focusing on enabling the broader spectrum of controls, leveraging vendor solutions and technologies and figuring out where they fit into a framework so that they can be applied to fix the problems that matter first. In my opinion, that's identity and access management.
Nick Fisher: Thanks Chase, that was great. This concept of next gen access resonates with us a lot at Okta. You saw that in the presentations in the keynote this morning, the vision and the roadmap around contextual access management. So, to talk a bit more about this, we're going to bring up an Okta customer, Funding Circle. Ayo from Funding Circle has joined us from across the pond, so, why don't you join me on stage. Give a round of applause for Ayo.
First off, how was the party last night?
Ayotunde Obasanya: It was great. Had such a great time. Hope everyone had a great time as well at the party.
Nick Fisher: See a guy with two red bulls on the table, he probably had the best time out of all of us. I'll party with you tonight. All right. Why don't we just start by you giving us a brief intro of Funding Circle and your role there?
Ayotunde Obasanya: Yeah, sure. So, when Funding Circle was started, we realized there was a problem where businesses found it difficult to get access to funding to grow their business. And we saw the investors were having a bad deal as well. They weren't getting good returns on their investment. So we had a simple idea. We said, well, why not connect the two together? So essentially what we did was we built a marketplace lending platform to connect both investors and borrowers. So that businesses would have quick access to funding to be able to grow their business.
And since then we've been able to lend to about 40 thousand businesses globally. We've been able to lend up to $5 billion and by doing that we've injected about 100 thousand jobs globally, by creating that funding. So for us it's using the best breed of technology, allowing credit worthy businesses to come onto the platform to be able to essentially get fast access to funding.
And in my role at Funding Circle, what I do is help the business achieve their goals and objectives in terms of our IT strategy, making sure that we use the best breed of automation, we're efficient, cost efficiency, IT governance, ensuring that we drive towards employee productivity at all times, making sure that they work within a secure framework, being that security custodian, and ensuring that the two areas I look after, which is our corp IT and our development operations teams, essentially align with our goals. And for us, we're currently in the United Kingdom, in continental Europe and the United States. So that's a brief background about Funding Circle. Just making sure that we continue to grow that platform so that businesses can continue to grow their business, support local communities, and essentially be what they want to be and have a great future for themselves.
Nick Fisher: That's a great mission. Thanks for that. We've talked a lot about next gen access, access management. Paint a picture for us around what access management looks like at Funding Circle, how employees access, what devices they use, on premise, off premise and even maybe external partners you guys might work with.
Ayotunde Obasanya: Thanks Nick. So at Funding Circle, I think, you know, in terms of the way employees, we're today, we're about 800 employees globally across the world. And I think the way employee interaction and connectivity has evolved is, first of all, we're a cloud first company so we don't use the traditional Microsoft Exchange. Most of the applications where employee users are, are on the cloud. So we're G Suite customers. So what that means for us is while we have data on premises, a lot of the applications they need access to actually sit in the cloud. We have a combination of different end user devices from MacBooks to Dell computers and we have a lot of remote workers as well. And because we're a global company it means that a lot of people travel all over the place. So for us it's very important how we secure their identities as they move around across the world.
Nick Fisher: Yep. And one of the tenets of this next gen access is around being network agnostic, and it doesn't matter if they're connecting from a Starbucks Wi-Fi or on premise, that you want to enable access to these resources regardless.
Ayotunde Obasanya: Yep.
Nick Fisher: Yeah. So what prompted Funding Circle to move more towards the zero trust security model?
Ayotunde Obasanya: So, I think over the last 10 years we've seen that security essentially has evolved. So if we step back a while ago, traditional security meant protecting your perimeter. So you would have traditional firewalls protecting your perimeter and threats from coming inside into your network in terms of using the single model security trust model. And then you move towards a dual trust security trust model, which is once you get into the network, right? And you have access to the crown jewels. You had a second layer. We quickly realized that the threat access we have today from phishing attacks to social engineering wasn't going to work because you needed to move towards, I guess the first part was a microservices architecture where you need to be able to contain the lateral spread, once you have an insider threat.
Now where this becomes very challenging is it's one thing when you're able to protect your internal and corporate infrastructure, but what happens to all the cloud applications you have, sitting all across the world in different countries on different cloud platforms. For us, we're a data-centric company and that means our protection is we need to protect our data at all times. We need to make sure we protect against PII. We need to make sure that that data is secure in transit and at rest. And ensure that our employees, wherever they access that data, they access it in a secure fashion. We make sure that they only have the right privileges they need to be able to interact with that data.
So for us, we quickly realized that we had to come up with a new security model that was next gen access to make sure that regardless of wherever employees are across the world, they were able to access that data in a secure fashion.
Nick Fisher: Let's double click on something you mentioned there around enabling basically the right people to have access to the right tools at the right time. Can you maybe talk a bit more about some of the policies you guys implement, how you think about separating your maybe your user groups and what they access and how maybe you use tools to help with that?
Ayotunde Obasanya: Well, I think one thing that's helped is if we start at the identity layer, you know we talk about people. So we've talked about people being one of the key factors, you know, once an attacker tries to access your information what they're looking for is your username and password, your credentials. And they need those credentials to be able to access the data. So for us, what we've done is we have our active directory that's federated to Octa. So Octa becomes a universal broker for us that manages identities across our organizations. Based on that is when we map them to the right user groups, based on their applications. So we create a strategy to say users are put into groups based on the applications they need access to. And then we also studied the data flows in terms of how they interact with those applications. And that essentially drives the policies we're able to define for each of those applications. So, if we start to talk about leveraging IAM which offers an example, we can start to use context to say well, based on where that user's located, based on what they're trying to do, start to build policies around that, introduce multi-factor authentication, SSO, and essentially use that information to decide what they have access to, make sure they have access to that data application in a secured manner, and very importantly as well, we have a record in terms of audit logs, in terms of what they're doing; that access gamut.
Nick Fisher: You mentioned setting up policies based on maybe where the user is located, if they're on the network, off the network. One thing that actually came up in the keynote this morning was sort of this trade-off between usability on the end user's side, and security. Does it have to be a zero-sum game, or can you improve security without sacrificing usability too much? Can you talk a bit about maybe how you leveraged some of the more adaptive MFA features to prompt for MFA really only when necessary?
Ayotunde Obasanya: Well, I think one of the ways you could do that is, one of the nice things with MFA is we know that when you're in our offices we know it's secure. We know we've got firewalls, we've got network segmentation, we've got the right protections, we know you're physically in the office, so basically in those instances, we say, "Well, we authenticated you, we know where you are, we know you're in a secure environment." Based on your IP information we can put a policy to say, well, if you're in the office we don't require MFA because we know you're in a secure environment. Well, the minute you step out and say, "Well, I'm going to go to Starbucks," or you're going to work in your remote site, we said, well, we know where you are right now, you're not in a secure environment, we need to challenge and introduce a second multi-factor or third multi-factor to challenge and make sure we really know you are who you say you are before you can access our corporate applications. So that's one clear example of how you can use adaptive MFA.
Nick Fisher: Because you could put a second factor in front of just every single authentication-
Ayotunde Obasanya: Exactly.
Nick Fisher: ... that would be secure, but your users would yell at you, and you'd get a lot of-
Ayotunde Obasanya: Yeah, of course. You take your risk based approach in terms of how you determine that.
Nick Fisher: So, is there an example where your zero trust approach, maybe like micro-segmentation, had protected the organization? Can we talk about that a bit?
Ayotunde Obasanya: Yeah, so I think one thing we've seen is once you have all the right tools, and you have the endpoint protection, you have the anti-malware, you have the anti-phishing, you have all the right tools happening, you find yourself in a situation where a user has done something they're not supposed to do, and there is a compromise on one machine, and usually you would literally panic and say, "Oh my goodness, this person is on the network." But because you've provided the level of micro-segmentation, we have device authentication for every device, certificates, we've got port access isolation; so all that means is where you drop into a network, you just don't have access to everything.
Your identity determines what level of access you have to the network, and with the micro-segmentation, what that means is, if there's a compromise, it's contained. It's only contained within that segment, it doesn't have access to either the middle tier where you have your critical applications, it doesn't have access to your secure data, you're very easily able to identify it and essentially tackle it, and essentially wait it out. So I think, if you didn't have zero trust, it meant that that lateral spread could not just go to one location, where if you have site-to-site networks, or VPN networks, that could spread across globally to all your organizations, and then you have a significant compromise and potentially, depending on what the threat actor is trying to do, a significant data breach as well.
Nick Fisher: Yep, got it, thanks for sharing. We talked a bit about the people component in the zero trust framework, and how that's sort of a critical component in the new zero trust extended ecosystem. Can you just talk generally about how access management and how you think about people fit into your security strategy, versus maybe some of the other components?
Ayotunde Obasanya: Yeah, I think when you think about it, I think President Obama said this yesterday; he said, "No matter how big or small your organization is, it's made up of you and me. It's made up of people. People drive your organizations, people drive value, people are key to productivity." So, in terms of how we think about access, we always need to start with people; and I think that's where Okta helped us ensure that it's that security broker that ensures that every person in the organization, regardless of whatever application they're trying to access, always has a single identity with single sign-on, with being that universal directory and security broker being able to provide us behavioral analysis, and understand how users essentially interact with applications. It ensures that whenever we roll out policies for our people, we're doing that the right way. So people in the finance department might require a different set of policies from people in our development environment, or people in the legal departments will need a different set of policies, compared to people in senior management, because we've been able to understand the application workflow, and essentially tailor how we provide policies based on their interaction with those applications, which I think is really great.
Nick Fisher: Yep, and actually let's focus on that a bit more, like how you actually started creating those policies for those different user groups. I think it'd be helpful for this audience to understand, even when you were just getting started, how you segmented the user groups, how you looked at risk levels across those, and access management. Can you maybe just shed some more light onto-
Ayotunde Obasanya: I think in every organization it starts with people working for different teams, in departments or sub-departments, so you start there in terms of HR, you kind of work out where people sit in the organization, so you kind of build a framework of the organization. And then you then need to map that down to resources: what do they need access to? Do they need access to shared files? Do they need access to printing? Do they need access to applications? Do they need remote access to applications sitting in data centers? So you kind of start to map essentially people to resources, and the underlying data. Now, the underlying data is your risk factor, so you kind of say you've got people on one side, you've got resources on the other side, and then you've got your critical data or critical assets you're trying to protect.
So we have a very strong data classification policy where basically we kind of say, "Well, this is sensitive data, this is confidential data, well this is public, it's not that critical." And essentially, we then start to build the policies around that, and then those policies are then defined in groups, and then those groups are assigned to applications; and then you have to start to build workflows around that, in terms of how you introduce that in terms of onboarding and offboarding of those applications. And then we then start to think about building strong audits or logging across those critical data assets as well to make sure that when people do access that critical information, we know when they accessed it, we know why they've accessed it, there's a time stamp and there's a record, and if possible we alert on that as well. So that's kind of how we built it over time to where we are today.
Nick Fisher: Got it. After you set up these initial policies, did they evolve over time after some tuning and seeing how well they worked?
Ayotunde Obasanya: Um, yes. So they definitely evolved because when I think about it, you have different types of applications. You've got your on-premises applications, and then you've got your cloud applications. Now, what we've started to see is right now in Okta we have over 100 applications within Okta today, and when you think about that, that's huge. How do you secure access across a hundred applications? And what we're starting to see is interaction between applications these days, it's no longer on-premises talking to cloud, it's now cloud to cloud.
So, you would have an application like maybe Namely, as an example, talking straight across to Litmus, which is a learning management system, and then talking to Okta, which is your security identity broker, and it doesn't touch your on-premises infrastructure whatsoever. How do you gain visibility of what's going on within that space? If you take an application like Dropbox, as an example, you have personal Dropbox and you've got Dropbox for Business. How do you ensure that you're not having people transferring PII, our data, from Dropbox for Business into their personal Dropbox accounts? So for us, we've had to evolve the strategies with things like cloud access security brokers, so making sure that we now have another layer on top of the interactions between cloud to cloud, between API, interaction with Okta and all the applications, audits, making sure we can do behavioral analysis as well, and then start to define policies based on the behavioral and contextual information we get as well. So we've really had to just evolve based on how our employees consume applications today.
Nick Fisher: Got it. And let's actually talk a bit more about those integrations, because what we saw at the end of Chase's presentation is the people component of zero trust and Okta's. Zero trust goes beyond just that people component, right? There's a whole ecosystem around that. Can you talk about maybe how you use Okta integrated with some of the other systems? You mentioned CASBs, and you talked a lot about using audit logs; are there other ways you integrate Okta throughout your organization?
Ayotunde Obasanya: Um, so the other ways I think we integrate Okta is, one of the things we're starting to push through is to have Okta as a master, so it integrates with our HR system as a master, to make sure that from the onboarding and offboarding in terms of the joiners and movers process, our HR departments have essentially the privilege essentially to say, "Look, we've got a new user in the organization, they've put all the details in there, and essentially pushed those records all the way through down to provisioning of the users, or the groups, or the e-mail accounts."
Everything that you usually would do in the back, and that the IT team would have to be responsible for manually, and then start to think about taking that data, and start to push that through to other systems as well, to start to take actions on that information as well, because right now we're building this global cloud, might need a VPN solution as well. Kind of like traditional Palo Alto and all the VPN, and that's also going to use Okta as well; so, you then start to see where Okta is your identity management for your VPN users to gain access into our corporate assets or offices. At the same time, it's able to push that information into your cloud access security broker as well. At the same time as well, it's able to push this information into your logging, and alerts, and infrastructure so we have to take action. At the same time as well, we have identity systems on the physical infrastructure that are also interacting with our data. So then you have this behavioral and contextual framework you've built where that identity follows you everywhere, and we're able to take action and determine what's going on at any point in time, whether you're on your mobile phone, whether you're on your computer, anywhere you are in the world.
Nick Fisher: Got it. They're about to play the Oscar music and wrap, and get us off the stage here soon, so we'll just finish with a forward-looking question. What are your plans to evolve your zero trust model over the coming years?
Ayotunde Obasanya: I think one of the things that was really exciting I heard at the conference that was announced today is having YubiKeys as another factor of authentication for our employees, so that's going to be really critical for us. And also to start to employ user remote access management to put MFA in front of our critical servers, so if we have our IT administrators trying to log into back-end servers, we can have Okta as a front end using MFA as well, and I think we're going to start to see the trend whereby we start to go to the no-password level of evolution, where people can start to use either fingerprints, or facial recognition. We're starting to use that behavioral analysis to say, well, if I know where you are, and I have all the information I have about you, do I really need a password to be able to challenge you? So I think that's the next evolution we're starting to think about.
Nick Fisher: Yep, great. So I think that's going to do it for us today, round of applause for Ayo and Chase, thanks for sharing your story.
Ayotunde Obasanya: Thank you, thank you.
Nick Fisher: Appreciate it. We're going to stick around for about five, ten minutes or so if you guys have questions for us, but thank you for joining, and that will do it for today. Cheers guys.
As breaches fill the headlines, more organizations are adopting a Zero Trust security model and its key principle of "never trust, always verify." Modern implementations of this model are focusing on "Next Gen Access," where identity and authentication can greatly enhance your security posture with less complexity than network-based solutions. Join guest Forrester Principal Analyst Dr. Chase Cunningham, Ayotunde Obasanya of Funding Circle, and Nick Fisher of Okta as we discuss how companies today are having success taking a Zero Trust approach to security.