Hi, I'm Rob Byrne, a field strategist at One Identity. There's a lot of talk. These days, you'll hear people talk about the enterprise attack surface. So the enterprise attack surface-- think of it as the sum of all the entry and exit points to your organization.
So we're thinking about users. We're thinking about users gaining access. We're thinking about data perhaps flowing out-- so users accessing and data moving around through those access points.
Now, you might be wondering, well, that sounds like a surface to me. Why is it an attack surface? Well, of course, when we expose those entry and exit points to the outside world, it's not just people we want to come in who are trying to come in or data we want to go out that's going out. It's all kinds of other actors that are out there trying to get access.
So you have to imagine that this so-called surface defined by this set of access points is being constantly, gently, or otherwise probed by people who perhaps we've not imagined will be. And you might be thinking as well, well, that's well and good if it's a physical resource. I can see a building, and I can see the gates. But the digital world, you might think, well, nobody really knows-- or maybe the IT guys do.
Of course, you can go on the internet, and in 10 minutes, any organization, you can have the full list of public access points to our organization with open source freeware tools. So don't imagine that your enterprise attack surface is obfuscated in some way. It's totally visible to everybody.
Indeed, the enterprise attack surface is not a static thing. It is actually expanding. And again, you might say, well, why are organizations expanding an attack surface? That doesn't make sense. Of course, they don't set out to do that. What they actually set out to do is to take advantage of modern trends and movements in technology and ways of working in business.
So think of it this way-- the kinds of things that are driving this expansion are business desires to enable remote working. So we have to allow those remote workers to gain access to these resources. Movements to the cloud, where we've taken all our cloud resources and put them up in traditional on-premise resources and put them in the cloud so now they're accessible up there for us and for everybody else.
And then an extremely important area here is the whole supply chain optimization, and that desire of organizations to more intimately integrate with partners and to grant access to resources and share information in a much more agile way. So all of those things are creating this expanding surface, which is also an attack surface.
Two more things I would mention would be the rise in the number of devices that are accessing these points. This is also gaining access there. So IoT devices-- we've now got these devices. And each of those is an access point. And then finally, although there are many other examples, the world of social media.
Traditionally, you might have one telephone number for a large organization, and you'd go through an exchange to get to anybody. Well, now you can go on LinkedIn and find all the contact information, not to mention all their employment history. So all of that information is going out there and is accessible. And this really all contributes to the expansion of these access points that are available.
Why would you care about the enterprise attack surface? Indeed, is it something of concern to you? Well, it should be of concern or people should be aware of it, at least-- anybody in modern business or IT needs to know about this. And we need to be interested in it and take cognizance of it because it's having a profound impact on our cybersecurity readiness, and it's raising ambient risk levels for our businesses. This is why.
And when you actually sit down to look at the kinds of risk, it's across all the major categories of risk you would traditionally analyze-- that's to say, physical, digital, social areas of risk, with interesting overlaps between those where you might say, well, you can get the digital risk if there's access points and people can gain. What's that got to do with physical? Well, let's not forget we live in a world where digital controls the physical-- satellite constellations, telecom networks, the brakes in your car.
So there's a merging, and then the social world is no longer just cocktail parties, of course. It's the whole world of social media, profoundly digital. So there's a merging going on, a convergence of those things as well. And if you're wondering, well, there's an expanding surface, I actually think the image is somewhat flawed. Because you think of a balloon, perhaps, growing. It's not actually what's really happening.
What's really happening is the balloon has been broken into lots of mini balloons. You think of micro balloons, if you like. And so rather than having to look after that one balloon, if you stretch the analogy, there's lots of micro perimeters, as we call them now.
So the one traditional perimeter has been broken up into lots of micro perimeters. And that, of course, is bringing complexity into our environments and making it very hard for us to adequately secure all of those perimeters everywhere all the time. How can we do that is the challenge I think that we're facing.
Of course, organizations are not remaining idle in the face of these risk challenges related to the expanding enterprise attack surface. And just to give you a feel for the kinds of evolutions in technology and capabilities that we can take advantage of, I'll mention some areas. So this would be areas like Secure Access Service Edge, so let's call this SASE.
It would be technologies like secure browsers, which is bringing the security right home to the endpoint to try and get security there, wherever the person is. It's in the cloud-- things like cloud infrastructure entitlement management. So just to take a moment. And because people tend-- when they think of access points, they think about network security. And the network guys or colleagues in network security have done some great stuff.
So they've fixed largely the problems with VPN, with an evolution to zero trust network architectures. They have, I would say, strengthened what was traditionally a web proxy to be a secure web gateway. And they've built in threat detection, malware detection. Great work, network guys.
And of course, the CASB world, where they have that deeper integration and knowledge of SaaS applications. And they can even look into data, for example, on Dropbox and do data classification. These are all very powerful network-centric technologies. It's really a convergence of network, data, application security. I think of it as an exchange.
So we have all these micro perimeters. How are we going to secure that? It's a mess. Well, you put an exchange, and you have appropriate controls. Well, you might think job done, we can all go home. But there's something very important missing.
What's missing in the story? Let's imagine the lord of the manor, who used to live in a castle, and now has secured all his peripheral villages, rides up to one of the villages one day. He finds that, yes, it's very good. It's now surrounded with its own micro perimeter fence and protections.
And he bangs on the door. And they say, who are you? He says, well, I'm the lord of the manor. I'd like ingress to my village. Well, we don't know anything about you. We don't know who you are. How do I know you're the lord of the manor?
And that's exactly the problem. Because the network security guys build that secure infrastructure. They've got all the capabilities in place. But they don't have-- yes, I'm going to say it-- the identity context that they need to validate that person or, nowadays, that thing, that device that's trying to gain access. And they don't have the full enterprise context of that entity that is trying to gain access.
And so identity is the thing, of course, that's missing here and that we need to bring to this context. So the role of identity here is indeed to bring organizational and enterprise context to what is otherwise purely network asset endpoint application URLs. That's, from a people point of view, a rather sterile environment. Now we need that additional identity context.
So the way I would like to frame it for you is to frame it-- what identity brings in terms of a zero trust approach. So it's three things broadly, in a vulgar way. Three things that zero trust is going to ask us for. Firstly, to validate an identity or an entity that's trying to gain access.
And straight out of the gate, you're into authentication services. I need to authenticate it is the lord of the manor. I need to have adaptive multifactor, like in the digital world. I'm going to need this. And what's very interesting to me is a lot of the times, the network security colleagues will acknowledge that. And they'll say, absolutely. That's what you need to do.
But they stop there and they're missing a lot of other aspects. For example, the notion of privileged authentication, because privilege is also an enforcement point that requires authentication. A reinforced authentication with additional requirements-- for example, to do with enhanced auditing or session recording, hardened appliances, and so on.
So authentication is not just its own federation. They've got a SAML ticket. No, it's also taking into account extremely important identity context aspects, such as privilege. And I'll just say one thing, particularly in the context of the remote working driver for this expanding surface-- the remote privileged worker.
How are you going to secure those guys? And what are the security controls you're going to bring to bear there? Because they're not the normal ones. So that, again, is the kind of thing identity service is pulling in.
So that was the first one. The second point is that zero trust calls on us to drive towards a least privilege model. And again, the Trusted Exchange that's doing the network level security has no idea why these entities have these permissions and if it's appropriate that they do so. That's what the identity services, particularly identity governance, is bringing to bear, all the time applying user behavior and policy-based dynamic workflows to drive down that level of privilege to just the minimum that's required.
And again, it's a no-brainer. OK, well, you mentioned privilege before. Is there something special going on here with least privilege and privilege? Yes, there is, because the logical extreme of least privilege is just-in-time, where you don't have any privileges. There is almost zero contribution to the attack surface in that case and until the time that you need it.
So the window, the attack surface is almost those little micro perimeters that are coming and going. And they're only popping into existence when you really need them. And that's in an ideal world where you would want to get to. And that's something that only Identity Services can bring us.
The final point for continuous monitoring of the environment from a security point of view, which is more or less the third thing that zero trust calls on-- again, identity is going to bring in all kinds of risk signals related to perhaps in-flight attempts to compromise, in-flight attempts to compromise particularly privileged accounts, or indeed, anomalous privilege behavior. And again, enriched with organizational and enterprise information, such as, for example-- well, is this a third party? What's the certification level of this employee? Is the guy leaving next week? And linking that to various kinds of behavior.
And then that's within the identity ecosystem itself. But it's a very important move and trend. And again, responses expanding attack surface from identity point of view is the integration of traditional services like access management and governance and privilege into the wider risk signals from the ecosystem. And we're talking there about the world of identity threat detection and response.
And at One Identity, we have this week partners that we're working with to integrate our products with those solutions so that we can act on those wider risk signals. So all of that's coming together-- all those three areas of zero trust to protect us against this expanding attacks. And that's identity's contribution to that world.
In summary, the enterprise attack surface can be a great way to frame and to understand, to think about and help you formulate some responses to the kinds of risks that we've been discussing here. And at One Identity, what we're doing is we're working with organizations to help them build identity security strategies into their responses to this expanding attack surface and to mitigate those risks while crucially enabling their businesses.
And maybe a word or two about the idea of enabling a business. You might say, well, where's the enablement? I hear a lot about security. Well, think about remote working. Your team-- hey, guys. Would you like to work at home a couple of days a week? That would be fantastic, boss. OK. I need to talk to the security guys, the identity people to help me with that.
Hey, would you like the latest iPhone? Yeah, I would, but I need to work on it. OK. We can put the security on that. So these are ways that we enable businesses and we help users to get their jobs done. And it's also a way to perhaps leaven the bread of the security bread that we're positioning on.
What we're seeing, what we're hearing is that organizations are coming to us asking, hey, how can identity play a role and identity related security strategies? What role can they play in helping to respond to these risks that we're seeing with this expanding attack surface? And what we're seeing as well is that they often want to take a zero trust approach, which is what I outlined earlier. So that's what we're seeing. And if you'd like to hear more about that, then give us a bell or give us a shout out.