
Zero trust architectures: Moving beyond perimeters

BSides Ahmedabad · 42:20 · 162 views · Published 2024-05
About this talk
👾 Topic 👾 Zero trust architectures: Moving beyond perimeters
🎙️ Moderator 🎙️ Smith Gonsalves
🗣️ Panel 🗣️ Featuring Kishan Kendre, Kamal Sharma and Sreeshankar Gurujalam.
#infosec #ciso #zerotrust #security #hacking #panel

Transcript [en]

Let's look at, uh, securing architectures. Our next panel discussion on zero trust architectures: moving beyond perimeter. In a world where traditional perimeter defenses are no longer sufficient, zero trust has emerged as a strategic approach to secure our digital environments. The traditional approach to cyber security relied heavily on the concept of perimeter: inside the fortified boundary everything was considered trustworthy, while anything beyond it was deemed as untrustworthy. However, the rapidly evolving threat landscape and the rise of remote work has rendered this perimeter-centric model obsolete. Attackers are finding new ways to infiltrate and exploit trusted networks, necessitating a fundamental rethink of our security strategies. With that being said, I would like to invite our panelists to share

their expert strategies with us. Let's put our hands together for Kishan Kendre, head, information security at Blue Star Limited; Sreeshankar Gurujalam, general manager, cyber security at Siemens; Kamal Sharma, vice president and CISO at ASM Technologies. It will be moderated by Smith Gonsalves, managing director and principal consultant, Cyber Smith Secure Private Limited. Well, good morning Ahmedabad! Here in the happening city of Ahmedabad, and guys, uh, coming up with one of the incredible panel, and this is about zero trust architecture: moving beyond perimeter. Well, as the name sounds interesting, the panelists over here are also seasoned and experienced, who come from different sectors and domains, sharing their vital decade-old expertises and experience. So it's quite

interesting for us to understand the way this technology, that is zero trust, the way it is evolving and what are the challenges and gaps. This panel that we are going to present it to you, we're going to comprehensively discuss about the ways enterprises and corporates today can adopt it. And I also see youngsters over here, so how youngsters can potentially gear up with the set of tools and understandings about this technology to go ahead and communicate with their stakeholders to see how this framework can be adopted. So with that I would like to introduce the set of distinguished panelists, uh, starting with Mr. Kamal, who comes from the ASM Technologies. It's Kamal, he

is the person who has extensively worked on areas of product building, areas of helping enterprises to secure their, uh, networks and infrastructures. It's pretty great to have you here. Then we have Sreeshankar, who is the GM for the Siemens Healthcare, and we all have been looking at Siemens, the way it is growing, the way it has been making a significant dominance in the healthcare industry. It's great to have you. Then we have Kishan Kendre, who is the CISO for Blue Star, and Kishan is going to ensure that the panel remains chill, because he comes from Blue Star. So with that being said, let me come to Kamal and begin with the first

question. So as we are discussing zero trust architecture, or let me put it this way, zero trust technology. So in order to begin, let me ask Kamal a very interesting question: what exactly do you see this zero trust technology, this which is being evolving? We had earlier something called as OT, operational technology, which people now call it IoT. So what is the whole overview of this zero trust, and how do you see this technology? Thank you, uh, for having us here, and thank you, uh, the ones present here to hear us about, uh, the zero trust architectures. There is a lot of confusion in terms of what zero trust is. You just talked about, you know, zero

trust technology; lot of people use that as a term. Uh, zero trust solutions, another term used; zero trust framework, another term used; and people look at zero trust products. So I think there is a need for understanding what actually zero trust is, and unless we understand that, we have a challenge of, uh, not moving to the next step. So zero trust is not a technology, it's not a product. It's a framework, it could be a strategy, and it could suddenly be a solution, uh, which primarily revolves around the principle of believing that any device present in your network infrastructure is potentially compromised and adversary is present. Now having said that as a principle, uh, and let me take you back to

70s. Zero trust is not new thing. The first time, uh, the first known breach, what we talk at MIT, it happened in late 60s, early '70s, where, uh, in MIT, and one of the user actually, so there were resource allocation that you can use resources only for a particular time, and what this person did is he did, uh, found a bug, he, uh, he put, uh, his own settings in it, reconfigured it, that whenever he reaches his time limit, it automatically, the counter sets to zero. I think that's the first time a network, uh, breach as it was recorded. In 1975 MIT came with, uh, the foundation principles of cyber security, and there they talked about

authenticating, or rather mediating, every transaction. So zero trust actually goes to that times, though the term was coined sometime in 2010. Um, so it's about basically taking that principle that you need to, uh, authenticate every user, you need to authenticate every device, you need to authenticate every network flow. I think that's the base principle, and then rest you can fit whatever technologies you have in place. You need, uh, various technologies, various products, and then based on that you can fit into yours, come up with the solution which works, uh, to your organization. Well, that's an interesting perspective. Uh, Sreeshankar, would you like to add on this? Yeah, I think, uh, he's covered

extensively on what. I have an interesting question for you when it comes to zero trust. So I see a lot amount of people coming up with different set of products on the zero trust architecture, and when this, so I've been looking at different products, and it becomes quite difficult for the CISOs to have a differentiated factors among them. So how do you see to this is my question to you. Super, thank you, uh, for that question. So, um, as Kamal said, zero trust is a framework for implementers, and for decision makers and for your senior management it's a strategy, and for someone to sell zero trust they would have to sell a solution, not a

product. Because, you know, you bring a device or a product, bring it home, plug it in, it works: product. But a firewall cannot be like that. You bring in, unless you configure it the way you need it for your business, it is just a device, it's just a product that's dumb. So you need a solution along with that, and the same goes with zero trust. You cannot make a product and say that this is a zero trust product. A product is not alive till the required solution for the particular domain, for the particular industry or the particular specific business segment that they're using it; if that is not there, your product is as good as a brick.

So you put that brick with the right kind of cement, which is your solution, and present it. So if you are looking at the youngsters and asking this question, then I would say: good, you're focusing on the product; focus more on the solution, where it fits in, else you'll lose the context. That's a very interesting perspective about the product industry of the zero trust. So with that I move to Kishan, and Kishan, I have a very interesting question for you in terms of the zero trust technology and the way its adoption. So what do you see in terms of corporates, uh, and enterprises now? Since the adoption of zero trust, if you see in US, I'm able to see a lot amount

of enterprises are quite actively adopting it, in fact in UAE for the fact as well. How do you see in India? What is the mindset of this zero trust? Is this the buzzword able to connect with the board? What are your views on this? Uh, before that, uh, I will always try to give an example so people can relate to that. Why does Ferrari have the brakes? So everybody used to, I given this example many times, everybody I get an answer, everybody says about, uh, so they can brake it, they can stop it. But I have a different perspective, where you can say that: so Ferrari can go faster and faster. So in a business language, Ferrari

is your business and the security is the brake, so the business can run faster and faster. Now with respect to the zero trust, as the name suggest, zero trust: trust everyone but verify before allowing, otherwise you'll not be able to achieve. And it's a buzzword now. Industries are open to adopt in India. It totally depends upon the business requirement of your organization, how the business wants to grow further, is totally depends upon that, how do you connect with business and how they want to run fast. Or one of the major challenge which I see with respect to the traditional VPN, where all the traffic will

consolidate to a single place and then internally travel to a multiple locations and then coming back, which is a tedious job to manage and everything. With respect to the zero trust, uh, specifically with the small branches, remote locations, having all this setup is not in a practically possible scenarios. So this particular zero trust helps to build that, and you'll be able to achieve your more and more business. Uh, and the India, means, lot of organizations are following zero trust model to improve their businesses, you can say that. I'll give a classic example. Specific to a, if I need to open up a office in a remote, say a smaller village, say on aabad in Maharashtra, in

Maharashtra, which is a small place but having everything. They're setting up from router, firewall, office and everything. I can have a single agent-based, agent install on their machines, connected through a zero trust network to a corporate, that's it. I'll be up and running in a week's time max to max, even less than two days. Only time taken is to build up your network bandwidth, internet bandwidth, rest. And it's lesser cost, I don't need to manage it also. Again, see, one of the major challenge which I see: every organization has invested a lot in the technologies but they are not utilizing them properly. Every organization will have almost 10 to 20 technologies or beyond that also, but they have to

utilize. Zero is one of the good framework or a strategy, as Kamal mentioned, which will help us to improve better and better. So this is my perspective. John, no, you have highlighted the key areas, let me put it, right from the affordability towards the implementation and the challenges that one has to consider. So with that I move to Kamal, and Kamal, you have been part of various product designing for various enterprises, so what I want to, your company, so what I wanted to understand is preliminary from the overall implementation side of the zero trust, that what are the different types of areas where the zero trust, uh, can act as a solution? Responsibility to make people

aware about it, all of us as a cyber security community leaders. What he just talked about, there are some things, uh, which are very standard stuff which are available. If you, let's say, if you're using PKI infrastructure in your organization, you would use, normally when you use TLS it'll be one way: a client will go to access a server, the server, uh, will get verified, but the client never gets verified. If you can implement mutual TLS, which is very simple to do, each of your end device can be authenticated. So at least one pillar of your, you talk about user, devices and then the network flow, right? So if you implement mutual TLS

your end, your device actually get authenticated without much of the investment. Uh, Microsoft Defender has a, you can implement a policy where you can enable IPsec authentication, again, and that's a default thing in your enterprise, uh, who are using enterprise version of the Microsoft, right? You can effectively use again to authenticate each of your device, uh, using Microsoft Defender. Uh, it does gives some challenges in terms of, you will only have then visibility of the connection, but because it's already encrypted, and the encryption can be all the way up to your AES-256, and so you won't know what traffic is flowing. So it does give challenge in terms of monitoring, but at

the same time you are addressing one side of the story. Uh, of course you're monitoring then you'll have to take it to the endpoint. So, um, so we as a company, we do, uh, work with many cyber security product companies, uh, as their extended teams to develop products, and these are the aspects we consider. So one is, each one of them are taking the monitoring to the endpoint. It's no more at the network level, because if you have to encrypt data end to end, which becomes your, from your endpoint to your server to your application, then you can't monitor what is happening, and if that one device is compromised and whatever data is being sent, whether

it's malicious or not, you can't verify. That has to be done at the endpoint. So overall, again, it will come back to the solution. Uh, you can have different ways of implementing it, and depending on what you implement, uh, you will have to pick the right monitoring solution at the endpoint level. I think that would be the key to take it. Yeah, well, that gives a broader amplification and understanding of the framework. Thanks Kamal for the greater insights. So with that I come to Sreeshankar, and Sreeshankar, I have a very interesting question for you. Now this question is particularly from the products which are there on zero trust. What do you, what

would be your opinion for the products, the young startups in the space of zero trust: what should be their go-to-market strategy, for a fact that this technology's adoption in India is also new and it's evolving, the people, for them to understand and relate is also taking some amount of time. So how do you see, and what are your opinions on this? Okay, let's, uh, there a very practical quiz. So, uh, when you see, when you buy a off-the-shelf product, I mean your expectation is that, okay, I do little tinkering here and there and it should work for me. But for a person, let's say decision maker, out a board, I go and say,

okay, I need so much money and I'm going to put zero trust. Okay, good, why do you have to do that? You'll explain the benefits, and then: okay, if you put this, will it address everything? Okay, have you covered all the risks? Okay, go ahead. Now when you are presenting, are you as a practitioner aware of all the risks? If you do not have a comprehensive vision of what is and what is the required mitigation and what is the requirement for the future, if you do not do that technical and business assessment of what is required, you should not even venture into zero trust, right? Because you put something, you try to do some add-on, you try to do some tinkering,

that's not going to be zero trust. And also it's like, I see many companies, I keep talking to many people, so what I realize is someone said, H, we have put SD-WAN, we to zero trust. Great, but when will you be zero trust? Uh, maybe after two years. Now what will you do when you keep doing these things in bits and pieces, or not having an overall agreement with your board? You're not one, you're just distributed all, and you're opening up many more vulnerabilities. So the key to the equipment manufacturers is that: please mix with your people, people who are selling. They're not your customers who you can just visit once in a we mix

with them, interact with them, be on their site, do their assessment, help them do their assessment, then suggest a solution based on your product. I think that's the way to go. Very, very interesting. So as rightly highlighted, the people who are selling zero trust product should be operating on ground, and they need to spend time with their customers to understand their problems, that is how I can s it. Just to add on to that, you know, financial company is very different from a retail, very different from a of company, so they must be sensitive to that as well while they are, uh, getting into the specific businesses. That's a very interesting viewpoint. So

with that, Kishan, I come to you with an interesting question. Since we have discussed about, Sreeshankar has tried highlighting some of the areas or these specific challenges, I want to understand from you as well: what are the core challenges that you see in this, uh, technology adoption of this, so basically adoption of the zero trust architecture or products in India? Uh, so before that, uh, I would like to add one more point specifically to that question, uh, what exer or what organizations to do to build the zero trust technology. I can say one more thing, like, uh, they should discuss with the industry, understand their use cases, what they want to achieve with the zero trust and

what can be achieved with the zero trust. Uh, to see, one of the major challenge to each and every organization is the attack surface. Previously it was only to data center; now there is no boundaries to the attack surface, which every organization wanted to again reduce back to a smaller thing, and zero trust is one of the area which is helping us to reduce that. So that is one of the point organization should considering before putting any zero trust. Now coming back to the technologies, uh, again I will emphasize on the use cases which is need to be failed by the businesses. One of

the major use case which I can say: why do we use to have the VPN? Because to access the internal application. But one of the challenge with respect to the VPN: as soon as you land into the VPN, after that the whole W is yours. So I used to say that whole area is yours, you can play anything and everything you to do. But with the help of the zero trust you can minimize or reduce the access to the internal applications only to the required people, and from there you cannot move laterally inside. This is the one of the better users. And then every organization,

as previously mentioned, every organization is having men 10 to 20 technologies; you want to consolidate that also. Now has talked about the SD-WAN; think about the, why do I need the SD-WAN if I have the zero trust, where I can do the all the works which is needed for my internal? And one of the thing is which I wanted to say: most of the organizations are outsource their operations to the third parties. Now I don't know that, is it the real, uh, person who supposed to work for me is working, or someone else is working it. So that's one of the challenge which I'm having it. So zero trust will help me: only the required

application will be managed by that person and nothing else can be, uh, disturb or, uh, what you can say that, interpreted by them, and I wish I don't what to do. And then, uh, multiple, see, lot of developers gets a request: I wanted to do everything from the home but I want to access the internal resources. It's a challenge to give that. I'm open. Now there is the concept of the BYOD: how do you allow third party person to access your applications and download the data? So you can leverage the zero trust technologies, like there are, I don't want to name any zero trust technologies which are in the current market, but, uh, some of them are

quite well. So only one of the challenge which I see with them, with respect to the operational technology solutions, which I will come back later once we discuss on the OT part. So that's one of the challenge, because, or I can just explain it now itself. See, uh, for a manufacturing industries, the support for this OT machines is from a remote locations, and they do not stay in the same country, they are from some other locations, other countries. But I don't know what he does when we provide a VPN to him, I don't know what he's doing it with that, is he doing a good work or not, I don't know about that. I want it to

be secure on my infrastructure. So zero trust will again help in that area to give the access, but I'll be able to monitor it, and, uh, I'm sure on that, or maybe we can have a debate on that. The people who supports on this OT technology, they use the older laptops, they will not have any AV installed on their machine or are install on them, they gets infected because of, that's the reality of the market. So there zero trust will help you into that: only give application access to the application. Really rightly pointed, you need to continuously go with the latest adoptions and have to be prepared. It's true in IT world, but

in OT world the lifespan, in IT world the lifespan of a system is 1 to 5 years, but in OT is 1 to 15 years at least, or it can go beyond. Yeah, to, as rightly mentioned, because see, underlying operating system or hardware upgrading is not an issue, but the associated application, it cost, the hardware or the application cost in one lakh rupees, I'm just taking an example, the associated application, it might cost you a crore. The company will not be ready to do that. Ultimately it comes on the business. So with that I have one more interesting question. Now I see a lot amount of auditors, pentesters and compliance people in the audience, so this question

then, uh, Kamal, I want to ask you a very interesting question, and that is, now this is from a CISO point of view, that often answer to all the questions of the auditor is zero trust. What is the, uh, way your network is being defined? So we say we have a zero trust based architecture deployed in organization, and for auditors, since zero trust in itself talks about verification, validation, it becomes a one-liner statement that they vure. But what really does a auditor has to do to ensure that the framework is actually implemented right, or how can you validate the claims that are made by the enterprise? Okay, first I add to what they talk about. See,

we need to, for the startups who are trying to sell products in the name of zero trust, as I said, it's not a product. You might fit into a solution, you might have a full solution, may if you for that big and all area. I think one important thing would be to have the right services partner with you. If customer would appreciate it only overall as a solution it has worked for them. So in rush of selling the product, uh, don't go for whoever, know, in this market there are 20 guys, I'll partner with 20 and at least five of them will go and sell my product. It will not survive in the longer term.

It's not an iPhone, which is an independent device, uh, you don't need day-to-day service on it. This is something integrating with multiple products around in an organization, and if you don't have good services partner, ultimately credibility, you will also lose credit. Uh, coming back to the auditors, and with due respect to the auditors present here or outside, we have a challenge that the majority of the auditing, uh, community, auditors as such, don't come from technology background. Majority of them come from, uh, financial background, from banking and so on. They are great auditors logically to reach to the conclusion that these are the area that you have issues, but if you

don't have technology background, it would always be difficult, uh, to deal with the guys who are ending technology; they will take you around in circles. So forget about zero trust; auditor needs to build the basic technology skills. Today if you go, you have an ISO 27000 audit for the company, you are, 60-70% of the auditing questions will only revolve around HR and admin, because that is what auditors understand, unfortunately or fortunately, that's what it is, and we as CISOs, we prepare for those areas than actually technology to face those audits. So forget about zero trust; as I said, we need to build technology understanding with the auditing community. It's changing; I'm sure lot of new generation

auditors who are coming in are actually coming in from technology background, uh, and I think we are on that path to get there soon. That's a very wider perspective. With that I come to Sreeshankar, and I have a very interesting question for you, and this question is basically, what I see with large amount of enterprises is they invest in product, which is pretty good, and when you are investing in various products, zero trust being one of the key areas, how do you see that when these technologies are going to be deployed on-prem or in the organization, which the organization is betting on, basically to rely in terms of reliability of, uh, preventing breach,

preventing ransomware attacks and all. Then I see a lot amount of pentesters over here and red teamers. Do you see that the, should organization also consider testing different solutions and, uh, stacks that are already deployed on their infrastructures for vulnerability, and from a dimension of a hacker's point of view, to see when an attack happen, it's not a single line of failure, it is multiple lines of failure, and zero trust exactly talks about validate, verify, but if this technology can be bypassed with having some command and controller or the sophisticated APT attack, so do you see that sense of realization in corporates to not just invest in products of zero

trust but also have the due diligence and verification done? So what's your take on that? Uh, yes, there is a lot of, uh, trust on zero trust, which is not good. Because you have zero trust, okay, good, who can validate, who can authenticate that it has been a comprehensive way of implementing? Maybe you have not covered some aspect, maybe you have left certain layers open, maybe you have not implemented with a long term in view, and change is a very, very, uh, required element in everyday operations, and changes keep happening; has that been in compliance with zero trust? When you do not look at these aspects, I just mentioned one or two, there may be many

more, there will be, and this is where a constant evaluation will have to happen, and that is where our pentesters, that is where our evaluators, that's where our tactical IT auditors will have to, uh, jump in. So what's the principle, what's your crown jewel, what's the principles of protecting it, test that, and if you constantly keep doing that, that should be the guiding principle for your red teams, and they will be good. Ultimately, validate even zero trust; don't trust even zero trust, that's the thing. That's a very amazing view, let me put it this way. So with that, uh, Kishan, I come to you with a very interesting question, and now this question is about managing passwords.

Okay, so what I see is that the biggest challenge that I see with CISOs or CIOs or enterprises is that we are surrounded with passwords everywhere, and this passwords are, uh, continuously coming up, recurring, and then what I see is that this technology called as passwordless, which is based on zero trust, which is evolving; when this technology is evolving and it is growing, how is the enterprise adoption, uh, towards being passwordless is considered in the Indian market perspectives, and what is your take on that, and what are the things that, uh, product companies of passwordless have to consider to, uh, basically position their products and, uh, push it forward into enterprises? That's an interesting

question, uh, and difficult to answer, because, uh, every organization will have in applications, every application will have their different path gr challenges to manage them. See, a complete life cycle of a user, user management, it's a difficult task. Or previously there is identity and access management of the solutions, but to deploy them, the cost, it's not cost effective, cost is very high. The second part is with respect to completing the integration with the different applications and then to manage this, that's a difficult. Now every CISO will be very happy if I don't need to manage a password of any application, or a passwordless will be a very good option. That now there are,

me, in the organization there are very old people who doesn't remember the password even for 45 days when they need to change that, so passwordless will help it. The adoption to the Indian market is less compared to the other countries, where can say that specifically toward was the IT industry. That do you also think that it is heavily dependent, because the C pushes the product but it is the IT team and the network team or the development team which they have to bet on the implementation probably, and that's where the delay or the synchronization gap is in terms of implementation, because as rightly mentioned by you and all the panelists, that in order to deploy this products

people have to configure it rightly, and then it should be subject matter experts. Correct, that's one of the, see, even if they help you out to deploy these solutions, but how do you work with the application teams, internal applications? If there is a legacy application, you'll not be able to do the passwordless with them. So you are to think, see, now traditional ways are gone in cyber security; you are to think out of box or you are to bring the innovative. Password is one of the area where you can say that's innovative way; zero trust is again one of the, uh, innovative ways. Traditional

ways are gone now, that's why, and the passwordless deployment or the adoption will increase going forward. So with that, uh, we'll come up with my last round of questions to the panelist. Uh, so, uh, we'll have to be a bit quicker on this considering the time limitation. So a final rapid-fire question that I would have is: how do you see the transformation of zero trust, uh, framework or architecture coming into Indian market, with this things like the data protection bill and all which has come up in picture, which has made the organizations reconsider their cyber security investments? So in terms of that, what is the mark, what is the timeline

you're looking at? Will it be in the next year or in the next two to three years, what is it? I think we have a long way to go, uh, we need years. If possible, any particular years from your, so that's a rapid-fire question for. Okay, quickly, the, how many, I mean many of you are from the larger companies, but my experience is today the smaller companies do not even have Active Directory; where are we talking about zero trust, right? We need to find ways to have cost effective solutions. The smaller companies, even startups we work with, they're not ready to invest so much of money, because till you at breach, security is not the

priority. So I think, uh, if you really go to zero trust, I think we are still 3 to five years away, uh, for the mass rollout stuff. It will happen in the larger companies, uh, but I think we have still long way to. Sreeshankar, what's your take, and then I want to ask you. One year, if you focus on security per rupee awareness; next two to two and a half years it happens. Wow. So with that, um, that is about capacity building and about what, so what the community, I see a lot amount of young generation over here, the pentesters, the cyber security enthusiastic who want to be the next

level of leaders, and for them zero trust becomes one of the bridge to go forward into the enterprises and connect. So what is it that they need to do in order to, uh, bridge that gap? Learn the traditional network best. Don't learn zero trust and traditional one, then move on. I think yesterday we were having a discussion: another traditional network, move on to zero trust only after that. Oh wow, that's an interesting view. One final question to, uh, Mr. Kishan, and that is about how do you see the way zero trust is evolving, it would, uh, impact, uh, the shadow IT systems or the vendors? The consolidation of the technologies will happen, so they will be forced to

collaborate more with each other, which I will say true, but now that's the need of the hour, and many OEMs are ready and they are forced to collaborate with each other; they are already doing that, the XDR kind of, the framework which came where many organization. In zero trust also, everything cannot be achieved by a single solution; it can be achieved by a multiple solution, uh, over the period of 3 to 5 years, which I believe. Small small things will happen immediately. With respect to the data privacy bill, the consent management and everything can be done, they have to do it within the next two months time, otherwise the fine will start. I believe

with within next one month it will be applicable to everyone so the time is not there that's a bold statement that's that's that's the reality actually just want to add what s said we were discussing this thing and to my young friends who are getting into cyber security and you're talking about know about zero trust at high level okay but nobody is going to hire a fresher to do a zero trust architecture you will be hired to do pen testing you will be hired to do uh SOC monitoring analysis and so on you will probably be hired for some GRC works I still believe to do GRC you need lot more experience you need to

understand business so so focus on absolutely basics learn the networks learn operating systems how they operate uh how they can be breached and that's how you will become the best security uh professional and then you can go to our you know zero trust or DLPs and the rest of the world wow so you mean to say be a domain expert and add a flavor of zero trust on top of that uh we'll have to uh we'll have to open up questions for the audience with that uh yeah but final conclusion only one line me the service service industry again there is a resource issues are there when you talk about the zero trust how do you manage them that's one of the

challenge which you have to see it it's not only you deployed it that doesn't mean that you CH challenge you have got infos High over here so you can definitely hire resources from infos High yeah that's that's one of the sponsors over here true true and then and one more me the management continues it's not like that's one time deployment the operation also needs to be move on that's that's one of the area people can look into that so with that uh we come to our end of the round of questions that I was able to put to panelist I must thank them the way they were able to provide their varieties of uh views

from their expertises and different sectors that they come in it's really great to see uh different insights that we discussed in order to summarize it let me just just give you a wide clarity we started from the use of what exactly zero trust is how it can be implemented to the strategic challenges that enterprises face right from the budgets towards the practical areas that vendors have to consolidate in order to ensure that how the technology can be implemented its uh challenges and second most important thing that we discussed was about from the auditor's perspective that what an auditor has to learn and improve it's not only focusing on the compliance or the uh probably the

generalizing English but also getting their practical hands uh dirty to ensure that they are able to get the relevant questions so with all that amazing insightful incredible insight from the panelists I would like to thank them for giving their views like to thank amazing crowd who is over here it's always great to be in Ahmedabad and get that curious crowd asking question so with that we are open for questions we'll be happy to uh answer your questions the panelists would be quite interested and keen on answering some of the challenges and pointers that you have even any opinions would be fine sure so we can uh we are available over here you can uh reach out

to us and we can definitely answer your questions so with that I would like to thank BSides Ahmedabad for inviting us uh giving an amazing amount of hospitality means a lot conferences like this are acting as a great pillars for the community industry academia and the young generation to collaborate thank you so much