Leadership Panel: Authentication Meets The Zero Trust Ecosystem
A leadership panel led by Kurt Johnson and guests discusses how to harness the power of endpoint detection and response and next-generation application access in authentication to close vulnerability gaps and accelerate zero trust. Special guests:
- Doug Good, Senior Vice President of Sales Engineering for the America for Palo Alto Networks
- Chris Kachigian, Senior Director of Global Solution Architecture for CrowdStrike
- Aubrey Turner, Executive Advisor of Ping Identity
- David Manks, Vice President of Global Strategic Alliances at BeyondTrust
Transcription
Kurt
Hi, everybody. I'm Kurt Johnson, Chief Strategy Officer and head of Strategic Partnerships and Alliances at Beyond Identity. And I have the privilege today to serve as your moderator for this panel discussion around Authentication Meets Zero Trust Ecosystem.
About the program thus far, we've been discussing the increased urgency and importance to take a more proactive stance against this increasing rise in threats that are taking advantage of stolen credentials and misused passwords, but as well as the alarming rise in attacks that are bypassing traditional forms of multi-factor authentication.
And at its core, it really shows us the urgency and importance to increase the visibility and assurance not just on who is gaining access but what is gaining access to our resources, applications, and networks. The device, is it authorized? What's the state of that device? And is there any vulnerability or risk coming with that device as well?
And critical to support this network of applications and resources to really understand the behavior and the privileges of these users, from our day-to-day workers to some of our most privileged resources and privileges into the accounts and the administrators. So we recognize, in order to do this effectively, it takes a village, that more and more it's important to bring together these previously disparate worlds of security and identity together in a way that brings an ecosystem that can harness the power and strength of critical components in investments and things such as endpoint detection and response, EDR and XDR technologies, zero-trust network access, SASE solutions, our identity platforms themselves, as well as privileged access management, and bring this alongside a phishing-resistant platform for authentication that truly can help us understand who and what is gaining access.
So while the variety of security and identity solutions is critical to really protect our organizations, it allows us also to take these significant steps that we need to better shut the front door and protect against these attacks by, again, the phishing-resistant stronger forms, what we're calling Zero Trust Authentication. To discuss this need, we have assembled a true all-star cast of individuals from companies that are proven and recognized leaders in their respective markets.
So with me today is Doug Good, Senior Vice President of Sales Engineering for the Americas at Palo Alto Networks, David Manks, VP of Global Strategy Alliances at BeyondTrust, Aubrey Turner, Executive Advisor at Ping Identity, and Chris Kachigian, Senior Director of Global Solution Architecture at CrowdStrike.
Welcome, gentlemen. Thank you very much. And I appreciate you joining me here today. So to start, I was wondering if you can each just take a quick moment to introduce yourself, your company, and your role. And I'll start on how you're looking on my screen with you, Doug.
Doug
Yeah, thanks. Great to be here today. I'm Doug Good, the senior vice president of Sales Engineering at Palo Alto Networks. Palo Alto Networks is a cybersecurity provider in network security, cloud security. We get into the operational side of the house and also back that up with threat intelligence and response. And I really appreciate you having me here today.
Kurt
Thank you, Doug. Next, David.
David
It's great to be here. My name is David Manks. And as you had mentioned, I'm vice president of Strategic Alliances and Technology Partnerships at BeyondTrust. BeyondTrust is a leader in intelligent identity and access security. Our integrated products really help organizations with their most advanced privileged access management-specific initiatives that help organizations to reduce their attack surface, really make for a more scalable, more secure environment.
Kurt
Great. Thanks, David. Aubrey.
Aubrey
Yeah, thanks, Kurt, and I appreciate you having me on today. And so, again, Aubrey Turner. I lead the executive advisor practice at Ping Identity. And you know, in terms of Ping, our focus and our mission, what we do is protecting the digital user journey, helping to deliver frictionless experiences. And really, from a zero-trust perspective, that means becoming the identity control plane, in sort of really simple terms.
And I know we'll get into that a bit more. So, yeah, that's a little bit about me and a little bit about Ping.
Kurt
Thank you. And last but certainly not least, Chris.
Chris
Hey. Well, thanks for having me on today. Chris Kachigian, so senior director for Global Solution Architecture at CrowdStrike. And in my main role, we have here, basically, the technology side of the interface, with the rest of our technology ecosystem. So all different tech partners, my team helps just, again, deliver better-integrated solutions, get better outcomes.
From the CrowdStrike side of the house, we're basically the leader for endpoint security. We focus on, basically, stopping breaches, right? And effectively, again, we exist here to create technologies to give our customers better security outcomes. And with some of the rest of the ecosystem we've got assembled here, I'm looking forward to doing that today.
Kurt
Thank you, Chris. Yeah, and to kick things off, I mean, as I mentioned, nature of this program, we've been talking a lot about zero trust. We've been talking a lot about zero trust specifically as it pertains to authentication. But given that each of you kind of bring a different perspective or come at this from kind of a different outlook, I'm wondering if each of you can just talk about what does zero trust mean to you, and what does it mean to the solutions that your companies offer?
So I'll start, you brought it up in your intro, Aubrey. So let's start with Ping. Really, what does zero trust mean to you and your organization?
Aubrey
Yeah, Kurt. And I'll kick it off by saying, and I'm sure, you know, all of us have had that zero trust conversation with a customer, and it's kind of that old joke, right? Ask 10 people what zero trust means and get back 20 different answers. And so, for us here at Ping and sort of my point of view, really that old adage of trust no one, verify everything, and from Ping being an identity security company, it means identity-centric zero trust for the very simple principle and reason.
If you think about the zero-trust journey and getting to least privilege, there's really no way that I'm aware of to get to least privilege without identity. But with that identity-centric least privilege approach, you know, we realize and fully acknowledge, and that's why we're all here on the call, right, it is a team sport, right?
Nobody, again, to my knowledge, can deliver a zero-trust story. And a kind of running joke that I have as I talk to engage with customers, if anybody tells you they can give you everything from a zero trust perspective, don't trust that person. But you know, kind of taking that zero trust and really evolving it into sort of a dynamic continuous adaptive trust, I think this is where sort of all these partnerships converge is in that continuous adaptive trust model.
But you know, identity-centric zero trust is really where kind of Ping hangs its hat, so to speak. So that's kind of how I look at it and kind of Ping's perspective.
Kurt
That's great. Kind of continuing along that theme, I'll switch over to you, David. You know, from BeyondTrust's perspective, trust is in your name. What does zero trust mean to BeyondTrust and the solutions you're offering?
David
Yeah, exactly. And Aubrey summed it up great. You know, you'll find lots of definitions around zero trust, whether it's a model, a framework. But I love the aspect of the never trust, always verify. The aspect of continual verification is so important in this model.
And really I look at it back to that least privilege access, right? It's about verifying every user. It's about validating their devices, validating their access. Are they accessing the right resources, systems, data, and applications? And then the ability to intelligently limit and continuously ensure that access on an ongoing basis, being responsible for our technology alliances and integrations at BeyondTrust.
That team sport, our ecosystem model is just so important, because that's exactly what organizations are looking for, and so looking for that unified integrated solution all working together, all helping to address their security needs at various aspects and at various levels throughout that authentication and secure access, specifically, from BeyondTrust standpoint, ensuring that their privilege users are secure and only getting the right access that they need at the right time.
Kurt
Excellent. Appreciate it. Doug, let me shift to you, certainly, from Palo Alto's perspective.
Doug
Really nice summary so far, and I think that, you know, you heard the word continuous multiple times. That's a key piece of this. It has to be continuously enforced. It can't be a set it and forget it. I think really the only thing I would add is, you know, this applies to the user, the device, the application, and the data.
We have to make sure we're taking all of that into consideration. And regardless of where the application sits, regardless of where the user happens to be, right, we have to be able to deliver this on a continuous basis regardless of location, travel, you know, and whether that application is internal or external, if the user is mobile, at home, in the office. It needs to be pervasive across the entire platform.
Kurt
And finally, Chris, from CrowdStrike, what does it mean to you?
Chris
Yeah. That's actually the best part about taking this question last is I can say yes to everyone's comments, and such has been so far. But from our side, it's really...you know, it's trust nothing, block all, and, you know, allow by exception or a policy or attestation, right? At the end of the day, that's what a lot of the stuff with zero trust, at least what our customers and us resonate with.
You know, from the CrowdStrike side of things, another aspect we kind of look at is, you know, again, I think it's going to be a recurring theme, right, the continuous verification, right? Always verify access all the time for all the resources. And you know, from our lens, right, it doesn't matter if it's across, you know, an endpoint device, a cloud workload, the identity or the data element, right, that stuff has to occur.
And you know, from our side of the household too, it's, like, you know, when things do go awry or wrong, we're always preparing for breach and stopping that breach. What can we do as an ecosystem, right, to limit the blast radius, minimize impact, whether it's an internal or external risk? And then last little bit of this, you know, again, automating all that context collection and the responses that we can work across the entirety of the ecosystem, again, to deliver those better security outcomes.
Kurt
Let me flip that around a little bit. In the conversations that each of you have with your customers, you know, what is their sentiment around the term zero trust? Is it resonating? Is it a buzzword from vendors? Is it something they're embracing and a concept that even if they don't necessarily agree with the terminology, are you seeing it?
And maybe you can talk a little bit about, you know, specifically, what you're seeing within your customer environments. And, Chris, you had the easy, go last, say yes about everything else. I'll let you start now.
Chris
Sounds good. Appreciate it. So, yes, it does resonate. And I think it was Aubrey that made the same earlier, it's, like, when you ask someone what is it and how to do things, it's, you know, 10 people, 20 responses. And what makes it interesting is that everyone tends to agree with the concept, right, of continuous verification and, therefore, getting authorized access. The interesting part with the customers is depending where they're at, either in how they deploy and operate or through a security journey or transformation, it's going to be different across the board, right?
I still have some customers that really resonate in the old-school network access control. I mean, I plug my device in or get a Wi-Fi control, a Wi-Fi access point, and boom, my validated device has all things like, "Hey, CrowdStrike's installed," or other tools are installed, we meet security hygiene, right?
And then we've got others where they're kind of fairly mature along, say, like, a cloud transformation journey or one of those shift-left transformation pieces where they're going to be more toward, say, like, cloud technologies, and in their particular mind, it tends to not necessarily lean toward just accessing an overall network because they're already assuming the network, you know, is fully compromised in a [inaudible] hostile environment. They're now looking at it as, like, "Well, actually, we want to make sure that that user is good coming in, there's no, say, vulnerable active, say, exploits running on a particular system, and they're trying to access, say, cloud services through certain gateways and other pieces, again, for continuous access of these applications and make sure that people aren't overprivileged in."
Like, you know, for example, HR people can access HR data. And you know, I think, that all being said, when we're doing stuff across the customer base, we have to be able to bring not just our particular piece of work across, again, that tech stack so we can deliver solutions, because, again, not one is going to be, you know, the end-all, be-all for every single customer. There's just no way.
Kurt
Excellent. Shift to you, Doug. I mean, obviously, you know, coming at it from early on with the whole zero-trust network access, how have you seen, you know, the term resonate, evolve within your customer conversations?
Doug
Yeah, I think two pieces there that I'll just add on. One is, you know, there is some confusion. Aubrey said it earlier. You know, if somebody comes and tells you they have zero-trust solution, "Just deploy my solution and everything is taken care of," that's an indicator that you're probably talking to the wrong person. But over time, that confusion is starting to clear up, and customers have realized that this is an integrated solution.
It's a framework that takes integration between multiple partners to implement maybe a better way to put it. And they've realized that this is also a bit of a journey, and so they're figuring out, "Where do I start? Where do I get the best bang for my buck? And how do I get my way through that transition." I think the other piece that's evolved is, early on, zero trust was kind of...you've heard the word continuous multiple times today, for example, and early on, it was more about, "Oh, let's just check one time, assume everything is great after that, and just make the connection if it was to a user, to a private application," for example.
And we've realized that this has to be continuous. We have to have continuous trust verification. We have to have continuous posture checks. We have to have continuous inspection, right? This has to be an ongoing event. So it's not...even once you start to deploy, it's not a point-in-time-type activity, and we've moved to this new definition, zero trust, that really fits the environment today and addresses the threats we're seeing today.
Kurt
Excellent. David, let me turn to you.
David
Yeah. I love the journey discussion, right, because each organization is on their own unique journey, depending upon where they are within their zero trust cycle. There are some organizations that are dealing with, you know, a specific attack. Maybe there's a ransomware attack or some sort of a breach. So they're coming at it from a very different angle than other organizations are.
But I think to the original question, is this resonating with organizations? Is this a real thing? Absolutely. We've done a number of research studies, and 97% of the organizations that we polled have all said yes, they're on a zero-trust journey. They're at various stages.
What's interesting is really only about 25% of organizations feel like they're on the path that they need to to address this zero-trust model. And I think the other important aspect is there's no really end in sight, right? We've spoken about continuous access. Well, I think this journey is continuous as well, right? It's about always making sure that you're leveraging the most current technology, that you're integrating all of the solutions.
And when I say integrated, it's currently integrated today but then also future-proofed, ensuring that you're testing and validating that integration today and in the future as well. So I think all of those elements are so critical and unique, depending upon each organization's needs.
Kurt
Yeah. I think there are some great points from all of you and in the conversations I'm having. I'll catch different perspectives. To your point, David, 25% feel they're on the path. I've had some customers in one breath will say, "I hate the term zero trust. It's a buzzword from vendors." And then in the very next breath says, "Oh, my board is asking me about it. I'm using it to get budget."
So it's kind of like there's kind of a hypocritical kind of way of thinking around here of use it when you can and, you know, put it to shame when you can't. But another interesting comment I heard was from, actually, an organization dealing with HR management, and they said, "We just talk about trusting our employees," and how IT and security are saying, "We don't trust any of you." So, what else can we say? So somebody came up with, like, the term ultimate trust.
Is that the better way of doing it? But at the end of the day, it's all about what confidence do we have here. So with that, I'd like to shift the conversation a little bit, you know, talking about the role of identity, specifically, in this. And I'll start with you, Aubrey, because you said it in your intro, you know, the whole notion of identity centricity at the core of a lot of this. Like, in the past, these kind of are different organizations, different groups.
We had our identity groups. We had our security groups. Hopefully, they talk now and then or they reported to the same area. But clearly, coming together more, I'd be curious, coming from your perspective. How have you seen, you know, the role of identity in all of this? And in pursuing a true zero-trust journey, how has that changed? How has that evolved over the last few years?
Aubrey
The more CISOs than ever own identity, and identity has kind of moved from sort of the C or D list to sort of A or B list in terms of its importance, in terms of how we do business, how we enable A to B, B to C.
Kurt
Excellent. And, David, kind of coming at it from your perspective, certainly, in the lens you've had on privileged access and third-party remote access, talk a little bit about how you've seen that shift recently.
David
Yeah. Definitely, over the past several years, identity has evolved. It's becoming more of a board-level discussion for sure. And really it's been a result of the more and more and more approach or challenge that organizations are dealing with, right? More users or more identities, more applications, more data, more locations than ever before, right? So organizations' IT, security, never been more challenged when it comes to dealing with securing these identities.
So, of course, you know, we know that we started with perimeter approach, the moat and castle. Been trying to focus at the end device itself. I mean, of course, now extending to the much broader approach around identities. And then identities in themselves have also broadened in the term as well, right? You mentioned privilege accounts.
So I've got my standard identities, and then I've got, within those, what specific privilege accounts I need to gain access. I might be looking at vendors or third parties, and then I might even be inclusive of non-human identities as well, RPAs, IoT, service accounts, so all of these challenges. And then, of course, you know, over the past several years, that has escalated these challenges even more so, probably accelerated the need for these approaches by the past, you know, two, three years, escalating that even more so.
So I really think, you know, we've seen a significant evolution of identity, and we're going to continue to see that broadened concept of what an identity is and how to secure that.
Kurt
Yeah. And certainly coming from the perspectives of Palo Alto and CrowdStrike, traditional security vendor, but each of you talking more and more about identity, I'll start with you, Chris. What does identity really mean to CrowdStrike, and how is it fitting in your strategies?
Chris
Well, identity can be many things, and obviously, it was David that brought up all different places where I can go. A couple of pieces to start with in this area, so what our customers say they deal with most to begin with are the device identities and then user identities. Specifically, devices are fairly easy to profile identify for what they are or where they're coming in from and their health or hygiene or attestation.
What becomes really interesting though as of late is now the refocus, I should say, back onto user identity. And I'll just go back and make reference to one of our threat reports we just released, and we stop breaches. Well, 82% of breaches that we had to respond to over the past year, there was a compromised user credential, user identity that was involved in that.
I'll say that again, 82%. So clearly, a bigger shift has to go over towards the user identity side of house controlling what they are, what they can do, where they're coming in from, whether it's using your passwords, MFA, all those pieces. And you know, as we continue to evolve, I think they'll become, as an overall security industry, much more prevailing, right? And quite frankly, just having control of the users, having the visibility and actually being able to go back and enforce corrections and actions back to the identities or even where
On a per transaction basis becomes extremely important. And if we can't do that, we're not going to be able to solve, you know, some security challenges. So that all being said, yeah, user identity is probably the hottest portion at this point in time. And pretty soon next, I got a funny feeling, there'll be RPAs and other pieces they'll become as people go with more and more automation, try and help, you know, this process at increased speed.
Kurt
Absolutely. Doug, any final thoughts from your perspective from Palo Alto?
Doug
Just a couple of quick points, yeah, to add on. I think Chris nailed a lot of the points I would have made. But I would add, you talked about device identity and user identity. I would add application identity to that too, right, really truly ID-ing the application that's being accessed and doing that in a way that is not as simple as just trusting ports and protocols, right? So it's really application layer 7 identity.
But on the user identity portion of this, you know, I think what we've seen happen and what's going to continue to happen is better integration, and that's critical because we've talked about how just doing zero trust takes full integration, takes a solution. We've seen better security, you know, addressing phishing attacks, man in the middle, credential theft.
And believe it or not, better user experience, right, as we move to passwordless and some of these more secure technologies that are actually improving the user experience in the process as well, which has been a difficult balance at best.
Kurt
Thank you very much. It's been a terrific conversation. Doug, David, Aubrey, Chris, thank you so much. Thank you for your partnership. Very excited to work with you to bring passwordless phishing-resistant MFA to our joint customers pulling in risk signals from Palo Alto and CrowdStrike, leveraging to protect the applications and resources behind the Ping environment, and the privileged resources and remote access for BeyondTrust environments, and then discontinuing those sessions when something's changed.
It's the only way we're going to get there. And working together, we can help our customers on this zero-trust journey, and hopefully, one day, we can help them get zero-trustified. Thank you very much.