Zero Trust. It’s everywhere. It’s a methodology that’s been around for years, and we are now seeing a significant uptick in the number of enterprises looking to implement a Zero Trust initiative.
But once an enterprise has decided to go forward with Zero Trust, the challenge becomes getting started.
In this episode, we’re joined by Dr. Srijith Nair, Chief Strategy Officer for Axiomatics, to discuss how enterprises can use dynamic authorization to implement a Zero Trust initiative as well as what’s next for Zero Trust.
Kelly: Hi and welcome to this episode of Dynamically Speaking. I’m your host, Kelly O’Dwyer-Manuel.
I’m pleased to share that with me today is Dr. Srijith Nair, who is the Chief Strategy Officer of Axiomatics, and someone with deep experience in the dynamic authorization industry both from the vendor and from the customer side.
So, welcome Srijith, thank you so much for taking the time to be with us today.
Srijith: Thank you, Kelly. Yeah, it’s great to be here. I’m happy to be in this conversation, which is turning out to be rather interesting for all of us.
Kelly: Glad to hear that! And so as you know, during our last episode we spoke with your colleague Jim Barkdoll about the growing adoption of Zero Trust by both government agencies as well as private enterprises, and that’s something that I wanted to dive deeper into with you today.
So to that end, you know we know that Zero Trust has been around for many years, so why do you believe we’re now seeing more attention to this methodology and broader adoption by global enterprises?
Srijith: It’s a great question, Kelly. It’s probably because of a couple of things coming together.
The first one is the fact that, as the last few decades have gone past, the security and the maturity of the cybersecurity environment that enterprises have been working in has kind of gotten better, so people have gotten the basics done, the basic hygiene, the identity and everything, and they are seeing that they need to up the game a bit more in order to survive the constant threats that are happening.
So, the fact that the challenges are higher but at the same time they have the kind of the foundational level of security said that allows them to explore more, conceptually interesting ideas like Zero Trust, but at the same time which can have direct, practical benefits to enterprises very interesting.
Kelly: Very interesting. And to that end, I guess when we’re talking about the benefits of Zero Trust, we’re seeing more and more vendors tout their technologies as being integral to Zero Trust.
So, as somebody working with a dynamic authorization vendor, how would you say dynamic authorization is different and what does it bring to a successful Zero Trust implementation?
Srijith: Sure. Yeah, you’re right. I mean, everybody that has a security product out there probably has a story to tell which connects it to Zero Trust, and probably a lot of them are right in the sense because Zero Trust, just by the nature of how you define it, it’s, it’s a rather loose term. It can mean a lot to a lot of different people, and it means a lot of different environments you’re working in.
So, if you’re just looking at different maturity levels, again, um, probably you start off with a very simple Trust model which talks about network segmentation, which is what it used to be a few years ago.
But you can see that over the last few years that has gone beyond that and it’s gone beyond the pure de-perimeterization concept that the Jericho Forum came out with decades ago and then the kind of network authorization which came and followed after that.
It’s getting more and more clear it’s becoming more and more clear that you need to think about Zero Trust in a holistic viewpoint across networks, across applications, and all the way probably even to data because at the end of it, what you’re protecting it’s not just the network, you’re protecting is your applications, your APIs, and at the end of it, the data as well.
So, within that context, authorization has got this unique role because it’s central to anything that happens within that security-defined environment.
When you’re trying to access something, or when your customer is trying to access something, you’re gonna have to make a decision about whether that access should be allowed or not.
And at the end of it, the security of your service, the security of the environment is defined by that, and authorization is core to that and that becomes just so much more integral to cause a request because of that.
And, dynamic authorization then is very, very interesting because that dynamic nature of that authorization is what is so-called to Zero Trust.
Because Zero Trust keeps saying keep doing your authentication and your authorization because that’s what changes the context changes and you cannot rely on something which was computed six months ago, even one day ago, but you need to dynamically look at all the environmental changes the context behind your access and make decisions based on that.
Kelly: That makes that makes good sense, for sure, for sure. So, let’s say, uh, my enterprise has decided we’re going to embark on a Zero Trust initiative. What is the best way for us to get started with dynamic authorization within that purview?
Srijith: Yeah, it’s sometimes not an easy answer honestly, just because it changes a lot with the environment and the enterprise that you have with your definition, right?
So, if you are a company which is just trying to understand what is Zero Trust and you’re just trying to figure out what is the best way to have that move that needle, that from the zero to the something, you probably are you’re better off looking at one or two very critical solutions that you want to protect or critical assets you want to protect, and then figure out what that protection means for you.
And then change the structure of how you’re exposing that service and then make it easier to do authorization and authentication around it.
What I’ve seen a lot of customers struggle with is look at Zero Trust in this entirety and then just get really frustrated because it becomes a multi-year program, and a multi-year program with a lot of vendors, with a lot of moving parts just adds the complexity of what you’re trying to do and you’re probably not going to figure out an easy way of going from something, nothing to something that quickly with so many components you want to move around, right?
So start small, start with a high impact product or a project, and show the value of it, not just to the security department but also the business. Business could be the linchpin of what you’re trying to achieve in that sense, right?
Kelly: That makes complete sense. So now I’m going to ask you to look into your crystal ball and as Zero Trust, you know we talked at the beginning it’s been around for a while even though now we’re starting to see really the realization of the promise of Zero Trust, if you will.
So, with that in mind, to your mind, Srijith, what’s next for Zero Trust? Where do we go from here?
Srijith: Yeah. Zero Trust has predominantly been about enterprises.
It’s about protecting your employees, um, in order to achieve, to be able to work in that environment in a safe manner. And you, you’d see the likes of Google talk about Beyond Trust Corp, which is like the corporate aspect of it, right.
I think the first thing that’s going to change, that is going beyond the corporate environment and think about it from a production point of view, because more and more customers are going to use services or in the Cloud, and you we have been talking about as an employee, how do you access it securely, but at some point very soon, people are going to think about how do you provide those services securely in a very dynamically changing environment?
We are moving between Cloud, your brokerage access between clouds, so that Zero Trust network and authorization concept needs to go from the corporate environment to a production kind of environment.
So, that’s, I think the first change that’s gonna happen. And probably the next thing is very specific to authorization but I feel, and I think this is where security needs to kind of push itself to one higher level, is to say that it cannot be a cost center anymore, it needs to be a business driver, and Zero Trust will merge in the different frameworks and push towards showing that it can actually be a kind of a business enabler rather than just be a pure security strategy.
It’s always going to be a security strategy but not a defensive at all, but it’s also just going to provide you with value which is specifically probably around authorization saying this is the best way to do certain things when you’re trying to expose a service for your customers.
Kelly: Wow, that makes that, makes great sense and it sounds like there’s a lot of exciting times and a lot of learning to be had as we move forward, which is fantastic.
That’s, that’s really what IT security has been about, I think certainly for ages.
So, I think that’s all the time we have for today, but I wanted to thank you, Srijith for your time and, and for an engaging conversation! There’s lots of interesting insight that I think people will get a lot out of as they ponder how to best use Zero Trust within their organization.
So, thank you very much! We appreciate your time!
Srijith: Thank you, Kelly. It’s great being here!