Security within Reach: Practical Steps to Get on the Road to Zero Trust
Leading technology advisors and service providers World Wide Technology, Optiv, Climb Solutions, and GuidePoint Security discuss the key zero trust initiatives and strategies their customers are driving in 2023, their short-list of small steps that have a big impact on reducing the attack surface, and the immediate steps they are recommending to stop breaches before they can start.
Transcription
Bill
Hi, I'm Bill Hogan, Chief Revenue Officer at Beyond Identity, and we're here to talk about zero trust and, in a practical sense, what it means to our customers. Joining me today are four of the preeminent identity and access management practice leads in the marketplace.
I have Charles Bass from Climb Channel Solutions, James Bonifield from Optiv, Kevin Converse from GuidePoint, and Jayson Ye from World Wide Technology. Guys, if you don't mind, if you could just introduce yourselves and also just let's kick things off with, what does zero trust mean to you and, in turn, you know, how are you shaping that to the marketplace?
Charles, why don't we start with you?
Charles
Sure. Thanks, Bill. So, I'm Charles Bass. I'm the Chief Marketing Officer and responsible for alliances and marketing at Climb Channel Solutions. We're a technology distributor focused on emerging, you know, data center technology. And so to me, this is a play about, you know, meeting a need in the market and that there's a huge opportunity.
Everything we do in our company is essentially an emerging brand. So, what we do, you know, as a company is we're focused not on Cisco but on Arista, not on NetApp but on Cloudian. We see Beyond Identity as a huge opportunity to go into the identity space with a different, better solution. And that's candidly what we're about. We've got 7,000 VARs in North America that are trusting us to go find the next, kind of, game-changing play.
Bill
Terrific. Thank you. How about we shift over to Kevin?
Kevin
Yeah, hi. I'm Kevin Converse. I'm the Identity and Access Management practice director for GuidePoint. We're a value-added reseller focused just on cybersecurity across the United States. So, for us, zero trust is a big opportunity to get in and help customers really establish where they're at in their program and build a mature identity program around a zero trust framework.
Bill
Excellent. Thank you so much. We're also joined by Jayson Yee. Jayson.
Jayson
Hi, I'm the IAM practice manager for WWT. And zero trust is we find that as a component of just really good security, and our goal is to address everything under zero trust so that our platform is wide. It's not just security. We do get into different elements so we can have a lot of depth and capabilities around that.
But really most importantly isn't so much what zero trust means for us. It's really what it means to the clients and really figuring out... Like, no one really has a zero trust project. What happens is they want to achieve zero trust, and they have some well-defined projects that will get them there.
So, really that's the trick, and that's what we try to do for our clients.
Bill
Excellent. Thank you so much. And agreed. You know, we've got this convergence of identity and security authentication. Doing it well is going to clearly play a role there. As we shift forward, we do want to hear, you know, what the customer's mindset is. We're going to hear a lot about that today.
James Bonifield, how about from you, my friend?
James
Hey, so I'm James Bonfield. I am one of the practice managers with the Digital Access Management practice at Optiv. So, for me, I think when I think about zero trust, I really think about how security and zero trust as a concept has continued to evolve over the last 13 or so years, and how as programs get more mature, the concept of zero trust continues to evolve and, kind of, take in more aspects of security, whether it's incorporating device posture, risk signals, things like that, and really understanding that it is not really a target to hit but a continued journey that you need to move along with, with your customers and with your technology partners.
And that's where from Optiv's perspective, one of the things that we really focus on is aligning customers along a capability maturity journey with zero trust and the solutions and the non-technical aspects that it takes to get them there.
Bill
Yeah, great foundation for the conversation. You know, building upon one of the comments where, you know, there aren't really zero trust projects out there, right, but it's a mindset. It's evolving to be a way of life. There's a DNA that has to build in terms of the overall approach, but let's put ourselves back into customer's mind here...customer set.
James, you want to take first crack at it. What are the objectives that the customers are laying out, which zero trust will resonate with? I'm talking to the customer. You know, how are you arming and equipping them? What are their objectives where this topic plays today?
James
Sure. So, I think broadly there are two ways that you can, kind of, enter the zero trust conversation. One is kind of a top-down where you've heard a little bit about zero trust and you're interested in seeing what applying a zero trust strategy looks like. So, you're, kind of, starting from that foundational, "I know it's important, but why is it important to my business?"
And then I think we often see, kind of, a bottom-up approach as well where clients will have specific problems that they're trying to solve, whether it's around increasing security while decreasing friction. It could even be something as simple as password resets, right? And starting from those foundational problems, that evolves into, "Well, don't just solve these problems tactically. Build a program and build a plan around solving them a true zero trust plan."
So, I think, kind of, to your point, a lot of it is where is the client coming from or the particular program you're trying to solve for, and then you can use that information to plot where they are and where they need to go.
Bill
Sure. You know, one of you guys want to take a crack at defining zero trust? I mean, it means a lot of different things to different people. Jayson? Kevin? One of you guys want to take a crack at it?
Jayson
Sure. Yep, I'll take a stab at it. So, zero trust, it's been around...like, what was just said earlier, it's been around, like, 13 years. So, it's one of those things where it does have a definition, but it's complex because there are three different organizations that take it very deep.
There's NIST, there's Gartner and Forrester that are really talking about what zero trust is in their opinion. But really what I think it's going to reveal itself to be is, how does that apply to our client base? What are our clients really looking to solve? And part of that has to start from the beginning with why is zero trust important now when it's been around for so long?
And part of that is the messaging that's been coming out. It's kind of a buzzword. And I used to have this approach where...well, you know, zero trust is marketing term, and it's really not. It's really a collection of best practices that we should have been doing in security all along. We're going to focus on around constant verification, authentication. We look at assumed breach, meaning that you have enough visibility inside your organization to understand when things are going differently.
And then these privileges. Everybody's going to agree that these are all things we should have been doing, but let's go through and really figure out how we're going to get there.
Kevin
Yeah, sorry. I was going to jump in there too. I would say the big thing that we see is the technology just wasn't there before. So, being able to talk to all the different devices from your identity, from the authentication into, like, a network endpoint or endpoint management system, having that back channel being able to communicate was, kind of, a key piece of actually setting up a zero trust framework.
I think some things are out there in the past, but they really didn't have the complete picture and they're still, kind of, moving that direction.
Bill
Yeah, along those lines, the point I was going to bring to that is this maturity going on in the security landscape where we need to know what and why it happened and what could be said to not have it happen again. Charles, why don't you take a crack if you don't mind, on, you know, what is zero trust not? Like, what are the big misconceptions out there about this zero trust phenomenon?
Charles
Yeah, I would say, Bill, I would start, and again from a disti perspective, we've got brands that represent, you know, firewall products and brands that represent endpoint data products. And candidly, there's a lot of players in the space in those two kinds of areas. But, you know, I would say that, you know, a Zero Trust Authentication play is well beyond that and using, you know, data in maybe a real-time way to lock down not just identity but also devices.
I think it's not just the old way we've always sold, you know, security products to our partners.
Bill
So, Dr. Cunningham, who we heard from earlier today, had a quote which caught my attention, "Identity is the first thing most companies look to when starting zero trust initiatives." Interesting. Couple of facts, data points that are put out there as well.
Verizon breach report says 82% of breaches cause at the beginning... They start with credential theft. CrowdStrike came out with their own report, which also 82%. A large, not-to-be-named SaaS mature company, 98% of breaches attributed to credential theft. The question that I have to you, like, where's the urgency to solve this problem which seems evident, right?
It's a big chunk of the problem attributed to this tricky little thing called credential theft. Anybody want to take a crack at addressing that?
Charles
Hey Bill, it's Charles. I'll take a quick one at it. I'll let the guys with more technical backgrounds go, but I will say from our perspective at Climb Channel Solutions, we fell prey to a very sophisticated phishing attack in our finance group where they cloned a PC, got into identity, and then sent fake invoices out. And I would say that, you know, part of our interest was you and the team and the product but also to use it internally.
You know, we got a hundred brands on our line card, but there's nine that we're looking to use internally to go make our systems better. And so that may be an interesting point for you guys looking forward. We see it as a radically different play.
James
Yep. So, I was just going to say I think one thing that I see a lot is companies I think have a perception that it's a lot more difficult to get started when they go down their Zero Trust Authentication journey or even more broadly down their passwordless authentication journey. And they, kind of, think of it as a zero-sum, sort of, I have to either go fully passwordless or I have to remain with knowledge-based authentication, right?
And there's this trepidation of knowing that a lot of mature passwordless and Zero Trust Authentication, you know, you've got your device posture. You've got your network signals. You've got all these signals flowing into your decision engine around authentication, and they think, you know, that's so far from where I am now, that I just can't even invest the resources into something like passwordless authentication without realizing, you know, not to be, kind of, cliched here, but it really is like a journey of a thousand miles with a single step kind of thing.
You have to start somewhere.
Kevin
Yeah, I was just going to say... I'll agree with that. I think that's what we see too with customers as well is like where you start the journey. Oftentimes they try to bite the whole thing off and try to go completely passwordless or start the journey there, and we find that that's just not a great place to start. It's finding where it fits in, where they have resources, and who can actually step up and take on the challenge of changing that authentication model for.
Jayson
So, zero trust isn't something you solve. James was talking about the programmatic approach, something you really live towards. So, if you really adjust to that mindset first, you'll realize that you can have incremental gains and still be making inroads to your goal of zero trust. And really your goal is not zero trust, it's just to have tighter security.
But, yeah, it's really adjusting to the mindset that, "Hey, we, we can have incremental gains and reap some benefit from that."
Bill
Let's double-click a little bit further on that. The FIDO Alliance made out a statement, "To achieve zero trust, you'll have to completely rethink authentication." So, can you guys give your interpretation of what the FIDO Alliance is indicating here and how you're making these adjustments in your practices and what you're bringing to your customers?
Kevin
Yeah, I would say the big thing that we talk about with customers is really the level of effort it takes to manage the certificates, right, when you switch that model. So, looking for ways to, kind of, simplify that process and make it easier to manage those, it's typically where we start, and then with other customers, it's really like having the manpower or the staff available to make that change.
That's usually the biggest hurdle for them to get there.
Bill
Sure. Jayson, if you could...
Jayson
Here's where I think they're getting at. For a long time, the focus of security has been the perimeter, right? And now we're talking about shifting the attention from the perimeter down to the identity and really focusing on where those users and entities can access. So, I think that's what they're getting at. And what that the legacy model was for authentication was you take one challenge and you're in.
You're through the hard outside candy shell and to the gooey center. You just, kind of, rove around. The newer model and what zero trust demands is that you're constantly authenticating and making sure that this is the right access, and the people and the users are who they say they are.
So, I think that's where they're going at with that. And I do agree that this is a more secure model.
Bill
Kevin, you made a point where, you know, customers are thinking they may have to tackle more than really we collectively are capable of today. And they have to take, if I interpreted it correctly, steps towards that. Can you talk practically in terms of what you mean there and give a couple examples?
Kevin
Yeah, sure. So, when we talk about managing passwords or how customers log in, right? So, we're talking about that part of it. So, typically when you switch over to this other authentication model, you're looking at going from a password where someone can reset it at a help desk with potentially a certificate in the backend, it has to be managed. It requires a different skill set.
So, sometimes we see that customers struggle with making that transition or being able to support that model. So, it slows down the adoption of that program.
Bill
So, you guys run the practices for your respective firms, and, I mean, collectively you're seeing some of the biggest challenges, you know, far sooner than most. What is it that you think the customers should be thinking about more? So, what should they be doing now?
James
I think one thing that we are trying to get a little more prescriptive as, as an organization when we go to sell and we talk with our clients in terms of the problems they're trying to solve, is be a little more prescriptive in terms of the solutions, in terms of really the core problem that they're trying to solve. So, I'll use, like, a really specific example. So, we often have clients come to us who have failed an auditor or they need to ensure that, say, their SOX compliance apps are covered by MFA.
So, they go out and they buy basically...you know, I won't use any specific names, right, but an authenticator app because they're trying to mitigate that risk. So, what we're trying to do as an organization is really get in earlier into the sales as a practice and really be prescriptive and say, "What's the problem you're trying to solve?" and then lead with a zero trust oriented solution rather than solving the specific narrow problem that might be the pain point now or at least having that conversation to put them on the right track.
Bill
Kevin, I'll go back to you again. I'm going to, kind of, keep double-clicking on this point.
Kevin
Yeah, I would say what we see more often is customers don't really know where to start. They've got a journey in front of them. They know it's a long step, a long process here, but really where to start is where it always goes with us. We try to look at it as a program instead of as a bunch of tools that solve a problem. So, we try to build out what it looks like to actually accomplish the goal. So, putting those pieces in place, building maturity around those, those initial steps until you can get to a point where you can achieve your goal here, which in this case is zero trust, but in small increments is, kind of, the journey to get there.
Jayson
We really need to understand how they're using it and show them how to get the best ROI out of it, and then show how it matches their organizational goals. And that's really what we're heading for is to earn that advisory and that consulting role. So, we can make sure that we're looking out for our clients.
Bill
James, I'd love to hear from you on this again.
James
Yeah. So, you know, again, at the risk of repeating myself and some of the really good commentary we've had up to this point, it really is a programmatic approach where we start with the people and the processes and the pain points before we get into the conversation around the solutions. Even a really robust and mature solution like Beyond Identity. So, we tend to be a lot more successful in our prescriptive approaches when we start with the problems and we get really specific in terms of defining their user personas, the ways they're accessing different technologies, and then we layer in how Beyond Identity or really any kind of problem we're trying to solve for around zero trust can specifically solve those solutions.
Bill
Any parting comments that you'd like to share?
Jayson
Contact people that have done this before. Get a hold of us. Go connect with your representative and let us help you. We've been through this. We've seen organizations of your size and your type. And we have a lot of experience that you can draw from. So, engage with your consultant or your advisor, and we'll help you through it.
Bill
James, we'll let you be the parting shot on this topic.
James
Yeah, so I would say the key to me really is to future-proof your solution and go with the solution that can meet the continuing-to-evolve definition of zero trust, integrates well with the other solutions that you need to get there since any kind of a zero trust solution, whether now or in the future, is going to require many systems communicating and working together and really getting something even though you don't necessarily need to solve for everything at one time, something that gives you the flexibility and the power to solve for everything as you're ready is a really important first step.
Bill
It's great points. We know we don't solve the whole problem. Working closely with the likes of CrowdStrike and BeyondTrust and Palo Alto Networks, they also know they don't solve the whole problem. You folks here in the channel, the integrators have the ability to solve it end-to-end. And that's why the role that you play is so critically important to the customers at large.
And together we'll make the market more secure, we'll improve user experiences, and then we'll have happy customers and safer customers moving forward. So, thank you all for your time. We really appreciate it. And with that, I hope you enjoyed tuning in today, and there's lots of great stuff ahead and we're here to serve.
Leading technology advisors and service providers World Wide Technology, Optiv, Climb Solutions, and GuidePoint Security discuss the key zero trust initiatives and strategies their customers are driving in 2023, their short-list of small steps that have a big impact on reducing the attack surface, and the immediate steps they are recommending to stop breaches before they can start.
Transcription
Bill
Hi, I'm Bill Hogan, Chief Revenue Officer at Beyond Identity, and we're here to talk about zero trust and, in a practical sense, what it means to our customers. Joining me today are four of the preeminent identity and access management practice leads in the marketplace.
I have Charles Bass from Climb Channel Solutions, James Bonifield from Optiv, Kevin Converse from GuidePoint, and Jayson Ye from Worldwide Technology. Guys, if you don't mind, if you could just introduce yourselves and also just let's kick things off with, what does zero trust mean to you and, in turn, you know, how are you shaping that to the marketplace?
Charles, why don't we start with you?
Charles
Sure. Thanks, Bill. So, I'm Charles Bass. I'm the Chief Marketing Officer and responsible for alliances and marketing at Climb Channel Solutions. We're a technology distributor focused on emerging, you know, data center technology. And so to me, this is a play about, you know, meeting a need in the market and that there's a huge opportunity.
Everything we do in our company is essentially an emerging brand. So, what we do, you know, as a company is we're focused not on Cisco but on Arista, not on NetApp but on Cloudian. We see Beyond Identity as a huge opportunity to go into the identity space with a different, better solution. And that's candidly what we're about. We've got 7,000 VARs in North America that are trusting us to go find the next, kind of, game-changing play.
Bill
Terrific. Thank you. How about we shift over to Kevin?
Kevin
Yeah, hi. I'm Kevin Converse. I'm the Identity and Access Management practice director for GuidePoint. We're a value-added reseller focused just on cybersecurity across the United States. So, for us, zero trust is a big opportunity to get in and help customers really establish where they're at in their program and build a mature identity program around a zero trust framework.
Bill
Excellent. Thank you so much. We're also joined by Jayson Yee. Jayson.
Jayson
Hi, I'm the IAM practice manager for WWT. And zero trust is we find that as a component of just really good security, and our goal is to address everything under zero trust so that our platform is wide. It's not just security. We do get into different elements so we can have a lot of depth and capabilities around that.
But really most importantly isn't so much what zero trust means for us. It's really what it means to the clients and really figuring out... Like, no one really has a zero trust project. What happens is they want to achieve zero trust, and they have some well-defined projects that will get them there.
So, really that's the trick, and that's what we try to do for our clients.
Bill
Excellent. Thank you so much. And agreed. You know, we've got this convergence of identity and security authentication. Doing it well is going to clearly play a role there. As we shift forward, we do want to hear, you know, what the customer's mindset is. We're going to hear a lot about that today.
James Bonifield, how about from you, my friend?
James
Hey, so I'm James Bonfield. I am one of the practice managers with the Digital Access Management practice at Optiv. So, for me, I think when I think about zero trust, I really think about how security and zero trust as a concept has continued to evolve over the last 13 or so years, and how as programs get more mature, the concept of zero trust continues to evolve and, kind of, take in more aspects of security, whether it's incorporating device posture, risk signals, things like that, and really understanding that it is not really a target to hit but a continued journey that you need to move along with, with your customers and with your technology partners.
And that's where from Optiv's perspective, one of the things that we really focus on is aligning customers along a capability maturity journey with zero trust and the solutions and the non-technical aspects that it takes to get them there.
Bill
Yeah, great foundation for the conversation. You know, building upon one of the comments where, you know, there aren't really zero trust projects out there, right, but it's a mindset. It's evolving to be a way of life. There's a DNA that has to build in terms of the overall approach, but let's put ourselves back into customer's mind here...customer set.
James, you want to take first crack at it. What are the objectives that the customers are laying out, which zero trust will resonate with? I'm talking to the customer. You know, how are you arming and equipping them? What are their objectives where this topic plays today?
James
Sure. So, I think broadly there are two ways that you can, kind of, enter the zero trust conversation. One is kind of a top-down where you've heard a little bit about zero trust and you're interested in seeing what applying a zero trust strategy looks like. So, you're, kind of, starting from that foundational, "I know it's important, but why is it important to my business?"
And then I think we often see, kind of, a bottom-up approach as well where clients will have specific problems that they're trying to solve, whether it's around increasing security while decreasing friction. It could even be something as simple as password resets, right? And starting from those foundational problems, that evolves into, "Well, don't just solve these problems tactically. Build a program and build a plan around solving them a true zero trust plan."
So, I think, kind of, to your point, a lot of it is where is the client coming from or the particular program you're trying to solve for, and then you can use that information to plot where they are and where they need to go.
Bill
Sure. You know, one of you guys want to take a crack at defining zero trust? I mean, it means a lot of different things to different people. Jayson? Kevin? One of you guys want to take a crack at it?
Jayson
Sure. Yep, I'll take a stab at it. So, zero trust, it's been around...like, what was just said earlier, it's been around, like, 13 years. So, it's one of those things where it does have a definition, but it's complex because there are three different organizations that take it very deep.
There's NIST, there's Gartner and Forrester that are really talking about what zero trust is in their opinion. But really what I think it's going to reveal itself to be is, how does that apply to our client base? What are our clients really looking to solve? And part of that has to start from the beginning with why is zero trust important now when it's been around for so long?
And part of that is the messaging that's been coming out. It's kind of a buzzword. And I used to have this approach where...well, you know, zero trust is marketing term, and it's really not. It's really a collection of best practices that we should have been doing in security all along. We're going to focus on around constant verification, authentication. We look at assumed breach, meaning that you have enough visibility inside your organization to understand when things are going differently.
And then these privileges. Everybody's going to agree that these are all things we should have been doing, but let's go through and really figure out how we're going to get there.
Kevin
Yeah, sorry. I was going to jump in there too. I would say the big thing that we see is the technology just wasn't there before. So, being able to talk to all the different devices from your identity, from the authentication into, like, a network endpoint or endpoint management system, having that back channel being able to communicate was, kind of, a key piece of actually setting up a zero trust framework.
I think some things are out there in the past, but they really didn't have the complete picture and they're still, kind of, moving that direction.
Bill
Yeah, along those lines, the point I was going to bring to that is this maturity going on in the security landscape where we need to know what and why it happened and what could be said to not have it happen again. Charles, why don't you take a crack if you don't mind, on, you know, what is zero trust not? Like, what are the big misconceptions out there about this zero trust phenomenon?
Charles
Yeah, I would say, Bill, I would start, and again from a disti perspective, we've got brands that represent, you know, firewall products and brands that represent endpoint data products. And candidly, there's a lot of players in the space in those two kinds of areas. But, you know, I would say that, you know, a Zero Trust Zuthentication play is well beyond that and using, you know, data in maybe a real-time way to lock down not just identity but also devices.
I think it's not just the old way we've always sold, you know, security products to our partners.
Bill
So, Dr. Cunningham, who we heard from earlier today, had a quote which caught my attention, "Identity is the first thing most companies look to when starting zero trust initiatives." Interesting. Couple of facts, data points that are put out there as well.
Verizon breach report says 82% of breaches cause at the beginning... They start with credential theft. CrowdStrike came out with their own report, which also 82%. A large, not-to-be-named SaaS mature company, 98% of breaches attributed to credential theft. The question that I have to you, like, where's the urgency to solve this problem which seems evident, right?
It's a big chunk of the problem attributed to this tricky little thing called credential theft. Anybody want to take a crack at addressing that?
Charles
Hey Bill, it's Charles. I'll take a quick one at it. I'll let the guys with more technical backgrounds go, but I will say from our perspective at Climb Channel Solutions, we fell prey to a very sophisticated phishing attack in our finance group where they cloned a PC, got into identity, and then sent fake invoices out. And I would say that, you know, part of our interest was you and the team and the product but also to use it internally.
You know, we got a hundred brands on our line card, but there's nine that we're looking to use internally to go make our systems better. And so that may be an interesting point for you guys looking forward. We see it as a radically different play.
James
Yep. So, I was just going to say I think one thing that I see a lot is companies I think have a perception that it's a lot more difficult to get started when they go down their Zero Trust Authentication journey or even more broadly down their passwordless authentication journey. And they, kind of, think of it as a zero-sum, sort of, I have to either go fully passwordless or I have to remain with knowledge-based authentication, right?
And there's this trepidation of knowing that a lot of mature passwordless and Zero Trust Zuthentication, you know, you've got your device posture. You've got your network signals. You've got all these signals flowing into your decision engine around authentication, and they think, you know, that's so far from where I am now, that I just can't even invest the resources into something like passwordless authentication without realizing, you know, not to be, kind of, cliched here, but it really is like a journey of a thousand miles with a single step kind of thing.
You have to start somewhere.
Kevin
Yeah, I was just going to say... I'll agree with that. I think that's what we see too with customers as well is like where you start the journey. Oftentimes they try to bite the whole thing off and try to go completely passwordless or start the journey there, and we find that that's just not a great place to start. It's finding where it fits in, where they have resources, and who can actually step up and take on the challenge of changing that authentication model for.
Jayson
So, zero trust isn't something you solve. James was talking about the programmatic approach, something you really live towards. So, if you really adjust to that mindset first, you'll realize that you can have incremental gains and still be making inroads to your goal of zero trust. And really your goal is not zero trust, it's just to have tighter security.
But, yeah, it's really adjusting to the mindset that, "Hey, we can have incremental gains and reap some benefit from that."
Bill
Let's double-click a little bit further on that. The FIDO Alliance made out a statement, "To achieve zero trust, you'll have to completely rethink authentication." So, can you guys give your interpretation of what the FIDO Alliance is indicating here and how you're making these adjustments in your practices and what you're bringing to your customers?
Kevin
Yeah, I would say the big thing that we talk about with customers is really the level of effort it takes to manage the certificates, right, when you switch that model. So, looking for ways to, kind of, simplify that process and make it easier to manage those, it's typically where we start, and then with other customers, it's really like having the manpower or the staff available to make that change.
That's usually the biggest hurdle for them to get there.
Bill
Sure. Jayson, if you could...
Jayson
Here's where I think they're getting at. For a long time, the focus of security has been the perimeter, right? And now we're talking about shifting the attention from the perimeter down to the identity and really focusing on where those users and entities can access. So, I think that's what they're getting at. And what the legacy model was for authentication was you take one challenge and you're in.
You're through the hard outside candy shell and to the gooey center. You just, kind of, rove around. The newer model and what zero trust demands is that you're constantly authenticating and making sure that this is the right access, and the people and the users are who they say they are.
So, I think that's where they're going at with that. And I do agree that this is a more secure model.
Bill
Kevin, you made a point where, you know, customers are thinking they may have to tackle more than really we collectively are capable of today. And they have to take, if I interpreted it correctly, steps towards that. Can you talk practically in terms of what you mean there and give a couple examples?
Kevin
Yeah, sure. So, when we talk about managing passwords or how customers log in, right? So, we're talking about that part of it. So, typically when you switch over to this other authentication model, you're looking at going from a password where someone can reset it at a help desk with potentially a certificate in the backend, it has to be managed. It requires a different skill set.
So, sometimes we see that customers struggle with making that transition or being able to support that model. So, it slows down the adoption of that program.
Bill
So, you guys run the practices for your respective firms, and, I mean, collectively you're seeing some of the biggest challenges, you know, far sooner than most. What is it that you think the customers should be thinking about more? So, what should they be doing now?
James
I think one thing that we are trying to get a little more prescriptive as, as an organization when we go to sell and we talk with our clients in terms of the problems they're trying to solve, is be a little more prescriptive in terms of the solutions, in terms of really the core problem that they're trying to solve. So, I'll use, like, a really specific example. So, we often have clients come to us who have failed an auditor or they need to ensure that, say, their SOX compliance apps are covered by MFA.
So, they go out and they buy basically...you know, I won't use any specific names, right, but an authenticator app because they're trying to mitigate that risk. So, what we're trying to do as an organization is really get in earlier into the sales as a practice and really be prescriptive and say, "What's the problem you're trying to solve?" and then lead with a zero trust oriented solution rather than solving the specific narrow problem that might be the pain point now or at least having that conversation to put them on the right track.
Bill
Kevin, I'll go back to you again. I'm going to, kind of, keep double-clicking on this point.
Kevin
Yeah, I would say what we see more often is customers don't really know where to start. They've got a journey in front of them. They know it's a long step, a long process here, but really where to start is where it always goes with us. We try to look at it as a program instead of as a bunch of tools that solve a problem. So, we try to build out what it looks like to actually accomplish the goal. So, putting those pieces in place, building maturity around those initial steps until you can get to a point where you can achieve your goal here, which in this case is zero trust, but in small increments is, kind of, the journey to get there.
Jayson
We really need to understand how they're using it and show them how to get the best ROI out of it, and then show how it matches their organizational goals. And that's really what we're heading for is to earn that advisory and that consulting role. So, we can make sure that we're looking out for our clients.
Bill
James, I'd love to hear from you on this again.
James
Yeah. So, you know, again, at the risk of repeating myself and some of the really good commentary we've had up to this point, it really is a programmatic approach where we start with the people and the processes and the pain points before we get into the conversation around the solutions. Even a really robust and mature solution like Beyond Identity. So, we tend to be a lot more successful in our prescriptive approaches when we start with the problems and we get really specific in terms of defining their user personas, the ways they're accessing different technologies, and then we layer in how Beyond Identity or really any kind of problem we're trying to solve for around zero trust can specifically solve those solutions.
Bill
Any parting comments that you'd like to share?
Jayson
Contact people that have done this before. Get a hold of us. Go connect with your representative and let us help you. We've been through this. We've seen organizations of your size and your type. And we have a lot of experience that you can draw from. So, engage with your consultant or your advisor, and we'll help you through it.
Bill
James, we'll let you be the parting shot on this topic.
James
Yeah, so I would say the key to me really is to future-proof your solution and go with the solution that can meet the continuing-to-evolve definition of zero trust, integrates well with the other solutions that you need to get there since any kind of a zero trust solution, whether now or in the future, is going to require many systems communicating and working together and really getting something even though you don't necessarily need to solve for everything at one time, something that gives you the flexibility and the power to solve for everything as you're ready is a really important first step.
Bill
It's great points. We know we don't solve the whole problem. Working closely with the likes of CrowdStrike and BeyondTrust and Palo Alto Networks, they also know they don't solve the whole problem. You folks here in the channel, the integrators have the ability to solve it end-to-end. And that's why the role that you play is so critically important to the customers at large.
And together we'll make the market more secure, we'll improve user experiences, and then we'll have happy customers and safer customers moving forward. So, thank you all for your time. We really appreciate it. And with that, I hope you enjoyed tuning in today, and there's lots of great stuff ahead and we're here to serve.






