MARK SIMOS: Hi, my name is Mark Simos.
Welcome to the Microsoft 365
Network Connectivity Series.
My role is to be lead
cybersecurity architect,
building guidance and
reference architectures,
reference strategies, etc,
for our customers as they're
working to adopt security.
And so our first topic in this
series will be zero trust.
And Les, would you like
to introduce yourself?
LESLEY KIPLING: Thanks, Mark.
Hi, everybody. My name is Lesley,
and I'm a chief security
advisor for Microsoft
and, in fact, a long-time
forensic investigator, as well.
During this session, Mark
and I will really be trying
to explain the concepts of zero trust,
what it is and what that means,
but equally focus on some
of the architectures today
that we feel are not fit for purpose.
And to do that, we're going
to start with a story.
Along came COVID-19 and lockdowns,
and unfortunately that had
a huge amount of impact
and potential destruction to the industry
because essentially we had
everybody suddenly working from home.
That meant we faced diminished
network and VPN capacity,
degraded user experience,
and in fact reduced
audio and video quality.
So I do know that there was an
awful lot of people out there
who were very unhappy
about working from home.
Fast-forward a few months,
and essentially we believe now
that remote working is
going to be the new norm.
The good news about that is
that it unlocks business
benefits like reduced cost,
it increases efficiencies,
and it allows for more flexible hiring.
Of course, we found that collaboration
and communication tools,
as I'm showing you on
the screen at the moment
which is the uptake for Teams,
right about the March time
frame when lockdown came in,
we realized that they were obviously
required for productivity,
but equally so is modern
network architectures -
so much so that in fact,
slow is the new broken.
And what do I mean by
slow is the new broken?
Well, traditionally, many IT organizations
really have both segmentation
and containment strategies
primarily using firewalls
that filter the IP traffic
by protocol and port walls.
These designs typically
include a production intranet;
an extranet, or otherwise known
as the "DMZ," or "demilitarized zone";
and sometimes, additional
network segmentation
within the production network.
The key focus though is to
ensure that all remote traffic
is routed over the corporate network
generally due to security requirements
about being able to capture
that network traffic at multiple layers.
An example would be a full packet capture
or specifically using SSL decryption
to be able to decrypt the traffic,
to be able to see what traffic
is going over the network.
The counter-approach to this
would be to tend to push this inspection
into the client layer,
therefore adding more agents
in a best-of-breed world.
And the net result is that most of these
is a failed strategy that
is difficult to implement,
costly to the organization,
and yet is repeatedly proven
easily evaded by attackers.
So if you remember,
port 80, which is the
firewall bypass port,
VPNs are frequently leveraged by attackers
as a means to attain access
into the organization's network.
Also, on top of that,
latency drives users away
and incentivizes shadow IT.
So essentially on this slide
what we're trying to get across
is really the connectivity principles
that are required for thinking about
using modern applications and specifically
software-as-a-service
applications, in fact, like M365.
So there's more detail there on that link.
I'd encourage you to go
and have a look at those.
But essentially, we want to take
a different approach to security controls
and avoid duplication because
it bottlenecks the traffic
and adds latency without
necessarily adding security.
Where we're going to be focusing today are
with the rest of the conversation
is really on point number 4,
which is modernizing security
for those SaaS applications.
So now I'm going to hand you back to Mark
to be able to talk about
maybe the traditional
approaches to zero trust,
why zero trust is born,
talking about the landscape
and maybe then how we start
to think about modernizing zero trust
and network architectures going forward.
Back to you, Mark.
MARK SIMOS: Thanks, Les.
So, one of the interesting
things about zero trust
is, it's kind of a newer buzz
word, as people like to say,
but it's also got very, very deep roots
that go back decades.
So it really helps to
understand what zero trust is,
to understand where security started
and what we've tried in the past,
because ultimately, the goal of security
is, you want to keep safe your assets -
important things like your data
and your critical applications
that you need to run your business
or your nonprofit or
government agency or whatever -
you got to keep those valuable assets
away from the attackers.
That's really the goal
at the end of the day.
And there's a lot to it
because IT got pretty complex pretty fast,
with lots of different
users and roles, etc.,
and different devices and you name it.
And so the first attempt
to sort of address the security question
was, Hey, why don't we . . .
we own these wires,
we own the building, we own
the physical facilities,
let's go ahead and say this
new network that we have,
let's put a border around it,
put a firewall there so that
these attackers can't get in
because that was kind of
how the first one started.
And this sort of gave birth
to the trusted network security strategy -
that we're network based;
it seems simple, economical;
and, hey, we'll get to the security
and we'll do some more
stuff within the network
because it seems like an important thing,
but we really never got
to it, to be honest.
So then, what happened over time
is, we really started to see
that the assets themselves
didn't quite fit this
assumption or this paradigm
that all the things we care
about are on the network.
First part being the network assets,
bring your own devices,
work from home, mobile,
everybody's working from
home at this moment in time,
and were really happening,
and so a lot of these assets
were on the network or are now.
We're also seeing that
to adapt to the cloud
and to just hyper-scale
just millions of cores
and all sorts of services
and all that kind of stuff,
the protocols had to be
really adapted and tuned
in particular ways for
how end-user devices
connect to Office 365, for example.
And these aren't the same POP3
and IMAP services of times past.
These are really much more sophisticated,
advanced, specialized things.
And so, this is really outpacing
the tools and the expertise
that's out there in the marketplace
to do kind of that
network-oriented security.
And then, we also saw the
attackers themselves shift,
and we'll talk quite a bit
more in the next slide,
but we're seeing them move
to phishing and credential theft.
And if you try to do all of those
kinds of newer attacks with the network
or try to detect them and investigate them
and respond to them or mediate them,
it gets very, very difficult
because those aren't really tuned for,
and you always end up
with way too many events
that might have something to do with it,
and it just really
overwhelms your SOC analysts
and your security analyst
that are investigating them.
So let's take a look at
the attack environment
because that history kind
of helps frame why we needed
to kind of do something
different than the classic model.
Well, let's take a look
at what we have today
because this really
helps kind of illustrate
what zero trust is really meant to solve.
These are fairly current
prices of what it costs
an attacker to actually buy a piece
of an attack on the dark web,
kind of the much more obscure
and out-of-the-public-eye
version of the internet.
And so this is where they go
and they buy things like
a compromised account;
they can buy ransomware toolkits;
they can buy zero-days,
which are very expensive.
And you'll notice that these
things tend to be fairly cheap -
a compromised PC, anywhere
from 3 cents to $1.80.
Those that the identity
attack kind of raw material,
the compromised accounts are very cheap.
So if I'm an attacker
and I want to try and get into a company,
I don't feel like paying the $10,000 fee
for somebody else to do it for
me in the bottom left there,
the compromised accounts for $150 US,
I can buy 400 million.
And on average, for reference,
it's about a 1% hit rate
in any different company
that a user name and
password pair match a user
in an enterprise organization.
And so for $150, I can get
effectively 4 million chances
with that 1% rate to
get into that company.
Why would I bother scanning and exploiting
and doing all this old-school
stuff when I could do that
or I could just send a phishing email?
And so the attackers are
really adapted to that world.
And so we have to make
sure that the things
that we're thinking about for security
under the zero trust umbrella
are really focused on
that problem as it is.
So now onto the definition
of "zero trust."
And this is something that
it's a little bit confusing
to folks because it's new.
So new things are always
a little hard to get your mind around
because it's kind of a
new model, a new paradigm.
Typical fashion, there's
a lot of different vendors
and folks with different stakes
that are trying to define it.
The thing that we've come
to realize at Microsoft
and our work with The Open Group and NIST
and a number of other
organizations, as well,
is that zero trust is actually
an overarching strategy.
It's an overall formal
strategy for security -
some would argue the
first one we've ever had
as a security industry.
But it is a formal strategy.
And so a strategy is not something
you rack and stack into a 19-inch rack
and screw it in and bolt it in.
A strategy is something that affects
all the things that you do
and kind of realigns us.
Some of the changes are
big, some are small,
some are just perception - how
you look at things.
But it's a strategy to focus on protecting
those important business data and apps,
very much aligned to the
business and the mission,
on a public or untrusted network,
kind of acknowledging that reality
of that kind of hostile
network that we're on
because we don't have that safe
firewall boundary around us anymore.
We can't consider it safe inside of it.
And this leads to then the second layer.
So this is another thing
that confuses people.
It's not only new, but it's multilayered.
So the strategy is going to result
in a couple of different
initiatives in most organizations,
the first of which is
productivity security -
so, things like I am
logged in to my laptop
and I am doing work on a regular basis
[from home, nowadays],
and kind of, how do we
do security for that?
And this is the area where, quite frankly,
the technology is most mature,
and zero trust and its value
proposition is clear. It
essentially led to some confusion
because some people thought
zero trust is identity security,
it is productivity and productivity
security is zero trust.
Zero trust is actually more than that.
We've realized that the same sort of
hard outer shell of the
network thing doesn't work,
also leads us to SOC modernization,
where we have to do detection,
response, remediation
outside of our network.
And we know that it's also going to affect
data center access
and kind of how we do isolation
segmentation within it.
We know it's going to affect
and touch IoT and OT, as well.
So zero trust is a very big-picture thing,
where we're focusing most
on the productivity security today,
but we wanted to make sure
that folks are understanding
that this was a broader piece.
The cool thing about it,
and my personal favorite
part about zero trust
is it's not and or, right?
It's not IT versus security.
It's not business versus security
like things have gone in the past.
It actually benefits
everyone, everyone wins in it.
It sounds a little silly, it
sounds a little over the top,
but the truth is, zero
trust actually helps
both security and productivity.
And the core for this
and the reason for this
is because we're no
longer trying to create
a safe space in the network,
and then pull the assets
and the users and everything into it.
We're actually taking the
security things that we've learned
and going to where the users
and the business assets are,
and we're actually securing
them where they are.
And so this creates massive benefits
because it takes a lot of the friction
out of trying to force
people onto a network
they don't necessarily want to
be on at that moment in time.
And it also increases security
because you have high fidelity
right there with the asset,
where the action is
happening types of insights.
So security gets better.
So you get that lower risk
of those compromised
users and endpoints, you
get much better visibility
into what's going on.
You don't have these
weird kind of blind spots.
A nice centralized view of risk
through the access control mechanism,
like conditional access.
And then, it also increases productivity
because users can work wherever they want.
And those are normal users, IT users;
the SOC, we're finding,
is working from home
and they're really loving
the same kind of flexibility
when the SOC folks actually modernize.
And everybody can choose their own device,
and based on the trust level,
we're going to give you access to it.
So it's a much better system overall.
SSO, your access denied
is not just a hard block,
it actually tells you, Hey,
you need MFA. Punch it in.
OK, I went to my phone, good.
And of course, passwordless benefits all.
So that's one of the things
I really, really like about zero trust.
So anyway, I've rambled on enough
about how much I'm
passionate about zero trust.
So, Les, any thoughts here?
LESLEY KIPLING: And you
know, Mark, that's actually
a really interesting point
because we have a concept of data gravity,
maybe especially if we're talking about
security operation centers,
which is essentially to be able
to keep their analytics where the data is.
So instead of moving the
data all around the place
and expecting analytics to
be able to find that data
and be able to run analysis across that,
essentially now what we're doing with this
is basically saying,
we want to put security
closest to the user, as well.
So instead of that overhead
of trying to move the user
to where the controls are,
thinking about keeping the
controls around the user.
And I think that's a very powerful point.
And one of the other points
to mention there, Mark,
is that you said that
trust is earned, not given
from a zero trust perspective,
and that changes a little bit the dynamics
and the language that we had at Microsoft,
which, if you remember, was
essentially something along the lines
of "trust but verify."
These days, what we're saying is
essentially "don't trust anyone."
So I want to say that the vector
of evolution for zero trust
is really for everything
and not just networking.
And there's an empirical relationship
between attainable trust and the overhead
of trying to apply those security controls
and, of course, performance, as well,
which I think is a very key
point just to rehighlight.
So if I go back to what we
are doing at Microsoft now,
and here I'm going to talk about
the first step that we had,
which essentially is a
typically flat network,
which is something that we see
a lot of our organizations use out there.
And really this is a way to be able
to showcase the Microsoft journey,
thinking again moving about
away from the legacy
network security controls
and towards something that
I think is really more
around the modern
capability using zero trust.
And the reason for doing
this is, zero trust,
like anything, like any journey,
has a maturity model
that goes along with it.
So you think about the
pre-zero trust days,
you're basically talking about
device management is not
necessarily required;
you get single-factor
authentication to resources;
and you have the capability
of enforcing strong identity,
but in many cases this is not being used.
So the first four, if you like,
maturity steps in that model
is verifying identity and doing that
with a strong identity
enforcement capability.
Verifying the device because
the device health is key
to thinking about how we do this stuff.
Verifying the access,
and then moving on to verifying services.
And those are different
concepts that hopefully
with the boards that we're doing right now
and the slides that we're showing you,
this kind of elaborates what
we're trying to get to here.
But that's that network
was the then, if you like.
This is the now.
And essentially the way that we do it
is by being able to determine what data
is that we are trying to protect.
So you really do have to
understand your assets
and your business-critical data
so that you ensure that you're putting
on that business-critical data
the adequate controls
for security controls
and not just adding the same
level of security controls
across different data sets,
which again makes it expensive
and potentially impacts productivity.
So here what we've done
is being able to say,
well, as a user if you want to
be able to access cloud data -
and we're going to start
talking about strongly verified
and verifiable and trusted applications -
there's no necessity for you
to go down a VPN, alright.
But those people who require VPN access
or access into business-critical segments
of the Microsoft network
essentially have to do
extra identity proof to be able
to say I am who I said I am.
And again, similarly to that
four-step journey that we have
from our maturity model
perspective in terms of zero trust,
we also talk about the four
identities at Microsoft,
identity as me as a user,
identity as the device
that we're talking about,
then the applications and the data.
And essentially the new face for that
may be something like
workloads or services,
and we're going to talk
about that, as well.
So I'm going to pass you back to Mark
just so that he can fill in the detail
on the left-hand side of this graph.
Mark, over to you.
MARK SIMOS: Thanks, Les.
Yeah, one of the
super-important parts about this
when you look at this
sort of left right divide,
where you have your
traditional macro-segmentation
or big picture segmentation on the right,
and then on the left you've
got those user access devices,
and this is really where the much more
sort of revolutionary parts
of zero trust start to emerge
because the reality is
is we very much moved
those client devices off of the corp net.
Now, they're still there.
They've got the VPN as a backup, right,
and I VPN in maybe once
every month or two.
There's a few services left
that I still use that require VPN,
but just about everything else
is published out on the internet
and runs through all
the zero trust goodness
in terms of checking my device,
checking my user account,
and making sure everything
is security healthy
before it gives me access.
And so ultimately, I
can be working anywhere,
and I work from home primarily now,
but I could be working from anywhere
and have those very elevated levels
of security assurance
that are, quite frankly -
and we'll talk about this
in another slide or two -
much better with the native controls,
much better fidelity, much more clarity.
And one thing that is
distinguished on this slide,
so I do want to explain
it is unmanaged internet
is pretty much good enough
for just about most things,
but we have found that
there are some reasons
to have a sort of common network.
This is a little bit
stuff from our corp net,
where there's like peer to peer,
so that like for optimizing download
of software updates and Windows updates
and a few other kind of peer-to-peer tasks
and Teams meetings and whatnot,
there is good reason to have
sort of a common network
that isn't the raw internet.
So we do actually qualify people into that
after the health check for
sort of some of those things
in addition to requiring health for that
but also requiring health
for things like Office 365
and all of the different SaaS universe
as well as all those
on-premises applications
that have been published
through Azure AD App Proxy.
And so very much a kind
of two-part strategy,
with one, the traditional
sort of macro-segmentation
locking things off,
and then this sort of new
based on the trust of the
device, the trust of the user,
and then what app they're trying to access
doing the right level security checks
and that policy-driven piece.
So very adaptive, so static policy,
dynamic threat intelligence signals.
And so now Les is going to take
us through a little bit more
of what this really
looks like in more detail
as well as the native controls
that really kind of enable it
and bring that higher-level
safety and security
from that zero trust approach to security.
Les?
LESLEY KIPLING: Mark, and
the future is exciting.
As I say, it may not be here right now,
but it's certainly
something that's on its way,
and we expect it imminently.
From the point of view,
you mentioned passwords
a couple of slides ago,
that's certainly
something inside Microsoft
we've been trying to get rid of.
We don't like passwords.
Password-less authentication
using biometrics,
such as Windows Hello, is the way forward.
Equally, one of the key things
that we're trying to
get rid of eventually,
and I'm not saying this is
going to be an easy thing to do,
but essentially is to move
away from VPNs completely.
So at the moment, what we
have is split-tunneling VPN,
or selected VPN, if you will,
which essentially is to say
if you're connecting
through to that trusted
and the sanctioned application,
then you can do that directly.
So essentially, again going
back to the concept of
the controls need to be where the user is.
So instead of trying to
route all of that traffic
back down into the VPN
because of the ability
to be able to look at that
from a security perspective,
because it's a sanctioned, verifiable app,
then it should be something that goes
directly through to the internet.
And that is something that
we do inside Microsoft.
So as to say, we have that selective VPN.
Next steps, of course, would be
to be able to get rid of VPN completely.
That may take a little bit longer.
Certainly, it's something
where we can say that services -
an example would be if it's
a Microsoft application
or line-of-business application
and that's published to the internet -
certainly thinking about VPNs,
they are a mechanism
for us to be able to work hard
if there's something that hasn't yet
published to the internet
and maybe something we want to be facing
and doing as quickly as possible.
So essentially, VPNs, I hope,
are going to be off the
table sometime soon.
It's been something that
attackers have used as a mechanism
into our customers'
environments for many years.
So I'm certainly excited, as I said,
to get rid of VPNs when possible.
Thank you. Back to you, Mark.
MARK SIMOS: Yeah, Les,
that really reminds me
of one of my favorite adages
of, Why would I bother breaking
in when I can just log in?
Referring to the VPNs.
So all this is great context,
but now, of course, what do I do about it?
How do I get started is the
next most important question.
And so that's why we built this RaMP,
or "Rapid Modernization Plan,"
to really help folks do the
most important stuff first.
And the first step on this is
actually pretty nontechnical:
aligning teams and strategy.
One of the things that we've
seen through a lot of things,
including sort of the
segmentation strategy,
is that the technical
teams in most organizations
tend to not be aligned tightly.
They tend to be fairly disjointed.
So if you ask the networking team,
OK, how do you divide up
the enterprise assets?
And they'll tell you about subnets
and server rooms and
all that kind of stuff.
You go talk to identity folks,
and they'll give you how they
thought about the OU model
and how they thought about
the groups and all that,
which doesn't really line up very well
to what the networking folks have done.
And then you go talk to the apps teams,
it's like we don't
really use any of those.
We kind of do our own thing.
So we tend to find that how do we approach
segmenting up the business assets
and grouping them and protecting them
is very, very bottom up; very organic;
and very much not aligned.
So that is just a symptom
of many other things
where the organization isn't talking.
As we sort of switch to
this cloud generation
and we go through this zero trust piece
where we need to update
everything and rethink it,
teams really need to kind of
sit down and work together
and figure out, OK, we need to have
an enterprise segmentation strategy
that the business tells us
these things are important,
these things not,
and we tell them here's the high risk ones
we need to isolate -
work it all together, one strategy,
and then everybody lines up to that.
So very important to get all
the teams on the same page.
We found that really gets in the way
of moving forward with zero trust.
The next piece is really
where the technology starts.
And so that's really building
that modern identity-based perimeter.
So a lot of folks think of
it in a perimeter mindset.
You can either say this is perimeter-less
or it's a new perimeter.
We tend to say it's much
more of two perimeters,
a dual-perimeter strategy,
because that tends to offer
more clarity, we found, than
the perimeter-less terminology.
But the idea here is that
you're starting to build up
those other controls beyond the network.
So those user validations,
the password-less MFA
is the very first step we recommend.
And then, those device assurances.
As soon as you got sort
of the users measured
and assurances are good,
you want to go ahead and get
the devices measured and good
and integrated into
those decision processes.
And the thing that - one quick
tip here that we've learned -
is that rolling this out to admins first
tends to be good because
they're technical users,
they're very targeted by attackers,
so very likely to be attacked.
It's a bad day if you lose
control of a user account,
but it's really bad if you
lose control of an IT admin
because they have privileges
to a lot of different assets.
So for those user and device things,
we do recommend rolling those out first.
And then, kind of wrapping up
that kind of identity-oriented perimeter,
those sort of new sets of
controls beyond the network,
really kind of modernizing
the apps obviously as you can.
Everybody's got a pretty
big backlog of legacy apps.
As much as you can modernize them.
But also, and this is
very much referencing
what our IT organization does,
is updating sort of the
publishing of those.
By publishing to the internet,
you can hook into all those
good user device validations
instead of sort of the
legacy VPN validation
so that when you're authenticating to
and accessing that application,
you get all these modern controls
retrofitted onto your
applications as you publish them.
So you actually get more security
as you give more accessibility to a user.
So we found that's a real big win-win.
And then, of course, the data.
You do need to make sure you understand
where it is, what's important.
Can you devalue and take some of that
sensitive stuff out of your databases?
Great! The ones that you can't,
the ones that are still important
and have to be important,
make sure you're putting those
extra sets of monitoring
information protection
kind of encryption
phone-home-type of approaches.
And then, of course, as
with everything else,
there's always legacy in every area,
and so you will have
legacy identity protocols
that you've been using,
typically on ActiveSync
or some on-premises ones
like WAN, LAN, NTLM, etc.,
and so you want to start retiring those
as your way of sort of making sure
that these solid modern games
really don't have a backdoor in them.
The next and the last piece
here is the network perimeter
does require a little bit of focus.
Like as we mentioned, we do
segmentation at Microsoft.
That's something we do
recommend for our customers,
so that macro-segmentation.
So you want to for those
most important assets
that really need to be there,
the ones that have life
safety and operational impact
on the physical world,
you definitely want to have
an extra set of controls around those,
especially because some of them are messy
and can't be patched,
and so they're kind of
sitting there vulnerable.
You want to have network
controls for that.
They are very well suited for that case.
And micro-segmentation is a
great thing to be exploring.
It's tricky because the technology
isn't quite as mature
as we'd like it to be -
not nearly as mature as
the productivity stuff in blue.
And of course, there
is always those legacy
that I mentioned, such as
the unpatchable assets,
where you really want
to apply those controls.
We've talked a lot about technology.
Now let's talk a little bit about people.
And so if you step back for a moment,
it's a pretty big transformational change.
There's a lot of incremental progress,
very straightforward technology updates,
but there's also a larger, bigger picture
of transformation of how I do my job.
If I'm an IT pro or a security pro,
a practitioner doing my job,
I'm having to learn lots of new things.
I'm having to do unfamiliar things.
I'm being asked to give security opinions
and risk assessments on things
I don't necessarily understand.
The people are affected as much
as the technologies and the processes are,
and we have to make sure
we keep that in mind
because security itself,
what we're trying to do
in security outcomes - the
principles and methods -
has not changed.
We've gotten a little bit clearer picture
on what that is and what it should be,
but security itself and that
protect against bad guys
messing with it or bad gals -
there could be female
attackers, too, and there are -
that hasn't changed like
the discipline of security.
But the environment that we're protecting
as security people has changed.
The way that development
is happening with DevOps,
the continuous engagement of architecture
rather than here's my document,
throw it over the wall -
automation, integration,
asset-specific controls
like we've been talking about,
like getting into the device,
getting into the user and
not just the network layer -
there's a lot of change mixed in
in how we actually achieve this mission.
So the "what" really hasn't changed,
the "how" has changed quite a bit,
and it's changing and continuing to.
So we've learned that it's very important
to work with people, to educate people,
and engage and inspire
them, training and learning,
encourage them to do a self-service,
make sure that folks are
getting the training,
the funding, and the
mentoring that they need
to really learn and understand this
because if you ask a security person,
hey, you're responsible for giving me
a security opinion on this, right?
Or assessing it or
whatever the case may be,
and you don't know a thing about it
because all you've learned
was IP addresses and networks,
but I'm asking you to give me
an assessment of an
application or this or that
that you're not familiar with at all,
they're not going to
feel that comfortable,
and they're going to
feel kind of defensive.
And so it's very important that
we recognize how important,
how much of a human
change this is, as well,
and that we work with those folks,
and say, hey, do you know how this works?
Let me show you how this works.
And these are the controls
that we're looking at.
Did you want to put this
in the next pen test, penetration test?
And really engage and make
sure that we're remembering
that we're all humans
with a common mission
of helping the organization succeed
and protecting it at the same time.
We've also learned as much
as possible to bring in
diverse perspectives
and fresh perspectives
and have people that are coming in
from different backgrounds,
from applications,
different walks of life, etc.,
and that really helps people see things
through a different lens
and helps kind of get
a better picture on it
so that people aren't kind
of stuck in their old habits
of the way things are done.
So we found that this people change
is just as important as the
technology aspects of it.
So, Les, did you want to wrap us up?
LESLEY KIPLING: Thank you, Mark.
It's an interesting concept
thinking about the people side of this.
So we're very prone to
talking about the technology.
So hopefully today during this journey,
we've given you some food for thought
and thinking about how you
move your security needle,
maybe thinking about
some of the steps to take
to increase your maturity
from a zero trust perspective.
We do have some key takeaways.
Obviously, they're on the slide there.
For example, you can use some
of the recommended actions
that we talked about inside
our Rapid Modernization Plan.
As part of this also, we
will be giving you access
to more resource information
in terms of things like the
maturity model that I mentioned
and also a zero trust framework
for you to be able to start that journey
and be able to think of that.
So on behalf of Mark and myself,
I hope that was useful.
Thank you so much for listening.
And goodbye for now.
MARK SIMOS: So thank you
all very much for listening.
We really appreciate it.
And hopefully this
helps you make our world
a little bit safer.
Thanks.
