[MUSIC PLAYING] Hello and welcome to the Better Together podcast series brought to you by Microsoft and One Identity. I'm Charles Commins and in this episode, we're exploring Zero Trust as an information security module. You'll learn what Zero Trust is, the reasons companies are implementing a zero trust model, some of the barriers they are facing in implementing this framework, and what actionable steps you can take right now to implement a zero trust model in your business.
To help me do that, I am delighted to be joined by the president and general manager of One Identity, Bhagwat Swaroop. Hello, Bhagwat.
Hello, Charles. Good to be here.
And Microsoft CTO of Global Partner Solutions for the US, David Totten. Hi, David.
Hey, Charles. Thanks for having me.
Great to have you both with us. So let's start, then, by defining what a zero trust is as an information security model. David, can you explain what this security model is all about, please?
Yes, sir. I mean, zero trust, for us, is a proactive, very intentional integrated approach to multi layers of security. And it really is focused on three essential principles, right? One, explicit verification. Who's trying to access data, where transactions are flowing in and out of your ecosystem, and who has access to that information. So that's a continuously verifiable model. That's the first principle.
The second being, it works off least privilege, right? So assume least access is the best route possible for any infrastructure or application data that you have. And you have to actually validate everything. And then the third piece is really around intelligence, advanced metrics, quick and proactive identification, and then response.
And we just want to do that because the faster that we can be-- and the more intelligent we can be about identifying these issues and then have rapid response to shut them down, the faster they can move along. So it's this truly end-to-end, integrated security model that relies upon those principles.
Do you have anything to add to that, Bhagwat, at all, from your opinion?
Yeah, look, I completely agree with what David said. I think the only thing I would just add is I think a fundamental shift in the zero trust model is it assumes that attackers will get in rather than our ability to always keep the attackers at bay. So you kind of believe that intruders are already within the castle, and they could have access to different assets. How do you make sure that we explicitly verify access at every single interaction, at every single application? There is no forever rights, as David talked about. The concept of lease privileges is just in time access to the assets, to the application, and with the intended use at the time. And it starts with the premise that you cannot protect everything. Assume breach, assume compromise. But how would you protect your crown jewels and the business, right?
And I think there is-- it's great to see resonance around the industry around this whole concept. We have finally come to the view that set it and forget it and forever security are not a thing. We are living in a dynamic environment where attackers sometimes change tactics multiple times. So the are only, only true north here is a zero trust model.
That's quite interesting because not all the time do we actually see people going, we will admit that, or assume, that attackers will get in. A lot of the time in cyber security, that's the one thing that people-- they kind of want to say no, that doesn't happen, and that will never happen to us. We know, obviously, through-- well, every month it seems there is a different piece in the news that tells us otherwise. So in a way, it's quite good to hear that actually, you're going to assume something's going to happen, but it's about reducing that risk.
Yeah. That's exactly right. And if you see some of the regulations that governments around the world are crafting, it's also going with the way that lower the bar on what's being reported, right? Because earlier, the notification laws get triggered when there was a breach. And there are definitions that are more classified as a breach versus an incident versus something else.
And what we have seen over the last 12 months-- there's been a lot of incidences where the severity depends on the eye of the person who is impacted or views it. And so they're going back to the model of, well, you have to start notifying your partners and constituents when something is happening. If there is somebody inside, whether they have caused harm or not, but they got their hands on something, we need to notify of that. So just really taking zero trust to its core.
Fabulous. And David mentioned, I think, some of the core principles at the start. Was that everything there, Bhagwat, that you would have said that is those three things?
Yeah, I agree. I mean, those are the core three tenets. If there were such a thing-- like, what is making zero trust really top of mind for everybody and why is the need greater at this time better than any of the time? I think a few contributing factors. Some of those are secular trends. We saw the mass migration to cloud. That was a good thing. Some of us in the IT industry have been waiting decades for companies to adopt public cloud. And I remember a time where it was always the next year with the adoption of public cloud. But we went through that in the last two years, right? But what that also resulted in is a very quick migration to public cloud with distributed identities, distributed application rights, and entitlements that the defenders necessarily don't have a good handle around that, right?
So we have this notion of what we call identity sprawl. And sprawl-- it's not a very technical term, but again, everybody gets the picture what it means. Sprawl in terms of increasing number of identities, right? You have humans identity, machine identity, and application identity. And if you layer in the notion of a metaverse, then you have digital identity of yourself who have rights to conduct a certain set of functions, including e-commerce.
The second thing is that where the identities access rights are reaching. The notion of everything being in the cloud and application being available everywhere-- that basically means your access rights are everywhere. So I think it's really the sprawl, which is not-- by itself not a bad thing, but unless the model to defend and protect is take that into account, it makes the problem worse. And oftentimes what we see in organizations is they would have solutions for each of the points things, but they are usually very siloed access rights and siloed access management solutions.
We've seen organizations with as many as 25 different solutions or disparate solutions, rather, trying to manage aspects of identity access and entitlement. And so-- and that just kind of makes things worse. If you can't really have a full picture of visibility, it's hard to protect the full thing.
Yeah. I would love to jump in on that as well. I think that's the core of this really interesting time in security and data collection, data access, that we're facing. We want everybody to have access to their information wherever they are. Particularly what we've seen over the last several years, people working for-- remotely, people working from home, people working from different offices, whether it's partners, customers, distributors. Everybody we want to have more access to more information and more data. What that does is it increases that threat vector ratio.
So it's sort of a good-good scenario. Hey, let's collect more data. Let's make sure people get access to that data from wherever they are. But that obviously introduces complexity with the security model, where it needs to be. And it's strange from a technology advocacy perspective to talk about assume breach has already happened. Just pause and just assume breach has already happened. Now, what would you do, and how do you flag it, and how do you minimize the damage? How do you minimize the blast radius of a bad actor?
And more and more companies now are coming at security not as a, hey, we should probably have this figured out, to a, we're assuming we're already compromised, OK? And so what are the different levels of protection we can put in? And Bhagwat talked nicely about the multiple sources of identity that exists. It all goes down to the identity layer.
And when I started in information technology, identity was the person. It was the user account who was logging in. Now, each app, application, or each data store has their own identity. Each call to a data store has their own identity. So you've got personal. You've got application based. You've got data. With the metaverse, you've got virtual calls for information and applications.
And it's just a never-ending stream of entry points, if you will, for bad actors to take advantage of a suspect security posture, which is why-- like, when we talk about-- the best first step is understanding identities. Just understand the identity landscape that you have within your organization, within your distribution, within your supply chain, within your partners. Understand all the identities in play, and what's your security model at the identity layer? That's the molecule of access to information within your enterprise.
That's exactly right, David. And couldn't have said it better. I mean, I was just thinking of another analogy in the medical field. Like, if you go to a doctor, they never tell you that you'll never get sick or I'll give you this pill which will protect you from everything. They tell you, here is the hygiene. Wash your hands. Take your vitamins and all of this so you remain healthy, but at all points, be vigilant. And I think zero trust, in the layman's language, is a bit of that. Assume that the bad things will happen, but how do you protect yourself against the most severe things?
And going back to the identity being the core of it-- this is really-- now, more and more people recognize that identity is so-called the new parameter, which really starts with the bad guys. Also know that-- where the keys to the kingdom are. Rather than breaking 256-bit encryption, it's easier to do credential abuse or privilege abuse. And so they go to the path of least resistance and wreak havoc.
I really think that's great that we're finally going to that point where we are going to assume that this is going to happen. And like you said, that analogy is brilliant, Bhagwat, about the docs who are never telling you that you're not going to get sick. That's perfect. I mean, do you think-- you mentioned before the move to cloud-based operating, David. Is that one of the things that we've seen driving businesses moving and implementing this zero trust model? Are there any other market dynamics that are specifically showing this?
Yeah. I mean, I think the first factor is just increase of devices, access points, bandwidth, technology, technology improvements, right? The way that we've innovated and the amount of data that's been captured in applications-- it triples every two months, right? And it's only going to continue to grow. So the more entry points, the more data, the more applications that are in market and accessible by a simple cell phone connection or bandwidth or a Wi-Fi connection, it just increases the threat vector radius that we have. So that's sort of job number one.
Two, hackers are getting better. The bad actors are taking advantage of the same technology in innovation and improvements to develop their own proactive models, to develop their own automated and AI-based scripts. And so they're finding new ways to take out vulnerabilities on both old and new IT environments.
And then the third piece is, it's a pretty profitable business both to capture data and then exploit data. So I mean that from a customer perspective-- like, data is a profit center for most organizations who can leverage it. What are our customers doing? What's the relationship with our suppliers? What does it look like for a loyalty program? How do I upsell a specific scenario? That data is a gold bar for every customer who wants to continue to grow and delight their customers with better and more relevant solutions.
With that said, it's also becoming quite lucrative, then, to capture that data. And we're seeing all kinds of vectors within the industry that are experiencing this. Think about constrained industries, such as supply chain. Anywhere right now that we're talking about physical goods, shipping processes, logistics around access to products and goods coming from overseas or domestically. How do we handle billing transactions? What's happening with crypto to actually pay for that within a blockchain environment?
I just outlined a pretty simple follow the bouncing ball on how to procure and manage through a supply chain. And there are hundreds of thousands of opportunities for a hacker to infiltrate and just with one script completely disrupt an entire global supply chain. And we're seeing the pressures on people getting access to not only their data and their applications but physical goods at a much higher rate right now than we've ever done in the past.
And Bhagwat, I know you and I have chatted about this before. I'd love some of your insights on what you're seeing specifically on precious to procurement supply chain management.
Yeah. I think that's a great point, David. One thing I would say-- and we noticed this in the Verizon DBI report as well. A lot of people have this notion of a hacker as a lone hacker, right? Kind of a lone wolf, a guy in a hoodie. But what the research suggests that almost 80% of the breaches are conducted by groups, whether they are formally or informally organized. So think about the resources that the bad guys are bringing to bear. It's not a lone person. It's really, they have sophistication, as David pointed about, automation, but also the resources and the means, and quite often, and especially in the current geopolitical environment, in nation states which are sponsoring a lot of that, right? So the enemy here is formidable, right? That's the first thing to start with.
The second thing I would say-- the supply chain pressures are real. We've all seen the impact on physical goods, whether trying to procure a new washing machine or a new car. I think the supply chain backlog is running into years right now. That's without a cyber disruption, by the way. This disruption is largely driven by a pandemic and a lot of the geopolitical events.
So in the industry, we're beginning to talk about not just a first party identity verification of your employee, your workforce, but also external identity validation and verification and the zero trust model is becoming really critical. So we already extend the model of identity protection to the customers, to the end consumer. But now it's extending to third-party verification and the fourth party, which really goes to the depth of supply chain.
And we are seeing customers who say, look, I want to have a certain set of confirmation and confidence that my supply chain will not be disrupted or I will not be disrupted by somebody's identity being compromised in my supply chain. And as you can imagine in certain industries, people share a design blueprint within their OEM model to create that. They want to make sure that IP is protected. They want to make sure that their financial environment is protected.
So I think that's going to become increasingly-- as organizations implement a zero trust model within their organization, that's the first thing. We'll get your house in order, then get your friends to adopt that, and get-- make sure the supply chain is secure.
And I would say to the point around cloud-- this model of zero trust or supply chain disruption is not unique to cloud. Cloud, as David talked about, has increased the attack surface, so to speak, or the radius, so to speak. But the same kind of problems exist in the on-prem world as well. So I think this-- I just always remind people that zero trust is not just a destination. It's a journey, and it's a model-- it's a way of thinking. And then you can apply that in your current environment, whether it's on-prem or hybrid or cloud. And as everybody moves to the cloud, this becomes just even all the more important.
Absolutely. I know One Identity recently commissioned a zero trust survey of a thousand IT security leaders from around the globe representing a wide range of company sizes and verticals. Bhagwat, can you just share some of the key findings from that study for us, please?
Yeah, I'm happy to. Look, I think some of the insights that we got from the report were what you would have expected, but now there is a validation around that, right? And some were quite unique. I think the one thing that stood out is that roughly 75% of the organizations agree that zero trust is a critical approach. It is the true north. It should be a very important part of their overall security posture. So great. From awareness and agreement perspective, check.
However, only 14% of the organizations said that they have a zero trust model today. So, OK. We all know this is important, but only a fifth of the people who thought it was important have it implemented, right? And then roughly only 40% are saying, we are just beginning to implement it today. So think about this, as the biggest disruption in the industry is coming from cyberattacks and compromise and identity, people agree that this is needed to be done, but very few people have started on the journey.
And there are many drivers of that. When we ask people, like, what were the things which are coming in your way, the first one, as you would imagine, is clarity. Like, OK, I can go get a budget for an endpoint solution, for an identity security solution. There's no budget line item today for zero trust. Again, going back to it, it's an approach. It's a model.
So what is zero trust? So part of it is driving clarity. Part of it is also driving alignment around stakeholders within the organization to create budget categories. And the third thing is to really create the zero trust model, you need to have an integrated visibility and approach across multiple solutions. And this is where, as the topic of our webcast, better together is-- it could not be a better approach to that. Because we need a better together model across companies coming together to help our customers implement a zero trust model.
I think that sums it up really nicely in terms of that whole-- like, if you go out there alone, then you're not going to be as good. I mean, David used the opposite before to talk about how hackers are getting better, but also about how it's more groups and they're organized. Well, therefore, the businesses need to get organized and need to work together to make sure that known-- that whole group is uncompromised and keep everybody secure.
Yeah. I completely agree with that. I think what-- and Bhagwat just gave a really simple example. It used to be in IT, people considered an endpoint protection, a firewall, sort of-- that now I'm secure, right? And what we're seeing now, and you can just do some recent research, whether it's SolarWinds or other companies that have had hacks that have infiltrated enterprise organizations, it's hackers get in through a various point of needs. Could be applications. Could be data. Could be just lack of policy optimization. It could be just a lack of response to even threat protection tools. They get in, and then they sit and they wait, and they look at and they observe all the entry points and all the critical data that exists, that then they can then go and take advantage of.
And so all these pieces have to fit together. And I'm proud to say from a Microsoft perspective, we love creating infrastructure and platforms, and we've got a ton of services and a threaded personal and enterprise-ready experience that's scalable, that's secure, that's integrated, that builds on one another.
It's also a lot to consume for a customer, right? What service do I leverage for what technique? And that's why Bhagwat initiated this. The relationship between One Identity built on Azure is the crucial follow the bouncing ball through this myriad of services that Microsoft offers to make sure that all of those entry points are closed. And again, we're at this strange paradox. We want people to consume, evaluate, buy more and more services built on Microsoft, but sooner or later, you've got so many services-- how do they all tie together, and how do you make sure you've got a zero-based, threaded, security model through all of those services?
And that's why I'm grateful that, hey, I'm proud of the work that we do in R&D with Microsoft to build all these awesome services. I'm even more grateful that we have partners like One Identity that help us actually define with our customers that bouncing ball of access and identity throughout all of those services to make sure that we can maintain that zero trust position.
And that's why this better together story makes sense. Like, build a bunch of services. Love it. We want customers to use it. Now, how do we make sure that we keep all those services integrated and secure through that journey? We rely on partners like One Identity to execute that with us.
Bhagwat, you mentioned before a fifth, only a fifth, have implemented a zero trust policy. So did they, the survey respondents, give you any indication of what the biggest barriers were to implementing a zero trust model?
Yeah. That's a great question. And I think it follows up to what David just talked about. Question today is, some people are asking, how do you define zero trust? But more and more people are defining, how do I get there, right? And so I use another analogy of, you can have five people playing different musical instruments, or they could be playing in a symphony, right? The difference is how coordinated they are, right?
And so I think the example when you look at SolarWinds or [INAUDIBLE] or many other ones, we see that attackers use multiple control point breaches or compromise. In SolarWinds case, they compromised bypass authentication and then escalated privilege. So you don't need just an access management solution or a PAM solution. You need both, and you also need a better SIEM model to be able to alert it, right?
So this is where I think is there-- can there be a blueprint for zero trust? I think so. I think the work that Microsoft and One Identity are doing together-- our teams have put together a quick start guide. Here is where you start. What is the first set of things you would do? Implement MFA. Implement risk-based authentication, making sure you have a plan around correct, by construction, identity governance module, and so on and so forth, right?
So I think that's the biggest thing, that if we can make people believe that, look, this is a simple, doable journey. This is not climbing Mount Everest, right? This is not a walk in the park as well. It's a hike. Be ready for it. It's a phased approach. So rather than everybody having to figure out how to get on this journey, I believe there is a simpler model, and I think our teams are putting that together.
The second thing I would say also is many companies take the approach of, if you talk to me, I'm going to give you everything you need. And I think that's a foolhardy promise. Nobody alone can do it, right? And so we have to do it together. We have to play to our strengths and partner with companies where they come in. And as a good example, we use Microsoft tools in our R&D. We use Azure as a platform quite publicly because we believe this is a great way to innovate on top of Azure but also expand our reach instantly, right? And we are confident there are certain set of security models that Microsoft and Azure have already incorporated in their platform, so we can innovate on top of that.
When you take the joint story to the customers, I think that's-- they know that it's easy to consume from them, rather than giving them LEGO blocks to say, now you go build that, the model yourself.
Brilliant. So let's get some actual advice, then, on steps that you recommend companies take as they embark on the implementation of a zero trust model. David, you go and start me off, please.
Yeah. Just to sort of capitalize on what we were just talking through about why companies struggle with this, is it is a journey, right? Number one, there is no point that's like, OK, I'm secure now, right? And we have to think beyond just endpoints and in application or network security. It's all these pieces together.
And Bhagwat sort of just-- he touched on this, but he's sort of-- he sold it low. It's a lot of work to put together a playbook on how to go from start, crawl, walk, run, and then maintain that pace through a security posture within an organization, right? And so, we have. We've got a process within Microsoft, and you can just go out to microsoft.com and find our maturity assessment, that goes and outlines, hey, take these assessments. Measure these variables within your environment. And it'll tell you where you're at on your journey across identities, endpoints, networks applications, data, infrastructure, policy, threat protection-- all of the factors that we think are a part of that zero trust model. And it'll give you an assessment, right, based on what you do. And are you mature? Are you optimal? Are you advanced? Are you nowhere in the game at all?
After that, we give you a roadmap, right? Hey, you scored a 3 out of 10 on this particular assessment. Here's three ideas to get you to a 5 out of 10. Here's three more ideas to get you an 8 out of the 10. And what we want to do with that assessment framework is really give both ideas and templates and best practices and starter guides and also build business cases for our customers, right? Like, hey, here's our journey.
And Bhagwat's correct. People are used to going out and getting budget for an endpoint solution. They're not used to getting budget for a three-year security, complete rebrand, refactor approach. And so how do we get people and help them really do a strong project plan around how to improve their security posture? We want to actually do that with an assessment-based approach and then provide recommendations on tools and processes to help make progress on that maturity scale.
So that sounds really like you're asking people to just stop thinking, I want to be at the end, and start thinking about the process of getting there. You said start off by going to microsoft.com, go and do a maturity assessment, and then follow the road map that provides. I mean, that sounds like the easiest first step that anybody listening can make right now.
That's 100% correct. Go out and do an assessment. But I'll just give you a perfect example and, again, where this relationship with One Identity plays off, right? If you think about just going and doing an identity assessment, think about just the getting started. OK, authentication is a thing. That would be a base level of identity. We do authentication.
The advanced level has authentication using multiple processes, like multifactor authentication. It's a little bit stronger. The third, most optimal approach is authentication uses password lists and phishing-resistant methods. We're leveraging analytics and constant automated tools to check authentication drives nonstop.
OK. Most companies are going to be in that either getting started or advanced phase. And they say, OK, hey, I'd love to be in an optimal stage. And what we have right next to it is, click the button. Go call One Identity and implement their solution stack, right? Because that will leap start you from getting started all the way into the optimal approach, really having this automated intelligent approach to identity management.
And it's not easy, right, to really get an assessment of where you are, and then, OK, well, gosh, how do I get all the way to the right hand? Or I get all the way to the most mature space? And that's why we rely on third-party partners like One Identity to be the easy button, frankly, right, on how to actually move from a lower maturity model all the way to the optimal in a way that's easy to implement, easy to understand, easy to go out and take to market with.
And so that better together story of take the assessment, understand where you are, and then click the button to implement the optimal solution, and here's the configuration that works the best sense, is really a color-by-numbers guide for IT administrators everywhere.
I like the easy button, David. And I think that's probably a better way to talk about what we do. I mean, look, for us, identity is all we do, and that's what we focus on. So we've taken pains to make sure we can implement a zero trust model out of the box, or I'm going to call it the easy button. And it is really around, for a customer who is beginning to start with authentication, as David pointed out, as the first step. And quite often, we find that some people would have implemented MFA, but not at the application level, not at the device level, not at the interaction level. Like, how do you bring MFA? You don't want to have employees bring every time when appropriate, but how do you do it based on interactions?
So there's a whole maturity model is actually the right way to think about it. But then you say, like, OK, now I extend it further. I want to look at entitlements. Am I giving entitlements which are dynamic? So I tell people that, take away forever rights. And nobody likes to hear that. Like, give your organization, this is where the change management comes in. You guys, you have 45 days or 60 days, whatever the approach may be. It's not that your rights are taken away, but we're going to move to a model where we give you a right as needed rather than forever right.
And so this is where we find out quite often that in an organization, people use more than-- less than 20% of the entitlements they are given, right? And I could look in my example of how many applications do I have access to? Which ones do I use more regularly? And so we started coming up with a profile of most commonly used applications, most commonly used interactions, where you could dial up or dial down how long your access remains viable before you have to request it again, right?
So it's a fundamental shift, but there are steps in the way that we want customers to know that they don't have to do it all by themselves. When we talk about privilege access management, I talked about-- talk about privilege, access management, and governance in the same aspect, not because we have an ideal solution or a PAM solution, because that's the second problem people are going to hit. The moment they have privilege account management, then a large Fortune 50 company CSO recently told me-- they had 150,000 privileged accounts. 150,000 privileged accounts? Like, OK. And that was probably more than the number of employees they had. Like, OK. So how did that happen? You need a governance model around that.
So you have to stop treating these as different individual problems, but the facets of the same problem. And I think this is where zero trust and identity management holistically really come into play.
I love the fact that you've mentioned that there are organizations out there who are going to have a ridiculous number, let's be honest, of users there that are essentially their prime entry points. That's got to be one of the challenges that companies are going to face as they go through this implementation process. What others are there, Bhagwat?
Yeah. I would also say, again, just going back to zero trust, there are many models of zero trust. Some people would say zero trust network. Some people would say zero trust as an IP. For us, I think it's fundamentally getting people to align on, if I'm a bad guy today and trying to compromise an environment, it's really up to the person and the assets there that I'm after, right?
And so using that as a single unifying factor to say, look, we need to protect everything related to identity in their environment and entitlements. One of the things we are seeing is cloud infrastructure entitlement management is becoming a big thing. I know Microsoft has a set of solutions. I know we have built a set of solutions organically around that. And that just plays homage to the fact that, well, entitlements are everywhere. I sometimes tell people, like, you don't call it a color TV anymore. We say TV. So I don't talk about cloud entitlements every time I talk about holistic entitlement management.
And I think every single entitlement left unattended is a way for attackers to get in, right? So we just have to make sure we're taking a holistic approach. And then one of the points that David talked about earlier is, it's really about 360 visibility, right? Microsoft with a central platform and the set of services we have, we try to make sure we plug in with the ecosystem, Microsoft, and some of our other partners, so a customer can get 360 visibility so they can find out where the points of weakness versus soft spots versus point there where they are pretty secure.
Yes. It's fantastic having both of you here because obviously Microsoft and One Identity are working together. You guys have been talking about how it's better together, constantly, throughout this podcast. And you're doing that to help customers implement this zero trust security model. So can you explain, David, just how you're going about doing that?
Well, sort of three different pillars of our relationship is one, we've decided at Microsoft, we're going to keep building new services. We're going to keep getting customers access to new types of information and data and applications and integration. And we're going to continue to onboard third-party applications and data models and databases into Azure and into Dynamics 365. Again, that's all good news. That's for market consumption, and it's to make sure that the customer experience is seamless and threaded as possible.
Second part of that-- we have to secure it. We have to find out how to go across these different types of technologies, these different identity solutions, to actually make sure that it is secure, that we are doing proactive and ongoing maintenance of all those connection points. And so that mechanism of taking our baseline services and all the ports that we're opening and making sure we've got a lock on each one of those doors is what One Identity really does specialize in, down to the individual call level. And we're grateful for that, for that solving and that coming together of all that integration.
And then the third piece is I've always been impressed with One Identity's engineering group and how tightly aligned they are with our priorities. We build roadmaps together. We help identify flaws and gaps, not just in first-party services but in the overall ecosystem. We use the examples of supply chains earlier. We know there's a lot of infrastructure investment going into different markets, going into different shipping, logistics companies. Together, we're working to make sure that we've got the right set of services, both from a data and application layer, but also from a security and identity perspective.
And the fact that One Identity is so tied into our product roadmaps-- we know where they're going to fall in and support the gaps that our first-party services don't provide. I think that trust factor and that common evolution of engineering resources is a really strong aspect to our ongoing relationship. And it's not just about what's in market today. You know, Bhagwat and I are committed and tied at the hip on what we're going to be developing over the next three to five years, continuing to evolve and get more sophisticated with our combined and integrated efforts.
That's brilliant. What are the key benefits, then, to customers and what are they experiencing, Bhagwat, thanks to this partnership?
Yeah, I think the-- two things, really. One is that we make it all feasible faster, I think probably the best way to describe it. So going back to the start of zero trust-- it's not lone logging. What is zero trust? But how do I implement it. So we have built a set of solutions built on Azure, built on our technology, to make sure we can offer an integrated IG, PAM, and access management solution. By being able to do that, to offer to our customers all around the world 365 days, 24/7 reliability, so the customers are confident on not only the service reliability, but also the security posture. And I think that's a true testament to our partnership.
I think the second thing really is the fact that our teams really collaborate not only just on development but also sharing insights, right? What we are seeing in the threat landscape. And so they are getting the benefit of telemetry and security posture from two of the leading organizations in the world.
It's all about confidence. It's all about, if you're managing infrastructure, data, applications, customer relationships, you don't want to be in the paper for a breach. And so if you can be confident that you've got two mega companies that work together with the biggest, baddest, most scalable platform on the planet that's doing all the proactive, all the intelligent work on your behalf, that's-- that allows you to do what you do best, which is actually service your customers with whatever product or service you're actually deploying.
And so that confidence, I know for me, when I'm confident in what I do every day, I'm pretty good. And I think that reliability and that confidence that there's two companies that are looking out for our better interests here, and together, they've made it easy and efficient for us to execute and implement so that we can go and focus our time on the technology investments that will further our business forward-- I think that goes a long way for our mutual customers.
Fantastic. Right, OK. So look, that's everything that you need to know to get started with a zero trust security model. We've discussed how to define it, why more and more companies are moving to implement it, and provided some simple steps that you can take right now to start implementing a zero trust security model in your business.
My thanks to both Bhagwat and David for joining me. You've been listening to Better Together, a podcast series brought to you by Microsoft and One Identity. In the next episode, Dan Conrad joins me to discuss zero trust best practices with Active Directory and Azure Active Directory. Join me then.
[MUSIC PLAYING]
37:09