>> Live from San Francisco, it's theCUBE, covering RSA Conference 2019. Brought to you by Forescout. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at RSA Conference in North America. The brand new reopened Moscone Center. They finally finished the remodel, which we're excited about, in the Forescout booth, and excited to have a returning Cube alum, I think we had him on last year at RSA, Dr. Chase Cunningham, principle analyst security and risk for Forester. >> Hey. >> Chase, great to see you again. >> Thanks for having me. >> So what's happened in the last year, since we last saw you? I'm sure you've been keeping busy, and running down lots of ... >> Yeah well, >> Crazy risk. >> It's been really pushing the sort of strategy set around zero trust. I mean if you look around the show floor, you can't go 75 feet without seeing somebody that's got zero trust on a booth, or hear it from somebody, so it's been really pushing that narrative and trying to get people to understand what we're talking about with it. >> And it's really important because it's a very different way of thinking about the world. >> Yeah. >> And you guys have been talking about it for a while. >> For a decade, basically. >> Right. >> Yeah. >> And then we've got all these new complexity that's thrown in that weren't there a decade ago. You've got IOT, you got OT, and then you've got hybrid cloud, right? 'cause everyone, well there's public cloud, but most big enterprises have some in the public cloud, some on their data center. So you've got these crazy hybrid environments; so how are you kind of adjusting the zero trust game, based on some of these new complexities? So really we flip the script a little bit and said, "Okay, if we were to try and fix this from the start, "where would we start?" And we'd obviously start around taking care of the the largest swath and sort of compromise area, which would probably start with users, followed closely by devices, because if we can take care of those two pieces, we can actually gain some ground and work our way going forward. If you've heard a lot of the stuff around micro-segmentation, our sort of approach to micro-segmentation means micro-segment everything. We mean users, accounts, devices, IOT, OT, wired, unwired, whatever it is, if you can apply control to it, and you can segment it away to gain ground, segment it. >> So how do you deal with the micro-segmentation? Because ultimately you could segment down to one, and then you haven't really accomplished much, right? >> Right, a network of one is no good, yeah. >> Exactly; so when you think about micro-segmentation architectures, how are you creating buckets? What are your logical buckets that you're putting things in? >> So really it should be based on the function that you're trying to allow to occur. If you look at the way we architected networks for the last 20-something years it's been around sort of use writ-large. What we're talking about micro-segmentation is, if I'm micro-segmenting devices, those devices should live in a micro-segment where devices do device stuff, and you can keep control of that, and you can see what's coming and leaving. Users should be segmented that way, networks, all of it should be built around function, rather than inter-operability. Inter-operability is a result of good micro-segmentation, not the other way around. >> Right, and that's interesting you say that, we're obviously, we're in the Forescout Booth, >> Yeah. >> and a big piece of what they're talking about is, identifying these devices, but then basically restricting their behavior to what they should be doing. So really following along in your zero trust philosophy. >> Well I said it last year, I'll say the same thing again, a key piece of this whole thing is knowing what's supposed to be occurring and being able to control it, and then respond to it. It's not really that we've changed the evolution of this whole thing, we've just looked at it a little more pragmatically, and applying fixes where you can actually start gaining ground. >> Right, and applying the fixes at all different points in the spectrum, as opposed to just trying to create that big giant wall and a moat. >> Well yeah, moving away from the perimeter model, like the perimeter model has categorically failed. Everyone around here seems to understand that that's a reality; and we're not saying you shouldn't have your defenses up, but your defenses should be much more granular and much more focused on the realities of what enables the business. >> Right, so I'm just curious to get your perspective, you've been doing this for a while, as you walk around the show floor here, and see so many vendors, and so many products, and so many solutions, and so many bright shiny objects; how do you make sense of it? How do you help you customers make sense of it? Because it's not a simple space, and I always just think of the poor CSO's, sitting there like "How am I supposed to absorb, "even just the inbound information "about knowing what's going on," much less get to the point of doing evaluation and making purchase decision and making implementation decision. >> So one of the things that we've been really pushing forward with is using virtualization solutions to build architectures, not PowerPoints, not drawing stuff on a whiteboard, like actually using virtualization to build virtual architectures, and test and design there. It's actually very similar to the way that we write applications, you iterate; you don't write an app and release it, and think you got it right and you're done, you write pieces of code, build the app, you iterate, you move on, because of virtualization, we can do the same thing with security tooling and with networks. So one of our major initiatives is pushing that capability set to our customers to say, "This is how you get there, and you design, "and then you build, and then you deploy," rather than, "Deploy it and hope you got it right." >> And know that it's not going to be right the first time you buy it, right? You just got to write a check and the problem goes away. >> And it's much better if you screw something up virtually to just nuke it and start over, than if you try and do it with a bunch of hardware that you can't actually rip and replace. >> That's interesting, right? 'Cause the digital twin concept has been around in the OT space for a long time. We talk to GE all the time and digital twin in terms of modeling behavior, and a turbine engine is something they've been talking about forever. At a healthcare conference they're talking about digital twinning people, which I thought was pretty interesting. >> Kind of creepy, but yeah >> Kind of creepy, but then you think, "Okay, so I can, "I can test medications, I can do these things," and to your point, if I screw it up, I'm screwing up the twin, I'm not necessarily screwing up the real thing. And you talked about in your last blog post, starting to create some of these environments and architectures to help people do some of this exploration. >> Yeah we launched our first one here at RSA on Tuesday night, we actually put out our own Forester branded virtual reference architecture; and the good thing is is the way that we're approaching it, we can actually have our clients build their own semblance of this, because something everybody forgets is, this is one of the few places where there are snowflakes, right? Everyone has their own individual build, so being able to have yours that you build, maybe different from mine, even though we both line with a strategic concept like zero trust. >> Right. >> So, we're building a library of those. >> So is the go to market on that that you've got an innovations space, and people do it within there? Or are you giving them the tools to build it on PRIM, how's the execution of it? >> So really it's about, we've published a lot of research that says, "This is the way to do it;" now we've got this platform and the capability to say, "This is where you can do it;" and then allowing them to go in there and follow that research to actually design and build it and see that it's actually do-able. >> Right, right; so as you're looking forward, 2019, I can't believe the calendar's flipped already to March. Crazy ... What are your top priorities? What're you working on as you go forward this calendar year? >> It's mostly about ground truth sort of use cases on this adoption of zero trust across the industry; and really getting people to understand that this is something that can be done. So we have write-ups going on customers that have deployed zero trust solutions; and sort of how they did it, why they did it, where they got benefit from, where they're going with it, because we remind people all the time that this a journey. This is not something I wake up in the morning, build a zero trust network, and walk away. This is multi-year in some cases. >> Well it's going multi-year forever right? Because the threats keep changing; and the thing I find really fascinating is that the value of what they're attacking is changing dramatically, right? It used to be maybe I just wanted to do some, crazy little hacks, or change a grade, maybe steal some money from your bank account; but now with some of the political stuff, and the state-sponsored stuff, there's a lot more complex and softer nuance information they the want to get for much softer nuanced objectives, so you're going to have to continue to reevaluate what needs to be locked in tighter and what needs to be less locked up, because you can't lock it all up to the same degree. >> Right, and it's really something that we remind our customers a lot on, that security is being done by the majority of organizations not because they actually want to do security, it's because security makes the customers have more faith and trust in you, they buy more stuff, your revenue goes up, and everyone benefits. >> Right. >> You know, some of these large organizations, they don't have SOC's and do security operations 'cause they want to be a security company, they're a company that has to do security to get more customers. >> Right, have they figured that out yet? The trust thing is such a big deal, and the Big Tech backlash that we're seeing that's going on. >> I had thought that they would have figure it out, but it comes up all the time, and you have to really wrap people's head around that you're not doing security because you think security is cool, or you need to do it, it's to get more customers to grow the business. This is a business enabler, not a tangential business thing. >> Right, it's such a high percentage of the interaction between a company and it's customers, or a company and it's suppliers, is electronic now anyway, whether it's via web browser or an API call, It's such an important piece 'cause that is the way people interact with companies now. They're not going to the bank branch too often. >> With the growth of GDPR and privacy and things like that, companies are being mandated by their clients, by their customers to be able to say, "How do you secure me?" And the business had better be able to answer that. >> Right right, but hopefully they're not, to your point, I thought you were going to say they're doing it for the compliance, but it's a lot more than just compliance, you shouldn't be doing it just for the compliance. >> Yeah, I mean I stand on the compliance is kind of a failed approach. If you chase compliance you will just be compliant. If you actually do security with a strategy in place you will achieve compliance; and that's the difference most people have to wrap their head around, but compliance is something you do, not something you strive to be. >> Love it, well Chase thanks for stopping by and sharing your insight and a lot of good work. Love keeping track of it, keeping an eye on the blog. >> Great, thanks for having me. >> All right, he's Chase, I'm Jeff, you're watching theCUBE, we're at the RSA conference in the Forescout Booth, thanks for watching, we'll see you next time. (low techno music)

>> Narrator: From downtown San Francisco it's theCUBE covering RSA North America 2018. >> Welcome back everybody, Jeff Frick here with theCUBE. We're at the RSA Conference North America 2018 downtown San Francisco. 40,000 plus people swarming all over Moscone to the north to the south and to the west. We're excited to have our next guest on. He's Chase Cunningham, principal analyst at Forrester. Chase, great to meet you, welcome. >> Thanks for having me. >> Absolutely, so you just had an interesting blog post. Was Zero Trust on a beer budget. >> Yeah. >> What is that all about? >> Well, so Zero Trust is a pretty simple concept about accepting failure, if you will, and focusing on the internal and moving outward. And basically the premise was, I had friend of mine ask me if he could do Zero Trust for his small company. And I said sure, let's go get a beer and we'll figure this out. And literally, in about half an hour we had a Zero Trust strategy in place for less than 40 grand and his infrastructure is way more secure and it's really simple. >> So that's pretty interesting because, you Know it's easy for big companies that have a lot of resources or the big puddle of Cloud companies have a lot of resources to put a lot of implementation into place. But as we look around this conference tons and tons of companies, it's a lot harder for small and medium businesses either to have the expertise or the budgets to really bring in what they need to secure things. So what were some of the insights from your beer exercise? >> Sure, so it was really simple. If you really think about where the majority of the threat comes from, the network is there and everybody uses it but who accesses the network? The users, the individuals, the devices, everything else. So the first thing we did was we're going to lock down identity and access management because I know if I can control that I've made a fundamental shift into power position for myself. And the next thing we did was we said look you guys don't really own intellectual property but you send emails. We're going to put stuff in place to encrypt every email you send whether you like it or not. So between those two simple things, identity access management and sort of data email encryption we put a really strong security platform in place and it didn't break the bank and it wasn't really hard to do and it's something that you can get better as it goes on. >> Right. And I'm curious, had he had an event or he was just trying to get ahead of the curve? >> He had had some weird stuff showing up. He's in esports, right, so he doesn't have actual intellectual property but he's worried because if they get dossed or they get hacked or they get ransomware for every minute they're down they're losing viewers and that's business and money for them. >> Right, so it kind of ties back to this kind of next gen access where it's really important with the identity but the other one is the context. Who is it and where are they trying to get in? Do they usually come in that way? Do they usually have access? So that's another really way to kind of isolate the problems that might come in the front door. >> Yeah, and you know the, years ago the next gen firewall was really the thing to integrate lots of functions across the network and that's all there. It still exists and it's still necessary but really when you break it down and look at historically where the threats have come from and where the compromises have come from, it's access and if you can't control that you don't have the capability of actually stopping bad things from happening. >> Right, right, so as you look around and you've been coming to this probably for a couple years, as this space evolves. You know, kind of what are your general impressions? I mean, on one hand, so many vendors, so many activities. On the other hand, it was like, we've been at this for a while or are we just stuck in this race and we just got to keep running? >> Well I think we're going to continue running the race but interestingly enough there's buses driving by now with Zero Trust all over the side of it. And I'm glad to see that that strategy is starting to take hold because the problem I have is you can Frankenstein technology together all day long but if you don't have a strategic guidepost that everybody understands from the board down to the network engineer you're going to get it wrong. You're going to miss and so I'm a fan of simplicity and force multipliers and to me the Zero Trust strategy sort of drives that forward. >> All right, well Chris thanks for taking a few minutes. Everyone can log onto your site, take a look at the blog. Thanks for stopping by. >> Thanks for having me. >> All right, he's Chris Cunningham from Forrester. I'm Jeff Frick from theCUBE. Thanks for watching from RSAC 2018.

>>from around the globe. It's the Cube with digital coverage of AWS reinvent 2020 sponsored by Intel, AWS and our community partners. >>Hey, welcome back already, Jeffrey here with the Cube coming to you from Palo Alto studios today for our ongoing coverage of aws reinvent 2020. It's a digital event like everything else in 2020. We're excited for our next segment, so let's jump into it. We're joined in our next segment by Andrew Rafa. He is the principal and zero trust offering lead at the Light and Touche LLP. Andrew, great to see you. >>Thanks for having me. >>Absolutely. And joining him is Robbie Deval. He is the AWS cyber risk lead for Deloitte and Touche LLP. Robbie, Good to see you as well. >>Hey, Jeff, good to see you as well. >>Absolutely. So let's jump into it. You guys are all about zero trust and I know a little bit about zero trust I've been going to are safe for a number of years and I think one of the people that you like to quote analysts chase Cunningham from Forrester, who's been doing a lot of work around zero trust. But for folks that aren't really familiar with it. Andrew, why don't you give us kind of the 101? About zero trust. What is it? What's it all about? And why is it important? >>Sure thing. So is your trust is, um, it's a conceptual framework that helps organizations deal with kind of the ubiquitous nature of modern enterprise environments. Um, and then its course. Your trust commits to a risk based approach to enforcing the concept of least privileged across five key pillars those being users, workloads, data networks and devices. And the reason we're seeing is your trust really come to the forefront is because modern enterprise environments have shifted dramatically right. There is no longer a defined, clearly defined perimeter where everything on the outside is inherently considered, considered untrusted, and everything on the inside could be considered inherently trusted. There's a couple what I call macro level drivers that are, you know, changing the need for organizations to think about securing their enterprises in a more modern way. Um, the first macro level driver is really the evolving business models. So as organizations are pushing to the cloud, um, maybe expanding into into what they were considered high risk geography is dealing with M and A transactions and and further relying on 3rd and 4th parties to maintain some of their critical business operations. Um, the data and the assets by which the organization, um transact are no longer within the walls of the data center. Right? So, again, the perimeter is very much dissolved. The second, you know, macro level driver is really the shifting and evolving workforce. Um, especially given the pandemic and the need for organizations to support almost an entirely remote workforce nowadays, um, organizations, they're trying to think about how they revamp their traditional VPN technologies in order to provide connectivity to their employees into other third parties that need to get access to, uh, the enterprise. So how do we do so in a secure, scalable and reliable way and then the last kind of macro level driver is really the complexity of the I t landscape. So, you know, in legacy environment organizations on Lee had to support managed devices, and today you're seeing the proliferation of unmanaged devices, whether it be you know, B y o d devices, um, Internet of things, devices or other smart connected devices. So organizations are now, you know, have the need to provide connectivity to some of these other types of devices. But how do you do so in a way that, you know limits the risk of the expanding threat surface that you might be exposing your organization to by supporting from these connected devices? So those are some three kind of macro level drivers that are really, you know, constituting the need to think about security in a different >>way. Right? Well, I love I downloaded. You guys have, ah zero trust point of view document that that I downloaded. And I like the way that you you put real specificity around those five pillars again users, workloads, data networks and devices. And as you said, you have to take this kind of approach that it's kind of on a need to know basis. The less, you know, at kind of the minimum they need to know. But then, to do that across all of those five pillars, how hard is that to put in place? I mean, there's a There's a lot of pieces of this puzzle. Um, and I'm sure you know, we talk all the time about baking security and throughout the entire stack. How hard is it to go into a large enterprise and get them started or get them down the road on this zero trust journey? >>Yeah. So you mentioned the five pillars. And one thing that we do in our framework because we put data at the center of our framework and we do that on purpose because at the end of the day, you know, data is the center of all things. It's important for an organization to understand. You know what data it has, what the criticality of that data is, how that data should be classified and the governance around who and what should access it from a no users workloads, uh, networks and devices perspective. Um, I think one misconception is that if an organization wants to go down the path of zero trust, there's a misconception that they have to rip out and replace everything that they have today. Um, it's likely that most organizations are already doing something that fundamentally aligned to the concept of these privilege as it relates to zero trust. So it's important to kind of step back, you know, set a vision and strategy as faras What it is you're trying to protect, why you're trying to protect it. And what capability do you have in place today and take more of an incremental and iterative approach towards adoption, starting with some of your kind of lower risk use cases or lower risk parts of your environment and then implementing lessons learned along the way along the journey? Um, before enforcing, you know more of those robust controls around your critical assets or your crown jewels, if you >>will. Right? So, Robbie, I want to follow up with you, you know? And you just talked about a lot of the kind of macro trends that are driving this and clearly covert and work from anywhere is a big one. But one of the ones that you didn't mention that's coming right around the pike is five g and I o t. Right, so five g and and I o. T. We're going to see, you know, the scale and the volume and the mass of machine generated data, which is really what five g is all about, grow again exponentially. We've seen enough curves up into the right on the data growth, but we've barely scratched the surface and what's coming on? Five G and I o t. How does that work into your plans? And how should people be thinking about security around this kind of new paradigm? >>Yeah, I think that's a great question, Jeff. And as you said, you know, I UT continues to accelerate, especially with the recent investments and five G that you know pushing, pushing more and more industries and companies to adopt a coyote. Deloitte has been and, you know, helping our customers leverage a combination of these technologies cloud, Iot, TML and AI to solve their problems in the industry. For instance, uh, we've been helping restaurants automate their operations. Uh, we've helped automate some of the food safety audit processes they have, especially given the code situation that's been helping them a lot. We are currently working with companies to connect smart, wearable devices that that send the patient vital information back to the cloud. And once it's in the cloud, it goes through further processing upstream through applications and data. Let's etcetera. The way we've been implementing these solutions is largely leveraging a lot of the native services that AWS provides, like device manager that helps you onboard hundreds of devices and group them into different categories. Uh, we leveraged device Defender. That's a monitoring service for making sure that the devices are adhering to a particular security baseline. We also have implemented AWS green grass on the edge, where the device actually resides. Eso that it acts as a central gateway and a secure gateway so that all the devices are able to connect to this gateway and then ultimately connect to the cloud. One common problem we run into is ah, lot of the legacy i o t devices. They tend to communicate using insecure protocols and in clear text eso we actually had to leverage AWS lambda Function on the edge to convert these legacy protocols. Think of very secure and Q t t protocol that ultimately, you know, sense data encrypted to the cloud eso the key thing to recognize. And then the transformational shift here is, um, Cloud has the ability today to impact security off the device and the edge from the cloud using cloud native services, and that continues to grow. And that's one of the key reasons we're seeing accelerated growth and adoption of Iot devices on did you brought up a point about five G and and that's really interesting. And a recent set of investments that eight of us, for example, has been making. And they launched their AWS Waveland zones that allows you to deploy compute and storage infrastructure at the five G edge. So millions of devices they can connect securely to the computer infrastructure without ever having to leave the five g network Our go over the Internet insecurely talking to the cloud infrastructure. Uh, that allows us to actually enable our customers to process large volumes of data in a short, near real time. And also it increases the security of the architectures. Andi, I think truly, uh, this this five g combination with I o t and cloudy, I m l the are the technologies of the future that are collectively pushing us towards a a future where we're gonna Seymour smart cities that come into play driverless connected cars, etcetera. >>That's great. Now I wanna impact that a little bit more because we are here in aws re invent and I was just looking up. We had Glenn Goran 2015, introducing a W S s I O T Cloud. And it was a funny little demo. They had a little greenhouse, and you could turn on the water and open up the windows. But it's but it's a huge suite of services that you guys have at your disposal. Leveraging aws. I wonder, I guess, Andrew, if you could speak a little bit more suite of tools that you can now bring to bear when you're helping your customers go to the zero trust journey. >>Yeah, sure thing. So, um, obviously there's a significant partnership in place, and, uh, we work together, uh, pretty tremendously in the market, one of the service are one of solution offering that we've built out which we dub Delight Fortress, um is a is a concept that plays very nicely into our zero trust framework. More along the kind of horizontal components of our framework, which is really the fabric that ties it all together. Um s o the two horizontal than our framework around telemetry and analytics. A swell the automation orchestration. If I peel back the automation orchestration capability just a little bit, um, we we built this avoid fortress capability in order for organizations to kind of streamline um, some of the vulnerability management aspect of the enterprise. And so we're able through integration through AWS, Lambda and other functions, um, quickly identify cloud configuration issues and drift eso that, um, organizations cannot only, uh, quickly identify some of those issues that open up risk to the enterprise, but also in real time. Um, take some action to close down those vulnerabilities and ultimately re mediate them. Right? So it's way for, um, to have, um or kind of proactive approach to security rather than a reactive approach. Everyone knows that cloud configuration issues are likely the number one kind of threat factor for Attackers. And so we're able to not only help organizations identify those, but then closed them down in real time. >>Yeah, it's interesting because we hear that all the time. If there's a breach and if if they w s involved often it's a it's a configuration. You know, somebody left the door open basically, and and it really drives something you were talking about. Ravi is the increasing important of automation, um, and and using big data. And you talked about this kind of horizontal tele metrics and analytics because without automation, these systems are just getting too big and and crazy for people Thio manage by themselves. But more importantly, it's kind of a signal to noise issue when you just have so much traffic, right? You really need help surfacing. That signals you said so that your pro actively going after the things that matter and not being just drowned in the things that don't matter. Ravi, you're shaking your head up and down. I think you probably agree with this point. >>Yeah, yeah, Jeff and definitely agree with you. And what you're saying is truly automation is a way off dealing with problems at scale. When when you have hundreds of accounts and that spans across, you know, multiple cloud service providers, it truly becomes a challenge to establish a particular security baseline and continue to adhere to it. And you wanna have some automation capabilities in place to be able to react, you know, and respond to it in real time versus it goes down to a ticketing system and some person is having to do you know, some triaging and then somebody else is bringing in this, you know, solution that they implement. And eventually, by the time you're systems could be compromised. So ah, good way of doing this and is leveraging automation and orchestration is just a capability that enhances your operational efficiency by streamlining summed Emmanuel in repetitive tasks, there's numerous examples off what automation and orchestration could do, but from a security context. Some of the key examples are automated security operations, automated identity provisioning, automated incident response, etcetera. One particular use case that Deloitte identified and built a solution around is the identification and also the automated remediation of Cloud security. Miss Consideration. This is a common occurrence and use case we see across all our customers. So the way in the context of a double as the way we did this is we built a event driven architectures that's leveraging eight of us contribute config service that monitors the baselines of these different services. Azzan. When it detects address from the baseline, it fires often alert. That's picked up by the Cloudwatch event service that's ultimately feeding it upstream into our workflow that leverages event bridge service. From there, the workflow goes into our policy engine, which is a database that has a collection off hundreds of rules that we put together uh, compliance activities. It also matched maps back to, ah, large set of controls frameworks so that this is applicable to any industry and customer, and then, based on the violation that has occurred, are based on the mis configuration and the service. The appropriate lambda function is deployed and that Lambda is actually, uh, performing the corrective actions or the remediation actions while, you know, it might seem like a lot. But all this is happening in near real time because it is leveraging native services. And some of the key benefits that our customers see is truly the ease of implementation because it's all native services on either worse and then it can scale and, uh, cover any additional eight of those accounts as the organization continues to scale on. One key benefit is we also provide a dashboard that provides visibility into one of the top violations that are occurring in your ecosystem. How many times a particular lambda function was set off to go correct that situation. Ultimately, that that kind of view is informing. Thea Outfront processes off developing secure infrastructure as code and then also, you know, correcting the security guard rails that that might have drifted over time. Eso That's how we've been helping our customers and this particular solution that we developed. It's called the Lloyd Fortress, and it provides coverage across all the major cloud service providers. >>Yeah, that's a great summary. And I'm sure you have huge demand for that because he's mis configuration things. We hear about him all the time and I want to give you the last word for we sign off. You know, it's easy to sit on the side of the desk and say, Yeah, we got a big security and everything and you got to be thinking about security from from the time you're in, in development all the way through, obviously deployment and production and all the minutes I wonder if you could share. You know, you're on that side of the glass and you're out there doing this every day. Just a couple of you know, kind of high level thoughts about how people need to make sure they're thinking about security not only in 2020 but but really looking down the like another road. >>Yeah, yeah, sure thing. So, you know, first and foremost, it's important to align. Uh, any transformation initiative, including your trust to business objectives. Right? Don't Don't let this come off as another I t. Security project, right? Make sure that, um, you're aligning to business priorities, whether it be, you know, pushing to the cloud, uh, for scalability and efficiency, whether it's digital transformation initiative, whether it be a new consumer identity, Uh uh, an authorization, um, capability of china built. Make sure that you're aligning to those business objectives and baking in and aligning to those guiding principles of zero trust from the start. Right, Because that will ultimately help drive consensus across the various stakeholder groups within the organization. Uh, and build trust, if you will, in the zero trust journey. Um, one other thing I would say is focus on the fundamentals. Very often, organizations struggle with some. You know what we call general cyber hygiene capabilities. That being, you know, I t asset management and data classifications, data governance. Um, to really fully appreciate the benefits of zero trust. It's important to kind of get some of those table six, right? Right. So you have to understand, you know what assets you have, what the criticality of those assets are? What business processes air driven by those assets. Um, what your data criticality is how it should be classified intact throughout the ecosystem so that you could really enforce, you know, tag based policy, uh, decisions within, within the control stack. Right. And then finally, in order to really push the needle on automation orchestration, make sure that you're using technology that integrate with each other, right? So taken a p I driven approach so that you have the ability to integrate some of these heterogeneous, um, security controls and drive some level of automation and orchestration in order to enhance your your efficiency along the journey. Right. So those were just some kind of lessons learned about some of the things that we would, uh, you know, tell our clients to keep in mind as they go down the adoption journey. >>That's a great That's a great summary s So we're gonna have to leave it there. But Andrew Robbie, thank you very much for sharing your insight and and again, you know, supporting this This move to zero trust because that's really the way it's got to be as we continue to go forward. So thanks again and enjoy the rest of your reinvent. >>Yeah, absolutely. Thanks for your time. >>All right. He's Andrew. He's Robbie. I'm Jeff. You're watching the Cube from AWS reinvent 2020. Thanks for watching. See you next time.