Webinar recap: Zero trust in the age of unmanageable applications



Session overview

This session discussed the concept of zero trust, nonfederated applications, and how they relate to each other. The webinar also covered research conducted with the Ponemon Institute on nonfederated applications and the impact of breaches from these applications.



Speakers

  • John Kindervag, Creator of zero trust and Cerby Advisor
  • Matt Chiodi, Cerby Chief Trust Officer



Topics covered

  • Introduction to zero trust and unmanageable/nonfederated applications
  • Research findings from the Ponemon Institute
  • The role of zero trust in managing unmanageable applications
  • Common misconceptions about zero trust
  • The zero trust maturity model



Takeaway 1: Unmanageable/nonfederated applications pose a significant security risk, and adopting a zero trust approach can help mitigate the risk.


The research conducted by the Ponemon Institute revealed that one in seven breaches are from applications that can't be managed with an identity provider, which underscores the importance of addressing unmanageable applications in an organization's zero trust strategy. In the webinar, John Kindervag explained that zero trust is a strategy to stop data breaches and make other cyberattacks unsuccessful by removing trust from digital systems.


"Trust is a human emotion that's been injected into digital systems for no reason at all. And because of this, it's actually a dangerous vulnerability," said Kindervag. Organizations can better manage and secure unmanageable applications by adopting a zero trust approach, focusing on protecting their most critical assets and data.


Takeaway 2: Implementing zero trust requires a clear understanding of what needs to be protected and a strategy to enforce policies.


Kindervag emphasized the importance of defining the protect surface, a key zero trust concept covering the data, applications, assets, and services (DAAS) that need protecting. A zero trust environment is built one protect surface at a time, which lets organizations create a more scalable and manageable security strategy.


"The most we can screw up is one protect surface at a time. But let's say we wanted to control an unmanageable app…we're going to be able to say, oh, we know what that protect surface is…we have a base control, base policy, a little bit of logging…and then we need to get to a place where we get to [an optimal level] in a certain timeframe," explained Kindervag.


Takeaway 3: Zero trust is a continuously evolving strategy that requires monitoring and maintenance to stay effective.


According to Kindervag, one of the key aspects of zero trust is creating an "antifragile" system that becomes stronger over time. Zero trust requires continuous monitoring, updating, and refining based on the organization's changing needs and threat environment.


"So the more we get information, the more we get stressed, the more we get attacks, and when we defend against something, the stronger we can make each protect surface. So zero trust is an antifragile system…if you don't understand that secret, you'll never be successful," said Kindervag. Implementing zero trust as an ongoing process helps organizations stay agile and proactive in their approach to cybersecurity.


Insights surfaced

  • One in seven breaches are from applications that cannot be managed with an identity provider.
  • The median number of nonfederated applications in an enterprise is 176.
  • Business units manage access to nonfederated applications 63% of the time.
  • Over half (52%) of respondents experienced a breach with a nonfederated application.


Key quotes

  • "Zero trust is a strategy designed to stop data breaches and make other cyberattacks unsuccessful by eliminating trust from digital systems."
  • "The only entities who get value from trust are the malicious actors who are going to exploit it."
  • "The most we can screw up is one protect surface at a time."
  • "Zero trust is incremental, iterative, and non-disruptive."
  • "All the bad things that can happen to you happen inside of an allow rule."

