Conf42 Platform Engineering 2025 - Online

- premiere 5PM GMT

Beyond Perimeters: Implementing Zero Trust at Enterprise Scale

Abstract

Transform your platform from security liability to fortress! Learn battle-tested Zero Trust patterns that integrate seamlessly with K8s, service mesh, and IaC. Real implementations, zero fluff—secure distributed systems without breaking developer experience.

Transcript

This transcript was autogenerated. To make changes, submit a PR.
Hello, Griffin. I'm Naveen Kumar Birru. I'm truly honored to be here at Conf42 ML 2025. Today's talk is going to be about Beyond Perimeters: Implementing Zero Trust at Enterprise Scale. In this session, I want to go beyond the hype and break down what Zero Trust really means, why it is not just a security buzzword, but a fundamental architectural shift that enterprises need to survive and thrive in today's cloud-driven, distributed world. Zero Trust has become one of the most important strategies for modern enterprises, especially those operating across multi-cloud environments, different geographies, and supporting remote workforces. In this presentation, I will walk you through key concepts, share data points, and highlight real-world implementation challenges and outcomes. Thank you for spending time with me. Let's get started.

Evolving digital landscape. Let's begin by painting the landscape we are operating in today. 76% of enterprises run multi-cloud environments spanning an average of 3.7 cloud providers, creating a highly complex, interconnected system. Despite investments in perimeter defense, 95% of breaches still result from human error: phishing attacks, misconfigurations, accidental exposure. Breach costs are rising, now averaging around 4.8 million, a 10.7 increase from last year. These trends show that traditional perimeter-based defenses are no longer enough to effectively protect modern enterprises. We need a model that assumes breaches will happen and focuses on minimizing impact.

The business case for zero trust. So why zero trust? Because organizations that embrace mature zero trust programs save around 1.4 million on average per breach. Adoption has skyrocketed: 49% of enterprises report progress in zero trust initiatives, up from 21% just a few years ago. This shift is practically driven by remote work, which has expanded the attack surface by 37%, adding unmanaged devices, unsecured networks, and external access points. Beyond security,
Zero Trust offers business benefits like greater agility, safer cloud adoption, and stronger regulatory alignment. I think it's essential for business.

From perimeter to zero trust. Zero trust requires a fundamental mind shift. Instead of assuming that everything inside the network is trusted, we follow three principles. Continuous verification: every request is checked every time. Identity-based trust: access decisions are based on identity, not on location. No default trust: nothing is implicitly trusted, even inside the network. This shift matters because 70% of today's traffic moves east-west, inside the perimeter. The old castle-and-moat approach leaves too many gaps open. With zero trust, trust becomes something you earn, not something you inherit.

Identity-centric security. Identity is the heart of zero trust. In this model, identity becomes the new perimeter, whether it's a person, a device, or a workload. According to NIST, all resource authentication and authorization are dynamic and strictly enforced before access is allowed. But this is challenging. 92% of enterprises use multiple identity systems, making it inconsistent and hard to implement. Leading implementations now adopt continuous authentication, checking identity at multiple points during a session, not just at login. This has resulted in a 37% reduction in identity-based compromises, proving the power of strong identity-centered defenses. In short, identity management becomes the foundation for all security layers.

Microsegmentation is another key zero trust component. Rather than managing network zones, you apply granular control at the workload level. 76% of enterprises now implement software-defined segmentation, which controls east-west traffic. By ensuring that only explicitly allowed services communicate, you reduce the breach by 66%.
In segmented environments, microsegmentation effectively limits lateral movement, turning what could have been a system-wide breach into a small, contained incident. It reinforces the principle of least privilege at the network level, cutting off attack pathways before they spread.

Contextual access policies. Dynamic access policies are central to zero trust. They rely on combining multiple factors such as user identity and behavior patterns; device health, assessed by 83% of enterprises; request context like location and time; and data sensitivity, ensuring sensitive resources get extra protection. By layering these controls, organizations create adaptive, risk-based access decisions. The result: a 37% reduction in exfiltration incidents, showing that smart policies make a real impact. This isn't just static role-based access; it's applying context to every decision. Again, dynamic policy enforcement is central to zero trust implementation, with NIST defining a core tenet that access to resources is determined by dynamic policy, including the observable state of client identity, application, service, and requesting asset.

The result is that zero trust security effectiveness increases in a lot of areas: reduction in exploitable attack surface by 41%, reduction in breach scope because of microsegmentation by 66%, reduction in data exfiltration incidents by 37%, and reduction in identity-based compromise incidents by 37%.

Current state of zero trust adoption. Let's look at where most organizations are today. Only 8% have fully implemented zero trust across their enterprises. But for others, the process is under way. 49% are actively applying zero trust in key areas, and 34% are still planning their approach. This highlights the implementation gap between early pilots and full enterprise coverage. Zero trust takes time. It's not a plug-and-play solution. It requires careful strategy, phased rollout, and alignment across various teams.

Federated identity management.
Managing identities across a large, complex organization is one of the hardest zero trust challenges, mainly because of the identity confidence gap. Only 29% of organizations are really confident in their identity security controls, creating a significant challenge for zero trust implementations. Privileged identity management: 57% of organizations report using privileged identity management solutions as part of their zero trust approach. Machine identity: 73% of organizations report managing more machine identities than human identities, creating an expanded identity surface requiring consistent security controls. Large organizations must implement federated identity solutions that provide seamless yet secure access across distributed environments. The identity confidence gap creates a significant challenge, as 89% of organizations have experienced at least one identity-related breach in recent years.

End-to-end encryption. Zero trust demands pervasive encryption, protecting data no matter where it travels. This includes encrypting data in transit and data at rest, securing API communications, protecting east-west microservice traffic, and implementing robust key management practices. Zero trust requires encryption to protect data throughout its life cycle, eliminating implicit trust in network boundaries or transport mechanisms. Research shows encryption is one of the fourth most common controls supporting zero trust initiatives. This shift reduces reliance on network boundaries and ensures that even intercepted data remains protected. It's about making sure that sensitive information is always secure, even on untrusted channels.

Distributed policy enforcement. Zero trust requires enforcing policies consistently at multiple levels. Network layer, with secure gateways and next-gen firewalls.
57% of organizations implement secure gateways as part of their zero trust policy, providing foundational security through next-generation firewalls and secure access through SASE solutions. Service mesh layer, using mTLS and fine-grained controls: fine-grained control policy in a containerized environment enables zero trust principles for modern application architectures with service-to-service communication, securing the mTLS communication between each service. Application layer, applying rules through an API gateway, ensuring that all API access adheres to zero trust policies with comprehensive authentication or authorization for each request. Policy enforcement must occur at multiple layers within the technology stack to implement zero trust principles effectively at enterprise scale. This architectural approach to policy enforcement represents a critical success factor, with 70% of organizations reporting difficulty in incorporating consistent policy enforcement across distributed environments. Without uniform policy enforcement, gaps appear, and attackers look for those inconsistencies. Effective policy enforcement is not just about tools. It's about ensuring alignment across the technology stack.

Comprehensive observability is the true backbone of a successful zero trust implementation. Without it, you are operating blind, and in today's fast-moving environment, that's a risk no organization can afford. To succeed, you need visibility across the entire stack, from infrastructure to application, from network to user behavior. This means that you're not just collecting raw data, but you're turning it into meaningful insights that can drive action. Key components include secure event collection across all systems, cloud and on-prem: comprehensive visibility enabling both proactive threat identification and effective incident response.
Behavioral analysis to establish baselines and quickly identify unusual patterns: establish baseline behaviors and identify deviations that may indicate security threats. Automated responses that contain threats the moment they're detected, enabling rapid mitigation of potential threats before they can cause significant damage. Consistent feedback loops where real-time data helps fine-tune policies and controls over time, leveraging operational data to adjust security controls based on environmental conditions. Currently, 42% of organizations report expanding their logging, monitoring, and telemetry efforts as part of their zero trust journey, but achieving comprehensive observability is about more than just tools. It's about designing systems that integrate visibility natively and not as an afterthought. Remember, you cannot secure what you cannot see. Zero trust requires full situational awareness across systems, identities, devices, and networks. The more you know about the environment, the faster and more precisely you can act when something goes wrong. Ultimately, it turns zero trust from a static policy framework into a living, adaptive security posture.

Let's talk about service mesh integration. When we talk about securing cloud-native applications, service meshes like Istio, Linkerd, or AWS App Mesh become central to zero trust. They aren't just networking tools. They're embedded deeply into how microservices communicate with each other. Service meshes provide critical capabilities, including mTLS, mutual TLS, ensuring that every service-to-service interaction is authenticated and encrypted. All service-to-service communication is authenticated and encrypted. Explicit access policies defining exactly which services are allowed to talk to each other can make zero trust easy to implement. Services can only communicate with explicitly authorized endpoints.
Telemetry collection is another important feature of service mesh integration. Gathering rich telemetry data on communication patterns, errors, and latency is critical. Detailed metrics on communication patterns reveal potential security anomalies. Cryptographic workload identities: this gives services unique, verifiable identities that are hard to spoof, cryptographic identities for services that can't easily be spoofed. By integrating these features directly into the application layer, organizations can enforce zero trust at a granular, sub-service level of communication. This reduces the risk of lateral movement. Even if one part of the system is compromised, the other parts see minimal impact. It also provides better visibility into how applications behave, enabling tighter controls and faster detection of anomalies. Without service mesh integration, zero trust efforts in microservice environments often fall short, leaving gaps for attackers that could possibly be exploited. Think of a service mesh as the connective tissue that holds zero trust principles together in highly dynamic cloud architectures. It's not about improving security, it's about building resilience, scalability, and adaptability into the heart of the system. Service meshes like Istio, Linkerd, and AWS App Mesh, as we talked about, facilitate zero trust by providing critical security capabilities for containerized microservice environments. Service meshes provide critical capabilities for implementing zero trust in microservice environments by creating an architecture where security is embedded within the application infrastructure.

Now let's talk about API security and zero trust. APIs are the front doors to modern applications, and they're under constant threat. In a zero trust framework, API security must be treated as a first-class citizen and a first-class priority, not an afterthought.
Securing APIs involves several key practices. Deploying API gateways as centralized enforcement points for all incoming and outgoing API calls; this provides centralized enforcement points for applying security policies. Implementing authentication requirements for all API consumers, regardless of their network origin. Applying rate limiting and anomaly detection to prevent abuse, denial-of-service attacks, or unexpected spikes; protecting against this abuse is critical for zero trust. Enforcing schema validation to block malformed and malicious payloads that could exploit the backend system; this is a critical preventive control, ensuring that all data passed through an API adheres to the expected format, preventing common attack techniques like injection attacks. Zero trust for APIs goes even further. It means authenticating every API consumer, validating authorization for every action, and continuously monitoring for suspicious behavior. APIs often connect to sensitive data, financial transactions, or critical operations, making them prime targets for attackers. Without strong API security, even the most well-designed zero trust architectures can be bypassed. Additionally, as organizations enter open ecosystems, working with partners, vendors, and third parties, API security becomes a vital piece of maintaining trust across extended supply chains. Zero trust can be applied to APIs to ensure that every single request is evaluated, verified, and controlled. Ultimately, your zero trust strategy is only as strong as your weakest API.

Now, let's talk about how to overcome implementation challenges. We can't talk about zero trust without addressing its challenges. Adoption is rarely smooth, and organizations face real, practical hurdles. About 60% of security leaders point to legacy system compatibility as one of the biggest obstacles for zero trust policy.
Older systems weren't designed for continuous verification or granular access control, and retrofitting them can be expensive and time-consuming. There are also challenges with tool sprawl, skill gaps, cultural resistance, and alignment across teams. Zero trust isn't just a security project; it's an organizational transformation that requires buy-in from leadership, IT operations, and business units. Successful organizations approach zero trust as a structured and staged journey. They start by identifying high-value targets, applying zero trust principles where they can have the biggest impact, and then gradually expanding outward to help build momentum. But strong, long-term success requires sustained investment and cross-functional collaboration. The transformation to zero trust architecture presents numerous implementation challenges that organizations must systematically address. Approximately 60% of security professionals cite legacy systems as their main concern. By decoupling identity from network location, implementing rigorous authentication and authorization, and maintaining continuous verification, organizations can build resilient security frameworks that adapt to the realities of modern distributed enterprises. It's important to remember that zero trust isn't a product you buy or a checkbox you complete. It's a shift in how an organization thinks about trust, access, and risk, and a mindset that puts continuous verification at its core. In the end, the organizations that succeed are those that see zero trust as a strategic commitment, not as a tactical fix.

In closing, thank you all so much for joining me today. I hope this talk gave you a clear understanding of how zero trust can scale enterprise security and gave you a realistic sense of what it takes to get there.
If you'd like to connect and share insights or continue this conversation, I would love to hear back from you. Thank you again and enjoy the rest of Conf42 ML 2025.
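
The service mesh controls the talk describes (mutual TLS everywhere, no default trust, and explicit allow rules keyed on a cryptographic workload identity), written out as Istio configuration. This is an added example, not material from the talk or the speaker; the `shop` and `payments` namespaces, the `checkout` service account, the `app: payments` label and the `/v1/charges` path are hypothetical, and `istio-system` is assumed to be the mesh root namespace.

```yaml
# Added example; every namespace, label, account and path below is hypothetical.

# 1. Mutual TLS for the whole mesh. PERMISSIVE (the usual migration setting)
#    still accepts plaintext from workloads without a sidecar; STRICT rejects it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # assumed root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. No default trust: a policy with an empty spec allows nothing, so every
#    request to workloads in this namespace is denied unless another
#    policy explicitly allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: payments
spec: {}
---
# 3. Explicit allow, based on identity rather than network location.
#    The principal comes from the caller's mTLS certificate (its service
#    account), which is why step 1 has to be in place for this rule to match.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-payments
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charges"]
```

With these three objects applied, a compromised workload elsewhere in the mesh gets a denial from the `payments` sidecar even though it sits inside the same cluster network, and that denial appears in the mesh telemetry.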
Naveen Kumar Birru

Senior Principal Software Engineer @ Palo Alto Networks
