Webinar Recording
How Advanced Identity and API Management Helps You Meeting the Security Challenges of Digital Transformation
The new business environment is increasingly reliant on web and open source applications, with external partners and customers accessing resources via web browsers and social media channels. Employees are also bringing consumer digital habits into the workplace and merging their home and work applications on single devices. Meanwhile, non-traditional groups within the organisation are opting to use open source APIs to build cloud and local applications on the fly. While the new ways of working are considered necessary for continued business health, increased competitiveness and innovation, these trends need to be carefully managed if security is also to be maintained.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, ladies and gentlemen, welcome to our equipping a call webinar, how advanced identity in API management helps you meeting the security challenges of digital transformation. This webinar is supported by deny the speakers today are defined sank, whose vice president marketing and business development at deny all and me Martin Kuppinger I'm CEO, founder, and principal Analyst at KuppingerCole. Before we start trust some quick information about a and some housekeeping information, and then we'll directly dive into the topic. So KuppingerCole is an Analyst company. We were founded back in 2004 are focusing on information security with a strong expertise in identity in access management, but also a lot of other areas concerning the digital transformation. We provide neutral advice, expertise, and so leadership to our customers. We do this through three types of services, which are research, where we provide our research, including our leadership composites, which compare vendors in certain markets segments. We do it through events where we provide things like our European identity and cloud conference. I'll talk about this in a minute, and we do it through advisory where for instance, support customers in making the tools choice and defining the strategy roadmap and all the other challenges they are facing.
When we look at some of the upcoming conferences, there's the next big thing is the consumer identity world tour, which will take place in three locations, which are Singapore, cl and Paris in the timeframe between September and December this year. And then we will do an next generation marketing executive summits next year, February, which is focused on marketing automation and all the trends here. So also affected by GDPR, by consumer identity and other stuff. And then we will do the digital finance world focus on all the changes in security identity, etcetera space, which impact the finance industry, which will be held in end of February next year in Frankfurt. So for the webinar, some guidelines, you are mute centrally, so you don't have to mute or arm mute yourself. We are controlling these features. We are recording the webinar and we will make the podcast recording available by tomorrow.
Latest. Then there will be a Q and a session at the end of the webinar, but however, you can enter questions at any time using the questions, featuring the go to webinar control panel. This control panel is usually at the right side of your screen, and there's an area questions where you can enter your questions. The more we question, the more questions we have, the more likely the discussion will be. Let's have a look at the agenda it's as usual split into three parts in the first part I'll talk about or give a view on the trends I see in secure DevOps, in the context of the digital transformation and on managed digital identities within the organization. The second part, then Ste understand, we'll talk about best practices, practices for secure code and the opportunities for managing APIs to enhance digital transformation. In the third part, finally, we'll do the Q and a session as I already mentioned.
So let's directly start where I wanna start with is looking at the digital transformation. So theoretically, that slide should say, circles of change on top, for some reason, the title trust disappeared. So when we talk about the digital transformation, we have a number of drivers. And when we look at these external drivers, then we on one hand, have these ever increasing attacks, we have to ever change regulations. So we have, which is a little bit in conflict. So on one hand we see more attacks. We have a bigger challenge by regulations. On the other hand, we want to be become more flexible in our business by defining dynamic partnerships, by changing our competitive landscape, we need to do be to provide rapid innovation, which all means we need to be very flexible at trial, which makes it harder to protect against tax, which makes it harder to meet the regulation.
So it's a little bit of a dilemma we are in. We need to move from products to services, earn our money more with services than traditional risk products seems to be seen each area of the business today. And clearly everything becomes connected. So this is, I would say a lot of changes. We are facing this digital transformation and it means that we require as an organization, certain key capabilities and these key capabilities, the three main ones for my perspective are agility as an organization. So be flexible regarding the business models, be flexible regarding the competitive landscape. These are innovativeness. So we need to innovate far more than ever before. And organizational flexibility to adapt to the changes within that digital transformation. We have three key topics we are facing. One is smart manufacturing. The second is know your customer. And the third one is internet of things.
So smart manufacturing or, or industry Porwal as we terminally tend to call it. It's about connecting the physical production with the business processes, know your customers more than trust anti-money anti-money laundering. It's really understanding the customer, serving the customer perfectly well. Then we have all these connected things. And finally, we have these key enabling technologies. And when we look at these key enabling technologies, then I think there are couple of them. And some of them are very closely related to our webinar today. So when we look at these technologies, there's robotics, there are all these sensors, there's blockchain, there's cognitive and AI. There's big data, but there's also security and privacy and there's identity. So to know our customer, to understand which things are owned by a customer, we need to understand the identity of the customers, the identity of the things we need to connect these.
We need to understand the relationships. When we look at security and privacy, it's very clear. We need to act in a very dynamic, highly connected or hyper connected environment, but we need to be compliant. So we need to look at privacy, particularly when we look at the upcoming U GDPR regulation, so general data protection regulation, and we need to understand security. So how can we really secure all these environments? How can we really manage this balance between agility on one hand, new businesses and security and privacy. So we need to understand this, and this is what we talk, we'll talk about in today's webinar. So I'll start with a sample and what we are in fact facing virtually everywhere is what frequently today is called the multi-speed organization. So an organization which acts with different speed for different purposes. And I'll explain this by the banking example.
So banks, on one hand, they have their car banking business and they're still, and will continue serving traditional customers with traditional services customers, which sometimes even still walk into the branch office, which have their payments on paper, which don't use the online banking or only use it. Occasionally on the other hand, there are more among new banking services. There's no new banking business that have also again, driven by regulation. That case the upcoming PSD two, the revised payment services directive, which will indeed you massively impact the way banks operate and the competition day face cetera. So there are traditional and new customers which will use innovative services, which at the end of the day, we rely on the core banking. So to some extent, they go back to this core banking business. And in fact, these banks have to operate in different modes at different speeds, multi speed.
While the core banking business needs to operate stable, reliable at standard speed. The new banking business has to deliver new services extremely rapidly in a very agile way to both existing new customers. So it's here, it's, it's more about agility about competitiveness. So it's definitely a different challenge they facing here in this multi-speed organization. And that's not only true for banks. It's true for virtually every organization because you have to build new services for your customer. You have to innovate, things are changing here and this, this multi-speed, it APIs start playing a very vital role. So we have to core it. And anyway is a core. It is protected by some sort of interface. I just used the term API for reputation programming interface for more traditional and more modern interfaces. And we already might have a more agile it layer around where we build for instance, new types of applications for new types of insurance contracts.
If it's an insurance company or for new types of banking services or for new types of customer service and automotive organization, whatever else. And again, we then might have to open it up for externals. For instance, in banks, driven by the PSD two regulation, they have to support payment initiation and account information access through API. So there's another layer, the alter API layer for external it, that might be even more layers. So, but it put it toge down to three layers. And so we have these APIs and they in fact protect various levels. So the traditional core, it, the more modern, agile it from the outer space, so to speak well where the core, it again, is different acting at a different speed than the actual it and how fast or slow the external it is. That's depends on the externals. So we need to have different layers.
We need to protect these layer. This is where APIs come into play. When APIs coming to believe, we also have to talk about the security of API and in general, about how can we protect all these layers in a consistent, efficient way, which works for all layers with these two layers of protection, so to speak, you know, layer of protection between core and, and agile and the outer layer between the actual it and externals. So the one has more, the focus of protecting the stable core. When we look at it from an inside art perspective or on the other hand, enabling the agility while keeping the core stable. So if you look at some industries, banks, insurance companies, they still have, might have mainframes in data. Is there are many legacy systems which are not very agile. So APIs also give us the ability to become more flexible while protecting this, these key system services and systems, which need to run reliably.
So the out more about exposing about us integrating this mobile app. So it must not be only, or it's not necessary only externals. It might be mobile applications, cetera, but we are clearly facing a lot of challenges here. So how do we authenticate users? How do we users, how do we do the auditing end to end? So how do we know which user has accessed certain core service in the context of a technical user at a certain point of time, we have to scalability things. So how can these things scale particularly if the core layer is not as scalable as we would like it to be version management and many other challenges we are facing here. So API management, API security are one important element, but there are other things like traditional web application firewalls, which are closely related to this and other types of security technologies, I'll touch some of these aspects.
And then Stefan and the second part will go far deeper into detail. So what are the drivers? When I look today at API management and API security, so one important driver, mobile devices and apps, which is part of the transformation. So the more we do with mobile devices is mobile apps. The more we need to protect the API is because all these success, all the success runs through APIs, all the connected business. So all our business partners in the digital transformation, the consumer internet of things. So all these connected things, smart cities, when we look at that part of the world and the business than it's a little bit of different thing, but there clearly we have a lot of challenges in that space because we need to make our cities more smart by whatever information about empty parking lots and all that stuff, public transfer information, but we need to keep it well secured and clearly in the smart manufacturing and industrial internet of things area, we also have more and more these APIs we need to expose as part of industry photo or smart manufacturing, but which we also need to protect very well.
So what are the main requirements for this area? The absolutely main requirement security solutions for security must be secure. They must be also performant because the more layers we have, the challenges, many layers as the, every layer we add has an extra cost in terms of performance. So everything we put in to protect shouldn't add too much to this cost scalability, we need to scale. And when we look at each transformation scaling very important thing, we need to be able to scale massively when we succeed in transformation, standard support, very obvious, yes, and usability should be easy to use. So, you know, when we look at the title of the webinar, diverse a lot in Theran DevOps and digital transformation and other things. So I've talked about digital transformation. I already touched security. Let's have a quick look at DevOps in that context. And DevOps is one of the areas I found will talk about far more in detail when he starts his presentation in a few minutes from now.
So DevOps is development, operations done way where development operations are tightly aligned and building testing and releasing software can happen rapidly, frequently and more reliably. So the idea is to say, I have not won big release every couple of months or years, but I'm very, I have a very continuous stream of in innovation here. And then in this context frequently, this term of NP also pops up, which sometimes is just misre. So in fact, min NP or minimum viable product is a product that has trusted a features to satisfy early customers and to provide feedback for future development. So with that term, we should be a little bit careful. It's more something if we do software development, but we shouldn't end up, shouldn't use it for too many things. So if you say we want to deploy infrastructure and MVP approach, we might end up with having that sufficient things provided.
So when we look at this, there are some obvious questions and many of these will be answered by Stefan. How can we ensure that rapidly release software is sufficiently secure? I think we always should think in not only DevOps ops, but Def sec ops. So development, security, operations, that also means that I'll touch it in my next slide, having an infrastructure, which provides the security service, having, having an infrastructure, which keeps these things secure, how can we ensure that small steps all are heading in the right direction? So if we do DevOps, we do small development steps. We still need a target. We need a roadmap, we need a strategic alignment of all the things we do. And we need to understand what is out scope, what is in scope.
So how don't can we ensure that development doesn't stop after reaching the minimum target as long as there's more needed, if you don't need more fine, but frequently there's a risk of saying, okay, we did this, particularly if it's only internally facing and we did a minimum and we believe it's enough, but we in fact, all know, oh, we will need more over time. And then yeah, we, we, again, we need a strategy. We need to understand what is, what we really need over time in which steps to align our DevOps with what we really need to achieve and how can we ensure that these approaches don't lead to how to manage infrastructure. That's another risk I see. So if we do it wrong, then we might end up with this WEP and DevOps stuff in a way that we say, okay, we do that.
And, oh, right now we need that infrastructure component. We just deploy it. But at the end, we might have a Sue of many, many different infrastructure components where we then end up with a mess and the high cost in managing these. So what we need in this context, we need an application security infrastructures, where we are dynamic in the applications. That's what we need to achieve in the multi speed organization. In the context of the digital transformation, we have the APIs where we have a strong protection here, but where we also have well sought out and stable underlying services. So we have the services which are exposed and we have the building blocks, which provide these services and that part should be stable. So we should, when we look at it for a strategic perspective, have a stable strategic stream for creating our security infrastructure with these building blocks, consistent layer of services, which even remain stable when we change something in the underlying infrastructure and the ability to provide APIs to applications so that applications can consume security as a service. So this is what I see as the most important trends, DevOps, without such an infrastructure inevitably will fail over our time sooner or later with that, I hand over to Stefan who I make the presenter right now. So Stefan is your term.
Thank you, Martin. I hope you can all see my screen now. Yes.
Yes.
All right. So hi, everybody like to be on this call with you. I just want to start with a quick introduction about denial. We're a French company, but we're recently acquired by a German company cybersecurity, and just a little background on the company we were created initially 15 years ago, actually in 2001, that's almost 16 years ago now. And we have sort of pioneered the space of web vacation, firewall working for very large French banks initially. And then for variety of companies in all sorts of verticals, we have 600 customers in more than 30 countries. And I'm gonna tell you a little bit more now about what we do. Indeed. I want to refer to what Martin was talking about a few minutes ago as the, the application security infrastructure or the, the building blocks of that shared application security infrastructure at denial. We have three main products, a warranty manager, which is a, a scanner, which helps organizations identify their assets in their it, and then detect the T prioritize them based on both their technical, the risk that they represent, but also the business value of the assets are attached to and, and, and the tool also helps reduce the attacks effects by remediating assigning tasks to people so that those warranties are remediated.
The second building block is our core web application firewall and web services, firewall products, which obviously the goal of which is to block attacks, to prevent attacks from succeeding, both in terms of, you know, protecting users, interactions, or requests to those backends, but also machine to machine communications. And in recent years, we've added the ability for these products to also evaluate the user reputation. I I'll get back to that in a few minutes. Web access management is another component of that architecture or that infrastructure, which takes care of enforcing the authentication policy to those applications. And also making security simpler for people for users, because we all know that, you know, whenever security is too complicated, people tend to bypass it. And the, the idea is we're able to adjust the authentication mechanism to the user context, making sure that security is an enabler, not doesn't come in the way of people's productivity.
All of these products can be managed deployed, and more importantly than the reporting that one would expect for many security products. These, this architecture, this infrastructure helps people automate the response to changing user's behavior and context. And I'll get back to that in a second, just in, in passing, we're now a subsidiary fully owned subsidy of auto and subs, cyber security at a new division of the auto and TRAs company, which in addition to the web application security firewalls that we just discussed has a varied large portfolio solutions from securing endpoints to securing communications and encryption products and, and network security solutions, which we'll come handy. If you're looking for a solution from a, a trusted vendor. Now let's go back directly into the, the topic of today's webinar, Martin spoken about the need for DevOps to become dev SecOps. And really that's an ongoing effort that many organizations are going through.
I want to reinforce the importance of doing that, not only by training developers on security Matthias, but also really making the security teams that are part of your organization, full members of your DevOps teams. If you're moving to this agility concept, bring these people on board, make them contribute to the design of your, to the overall process from design all the way to delivery. And, and in doing that, also take advantage of the knowledge they have in using tools, such as the ones we're gonna talk about today to make sure that you take the full advantage to the full, you know, benefit from, you know, the, the security, the incremental security that these products provide. When you look at the software development life cycle, you know, starting from, you know, the left, it's very important to be able to assess and evaluate as early as possible in the development life cycle, how secure the code that is produced by your developers is, and that's an intuitive process that requires that at every stage, they scan their application for vulnerable T and then as you embark on delivering the solution to end users, you know, the web application firewall and web services firewall can contribute to that.
Obviously if you have that environment set up as early on in the process as possible without, you know, in order to avoid creating a, a gap in the delivery mode, you can also do what's people referred to as virtual patching, which is the idea that you're able to verify that the WAFF does prevent the exploitation of any verities left in the code. As we'll see in a minute, application, stacks are complex and there tends to be, there's no chance of ever having an application with zero vulnerability. The last component is the authorization policy, the component that the web access manager provide and which takes care of not only the authentication of users, but also of making sure that we're able to automate their response, to changing users' behavior, by adjusting to how people are behaving in the context in which they're connecting to these applications.
So that's the overall framework. I want to talk about two things. Now, first, the application security and, and then how these tools can be used. So first of all, securing applications requires number of things. I want to, you know, go through these six points. Now, first of all, let's take a look at reducing the attack surface, your web applications, your web services, your APIs are, are, are, are, are part of a complex ecosystem of, you know, architecture with multiple technologies involved and focusing on only one layer. The application layer, for example, is the first step, but it's not sufficient. You need to look at the overall stack and be able to identify how the overall system is vulnerable to exploitation by attackers. And so, you know, that's the first first requirement. The second requirement is obviously those APIs we're talking about whether they, you know, support mobile applications or machine to machine communications, enabling, you know, data to be created and shared within your organization or with third party members of your ecosystem, they need to be routed and securely are delivered to, you know, so that, you know, you avoid anybody, you know, leveraging those automated communications to, you know, get in the, in the process, get in the way.
And so, you know, schema validation, authentication message signature and exception are, must have in this space. If you're going to secure your, your overall digital environment, validation is another very important step, which requires that you use the modern tools, the modern methodologies to make sure that your web services, your APIs are, are correctly, you know, are correctly structured. That you're able to point to the areas of weakness possibly, and, and are able to learn and, and dynamically improve the overall security and the overall quality of the code. We'll talk about that in a, in a few minutes, again, protection, sorry, protection against men in the middle attacks is, is essential. Obviously SSL is a must have nowadays, but also, you know, encryption of data and, and the use of signatures is essential to avoiding anybody getting in, in, again, in that data flow and pretending to be a member of the web service to, to get access and impossible, possibly create Ava authentication and authorization.
This is another must. There's plenty of ways to do that. Plenty of industry standards that are being used, some of them are more recent than others. Open ID connect is, is the most recent one. And JWT provides, you know, a way to, to utilize tokens that is very convenient. I wanna spend just a minute explaining what we call adaptive authentication, which sort of bridges, the two words of identity and access management and authentication with the, the need to, to address the, the policy, the protection policy in this very simple workflow would describe what happens when somebody is connecting to the application to a backend. We're looking first at where they're coming from the device they're using. And depending on that, we can adjust the authentication policy to their location, to the device they're using. And all of this can be fully automated so that, you know, you, you're, you're setting up a policy and it's being enforced automatically by, by the system, but are a large portion of the traffic that are, you know, ting or, you know, being dealt with on a daily basis by your applications, the best way as we found to, to remedy bots, to make sure that we don't block the good bots, but prevent the malicious bots from hitting your infrastructure from consuming the, your bandwidth from bringing down your services or your, your APIs is what we call user reputation.
And it's the idea that we can actually monitor how people are using the applications that are being protected to prevent people from abusing their rights they have been given, and also to prevent, you know, bad things from happening when somebody's identity has been stolen or, or spoofed. Again, we're getting back to this. If you're interested in a, a bit later in that second part of my presentation, I wanna talk to you how about how the application security tools that I was referring to earlier can be used and leveraged by DevOps, or should I say, dev SecOps teams to, to, to improve the quality of their work? The first thing we're gonna talk about is automation Ws in particular, but also scanning tools have evolved a lot recently and they all can now be industrialized in their deployment and their configuration via APIs APIs to protect APIs, to make sure that the process of setting up the right level of protection, their shared services that Martin was talking about are, is, is done in an industrial way, especially as you know, new services require new, new, new machines, new virtual machines, new control environments to be set up.
The second point is the, the ability to learn how the application works. And here, we're gonna talk about a, a sort of an intuitive process between the developers and the security tools to make sure that we are creating an application that is secure by design and Alexei actually also embeds, you know, privacy by design requirements brought to, to us by the JDR. So you, in this slide, we, we exemplify what can be done. A developer can basically learn, teach the web application file, how the application should be, you know, working. And so what's what we also call whitelist is the ability to teach the WAFF, what is normal behavior or normal usage of the application? That same process technology can be used also to scan the application, feeding the, the scanner with the same information from the same swagger file, for example, and enriching that information with new information delivered by the scanner on how vulnerable certain parts of the application are that back and forth exchange of information and enrichment of information helps the developers then go to the next page, which is to, to fine tune the security policy, to make sure that any remaining vulnerability in the code or in the stack of the, in the overall application is not going to be exploitable by an attacker or a, you know, misbehaving user that per that process of virtual patching is, is now very functional.
Thanks to the, you know, the support of industry standards there says open API or, or swagger with. It's the idea that a lot of the sort of heavy duty activities related to the exploitation of web kitchen firewalls can now be resolved or can be reduced in terms of the time they consume false positive has always been and will remain the issue with security for the longest time. We are now in the, in web, in modern application web application firewalls, the ability to do a, a quick resolve that is to create exceptions very easily for all of the based on all of the events that have been collected and with a view to, to make sure that people don't spend too much time in the WAFF, but actually creating agile applications and last but not least being able to monitor how the application is performing both in terms of performance itself, but also in terms of security, that's an ongoing effort then can be, that can be automated DevOps or dev secs teams can now take advantage of the reporting features built into all of these products to, to monitor how, how well the applications are performing.
And so if I want to summarize, I wanna say that I think the move to a dev sec ops approach is, is a must. The efforts that organizations are making to, to move to an agile, you know, approach are important. They are costly, and they are, they, they, they are rewarding, but the risk that people are taking by not embedding security in the very fabric of that method is, is to lose, you know, is to sacrifice security or, or data privacy. And that's probably an effort that people don't want to, or a risk that people don't want to take. I think it's pretty obvious nowadays, that security and agility are compatible. It's just a need. It's just a matter of making the right investments. As I discussed before, I think DevOps dev secs teams can take advantage of some of the automation that is happening in application security tools.
We've talked about how the WF and the scanner can work together as early on in the process as possible to automate things, to make sure that the policy is, is effective and to also automate the, the remediation of vulnerabilities. And finally, I want to leave you with the, the idea of the notion that denial has a, you know, has put together a best of breed platform for securing your APIs, your web services and your web applications, whether we're talking about web applications or mobile applications, with a combination of, you know, the ability to test applications for security, to protect APIs and web apps and web services, and also to incorporate the, the user paradigm and make sure that security is easy for users. And we're also able to monitor their behavior and to prevent them from doing the wrong things with that. Martin, I want give it back to you,
Stefan, thank you very much for your presentation and the insight you provided. And so I'll hand back to my screen. And as I've said earlier, we right now want to start with our Q and a session. So it's your opportunity to enter questions so that we can pick your questions. You already have a couple of questions here. And so the more, as I've said, the more questions we have, the more likely our discussion will be. So, Stefan, I think the first question is for you. And I think it's a very interesting one. So Wes are sad to require a lot of experts tuning, so not easy to manage. So, so how can DevOps teams where, you know, where, where the applications sort of are changed, rather dynamically can take advantage of them. So on one hand, the experts and the complex tuning, which is the conceptual many people have, which might, might not be true. And on the other hand, the need for agility and DevOps,
Right? So I think we've touched on some of the answers to that. When I talked about the ability for the, for modern waves to learn the application, the, the way it's structured to enrich that with the information from the Verity scanner, so that, you know, developers, as they create the application are aware of the, the risks that exist. I haven't shown this, but there's also, it's possible today to set up a WAFF in matter of minutes, you know, by, you know, there there's some automation built into these products nowadays that helps identify the nature of the application. Even before you perform a scan to identify whether it's an ASAP application or a WordPress application or PHP application, and to, to sort of suggest a, a recommended predefined policy that helps the DevOps team be up and running with a functional wha in a matter, in matter of seconds, but you're right.
There's a, maybe a preconceived notion or a narrated notion that WAFs are complicated. Indeed. They are very powerful tools that, you know, people with the right level of expertise can do a lot of things with in terms of tuning. But I think the, the industry as a whole is moving towards, you know, a notion of simplification via the, the technologies of application learning and whitelist and making sure that, you know, you don't spend too much time tuning the configuration, but focus on the, the deliverable, the, the user experience, the functionality that you want to deliver without sacrificing security.
Okay. So, so what you're saying is that waves are, are far easy to manage than they have been before far automated. And so it works well for DevOps.
Yeah. We're, we're moving in the right direction. Let's put it this way, Martin. It's not perfect. The word is not perfect yet, but yeah, but I
Think it's, it's, that's true for everything regardless of what you do. So if you have a very dynamic changing environment, you always need to catch up with the security part to make it work and, and make it secure. So you also talked about reputation. So how do you track user behavior and how do you respond accordingly?
So, yeah, I touched on this very briefly on didn't want to, to, but the, the interesting notion there is we're able now to look not only on a transaction by transaction level, what is happening? Is there anything in the request that is a, a threat, but also look at how and how people are using the applications that are protected over time and being able to, to set a, sort of a, a standard for what is normal behavior, normal usage of the application, and what's what differentiates from that normal behavior or that safe behavior. Let's me take an example. Let's assume you're connecting from the co call network using a machine that your, it, you know, controls and maintains state of security that is compliant with security. You're accessing a very critical application that your company uses. And then, you know, your, you want to go have a coffee or, you know, work from home.
You're now connecting via maybe a different device using a, a, a network that is not the corporate network that is maybe a 3g line or wifi connection, very, so much more, so much less trusted than the corporate network. The question there is, is do you want to provide the same level of access, or do you want to log the information and maybe sort of reduce the level of trustworthy enough of that access to, to, to the applications with user reputation scoring, we're able to basically assign, you know, scores to those various events of your normal usage and detect what is increase or decrease that, that score based on, on how you're behaving. So, for example, you're connecting from a wifi network, maybe reducing the trustworthy, the trustworthiness of that connection until such time, as you start doing things are really on the edge of being normal, like, you know, connecting at the, at the time, which is unusual or from a location that is, you know, that is possibly dangerous.
I don't want to point to any particular countries, but, you know, maybe the corporate place says that in your, if you're in certain areas of the world, that then the, you know, we don't trust the connections from that region of the world, for example. So that score evolves over time. And the modern waves allow you to basically, you know, assign thresholds and adjust the policy, including the authentication policy or the filtering policy to that evolving score. If your score, your, your score, your user reputation comes down on one certain level. We may, we may require, you know, we may send you an authentication challenge, like a second factor authentication to make sure that it's really you connecting from, let's say China, or if you're starting to attack the application, because somehow your idea has been compromised or your, I don't know, your, your device, the device that you're using is, is actually infected with some malware. We may actually redirect you to a, an area of the application that is, you know, that is less, that is exposing less critical data until such time as a remediation can be, can be crafted and implemented. So that's the sort of logic that we're building into these products to make them a lot more automated in their ability to respond to a changing user context.
Okay. So to the audience a great time right now to enter questions, if you have any, I have one more question here. I think it relates well to the reputation and user tracking topic. So what is the impact of GDPR here? What is the impact of GDPR and applications? We all know it's one of the upcoming regulations that it will have a massive impact with all the various changes it brings for us.
Yeah. So GDPR is a, is a whole topic. We should do a webinar, especially on that, but let me, let me point out a few issues or a few things that arching, you know, this notion of new rights for users, including the, the right to, to, to provide consent for a certain transaction. And then to remove that consent over time, or the ability to, you know, to, for your records to be modified and deleted the right to be forgotten. These, these new requirements are going to, you know, increase the burden on the DevOps teams or the developers in general, to, to design a, you know, a user experience that is compliant. So the ability, you know, the interfaces is going to have to evolve to provide that ability to remove my, for example, or to ask, to be deleted. That is going to have also an impact on the way databases, the backend databases of these applications are designed.
And there's a lot more, you know, issues of that nature. If you think about it, you know, GDPR talks a lot also about anonymization of data and the use of encryption within the applications or in the backend systems infrastructures between remote remote data centers, for example, to make sure that the data, the, the data remains private, even while it's circulating in a very distributed environment. There's another, you know, topic that I think is going to have a major impact with, with the design, the way applications is designed is the way we're supposed to be. We're all supposed to be able to identify and report incidents in a, in a very short timeframe. I, that I think is going to be a, a very significant operational challenge for, for many organizations around the world. So hundreds, if not thousands of applications are going have to be changed and modified to, to, to deal with that, to be able to identify issues and to report them either to the authorities and or to the, the users themselves, cuz that there's a few cases where, where people are gonna have to do that.
Okay. Stefan, thank you very much for this very extensive answer. I think we had a very interesting webinar today. Some very interesting questions and answers. So I'd like to thank you. You Stefan for your presentation. I'd like to thank you all the attendees for participating this call webinar. Hope to have you soon in one of the other upcoming call webinars or see you on one of our events. Thank you very much.
Thank you Martin. And thank you everybody.
When we look at some of the upcoming conferences, there's the next big thing is the consumer identity world tour, which will take place in three locations, which are Singapore, cl and Paris in the timeframe between September and December this year. And then we will do an next generation marketing executive summits next year, February, which is focused on marketing automation and all the trends here. So also affected by GDPR, by consumer identity and other stuff. And then we will do the digital finance world focus on all the changes in security identity, etcetera space, which impact the finance industry, which will be held in end of February next year in Frankfurt. So for the webinar, some guidelines, you are mute centrally, so you don't have to mute or arm mute yourself. We are controlling these features. We are recording the webinar and we will make the podcast recording available by tomorrow.
Latest. Then there will be a Q and a session at the end of the webinar, but however, you can enter questions at any time using the questions, featuring the go to webinar control panel. This control panel is usually at the right side of your screen, and there's an area questions where you can enter your questions. The more we question, the more questions we have, the more likely the discussion will be. Let's have a look at the agenda it's as usual split into three parts in the first part I'll talk about or give a view on the trends I see in secure DevOps, in the context of the digital transformation and on managed digital identities within the organization. The second part, then Ste understand, we'll talk about best practices, practices for secure code and the opportunities for managing APIs to enhance digital transformation. In the third part, finally, we'll do the Q and a session as I already mentioned.
So let's directly start where I wanna start with is looking at the digital transformation. So theoretically, that slide should say, circles of change on top, for some reason, the title trust disappeared. So when we talk about the digital transformation, we have a number of drivers. And when we look at these external drivers, then we on one hand, have these ever increasing attacks, we have to ever change regulations. So we have, which is a little bit in conflict. So on one hand we see more attacks. We have a bigger challenge by regulations. On the other hand, we want to be become more flexible in our business by defining dynamic partnerships, by changing our competitive landscape, we need to do be to provide rapid innovation, which all means we need to be very flexible at trial, which makes it harder to protect against tax, which makes it harder to meet the regulation.
So it's a little bit of a dilemma we are in. We need to move from products to services, earn our money more with services than traditional risk products seems to be seen each area of the business today. And clearly everything becomes connected. So this is, I would say a lot of changes. We are facing this digital transformation and it means that we require as an organization, certain key capabilities and these key capabilities, the three main ones for my perspective are agility as an organization. So be flexible regarding the business models, be flexible regarding the competitive landscape. These are innovativeness. So we need to innovate far more than ever before. And organizational flexibility to adapt to the changes within that digital transformation. We have three key topics we are facing. One is smart manufacturing. The second is know your customer. And the third one is internet of things.
So smart manufacturing or, or industry Porwal as we terminally tend to call it. It's about connecting the physical production with the business processes, know your customers more than trust anti-money anti-money laundering. It's really understanding the customer, serving the customer perfectly well. Then we have all these connected things. And finally, we have these key enabling technologies. And when we look at these key enabling technologies, then I think there are couple of them. And some of them are very closely related to our webinar today. So when we look at these technologies, there's robotics, there are all these sensors, there's blockchain, there's cognitive and AI. There's big data, but there's also security and privacy and there's identity. So to know our customer, to understand which things are owned by a customer, we need to understand the identity of the customers, the identity of the things we need to connect these.
We need to understand the relationships. When we look at security and privacy, it's very clear. We need to act in a very dynamic, highly connected or hyper connected environment, but we need to be compliant. So we need to look at privacy, particularly when we look at the upcoming U GDPR regulation, so general data protection regulation, and we need to understand security. So how can we really secure all these environments? How can we really manage this balance between agility on one hand, new businesses and security and privacy. So we need to understand this, and this is what we talk, we'll talk about in today's webinar. So I'll start with a sample and what we are in fact facing virtually everywhere is what frequently today is called the multi-speed organization. So an organization which acts with different speed for different purposes. And I'll explain this by the banking example.
So banks, on one hand, they have their car banking business and they're still, and will continue serving traditional customers with traditional services customers, which sometimes even still walk into the branch office, which have their payments on paper, which don't use the online banking or only use it. Occasionally on the other hand, there are more among new banking services. There's no new banking business that have also again, driven by regulation. That case the upcoming PSD two, the revised payment services directive, which will indeed you massively impact the way banks operate and the competition day face cetera. So there are traditional and new customers which will use innovative services, which at the end of the day, we rely on the core banking. So to some extent, they go back to this core banking business. And in fact, these banks have to operate in different modes at different speeds, multi speed.
While the core banking business needs to operate stable, reliable at standard speed. The new banking business has to deliver new services extremely rapidly in a very agile way to both existing new customers. So it's here, it's, it's more about agility about competitiveness. So it's definitely a different challenge they facing here in this multi-speed organization. And that's not only true for banks. It's true for virtually every organization because you have to build new services for your customer. You have to innovate, things are changing here and this, this multi-speed, it APIs start playing a very vital role. So we have to core it. And anyway is a core. It is protected by some sort of interface. I just used the term API for reputation programming interface for more traditional and more modern interfaces. And we already might have a more agile it layer around where we build for instance, new types of applications for new types of insurance contracts.
If it's an insurance company or for new types of banking services or for new types of customer service and automotive organization, whatever else. And again, we then might have to open it up for externals. For instance, in banks, driven by the PSD two regulation, they have to support payment initiation and account information access through API. So there's another layer, the alter API layer for external it, that might be even more layers. So, but it put it toge down to three layers. And so we have these APIs and they in fact protect various levels. So the traditional core, it, the more modern, agile it from the outer space, so to speak well where the core, it again, is different acting at a different speed than the actual it and how fast or slow the external it is. That's depends on the externals. So we need to have different layers.
We need to protect these layer. This is where APIs come into play. When APIs coming to believe, we also have to talk about the security of API and in general, about how can we protect all these layers in a consistent, efficient way, which works for all layers with these two layers of protection, so to speak, you know, layer of protection between core and, and agile and the outer layer between the actual it and externals. So the one has more, the focus of protecting the stable core. When we look at it from an inside art perspective or on the other hand, enabling the agility while keeping the core stable. So if you look at some industries, banks, insurance companies, they still have, might have mainframes in data. Is there are many legacy systems which are not very agile. So APIs also give us the ability to become more flexible while protecting this, these key system services and systems, which need to run reliably.
So the out more about exposing about us integrating this mobile app. So it must not be only, or it's not necessary only externals. It might be mobile applications, cetera, but we are clearly facing a lot of challenges here. So how do we authenticate users? How do we users, how do we do the auditing end to end? So how do we know which user has accessed certain core service in the context of a technical user at a certain point of time, we have to scalability things. So how can these things scale particularly if the core layer is not as scalable as we would like it to be version management and many other challenges we are facing here. So API management, API security are one important element, but there are other things like traditional web application firewalls, which are closely related to this and other types of security technologies, I'll touch some of these aspects.
And then Stefan and the second part will go far deeper into detail. So what are the drivers? When I look today at API management and API security, so one important driver, mobile devices and apps, which is part of the transformation. So the more we do with mobile devices is mobile apps. The more we need to protect the API is because all these success, all the success runs through APIs, all the connected business. So all our business partners in the digital transformation, the consumer internet of things. So all these connected things, smart cities, when we look at that part of the world and the business than it's a little bit of different thing, but there clearly we have a lot of challenges in that space because we need to make our cities more smart by whatever information about empty parking lots and all that stuff, public transfer information, but we need to keep it well secured and clearly in the smart manufacturing and industrial internet of things area, we also have more and more these APIs we need to expose as part of industry photo or smart manufacturing, but which we also need to protect very well.
So what are the main requirements for this area? The absolutely main requirement security solutions for security must be secure. They must be also performant because the more layers we have, the challenges, many layers as the, every layer we add has an extra cost in terms of performance. So everything we put in to protect shouldn't add too much to this cost scalability, we need to scale. And when we look at each transformation scaling very important thing, we need to be able to scale massively when we succeed in transformation, standard support, very obvious, yes, and usability should be easy to use. So, you know, when we look at the title of the webinar, diverse a lot in Theran DevOps and digital transformation and other things. So I've talked about digital transformation. I already touched security. Let's have a quick look at DevOps in that context. And DevOps is one of the areas I found will talk about far more in detail when he starts his presentation in a few minutes from now.
So DevOps is development, operations done way where development operations are tightly aligned and building testing and releasing software can happen rapidly, frequently and more reliably. So the idea is to say, I have not won big release every couple of months or years, but I'm very, I have a very continuous stream of in innovation here. And then in this context frequently, this term of NP also pops up, which sometimes is just misre. So in fact, min NP or minimum viable product is a product that has trusted a features to satisfy early customers and to provide feedback for future development. So with that term, we should be a little bit careful. It's more something if we do software development, but we shouldn't end up, shouldn't use it for too many things. So if you say we want to deploy infrastructure and MVP approach, we might end up with having that sufficient things provided.
So when we look at this, there are some obvious questions and many of these will be answered by Stefan. How can we ensure that rapidly release software is sufficiently secure? I think we always should think in not only DevOps ops, but Def sec ops. So development, security, operations, that also means that I'll touch it in my next slide, having an infrastructure, which provides the security service, having, having an infrastructure, which keeps these things secure, how can we ensure that small steps all are heading in the right direction? So if we do DevOps, we do small development steps. We still need a target. We need a roadmap, we need a strategic alignment of all the things we do. And we need to understand what is out scope, what is in scope.
So how don't can we ensure that development doesn't stop after reaching the minimum target as long as there's more needed, if you don't need more fine, but frequently there's a risk of saying, okay, we did this, particularly if it's only internally facing and we did a minimum and we believe it's enough, but we in fact, all know, oh, we will need more over time. And then yeah, we, we, again, we need a strategy. We need to understand what is, what we really need over time in which steps to align our DevOps with what we really need to achieve and how can we ensure that these approaches don't lead to how to manage infrastructure. That's another risk I see. So if we do it wrong, then we might end up with this WEP and DevOps stuff in a way that we say, okay, we do that.
And, oh, right now we need that infrastructure component. We just deploy it. But at the end, we might have a Sue of many, many different infrastructure components where we then end up with a mess and the high cost in managing these. So what we need in this context, we need an application security infrastructures, where we are dynamic in the applications. That's what we need to achieve in the multi speed organization. In the context of the digital transformation, we have the APIs where we have a strong protection here, but where we also have well sought out and stable underlying services. So we have the services which are exposed and we have the building blocks, which provide these services and that part should be stable. So we should, when we look at it for a strategic perspective, have a stable strategic stream for creating our security infrastructure with these building blocks, consistent layer of services, which even remain stable when we change something in the underlying infrastructure and the ability to provide APIs to applications so that applications can consume security as a service. So this is what I see as the most important trends, DevOps, without such an infrastructure inevitably will fail over our time sooner or later with that, I hand over to Stefan who I make the presenter right now. So Stefan is your term.
Thank you, Martin. I hope you can all see my screen now. Yes.
Yes.
All right. So hi, everybody like to be on this call with you. I just want to start with a quick introduction about denial. We're a French company, but we're recently acquired by a German company cybersecurity, and just a little background on the company we were created initially 15 years ago, actually in 2001, that's almost 16 years ago now. And we have sort of pioneered the space of web vacation, firewall working for very large French banks initially. And then for variety of companies in all sorts of verticals, we have 600 customers in more than 30 countries. And I'm gonna tell you a little bit more now about what we do. Indeed. I want to refer to what Martin was talking about a few minutes ago as the, the application security infrastructure or the, the building blocks of that shared application security infrastructure at denial. We have three main products, a warranty manager, which is a, a scanner, which helps organizations identify their assets in their it, and then detect the T prioritize them based on both their technical, the risk that they represent, but also the business value of the assets are attached to and, and, and the tool also helps reduce the attacks effects by remediating assigning tasks to people so that those warranties are remediated.
The second building block is our core web application firewall and web services, firewall products, which obviously the goal of which is to block attacks, to prevent attacks from succeeding, both in terms of, you know, protecting users, interactions, or requests to those backends, but also machine to machine communications. And in recent years, we've added the ability for these products to also evaluate the user reputation. I I'll get back to that in a few minutes. Web access management is another component of that architecture or that infrastructure, which takes care of enforcing the authentication policy to those applications. And also making security simpler for people for users, because we all know that, you know, whenever security is too complicated, people tend to bypass it. And the, the idea is we're able to adjust the authentication mechanism to the user context, making sure that security is an enabler, not doesn't come in the way of people's productivity.
All of these products can be managed deployed, and more importantly than the reporting that one would expect for many security products. These, this architecture, this infrastructure helps people automate the response to changing user's behavior and context. And I'll get back to that in a second, just in, in passing, we're now a subsidiary fully owned subsidy of auto and subs, cyber security at a new division of the auto and TRAs company, which in addition to the web application security firewalls that we just discussed has a varied large portfolio solutions from securing endpoints to securing communications and encryption products and, and network security solutions, which we'll come handy. If you're looking for a solution from a, a trusted vendor. Now let's go back directly into the, the topic of today's webinar, Martin spoken about the need for DevOps to become dev SecOps. And really that's an ongoing effort that many organizations are going through.
I want to reinforce the importance of doing that, not only by training developers on security Matthias, but also really making the security teams that are part of your organization, full members of your DevOps teams. If you're moving to this agility concept, bring these people on board, make them contribute to the design of your, to the overall process from design all the way to delivery. And, and in doing that, also take advantage of the knowledge they have in using tools, such as the ones we're gonna talk about today to make sure that you take the full advantage to the full, you know, benefit from, you know, the, the security, the incremental security that these products provide. When you look at the software development life cycle, you know, starting from, you know, the left, it's very important to be able to assess and evaluate as early as possible in the development life cycle, how secure the code that is produced by your developers is, and that's an intuitive process that requires that at every stage, they scan their application for vulnerable T and then as you embark on delivering the solution to end users, you know, the web application firewall and web services firewall can contribute to that.
Obviously if you have that environment set up as early on in the process as possible without, you know, in order to avoid creating a, a gap in the delivery mode, you can also do what's people referred to as virtual patching, which is the idea that you're able to verify that the WAFF does prevent the exploitation of any verities left in the code. As we'll see in a minute, application, stacks are complex and there tends to be, there's no chance of ever having an application with zero vulnerability. The last component is the authorization policy, the component that the web access manager provide and which takes care of not only the authentication of users, but also of making sure that we're able to automate their response, to changing users' behavior, by adjusting to how people are behaving in the context in which they're connecting to these applications.
So that's the overall framework. I want to talk about two things. Now, first, the application security and, and then how these tools can be used. So first of all, securing applications requires number of things. I want to, you know, go through these six points. Now, first of all, let's take a look at reducing the attack surface, your web applications, your web services, your APIs are, are, are, are, are part of a complex ecosystem of, you know, architecture with multiple technologies involved and focusing on only one layer. The application layer, for example, is the first step, but it's not sufficient. You need to look at the overall stack and be able to identify how the overall system is vulnerable to exploitation by attackers. And so, you know, that's the first first requirement. The second requirement is obviously those APIs we're talking about whether they, you know, support mobile applications or machine to machine communications, enabling, you know, data to be created and shared within your organization or with third party members of your ecosystem, they need to be routed and securely are delivered to, you know, so that, you know, you avoid anybody, you know, leveraging those automated communications to, you know, get in the, in the process, get in the way.
And so, you know, schema validation, authentication message signature and exception are, must have in this space. If you're going to secure your, your overall digital environment, validation is another very important step, which requires that you use the modern tools, the modern methodologies to make sure that your web services, your APIs are, are correctly, you know, are correctly structured. That you're able to point to the areas of weakness possibly, and, and are able to learn and, and dynamically improve the overall security and the overall quality of the code. We'll talk about that in a, in a few minutes, again, protection, sorry, protection against men in the middle attacks is, is essential. Obviously SSL is a must have nowadays, but also, you know, encryption of data and, and the use of signatures is essential to avoiding anybody getting in, in, again, in that data flow and pretending to be a member of the web service to, to get access and impossible, possibly create Ava authentication and authorization.
This is another must. There's plenty of ways to do that. Plenty of industry standards that are being used, some of them are more recent than others. Open ID connect is, is the most recent one. And JWT provides, you know, a way to, to utilize tokens that is very convenient. I wanna spend just a minute explaining what we call adaptive authentication, which sort of bridges, the two words of identity and access management and authentication with the, the need to, to address the, the policy, the protection policy in this very simple workflow would describe what happens when somebody is connecting to the application to a backend. We're looking first at where they're coming from the device they're using. And depending on that, we can adjust the authentication policy to their location, to the device they're using. And all of this can be fully automated so that, you know, you, you're, you're setting up a policy and it's being enforced automatically by, by the system, but are a large portion of the traffic that are, you know, ting or, you know, being dealt with on a daily basis by your applications, the best way as we found to, to remedy bots, to make sure that we don't block the good bots, but prevent the malicious bots from hitting your infrastructure from consuming the, your bandwidth from bringing down your services or your, your APIs is what we call user reputation.
And it's the idea that we can actually monitor how people are using the applications that are being protected to prevent people from abusing their rights they have been given, and also to prevent, you know, bad things from happening when somebody's identity has been stolen or, or spoofed. Again, we're getting back to this. If you're interested in a, a bit later in that second part of my presentation, I wanna talk to you how about how the application security tools that I was referring to earlier can be used and leveraged by DevOps, or should I say, dev SecOps teams to, to, to improve the quality of their work? The first thing we're gonna talk about is automation Ws in particular, but also scanning tools have evolved a lot recently and they all can now be industrialized in their deployment and their configuration via APIs APIs to protect APIs, to make sure that the process of setting up the right level of protection, their shared services that Martin was talking about are, is, is done in an industrial way, especially as you know, new services require new, new, new machines, new virtual machines, new control environments to be set up.
The second point is the, the ability to learn how the application works. And here, we're gonna talk about a, a sort of an intuitive process between the developers and the security tools to make sure that we are creating an application that is secure by design and Alexei actually also embeds, you know, privacy by design requirements brought to, to us by the JDR. So you, in this slide, we, we exemplify what can be done. A developer can basically learn, teach the web application file, how the application should be, you know, working. And so what's what we also call whitelist is the ability to teach the WAFF, what is normal behavior or normal usage of the application? That same process technology can be used also to scan the application, feeding the, the scanner with the same information from the same swagger file, for example, and enriching that information with new information delivered by the scanner on how vulnerable certain parts of the application are that back and forth exchange of information and enrichment of information helps the developers then go to the next page, which is to, to fine tune the security policy, to make sure that any remaining vulnerability in the code or in the stack of the, in the overall application is not going to be exploitable by an attacker or a, you know, misbehaving user that per that process of virtual patching is, is now very functional.
Thanks to the, you know, the support of industry standards there says open API or, or swagger with. It's the idea that a lot of the sort of heavy duty activities related to the exploitation of web kitchen firewalls can now be resolved or can be reduced in terms of the time they consume false positive has always been and will remain the issue with security for the longest time. We are now in the, in web, in modern application web application firewalls, the ability to do a, a quick resolve that is to create exceptions very easily for all of the based on all of the events that have been collected and with a view to, to make sure that people don't spend too much time in the WAFF, but actually creating agile applications and last but not least being able to monitor how the application is performing both in terms of performance itself, but also in terms of security, that's an ongoing effort then can be, that can be automated DevOps or dev secs teams can now take advantage of the reporting features built into all of these products to, to monitor how, how well the applications are performing.
And so if I want to summarize, I wanna say that I think the move to a dev sec ops approach is, is a must. The efforts that organizations are making to, to move to an agile, you know, approach are important. They are costly, and they are, they, they, they are rewarding, but the risk that people are taking by not embedding security in the very fabric of that method is, is to lose, you know, is to sacrifice security or, or data privacy. And that's probably an effort that people don't want to, or a risk that people don't want to take. I think it's pretty obvious nowadays, that security and agility are compatible. It's just a need. It's just a matter of making the right investments. As I discussed before, I think DevOps dev secs teams can take advantage of some of the automation that is happening in application security tools.
We've talked about how the WF and the scanner can work together as early on in the process as possible to automate things, to make sure that the policy is, is effective and to also automate the, the remediation of vulnerabilities. And finally, I want to leave you with the, the idea of the notion that denial has a, you know, has put together a best of breed platform for securing your APIs, your web services and your web applications, whether we're talking about web applications or mobile applications, with a combination of, you know, the ability to test applications for security, to protect APIs and web apps and web services, and also to incorporate the, the user paradigm and make sure that security is easy for users. And we're also able to monitor their behavior and to prevent them from doing the wrong things with that. Martin, I want give it back to you,
Stefan, thank you very much for your presentation and the insight you provided. And so I'll hand back to my screen. And as I've said earlier, we right now want to start with our Q and a session. So it's your opportunity to enter questions so that we can pick your questions. You already have a couple of questions here. And so the more, as I've said, the more questions we have, the more likely our discussion will be. So, Stefan, I think the first question is for you. And I think it's a very interesting one. So Wes are sad to require a lot of experts tuning, so not easy to manage. So, so how can DevOps teams where, you know, where, where the applications sort of are changed, rather dynamically can take advantage of them. So on one hand, the experts and the complex tuning, which is the conceptual many people have, which might, might not be true. And on the other hand, the need for agility and DevOps,
Right? So I think we've touched on some of the answers to that. When I talked about the ability for the, for modern waves to learn the application, the, the way it's structured to enrich that with the information from the Verity scanner, so that, you know, developers, as they create the application are aware of the, the risks that exist. I haven't shown this, but there's also, it's possible today to set up a WAFF in matter of minutes, you know, by, you know, there there's some automation built into these products nowadays that helps identify the nature of the application. Even before you perform a scan to identify whether it's an ASAP application or a WordPress application or PHP application, and to, to sort of suggest a, a recommended predefined policy that helps the DevOps team be up and running with a functional wha in a matter, in matter of seconds, but you're right.
There's a, maybe a preconceived notion or a narrated notion that WAFs are complicated. Indeed. They are very powerful tools that, you know, people with the right level of expertise can do a lot of things with in terms of tuning. But I think the, the industry as a whole is moving towards, you know, a notion of simplification via the, the technologies of application learning and whitelist and making sure that, you know, you don't spend too much time tuning the configuration, but focus on the, the deliverable, the, the user experience, the functionality that you want to deliver without sacrificing security.
Okay. So, so what you're saying is that waves are, are far easy to manage than they have been before far automated. And so it works well for DevOps.
Yeah. We're, we're moving in the right direction. Let's put it this way, Martin. It's not perfect. The word is not perfect yet, but yeah, but I
Think it's, it's, that's true for everything regardless of what you do. So if you have a very dynamic changing environment, you always need to catch up with the security part to make it work and, and make it secure. So you also talked about reputation. So how do you track user behavior and how do you respond accordingly?
So, yeah, I touched on this very briefly on didn't want to, to, but the, the interesting notion there is we're able now to look not only on a transaction by transaction level, what is happening? Is there anything in the request that is a, a threat, but also look at how and how people are using the applications that are protected over time and being able to, to set a, sort of a, a standard for what is normal behavior, normal usage of the application, and what's what differentiates from that normal behavior or that safe behavior. Let's me take an example. Let's assume you're connecting from the co call network using a machine that your, it, you know, controls and maintains state of security that is compliant with security. You're accessing a very critical application that your company uses. And then, you know, your, you want to go have a coffee or, you know, work from home.
You're now connecting via maybe a different device using a, a, a network that is not the corporate network that is maybe a 3g line or wifi connection, very, so much more, so much less trusted than the corporate network. The question there is, is do you want to provide the same level of access, or do you want to log the information and maybe sort of reduce the level of trustworthy enough of that access to, to, to the applications with user reputation scoring, we're able to basically assign, you know, scores to those various events of your normal usage and detect what is increase or decrease that, that score based on, on how you're behaving. So, for example, you're connecting from a wifi network, maybe reducing the trustworthy, the trustworthiness of that connection until such time, as you start doing things are really on the edge of being normal, like, you know, connecting at the, at the time, which is unusual or from a location that is, you know, that is possibly dangerous.
I don't want to point to any particular countries, but, you know, maybe the corporate place says that in your, if you're in certain areas of the world, that then the, you know, we don't trust the connections from that region of the world, for example. So that score evolves over time. And the modern waves allow you to basically, you know, assign thresholds and adjust the policy, including the authentication policy or the filtering policy to that evolving score. If your score, your, your score, your user reputation comes down on one certain level. We may, we may require, you know, we may send you an authentication challenge, like a second factor authentication to make sure that it's really you connecting from, let's say China, or if you're starting to attack the application, because somehow your idea has been compromised or your, I don't know, your, your device, the device that you're using is, is actually infected with some malware. We may actually redirect you to a, an area of the application that is, you know, that is less, that is exposing less critical data until such time as a remediation can be, can be crafted and implemented. So that's the sort of logic that we're building into these products to make them a lot more automated in their ability to respond to a changing user context.
Okay. So to the audience a great time right now to enter questions, if you have any, I have one more question here. I think it relates well to the reputation and user tracking topic. So what is the impact of GDPR here? What is the impact of GDPR and applications? We all know it's one of the upcoming regulations that it will have a massive impact with all the various changes it brings for us.
Yeah. So GDPR is a, is a whole topic. We should do a webinar, especially on that, but let me, let me point out a few issues or a few things that arching, you know, this notion of new rights for users, including the, the right to, to, to provide consent for a certain transaction. And then to remove that consent over time, or the ability to, you know, to, for your records to be modified and deleted the right to be forgotten. These, these new requirements are going to, you know, increase the burden on the DevOps teams or the developers in general, to, to design a, you know, a user experience that is compliant. So the ability, you know, the interfaces is going to have to evolve to provide that ability to remove my, for example, or to ask, to be deleted. That is going to have also an impact on the way databases, the backend databases of these applications are designed.
And there's a lot more, you know, issues of that nature. If you think about it, you know, GDPR talks a lot also about anonymization of data and the use of encryption within the applications or in the backend systems infrastructures between remote remote data centers, for example, to make sure that the data, the, the data remains private, even while it's circulating in a very distributed environment. There's another, you know, topic that I think is going to have a major impact with, with the design, the way applications is designed is the way we're supposed to be. We're all supposed to be able to identify and report incidents in a, in a very short timeframe. I, that I think is going to be a, a very significant operational challenge for, for many organizations around the world. So hundreds, if not thousands of applications are going have to be changed and modified to, to, to deal with that, to be able to identify issues and to report them either to the authorities and or to the, the users themselves, cuz that there's a few cases where, where people are gonna have to do that.
Okay. Stefan, thank you very much for this very extensive answer. I think we had a very interesting webinar today. Some very interesting questions and answers. So I'd like to thank you. You Stefan for your presentation. I'd like to thank you all the attendees for participating this call webinar. Hope to have you soon in one of the other upcoming call webinars or see you on one of our events. Thank you very much.
Thank you Martin. And thank you everybody.
Stay Connected
Related Videos
How can we help you