Good afternoon or good morning, wherever you are. Ladies and gentlemen, welcome to this co a cold webinar authentication access and assets of the triple a of securing sensitive systems and information, a new approach to privilege access management. And this webinar is supported by Bomgar the speakers today. Originally it was planned that Martin Kuppinger would do the first part of this webinar, but unfortunately, Martin cannot be here today. So I will take over for him. My name is Matthias Bangard I'm senior Analyst with KuppingerCole and in the second part, William Berg director of solutions engineering mayor of Bomgar will join us and present a second part of this webinar before we start some housekeeping. And of course, some general information about keeping a call as an Analyst company, keeping a coal is providing enterprise it research advisory services, decision support, and networking for it professionals. And we do this through our research services where we provide several types of documents, including our leadership complex documents, comparing market sentiments with our advisory notes, looking at various topics, vendor reports, executive years and more.
And we do this through our advisory services where we provide advisory to end user organizations and vendors. And we do this through our events like webinars or seminars. And of course our main event, which is the EIC, the European identity cloud conference. And this year's EIC has been held a few weeks ago in Munich. And in case you've missed it, you missed something. And I highly recommend that you check out our website where some of the really awesome keynotes are available as online videos for download or for online viewing. Please consider having a look at our website, the guidelines for this webinar, you are muted centrally, so you don't have to take care of this. We are recording this webinar with the recording and the slide text going online on our website tomorrow and important. There will be a Q and a session at the end of the webinar, and you can enter your during the presentations at any time using the questions panel of the go-to webinar software.
And please, please do so, so that we can start the Q and a session right away with the good set of your questions. The agenda consists of three parts, as already mentioned. The first part will be my introduction and it'll be called why remote access the new normal and why you should put your emphasis on privileged management for controlling such access. Then William culvert from Bomgar will take over and he will give us insight into securing VPNs and remote connections to critical systems with privileged access management. And the third part will be the Q and a session as already mentioned. And so that's it for the introduction. So let's start with our first part with my part, which is, as I said, why remote access is the new normal and why you should put emphasis on privilege management. And one big reason is actually that we are want to protect the organizations crown jewels, and what are these crown jewels?
So there are four that we mentioned there, of course, more but four that we want to focus on. The first is nothing technical it's brand reputation. We, it is important for an organization to make sure that their brand and its reputation is protected from negative impact, which can result from, for example, data breaches, or other negative information spreading around the news for an organization. So this is something that needs to be protected and protecting access to critical resources within the organization might be a good way to protect the brand reputation. A second part of crown jewels is when it comes to the important data that an organization needs to handle and maintain. And probably one of the most important data that organizations can have is their customer data. And that needs to pre be protected for various reasons, be it data protection laws, but also really protecting the competitive advantage of organizations when it comes to customer data and the knowledge about the customer.
So know your customers important point and protecting this knowledge is even more important. Intellectual properties of course, is an organization's crown jewel, because this is actually the, the information that you really earn the money with. So if it's a blueprint for the product, which will be released next year, or if it's information about mergers and acquisition that might take place next week, this is information that needs to be highly protected. And this is of course, a crown jewel and maybe something that people usually don't think of being a crown jewel it's people. It is all the people that are involved with an organization and they need to be protected and they need to be, yeah, they need to be protected from access to assistance, from information being leaked through source, through sources, which are not identifiable. So making sure that your employees are really confident with your, as an organization, that your customers are, people is most definitely one of the crown jewels of an organization.
And why do I mention that? That is because we are looking at a massively changing environment of, of organizations and their it infrastructure. And as we're looking into privilege management and privileged access, this is also changing with the changing infrastructure of organizations. So when we started with people, they are, and you most probably have seen this image before. They are part of the organization and organizations act on behalf of people. And if we build up this picture slowly, then we realize that there is no longer this traditional image of an organization being, yeah. Being a big data center and a wall around that. And the firewall around that. So really a perimeter protection is enough. This is no longer the case. And all these components that we have now on the screen are actually systems that are relevant when it comes to providing information, when it comes to accessing information within the organization. And it also includes systems that are relevant when people are actually administering systems, when they are using privileged access towards systems within an organization, administrators typically now nowadays use their notebook or their tablet to access critical resources. And this needs to be maintained in an adequate way.
If we look at the privilege management landscape, then we can clearly identify some core features, which are relevant for, for most of the vendors and most of the solutions that are available. And on the one hand, the one hand there's the session management. So we are looking at solutions that allow for the request for, for such sessions for the approval, but also for monitoring the solutions for recording them, even in a graphical mode, but also in providing information that is relevant for forensics. So in the aftermath, if something went wrong, that they can check what did go wrong, what information is available when it comes to actually identifying issues with a session. So session management is one of the core features of privilege management or privilege account management. And the second, which is typically a, a core functionality or can be considered as such is shared account password management.
So it's all about what happens to those privileged accounts, which are not, are not necessarily personalized, which are not assigned to one natural person. So this needs to be maintained in an adequate manner so that we can make sure that not one single well, not one group of people know the root account and its password, but there are adequate procedures in place. For example, one time password password, which allow that access is regulated accounts, scanning is an important part. So which are actually important accounts that need to be managed. And it all boils down to privileged single sign on so that people are identified as natural persons, as people with their ID, with their personal ID, and that they, as a second step can, can get access to those systems, which are relevant to them and that they gain access when required. And then with a simple sign on additional features are currently being added to the pool of functionalities that is connected with the privilege management market sectors.
And one important aspect is anomaly detection that is identifying behavior of users of administrators, which is not expected, which is probably undesirable. And to identify that in comparison to what can be considered as normal so that we can really identify if somebody does the same backup 30 times a day, although he should do it once a week, this is typically an anomaly that should be identified and should be detected and probably lead to an alert. Another aspect very much gaining traction recently is application privilege management. So what is an application actually allowed to perform for operations on behalf of a user? So maybe this can be restricted or can be identified, or even can be bike listed, one functionality or even a complete application. On the other hand, very important is the integration part of privilege management. So we have to make sure that the information that is gathered through the privilege management solution is also fed into the systems which are capable of using this information in subsequent steps on the one hand, which should be something like seeing or R TSI, which is an acronym for realtime security intelligence. So information that arises for, for example, from such an anomaly detection can be then used in identifying threats and probably advanced persistent threats through a R TSI solution. On the other hand, as I mentioned before, we want to personalize access identity is then an important aspect. So the integration with identity provisioning and the identity and access management of an organization is also a key feature of applications doing privilege management.
And this is all done when we look at the picture or when you think of the picture before with everything being connected and, and related to each other, this also leads directly to a changing risk surface. So we are no longer in an environment where critical enterprise infrastructure is put on premises of an organization, but this is changing massively with virtualization and cloud services being, getting more and more important for many organizations. So we have in the different colors, blue, red, and black, the traditional administrators and the traditional applications. And, but this is also now extended with virtualized environments on premises on the one hand. So we have more systems, more components gaining more and more importance ranging from the hypervisor as the, as the key infrastructure within the virtualization environment and also your guest operating systems and their administrators. And of course, again, the applications running in these environments.
So we have new components that we have to take care of, and we have changing amounts of servers and changing numbers of servers and more and more frequently deployed and deleted new components, which require also adequate administration. And of course, in black, on the right side, we can see everything that ranges from cloud service providers to manage solution providers. So this is actually infrastructure, which, which is run by other people in other locations, which is run maybe through Microsoft or Amazon or other cloud service providers or your favorite managed services providers with all their system administrators and very important when it comes to software as a service also application administrators, which play an important role when it comes to administering critical access as well. So it's not only rude. It's also the highly privileged CRM administrator who runs a usual user account.
Another aspect that we have to look at, and which is important from our experience is that also the responsibility and the, the, the tasks that are involved when it comes to it is changing subsequently. So when we say it is shifting into the business, then we start with a picture as it is given now. So we have business it and the red bar representing the it aspect of business. It typically was spread among security and the it. So for operations and monitoring for configuration and adaptation, and also for deployment of execution, this was very clear cut. There was an internal security team and there was an internal it team, but business was not necessarily involved, but this is changing quite rapidly. So when it comes to this new deployment models as described before we now see that the CSP, the cloud service provider is getting more and more important when it comes to managing the operations and monitoring aspect of business it and the business side also becomes more and more important when it comes to configuration and adaptation, because it is a business is getting more and more closer to the it, to the it.
And it's getting more and more combined and consolidated approach when it comes to deploying and defining solutions and deployment of execution. A large fragment of this part is even today, already in, in the hands of cloud service providers. So this is changing massively. And if we take a look at the different other aspects from operational it and IOT to consumer IOT, this is also changing very much and business is taking over a large role, especially when it comes to operational it and the IOT and consumer IOT is gaining more and more importance. But this is also only the aspect for, for the business side while configuration adaptation and deployment execution, of course wise with the consumer himself or herself. So this is left blank. So we really see that the responsibilities and the roles and the tasks are changing as well. So other people are now getting into the position that they use privileged access, and they need to be controlled and maintained and, and managed adequately as well, major risks arising from that, of course there are risks because we have a changing landscape. And first of all, we have the typical risks of internal privilege in shared accounts because they don't go away. They might be less important, but they are still there.
The second is of course an important part when it comes to communicating between the customer, which is typically the, the actual enterprise, the organization, and the managed service provider, or the cloud service provider, that there is a danger of this information and this communication that goes there and back again, it's intercepted. And this needs to be of course prevented. And this is one of the major risks. So intercepting the communication, which leads directly to a data leakage is an important factor. And there are new interfaces, additional interfaces. For example, when you run as a, as an enterprise, a software as a service solution, something like Salesforce or something within the Microsoft Azure cloud, then you will have a, an administrative interface, which you never had before, which of course exposes an additional set of, of risk vectors of risk surfaces. And this of course also increases the, the amount of proper major risks.
The typical things that we read in the newspaper is actually the abuse of privileges of operators and administrators. And this is the, the main part where privilege management comes into play, or one of the main parts where it comes into play because these operators and administrators, they have these access rights, these elevated rights because they need them. And how can you prevent them from app using them, which is an important question. And is of course a question that will be answered by William later on, how can we actually control that? How can we identify abuse? How can we prevent abuse at that point? Important factories that many organizations which provide cloud services and managed services are reluctant in gaining, giving insight to, to, to their internal organization, to their technologies, to their structures and processes. So meaningful audits is something that is sometimes difficult to achieve and to look into the actual processes and organization.
So this is a risk, and this might be medicated from the, from the organization point of view from the customer point of view. And this is also very much of important to, to get this information. And one last major risk that we'll look at is the identity and access management for external parties. So how can we make sure that the accounts for managed service provider are managed adequately and how can we make sure that these entitlements are managed appropriately with terms like lease privilege and segregation of duties and really access only when it is needed. So when this is implemented, this, we have to make sure at that point, if we look at this at this metrics, we can see the, the evolution of privilege management. So when we look at that, we see the traditional aspect of privilege management. As we, I have mentioned that before, and that's, this is the traditional password vault, the privileged single sign, as I mentioned before, and the application privilege management.
And if you look at the, at the access of these metrics, we see that usually around shared accounts, and this is credential management and session access. And this is typically something that is in place and which is of course, a solution or these are solutions, which are available for some, some time already. But a new aspect that we see as trending is of course, the privileged user behavior analytics, which is of course, something that can be, has to be considered as critical in both directions. This is of course critical information that we look at it's user behavior, but also we get to critical insight when we understand what the administrator actually is doing the system. And the second part, as we've meant, as I've mentioned before, is session monitoring and recording. So getting real insight, even as documentation as an audit trail, what happened in the system and today's system systems it's 2016 are capable of recording and providing logs of this sessions in an adequate manner.
So these, these are the trending topics that we see within the privilege management sector. And I think William will have a look at that as well. And one thing that we typically provide as cooking a coal is the leadership compos. And this is a document that compares this market segment compares vendors within the privileged management sector. So we are currently preparing a third edition as you might have guessed. That's when we look at the, at the arrow on the screen, the first edition was an initial addition, which well was focusing on the traditional aspects. This is the reason why I explained them before. So it's shared account password, vaults, privileged, SSO, and a bit of privileged account application, privileged management. So the main innovation for the first edition was integration to other IAM areas. The second addition, which has been released recently, all of the first edition plus session management and monitoring, and the main in innovation is privileged behavior analytics.
So this what we have seen as trending before, and then next edition will have of course, all of the current edition, plus the integration with application by listing. So really understanding which applications are really permitted to run on which systems, the privileged behavior analytics and the innovation is. Of course, as I mentioned before, the, the extension of all application infrastructure inside the organization, virtualized and in the cloud and managed service providers, providing services onsite and offsite. So this will be the next edition. So you can see also the documents that we provide as an Analyst companies are changing. There is an evolution with the product and with the solutions and also for the documentation as we do it, it, and from that point, I want to hand over to William from bomber. But before I do that again, a short reminder to our participants, please feel free to submit all of your questions. Why are the questions panel on your screen? And we will come back to the old questions later in the Q and a after William's presentation. And I would like to hand over to William. Yeah. William, are you there?
I am. Hi. Thank you, Matthias. Great. So I'm just making sure that we can now see the screen here.
Perfect.
Great. Well, thank you for the, for the introduction there and, and the positioning around the evolution of this space from keeping a call. And it's, it's good to, to hear that we are on track with, with what you are saying as well and welcome, and thank you for joining to the, to everybody in the audience as well, just as Matthias was, was suggesting a little bit earlier today. What we're going to be talking about is Boar's view around securing authentication, access and assets. What ultimately we've, we've coined this the three A's to secure, sensitive systems. I'm just gonna walk through a journey, very similar to that finest final slide from, from Matthias around the evolution of this particular segment, as we see it as well. So without further ad let's crack on just as a, as an additional piece here, what we'll also do is I'll just drop into a little bit of product.
So a few slides we'll go through them quite quickly, a little bit of product so that you can actually see in real time what we are talking about here as well. So just to advance, as we see now, who needs privileged access, what does privileged access mean? We've heard an excellent description of this. And from BGA, what we see is privileged access is ultimately any form of access. That's perhaps a little bit more elevated than we would normally expect. So this can be privileged access to just normal desktops from a customer support perspective who needs admin rights on somebody's computer in order to reinstall some software or, or something as trivial as that. And then it goes all the way through to, you know, how do we, how do we start accessing, how do we start permitting access to some of our internal critical systems and critical assets from our suppliers from third parties, and also the day to day work from our privileged administrators, those individuals who on an everyday basis, connect database servers, web service, and infrastructure of all types in order to keep the lights on within the business.
So that's what we're gonna be talking about. So what are the three A's that we are talking about here at Bomba? Well, the first a that we wrap around is authenticate. Unfortunately, too many systems. These days are still prone to infiltration through a single factor authentication. This is just something that's known and typically something that's known, it's something that's relational to that individual as well. So, you know, quite easy to, to break or through brute force, perhaps as well. So adding that second factor, something that we have is a much provides a much greater layer of protection to the initial part of the story. The second piece here is access. You know, what exactly should people have access to? And should that be the same for everybody? Should we just provide everyone access to the entire scope of a subnet, or is it particular systems in particular applications that they should have access to and really monitoring the who sorry, the who, what, when, where, and here at Bomba, we are also implementing a why piece here as well.
We'll talk about what the why means. So now we've, we've proved who we are, which then allows us to access only the systems that we are approved and authorized to access, and finally then the assets themselves. So how can we then access these systems and have the right permissions on those systems when these two, when the, when the environments that we're connecting to are so separated from, from the, from the other corporate environments, well, ultimately shared credentials. We, we will never get away from it. So we need to manage those shared credentials. So as opposed to having them together, creating a mapping, if you will, or a Federation of those credentials across the authorized individuals enable to access. And the reason I would like to go into a little bit of product just a little bit later is to show you how at bongo, we do this in a very different way.
So that's the three A's that we're gonna be talking about. So now let's just talk about the types of privileged users that we are just gonna quickly iterate through during this presentation today, very high level, two single types of privileged users, employees, and our third parties. Now you can see the trust thermometers there on the left and the right hand sides. And it's not that third parties can't be trusted. That's not what we're trying to say. But what we are saying is that from an employee standpoint, these individuals are issued with corporate laptops. They're issued with corporate anti-virus anti-me wire. They also comply these devices now comply with are organizational security standards and best practices helping to mitigate any of these common attacks that, that are so prevalent these days, whether it's, whether it's a simple social engineering or fishing or whatever type of, of a type that these individuals might might off.
So again, the protection there from an employees from a third party perspective, well, how can we, how can we enforce the same constraint, or should I say the same protections on their environments that we do on our own? It's very difficult to do that yet. We're still providing our suppliers with these accesses to, to very, you know, highly sensitive and very critical systems to, again, to the business, just as much as was saying a little bit earlier, let's draw it back to what's really important. So these are our two personas that we're just gonna be iterating through. And why have we particularly picked up on this vendor or supplier aspect? Well, we've, we've done some, some research ourselves at Bogar around the vendor vulnerability, if that makes sense. So how do organizations perceive their operates with their suppliers and, and what could be done to, to improve that as well?
So some really interesting statistics pulled back from that proving this particular use. Now I'm just gonna walk through a day in the life, almost here. These are, these are lots of slides, but we're going to iterate through them very quickly. So here the evolution of corporate connectivity. So this is a particular, very high level example of a, a remote worker back in, you know, even today, or, sorry, a few, a little few years ago, we had access to corporate systems without any layers of protection. We simply accessed them through hard wire through wifi, tell nets, all kinds of open systems, maybe even HTTP. And this was dangerous. We saw attack vectors on multiple layers. So we had man in the middle through the actual wifi connections, we had other forms of listening on the line, perhaps even connectivity to these remote workers machines. So what did we do to mitigate that?
What did we do to protect it? Well, we added something called a VPN. We're all familiar with them and I'm sure we all use them. This absolutely superb for what it was designed to do, which is to secure the connectivity of our corporate workers and our corporate estate to access the business systems that they need. No, not business critical systems, but business systems. And that's very good. However, as we've gone through VPNs have been allowed to propagate a little bit, and we are now issuing VPNs, not only to our internal trusted employees, but now to our suppliers as well. And remember, we talked about the machines and security security compliance of these different machines, but we're now opening a Dr. A pipe between our vendors, computer and our critical assets. And we don't really know what's going up and down that particular pipe. There are definitely layer levels that can be protected and monitored, but very sophisticated malware can traverse a lot of this as well.
So we just, just need to be aware of this particular thing. So what does that mean? Well, now we've provided this to a, to a third party, as we've heard in the past with lots of organizations and unfortunately, lots of negative press is the threat that this poses and it's possible for the third party to be exploited bearing in mind. Now that this third party's actually connected to our infrastructure, which makes them an employee almost gives them the similar kind of access. So they are now an insider, unfortunately, because their machines are perhaps not up to the same specifications. We can see these devices becoming compromised. And this is perhaps where the insider threat can also take hold. We're not saying that our third parties, our suppliers, or even our internal employees are malicious. We're just saying that there's potential here to come through a new vector into the organization.
And there's, there's lots of examples of this in the press as well. So once we've got this understanding, we now know that this machine's compromised. Maybe that's typing in passwords to particular supplies, typing in passwords to these assets and systems that they are absolutely legitimately allowed to access. But so too now is the, the individual who's compromised their machine, perhaps installing keying software, perhaps starting to traverse the internal infrastructure as well in navigating around having this kind of connectivity also allows them to create persistence as well in terms of a persistent attack. So how can we help mitigate these things again, let's come back to these three A's. If we have the multifactor in place, if we control the single assets that they're, that these suppliers and our internal administrators are allowed to access, and ultimately then not having to extract and type in passwords, this should be a, an identity that is managed the asset that's managed as well.
So how do we go around securing this piece? Well, let's, let's step through it. We have now our third party and we have our target infrastructure. Let's not only, let's not forget now that the corporate network, so to speak on the right hand side is no longer just a single land or a single piece of a single location. Of course, we have distributed infrastructures, cloud infrastructures on premise infrastructures spanning multiple data centers and multiple geographies longer, just a single connection, again, important piece to be aware of. So how do we go and iterate this? Well, first of all, let's think about how we can broker these connections. Let's remove the peer to peer connection. So once we've done that, let's think about how we can start securing things. Well, again, if this is cloud infrastructure, if this is internal infrastructure, let's get that communicating back out to the broker.
We don't need to have ports open. We don't need to have services listening on machines. These are all negative things that, that need to be removed in order to help reduce that attack surface within our infrastructure as well. So let's then ensure that we authenticate multifactor authentication is the key, ideally, a token less multifactor, so that our indivi, our suppliers, there's no additional cost in supplying them with those things, but also they can't get lost as well. So token less multifactor is important access only to specific systems. So through a broker and an, and an individual or an identity here at this particular third party, we can now define which systems they're able to access and which systems they're not able to access. Let's break it down one level, further application white listing. Okay. So Mr. Mr. Supplier, you are who you say you are, you've proved that now you can access this particular device.
Absolutely. But you can only access these particular systems on these particular devices or these particular applications. And you're only allowed to access them for certain windows of time as well. So let's not have a maintenance window that you're able to access, install, updates. What have you, during cert during production time, let's have it out of the main production time. Again, the business requirements as we move through that, let's ensure that we have the why this is the access approval workflow. So this is the additional w that we've added at. Bogar the, what the, where the, when and the why this particular individual might be completing an authorized change request. Let's state that let's have that approved by a, an approval panel on the fly, if we need to. And then finally let's ensure that the credentials that we need to authenticate the, perhaps even the share credentials are automatically injected then into these devices.
Again, shrinking that attack surface and, and ultimately not putting these things at risk. So with that in mind, we have now have an element of, of security, well, many extra elements of security that we've created versus that single VPN tunnel that we discussed a little earlier. In addition, the final piece to this here is the full audit trade with a broker such as the Bomgar platform, as you can see here on premise, or however it might be deployed is a means of also in real time, performing screen recordings as to what occurs during a session. So realtime audits, both textual and video that can then be captured. And just as Matthias was saying a little bit earlier, let's also think about our defense in depth. It isn't a single, a single piece of software it's software working in collaboration or systems working in collaboration. We have all this infrastructure.
Let's also output that to a seam tool to perform the, the, the analytics that might be required in order to just create those trend events, to help protect our infrastructure. So let's just talk about this again. We've now have the three A's we've seen this now, a couple of times we have the multifactor piece protecting who we are. We have the control, the who, what, when and where and why. And then we have the ability to eliminate these records. Well, how do we do that? Of VGA? We have three and products that work together to provide this single and homogenous platform. So we have our verify to perform multifactor. We have our privileged access in order to, to, to, to ensure the access to only the systems were allowed. And we have our vault technology allowing us to protect these credentials as well. A final point that that Matthias raised was around application privilege management.
Well, we've talked a little bit here today around individuals. One, the, the technology, the platform here that you can see and we've spoken about is also has the facilities to work with applications, with scripts as well. So let's think about web applications. Let's think about any common scripts. We need to remove any of these credentials that are running in these scripts from our infrastructure. It's far too accessible and using technologies such as the vaulting technology here to eliminate these shared credentials from these scripts is a vital step to securing the infrastructure around privileged management, privileged access and privileged accounts. So with that in mind, there's just five short minutes that I just want to take you through what we're talking, actually, a graphical representation of what we're talking about here today. So this is the web console of the, the, the access product. I've authenticated into this.
I've used my two factor to prove who I am, and then we can then ensure that we can define who has access to what systems. So through a grouping system, we can then define that certain suppliers have access to only certain systems. And again, from an operations perspective, those internal administrators, we don't wanna make their lives any more complicated than they already are. That needs to be just as simple as using the systems that they've been using up until this point. So RDP, SSH based systems as well. This is why we've made it web-based and simple click. I come through here. I want to find access to a single system. Whatever the different types might be here, you can see different jump methodologies. We have, we even include RDP within the privileged access management platform as well. And here, now you can see that I've actually initiated a request asking for access to a certain system.
So now it comes the why. So why do we need need access to that system? And in order to help me with that, what I'm gonna do is just bring up my telephone here and just show you the request. Email, the request email came through, it's now pending approval. This is an approval workflow. The why, and as you can see here, the requested reason or the why is to complete a particular change request. This can even be integrated into your existing change control processes and change management systems. We can see the systems that this individual wants to access and ultimately it's pending approval. So let's go ahead and respond to that request. We can then connect into this web Porwal. And as we come through to here, the comments that we provide are production, do not reboot. Oops. If we spell it correctly, and then ultimately now we can approve the reason I've chosen just to bring in the, the, the mobile console here is to show that we are not all desk based.
We must be cognizant of the fact that people need to do their job. It's no longer nine till five. Everything is a 24 by seven operation. So we need to ensure those break glass technologies or break glass scenarios to emergency ask requests for certain things are also possible from here. Now that particular change has been approved. So I can now access this endpoint. We have notifications in place to make sure that the owners of these systems know when they're able to access them. And then here is that the credential you can see here, it's predefined for my user, cuz I, the system knows who I am. I the certain it knows who I am as I've proved it twice through multifactor. And then from our vault technology, we have this single identity that's provided to me, notice how we do not display the, the passwords available here.
This is automatically injected into the workflow so that it's not exposed to the administrators or suppliers. Ultimately, then the message from the approver comes here and we can then continue and get into our workflow. As you can see, very simple, very quick. And ultimately that balance between security and productivity is maintained. The final thing that's just worth noting is around the reporting piece, which again, Matthias was, was alluding to in terms of the direction of travel from the, the reports at, at COA call. And if I just have a look here, what we can see now coming into the report section, we can, we can employ session forensics within Bonard to automatically now record when certain activities were executed. And if I just come down to these previous actions, we can drill down into really the latest point in this in time and when these activities actually occurred. So as you can see here, this is a real time recording. That's now accelerated to one minute 20 in this particular example, as to when the, the executable to run the remote desktop interface, which has been defined as a black list application was executed and therefore controlled access to as well. So that's really everything I wanted to, to, to discuss today. I sincerely hope this has generated some, some questions that that'll be coming through. So I welcome those.
So thank you very much great presentation and very good insight into your solution approach and this different approach with no peer to peer connection, which is very interesting to me. We are now moving over to the Q and a session. And again, a short reminder to our audience to please enter their very own questions and to the questions panel of the go-to webinar software, there is still last chance to contribute and to have your questions answered in, in this session. So let's first have a look. Oh, this is a long question. Give me a second. Ooh. Okay. I will read, read that later. I start with a short one. How do you discover who has privileged credentials? So how do you actually, when you start a project, when you move into an organization, how can you identify, where are the administrators? So which are the ones that should be controlled.
That's a, it's a very good question. As part of our technology suites, we have a utility that can go out and find certain credentials and map the credentials onto the endpoints as well, or adding them into the vaulting technology. So that, that helps us effectively perform an audit as to where these particular shared accounts might be found. It's a, it's a short answer because it's been thought of and, and automated.
Okay. Yeah, yeah. Then, then short answers and then our efficient answers. But, but the questions now, now I've read it through and this is a very, very good question. So this is the, the balance between enabling security and maintaining compliance to regulations. And on the other hand, having administrators being on the role to, to, or in the position to get their jobs done. So what are your experiences when, when you really introduce such a system and people have to do the request and have to wait for approval and how is the, the reluctance, or is there, how do, what is the feedback that you meet when you get to, to implementing such a solution? And in additional question, what are the, how have you have, have you had any experiences with legal implications afterwards with controlling people with looking into their, what they're doing? So it's actually two sides. How, how do administrators actually react?
I would love to say administrators are really forthcoming and open to change. It's it's not quite like that. And so we, one of the reasons that I, I wanted to just show the interface here today is because we we're taking potentially taking away tools that these individuals have been using for many years in order to, to again, create that balance between security and productivity, also removing that peer-to-peer connection. And so we need to make it as easy to use whatever system we put in front of them to replace it as well. And so there where we have the enhanced approval workflows, this isn't necessarily something that we suggest is in place for all administrators. So certainly for our internal privileged administrators and privileged users who aren't requesting those things. And because there are employees don't need to request those things, we can perhaps just get them straight in using that vaulted identity straight into those sessions and connections that they would normally have.
So again, making people's lives difficult is not the objective having elements or having pieces here such as the approval workflow. The why is commonly used for, as I mentioned, break glass scenarios. So if it's outta hours and we need to access a system that would normally be locked down during these hours, then that's when approval workflows are a really good, a really good way of managing and auditing what, who, who requested access, why they requested access and when they requested access. So it's not a one size fits all. It's very much understanding the, the function of the group and the systems that they need to access and when they need to access them. So it's common for some of our customers to say, well, third parties or suppliers definitely need to have multifactor. Our position would be everybody needs multifactor, but let's start with, let's start with the suppliers. So the suppliers then need to be anyone coming from the internet basically needs to have multifactor authentication. So again, we're stepping through this process. It's not a big chunk that we bite off all at once, but it's these, these elements that responds to the business need again, business need. And again, the balance of productivity and security. There was a second part of that question though. Sorry that I, that
I, I don't believe the legal implications. So, so looking at the work that people do might be a problem, for example, in Germany, when it comes to, to employees rights, and this might be an issue. So how do you handle that?
So it's a really good question. And you're absolutely right as, as I'm sure majority of the individuals on this particular webinar around the workers council. So one of the pieces that we have here is because Bogar the privileged access management platform isn't necessarily a cloud-based platform. This is something that organizations deploy within their infrastructures as well. And so the organization never loses control of their employees, data and their employees information. And so really what we're capturing is productive work that can only be accessed by authorized individuals. It's very common for certainly in Germany for us to have a specific group of, of individuals defined within the privileged access management platform who only have access to the reporting and to those videos. So it has to go through the, the appropriate channels within the business in order to then allow this information to be, to be retrieved from the, the Boga platform.
Okay, great. Yeah. Thank you. I think that was quite a elaborate answer for that. And it's, it's, it's an important question. Very different angle is integration with IAM system. I I've mentioned it and I guess you've mentioned it and, but can you elaborate a bit on, on the advantages of integrating the privilege management on the one hand side and the identity and access management, the traditional one, those both together into one aspect, I think for personalization purposes.
So if I, if I can just grab that question again, how and why we recommend integrating into the IM is that right
And how the scenario could look like right.
And how it could. Okay, perfect. So we've, we've talked a little bit about IDM around multifactor and, and ultimately most organizations use some form of domain control or some form of that based system, whether it's active directory or supplied by another vendor. We believe that that is still a really good place for getting information as to who people are and what they should be doing. So the Bogar platform would typically interface with the, let let's just say, active directory for now would typically interface with that in two ways. In fact, we could do it in three ways. The first way is through the, the multifactor piece. So when somebody comes in, we wanna prove that this is the individual, and then the second factor, or the second piece there is around the authorization. This is what security groups does this individual belong to. And how does that map on to these different systems within Banga?
We're not suggesting certainly from a Banga perspective, we're not suggesting that this should replace domain controllers or that type of that type of construct. In fact, to make everybody's life easier. If we have a single pane of glass, which around authorization might be the domain controller, we then can grab those security groups, create the mappings within the bombard platform, enabling these therefore supplier a to only access supplier, a systems with these privileges as well. So automatically creating that mapping around the interface, into the target systems. So using the vault credentials as well, typically, what we would recommend of course, is that this is not the same domain controller that would be used to access the, to access the bombard platform in the first place, having a separation of credentials both internally, or having the separation of credentials between our infrastructure that we need to connect to. And the management systems is quite an important piece there as well.
Okay, great. Understood. One short question, you've mentioned token less authentication for, for multifactor, which I think is a good way to go for nevertheless, if there are tokens in place already, you can build on them. Right.
Totally. Right. So within a Bomgar construct, we support the radius protocol as well. So if an organization has made a decision around their multifactor piece, we're not suggesting that there's only one way and it's the bombard way we are, we have an interface into the radius protocol as well. Yeah.
Okay, great. I, if, if we understood that correctly, the first step that you do is introducing this broker component of, but to avoid the, the VPN connections and the peer to peer or end to end connection between the, for example, vendors machine and the actual infrastructure. And the second step would then be creating the, the, the password vault and the management of the privileged accounts. So you're doing quite other way round approach. So from your point of view, as I, as far as I understood it, privileged account management is not only implementing the passport vote, but first cutting the line. Right.
You're absolutely right. So typical, typical organizations within this particular Pam space have emanated from account management or credential control, and we've come from this in a very different manner. So it's not just a case of we'll look after the, the passwords and you can use whatever technology to connect to the devices, whether it's secured or not secured, Boga has a heritage of secure access and the secure access pieces where we started our privileged access management story. And so that's why we've progressed from privileged access management, including therefore the credentials around the accounts within the vault piece, and then injecting into that. And if you notice as well, that's why we have this, the, the nifty injection of the credentials, as opposed to the exposure of those credentials as well, naturally, the support for rotation and automatic update of services, et cetera, of, of certain system accounts. But we believe that, like you said, perfectly cutting the line is the first piece.
Okay, great. We have three, four minutes left. One question, one short one, probably what could be a good thing. There are lots of questions. And I ask, I kindly request the people who will, who have questions who have not been answered yet to, to direct them to me or to, to William, just to have them answered just by mail without the address will be on the, on the webinar page, within the a call site. One question I've mentioned operational technology before in my slides, is this something that you're seeing in practice and that people also want to make sure that they're scatter systems real time systems are also controlled?
Absolutely. Yes.
So these, these systems are, as we know, right, absolutely vital to how organizations are performing certain actions. And these, these, these systems need to be accessed maintained by both internal privileged users and external privileged users. And so ensuring that we have evidence as to who connected when they connected, why they connected is, is vital to this as well. Let's piece a piece of the, the bomber construct that we, that we didn't show today, just through that very quick presentation is in fact, the ability to collaborate within these same access sessions. So we can be two or three or four, five, however many individuals we need to be, however, however many privileged individuals we need to be in order to ensure that the right thing is being done to these systems as well. There's lots of different types of connectivity today. We showed a little bit about RDP, but we are also, we've introduced technology to enable us to simply use protocols, to connect between the devices as well, so that we can use applications based on our machines, remotely on the target machines as well, without losing any of the security, the audit trails as to the actions incurred a long answer.
But I, but I hope that answered that one
No perfectly, because I think this is an issue for many organizations who have these systems in place. So I have to speed up. I would like to thank all the participants of today's webinar. And I would like to ask to thank you, William, for this, for your expertise and experience and for showing the system real life system is always interesting. And for showing an interesting new approach towards privilege account management, some breaking news, we have the related research page on the, on the screen and tomorrow will be a Bomgar specific report being published at KuppingerCole just tomorrow focusing on this privilege management offering. So this is good timing and yeah, William, you have some additional final words to say contact information or something like that.
Yeah. Thank you, Matthias. I just wanted to thank you the team at co Cole and all the participants for joining today. And I, I sincerely request any additional questions to be then brought either to myself or to the team at co Cole. Thanks again.
Yeah. Thank you. We are looking forward to having all of you as participants in one of our next webinars and seminars and wherever we can meet, that's it for today. Thank you for being with us today and have a great day. Goodbye.
