Event Recording

Learn How SD Worx Turned Its Cybersecurity Strategy Into a Business Enabler

Log in and watch the full video!

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
So title presentation is how as the works turned its cybersecurity strategy into a business enabled. It's a customer case in fact. So who are we as the works? We're in fact a people solutions company. Our mission is to become the number one in Europe. We have about 75 years of experience, more than 6,000 employees and 5,000 temporary workers and more than 80,000 customers. So we're not the multi biggest company, but we are becoming quite large. Things that we do is that we are staffing a recruitment. We handle about 5 million payslips per month. It's about core hr. We provide legal assistance. We even if companies require it, take over their complete HR department. Myself, I am product owner is my role from a team called Middleware and Hosting Solutions. It's a team, something in between development and infrastructure. So we don't manage servers, we also don't develop things, but we manage components that need to connect everything like you see in the presentation and identity providers, but also queuing mechanisms, hosting, monitoring tools, things like that. So that's a bit an introduction.
So I'm going to talk about identity and Authentication Hub. The ambition of SD works is in fact that we want our clients to be able to enroll quickly. Easy, simple, no fu that it all goes smooth. One of the main ambitions is to have a single account to access all of the works platforms. That's real challenge because of course we are growing, we are buying new companies. They all have their own portals, they have their own tools and in fact we want to give a customer experience. Certainly for international companies that we say you only need one Porwal, you only need one account. You log in and you have access to everything that as the work has to offer. We're not there yet, but we're coming there. It should be easy and frictionless. Like I said, no first needs to be very easy, but the customer authentication needs to be strong.
Doesn't make sense to have only user passwords for example, because if it's not strong enough, yeah, we are sitting on a lot of data. So if people manage to get in with just a simple user and password, you can take over accounts and misuse it. Yeah, of course we want to avoid that. We also provide the user with control over his own account and data seems a bit logic and yeah, we want to collect and manage constant from users but then needs to be continuous and in a transparent way. So that's a bit the mission that we have.
And last but not least, there are a lot of things regarding authentication and we want to reduce the costs of all those local authentication solutions. A slide about, yeah, how does it work a bit, and don't be overwhelmed because it's, there's a lot on this slide, but it's with steps effect. How do we do it here you have the end users, they're sitting by their pc, you have the customers. If they want to log on to our systems, they first pass our reverse proxy. Of course their firewalls, load balancers. It's not all on these, on this presentation. Then important part, it passes our identity provider and that's a trust builder from Trust Builder Corporation Trust Builder. For us, it authenticates the user. It verifies the user against authentication policy. So it's, it's communicating with the AdWorks identity store. The Identity store gives feedback about accounts profile credentials.
It asserts the identity to the service provider and it goes back to the reverse proxy. And then in fact the user is authenticated at a lift. You also see that for customers we provide single signon, which we can also do Withers Builder. Technically we're using protocols like SAML two and Open ID connects most standard ones used in the industry. That allows that we make a connection effect with the identity provider of the customer and that's if the customer employees log on to their internet, Internet, they just have to push the button and automatically they're also logged on to our Porwal via single channel.
The next part is once they're logged on, yeah, they need to have access to all their applications that they are allowed, they have access to. There comes in authorization, which is not handled by Trust Builder, but within an internal application effect, which just checks, Yeah, to which applications do you have access and also within the applications to which data do you have access? Very important of course because yeah, one customer should not see data of another customer to start these applications. We use Open Id connect and they have a lot of products besides our Porwal. We also have an app and that will come in place a bit later in the presentation. Also, something important is the partners. So we're working together with other companies and we have creating a win-win situation that we call it a business platform where other companies just offer their tools on our Porwal. Again, we implemented SSO with those partners, makes us easy for them. Besides the products, we are also trying to work on a flow that's more intuitive for the customers because yeah, knowing the products is good, but in fact on the Porwal you can also just say, okay, I want to view my my salary or I want to create some kind of absence next week for example, without even knowing the application.
So that's a bit about the structure. Then you have also the administration point people, let's call them as they support. Yeah, they provide of course the correct access. There's always somebody that needs to handle those access rights. So that's a bit how it works. Yeah, why Trust Builder? Because this is also advertising for Trust Builder Corporation. They invited me here to present this customer case Trust builders. We've chosen them as partner because in fact it unburdens the as the works in integration, secure authentication mechanisms. They have a broad set of out of the box connectors with traditional vendors. They offer to factor authentication to SMS or an authenticator app like Azure Authenticator, Google Authenticators, and lately we are, There's also integration with an QR code scanning for which I will give demo. They also have your partners like European identity providers, like it's me and D G D.
We can connect with their identity hub with multiple identity stores. So that gives flexibility in integrating our acquisitions and what we really like is their orchestration engine. It has a strong workflow. We can, we rely on trust builder consultancy if we have some questions to adapt some workflows, it's quite easy. They do it first and they do their authentication flows and policy checks. So it's also highly customizable for our needs. Also very important for us is the flexibility. So if we, we have regular meetings, service meetings and if we have some requirements that we say, yeah, this would be nice for us to include in Trust Builder, they're always willing in saying, okay, either maybe just customized for ASD works or yeah, this is interesting indeed for other customers also let's include it in another, a next version of trust builders. And then we get feedback when, when it's on the roadmap and longstanding trusted relationship. We're working together with Trust Builder Corporation more than 15 years I think. So we're really funded it all of them. Also with the trust builder management.
Let's talk a bit about authentication methods. Yeah. How did it all start? The internet came, applications were provided on the internet. There was no security then came user password, but yeah, it's in fact weak. They tried some things with longer passwords, password phrases, things like that. You know, everything capitals special characters in the passwords, but in fact it remains weak. Then came to factor authentication using tokens like digs. Authenticator apps is ais to provide an extra code all fine, that's better security, but there's also some weaknesses. Single channel already mentioned, put it in brackets here. What I want to demo is in fact next generation authentication, modern authentication we call it also passwordless a bit about the digi process. Yeah, we use them, but yeah, it's bit difficult to handle. It's a whole administration. You need to hand it out, them out, send them to the customers, not so practical, very costly also to deploy to everybody. And what we also see sometimes is that people don't think about them as their identification, like an ID for example, but they sometimes just pile them on to somebody else. So yeah, this is, this is the pin code, eh, So you just don't think that's it's, it's a security breach in that that fact and they're responsible for themselves.
Yeah. Is a Miss Authenticator apps fine, but in fact then is a miss can be intercepted a app. Yeah, if you have them on your phone, you have to type in to type over the coats. If you have them on your laptop, you have to copy the codes also, not that it works, but not that user friendly. So without the exception of single signon, we like the universal modern multifactor authentication mechanism, strong authentication, easy, frictionless. And then we came up with this together with trust builder. This is how the flow currently works and I will demonstrate it live, but this is the flow. So on our website we have a login screen at the left, it's just a normal login with user password to factor authentication at a right. It's a unique, your code that is generated can only be used once. It also renews I think every 32nd or something. So it cannot, you cannot reuse it. So people just open the browser, they have an app on their phone and then they press the QR code scanner. So that was that I icon. They scan the QR code with their phone. They have to accept, say okay, you want to log in? Yes, I'm going to log in as extra authentication. They can do a fingerprint scan or a face scan or enter their pin codes
And then they're logged in. No username, no password, very easy. So I'm gonna give it, try to do a live demo this morning. I saw that there were a lot of people on the internet here on the wifi, so normally it should work. I'm just going to refresh this page, but nothing's shown
To close.
Yep, thank you. So this is the page. So I'm opening my app on my phone, I hear the button with the key code scanner. I press the button, I try to scan it on the screen, it says won't allow authentication. So yes, it's fine. M enter my pin code and then it logs on. But I think there is an internet problem. Yep, there's an internet. Well there it goes. It's purely the internet. Normally it works very, very fast and nothing should, should say nothing. And that's it in fact. So very easy, we're on a security fair, so I'm going to low out a bit of a technical architecture behind this, but it speaks a bit for itself here you have the app, you have the application request, it communicates with a trust builder hub. In fact here you have a private key and a public key,
Which is check by trust builder. If it fits, there's also no risk in, like I say, recording this now, see a QR code, if somebody else would now scan the code, what happens? Nothing because yeah, nothing. The code effect is already used. That's one thing would be also implemented. You need to register yourself first within the app before you can start using this modern authentication mechanism. People that haven't installed yet the workshop and we just scan a code ieo, what is that? And they scan the code Twitter camera, they're redirected to a support page on our website, which just explains how this all works and how they should install the the app. So that's about it. So I still have 13 minutes lefty scenes. So questions,
Do we have questions in the room? We don't have any questions online yet, but do we have any questions in the room while you're thinking about that? Yeah, I was hoping to, to see kind of much more of a case study that you know from, from your title. It did sort of seemed to indicate that you were gonna be talking far more around security as a business enabler. And I touched a bit earlier with Andre Kava on that. Maybe just talk around the actual topic of, of your presentation in the sense that, you know, how are you seeing this kind of using this kind of authentication enabling business?
Yep. So, so first of all it's indeed it's it's strong authentication. So no username, no password needed. So it's frictionless. It's, we think it's easy for the user to enroll themselves that they don't need to remember username passwords. It also minimizes cost Health desk and at this moment we already see that we have four of the websites, we have 1.5 million registered users and from that 1.5 million we rolled it out since June. At this moment without making a lot of advertising, we're just putting it open on the side saying yeah, it's new and try it out and only already a half million users are really using this new authentication method. So I think it can be really enabled also if we roll it out now we are growing in other countries that customers also ask, yeah, how can we access your website? And that we can see besides we have possibilities, we just have our app and you can log in via our app and meanwhile people are still starting using our app, which we also see as a business enabler because a lot of what we see, a lot of employees, for example, if they want to consult their pay slip, they get a notification and in the past, yeah, they had to log on to their pc, they had to log on to the website and now they just receive a notification, they open their app, they can go to their salary if they want to do more, okay, they can also go onto their pc and then there's a link between the app and the pc.
So that's why we also see it as an enabler to do more business.
Okay. So now you've indicated that there's a fair amount of appetite cuz at keeping a call, one of the things that we're talking a lot around and trying to encourage organizations is to to work, you know, move away from passwords obviously and to to to move to passwordless multifactor authentication. Do you think this is kind of something that most organizations are now understanding is a good goal or is this something you know, cuz I I you've said that there's been a fair amount of demand, but I mean how much sort of education and evangelization are you having to do around this concept of moving to better methods of authentication? Do do organizations understand the needs?
I don't know from other organizations but our security officer was really fond of implementing this saying yeah I really want this because yeah, because of the reasons that I provided and I think yeah, that that customers will like it.
And I just wondered, you know, in terms of organizations that you know, you've obviously done it internally, are you able to share any metrics with us? Let's say, well beforehand we had so many calls to the help desk and now we have whatever. How are you able to quantify, do you have any metrics that can, can help the audience understand how going this kind of a route can, can help?
I don't have the metrics but we see things like for example as ais, what sometimes happens is that people choose for two factor education, they get an As AIS and they don't get it. And there are a lot of reasons why they don't get it. Maybe they just don't have availability at that time or they're just entered the wrong phone number and then we see indeed in our locks, okay, authentication failed or things like that. And if we then try to convince them to move to password list yet then they don't have that problem anymore. So we see in data drop off certain things that we say, okay, this is better. We have less problems that people cannot log on even though they don't log the ticket because they try again. But yeah, trying again is also not good for an employee. You want to, that it works immediately. And,
And what would you say are the kind of, could you categorize the kind of companies that find this kind of a useful approach or you seeing equal demand across all sectors or you know, I just wondered whether, whether a certain sector got it more than others or found it more useful than others as a business enabler of new revenue streams. And
That's something that I don't, I can't say no. Okay, but maybe, yeah, there are people from Trust Builder Corporation in the room here. Maybe you know something about it.
The question
Is, is just, you know, what, what industry sectors are, are you seeing the most demand for this kind of more modern authentication method and you seeing better degree of, of of business business enabling?
That's an interesting in all kind of verticals. I think banking, of course for many years banks are using strong authentication usually or most of the times integrated as in SDK in the mobile apps of the banks. But let's say all all businesses where there are a lot of consumers involved, where there are a lot of big communities, we see traction areas. So it's, it's really cross, cross vertical. I would not, let's say limit, I would not limit it to a couple of verticals. Which,
And, and in terms of the kinds of of new businesses that it's enabling though new revenue streams can, have you got any examples of those, the kinds of things that organizations are more now more comfortable doing because they have this kind of authentication method rather than, you know, previously when we were, we're reliant on, on a highly hackable fishable crackable pathway.
Well maybe I give an example, maybe it's not a good example, but we're currently implementing a project with Sure Guard in seven countries around across Europe with c sure Guard had a problem of the offices were closed and so they had a, the first let's say obstacle to overcome was to how to onboard in a digital way customers. So now we are implementing a solution based on local IDPs like bank ID in Sweden or it's me in Belgium, but also we are doing identity verification validation based on passport scanning. So that's the first step. Then the second step is that you, you you have community via mobile app or, or website and you want to, to add functions of functionalities and, and securities of course important, but you want, you want to access to those applications to make it as simple as possible. User ID password. Okay, that's obvious but it's not safe and, and plus people forget the passwords. So you have to do a lot of reset. So then the next step is that we're gonna implement mfa. So it's a, it's a multifactor authentication integrated into the mobile app. So, so there are different steps. So it's, it is indeed a business enabler. It is indeed a business enabler. Yeah, it's, it's obvious.
No. Okay, Grant, I just wondered whether you could give specific examples. You,
I can maybe add something. So in the case very
Quick cuz we've got our next speakers waiting,
So, Okay, so just yeah, just one sentence. Maybe the, just what the example Young gave is we, and that way they moved their business online because they could not do it before, They could not onboard before online because they'd always, the risk of people pretend to be someone else and like storing like illegal goods over there and that the business enabler in that case for instance would be, okay, we can do our physical business suddenly online.
Okay, thanks very much. Okay, thanks. So now we move. Thanks very much. We move on to our next presentation.

Stay Connected

KuppingerCole on social media

Related Videos


Key Findings on Malign Information, Misinformation, and Cyberattacks

Ksenia Iliuk, Head of Research at Detector Media, Ukraine tells us about some key findings of their research in the media landscape of Ukraine. Find out what she has to say about Telegram and what it has to do with #cybersecurity .

Webinar Recording

Effective IAM in the World of Modern Business IT

Digital Transformation promises lower costs, and increased speed and efficiency. But it also leads to a mix of on-prem and cloud-based IT infrastructure, and a proliferation of identities that need to be managed in a complex environment. Organizations adopting a Zero Trust approach to…

Analyst Chat

Analyst Chat #149: The Top 5 Cybersecurity Trends - Looking Back at CSLS 2022

Deep Fakes, AI as friend and foe, Business Resilience, Mis-, Dis- and Malinformation: The Cybersecurity Leadership Summit has taken place in Berlin and covered all of this and much more. Martin Kuppinger and Matthias look back on the event and identify their Top 5 Trends from CSLS2022 in…

Event Recording

Assessing your Cybersecurity Tools Portfolio: Optimize Cost, Increase Security

Most organizations don’t suffer from a lack of cybersecurity tools. They suffer from the cost and administrative burden of running too many of these. They suffer from the lack of integration. They suffer from the lack of skills in optimally configuring the tools and analyzing the…

Event Recording

Cyber Warfare - A Reality Check

Cyber Warfare and Disinformation have been heavily weaponized since Russia´s full-scale Invasion of Ukraine and even before, aiming at destabilizing the free part of the world. It is the "synergy of the evil" between cyber warfare and MDM (Misinformation, Disinformation,…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00