Tower defense identity edition, zero trust, machine learning, MFA, multifactor authentication, passwordless, how to prevent your customers and employees and everything everyone else from and everything else from falling victim to hackers. So a lot of things in there, I would say. And so probably we best start with that question that was unfair that they just remove here. Okay. But I have it here as well. So it's not a problem for me, but maybe we start with, how do we protect customers best from falling victim to hackers?
So if you, if, if you would have to, to name the, the number one thing to do, what would be maybe Alexei you start, and then we continue. So what would be the number thing, one thing you, you would recommend when it comes to protecting customers?
I think in practical terms today, that's very, very easy: it's multifactor auth, right?
The, unfortunately, even though we talk all day about how passwords are so easy to, you know, to guess or to brute force or, you know, to intercept in various different ways, we have a very low statistically, very low penetration in most organizations of multifactor auth. So if I were to say one thing to do, which would reduce the vast majority of compromise would be that that would be my first tower.
Yeah.
And, and so when, when talking about multifactor and probably be all like Korean or someone who comes up as a totally different perspective,
Well, I, I, I can say that, you know, and you're right. Multifactor authentication is really important if you're trying to secure your customers to protect your customers. But the composition of multifactor authentication is also important. So we have to understand which factor can help us cover what kind of risks. When we say multi multifactor, that means two or three factors or even more factors than that.
But then we have to choose those factors very wisely to make sure that they cover more secure risks that are being presented to our organization or the customers as part of compromise of those credentials. So, you know, when you say passwordless, passwordless not essentially means that it's always biometrics, right. We can have one or two different kind of biometric modes combined with certain other factors to create a multifactor authentication. So even until I would say that, you know, yeah, the composition of multifactor is really important for us as well, to protect the customers.
Yeah.
Sometimes joking that credit card companies believe that having a number on the front and the number on the back of a credit card makes multifactor authentication, not really is true. So yes, and I, I would fully agree. It's it's about understanding which factors to use when, which I think leads us to the topic of adaptive authentication as well, because, so, so my definition of adaptive authentication, which, because I'm the boss, is the definition of KuppingerCole for adaptive authentication is, is that is really about two aspects of adaptiveness.
The one is support, be adaptive regarding the authenticators. So it support variety of virtually all different types of authenticators. The other is be adaptive regarding the risk or the level of authentication. So you have a risk of interaction transaction, and you have the context risk and other risks, and you need to balance that. And this is my, my perspective. And I think that would be logically the next thing then if you say, follow what all animals at, you're an adaptive authentication, aren't you?
Yeah. Yeah.
I would say, you know, if you have to look at, you need to look at the different risk levels and what, what you're trying to protect, you know, a bad example is of multifactor authentication. There's a financial service provider that thought they got, you know, MFA by requiring a password and then knowledge based authentication. That's just a bad idea. That's not multifactor authentication.
So I mean, it depends on what you're trying to protect then, you know, I think there are policies that you need to put in place that would say, you know, for this type of transaction, you need this level of identity assurance and authentication assurance. And I think it's important to sort of distinguish between the two, you know, identity versus authentication assurance and make sure that you map those appropriately.
Because like we hear quite often, you know, people don't want any more friction in their transactions than necessary, but at the same time, at the same time, I think users do want, let's say, if you're gonna make a high value transaction, you probably feel better if you're getting some sort of popup or step up authentication before you try to transfer 10,000 euros.
I do think there's some value in the ritual. Yeah.
And so when we talk about adaptive offering the credential that you prevent present to the user first, or eventually, if you vary that very much, you get to problem of user confusion, right? It can be in some sense better to simply say the strongest thing you need is the thing I'm gonna get in the habit of challenging you for so that you get that ritual trained, as opposed to, I'm gonna surprise you every time you log in with a different experience.
There's more to authentication than just the, the ritual too.
I mean, I think that you have to look at environmental factors and that's another thing that I believe you were hinting at with adaptive authentication, collecting information about the authentication event itself. Where's the person, are they coming from a known and trusted device? What do you know about that device? Does this fit with the user behavioral pattern? Those kinds of things could be, be done sort of silently in the background as well.
And in fact, actually there, there are 2, 2, 2 sides of context.
The one is the risk side of context, which, which means, okay, this device has been five minutes ago in China right now, it's in Russia. And then it's moving to Germany within a few minutes, then it's a little bit scary. So there's the risk side of things. And there's the sort of security side of context, which means what you said.
Yes, we have a device that we know, device that is healthy, et cetera. So, and, and I think that that helps them because when we look at multifactor authentication and also just zero trust notion, then probably this is where, where these things start to come together. Because it's, it's saying we need, we use more information to make things more secure. I think the other buzzword we have, so we have two other buzzwords in here, which are one tire already touched, which is zero trust. And the other is machine learning. So what is the blade of machine learning that materials?
I remember you had have some AI history. So do you wanna start here?
Yeah, maybe. So one idea really is that the, the number of attacks is always growing and to follow up on what is actually happening inside an organization inside the systems during authentication and authorization processes is getting more and more complex just because of the vast amount of data that is amounting. So to analyze that some more or less intelligent measures need to be taken. Often, it's just pattern detection.
And just trying to find the, the, the outliers within that, but more and more, there are offerings companies services that, that really apply deep learning machine learning to these events that happen and that they can at least identify these as, as suspects of, of potential breaches and then hand over this information to an admin who can react at, in an assistant manner and in an informed manner. And in an ideal world, this could even lead to automated responses if possible, and if viable.
And I think a very good use case where I see machine learning can help in the authentication process is really about as we talk step up, you know, so step up can be from different ways. And, you know, there are different types of factors that you can use to step up assurance at the time of you authentication process. So if you have accurate or, you know, more appropriate machine learning in place, then you can find out which step up mechanism is more effective at that point in time technical security or the, the risk in the consideration.
So we can actually choose on the type of step-up authentication based on machine learning, which is most effective based on previous usage patterns. That's one. And I think the other scenario where machine learning can really help in authentication is when we talk about continuous authentication, we talked about, you know, highest transactions. So how can continuous authentication can actually help you secure highest transactions to provide assurance for the user session throughout the, across the session, not just the time of establishing the session.
So machine learning can actually help you to consider, or I would say carry on the whole assurance throughout the session for highest transactions as well.
I think machine learning has a lot of broad applications, you know, as we look at the advantage of studying user behavior, it doesn't need to just be in the moment, right?
We can look at that as a session risk assessment and look at doing, for example, per factor, step-up auth, continuous authentication, but we can also use it to do things like set up our policies and our governance in an organization based around what we're observing in the organization. And so, you know, if I were to sort of say, you know, good tower two would be constrained, constrained actions.
One of the things that we see a lot in our environments is people who leave, for example, a service account open that doesn't have MFA because it's more difficult to MFA a service account, but that same service account has rights to go to any file share in the organization and download files, right?
So that's, that's a lack of constraint and that can be done from a governance perspective manually, but that's very difficult if we start to think about applying machine learning to look at what do the logs tell us about what's normal in the organization, and then start building those constraints around that as another valuable use of the technology.
So, so when, when I look at this machine learning thing, I think we, we all learned over the last couple of years, that machine learning requires large amount of amounts of data.
We translate to, I think, to the question of which part of machine learning can be done well by internal data. I think that last example is something which basically is based on, on your internal data while authentication, when we look at new threats, new types of attacks, probably benefits from, from external data. So what is your experience or what is your suggestion also on balancing these and, and integrating these different types of, of data for, for machine learning and the context we are talking about?
I I'll try to answer it sort of simply. I think that unsurprisingly attacks, which are moving against multiple tenants often benefit from machine learning that studies multiple tenants and attacks that are constrained to a single tenant, you know, can do okay with less data. But I think that what we're looking for, that where we can benefit from having a multi-tenant view, even in a single tenant algorithm, is that we can train up that algorithm's efficiency. Very often the attack patterns are similar from tenant to tenant.
So that's a place where we can still get good detection in that, in that world. And the other thing that we can do is we can see patterns between markets and in and sectors. So for example, someone in healthcare may have similar roles and responsibilities to someone else in healthcare. And so the training can benefit a little bit from comparison, but usually even if you have a medium sized organization with a lot of people doing a lot of activity, you're generating an awful lot of data. Anybody who's in the business of storing and managing logs,
and especially in the face of GDPR, understands how much data they're generating, and it can be a lot of valuable training data. So it certainly can be valuable to do something that's on a per tenant basis.
Okay. Zero trust, the buzzword we only touched lightly so far. I think it's a paradigm we, we see currently a lot or frequently discussed being sort of the paradigm. A lot of organizations are following. Is it really zero trust or is it more a distributed trust thing, Trump?
Well, it can be kind of confusing because we talk about trust and trust frameworks, and then we talk about zero trust. So I think it means we need to define what we mean by zero trust. And it's kind of a hypothetical ideal situation when you're, maybe let's take authentication as an example, you know, to require authentication or authorization for any and every user on the network device or application that they're going to. I think zero trust, we often get a little too wrapped up just in the network side of things. It's more than network segmentation or, you know, VPN modernization.
It's about combining the different environmental factors around users, network applications in the associated devices and, and treating them as if they're untrusted until they, you know, pass the gate.
But if you look at it at the, that you're trusting somebody, who's providing the identity information, the author authentication information, that is actually something that you have to rely on. Otherwise you don't have the, the valid authentication and authorization processes.
So there needs to be trust, at least trust in the IDP, at least trust in the, in the quality of the information that you use for, for context information. So there is some trust in there, but of course the basis is, first of all, you don't trust the network that you're in. You don't trust the environment you budget that you're in, but without a basis that you can build upon, there could not be any communication at
Time.
And, and it's you not only trust whatever the username password, you need more and you verify. And I think that that's where another thing comes in, which is continuous authentication.
Yeah.
And I, I think, I think that's from a zero trust model. I think that's something which we have been talking about a lot and eventually, you know, the whole ecosystem will arrive to what we call as, you know, a, a, a trust circles.
So, I mean, and it has been a concept for, for a long time. You know, we create those trust circles. We know what IDPs, for example, to trust more than, you know, the others. We know exactly what entities we trust more than others, right? So it's about creation of trust circles and putting the right amount of trust in each of those circles. And then there's a concept of what we call is delegative trust. And there's a concept of transitive trust when you call about delegative trust.
Like, you know, I trust, I mean, I want you to trust him, right? And the transitive trust is that, you know, I trust you and you trust him. And that means I trust you. So it's about, you know, the different models that we are trying to create as part of the whole trust circles.
And, you know, so I'm just saying that zero trust approach is obviously appropriate, but even it will result into some models which create trust circles for us, which are appropriate for our risk levels.
I think for zero trust where it comes from, I think is the, the old model of, I simply set up a network boundary. And I assume that what's in that boundary is safe. And we talked about how service accounts having access to file shares is a great example of where that breaks down.
You know, so zero trust in my mind is about creating micro segments that are based on more than just network, but network time, user role, you know, everything I can learn. And one thing that I think would benefit from being said is that triangulation is super valuable. So algorithms that might be network based may fail you or be at low precision level and algorithms, which are say credential based may also be at low precision level.
But when you start to intersect those things together, you start to get to a fairly precise view of what the user is doing and whether that's a legitimate thing to allow. So that's where I think another benefit of zero trust is, is just looking at multiple data signals and interpreting them.
And we have the advantage to data.
We can, we have more data available and we can process far more data than ever before, right? Which allows us to do these things we weren't able to do quite a while ago.
So, and we are able to do it close to real time, which is essential for protection in that space. So we're pretty close towards the end of our panel. So maybe let me quickly, quickly sum up. So there's not the one single thing you can do to protect your employees, your customers, from falling to hackers.
There's a starting point, which is MFA. We definitely should do MFA today and not just dumb username password. Unfortunately, when I registered to websites, I would say it's still ninety-plus percent, which is just username, password or something.
I don't like to use like a Facebook login. Anyway, I don't have a Facebook account, so I can't use it, but it's not enough. So it's really about combining it with the zero trust thinking, which is really bringing together a lot of elements in your trust circle and with AI slash ML to do it better. I think that probably sums it up, hopefully quite well. Everyone is nodding that's positive. So I hope that brought some information to you at the end of this day, right now it's time for the evening events. We have two events starting at 8:00 PM.
One is in the hush island, that's that direction over, but there should be signs around, which is the Bavarian style event. And then there's the Women in Identity event, the EIC cafe at the first floor. So thank you very much for attending our keynotes. Thank you very much for listening to all these various speeches. Enjoy the evening. See you tomorrow morning, ideally at 7:00 AM for the EIC run. I think it's at 7:00 AM. Otherwise. I think the keynote started. Let me look it up. Eight 30 already. So seven o'clock EIC run eight 30, the first keynotes again here. See you tomorrow. Thank you.
Thanks.