A comprehensive and fully functioning identity program is an ever evolving mission. From creating security awareness that sticks with employees, getting executive buy-in, and assembling the right team, there’s a lot to do – and then deciding the correct mix of services and solutions that are required for the identity program can be quite the task. One thing is certain – security should not compromise user experience. If there is too much friction in the mix, users will avoid best practice. In this keynote, Gerald will look at some of the challenges as they exist today, some of the solutions that will help into the future, and what mix of solutions can help you deliver an effective identity program that is both robust and flexible.
The onslaught of account takeover attacks from insecure passwords is driving the rapid adoption of passwordless solutions. While the risk reduction benefits are substantial, eliminating passwords is just the first step on the path to fundamentally strong authentication. In the “new normal” era of work from anywhere, and rapidly increasing cloud adoption, organizations are moving to a new risk-based authentication model. Advanced organizations are validating users, their devices, and inspecting the security posture of the device for each login. Strong and continuous authentication is a fundamental building block of Zero Trust. Learn how you can make it happen without making the user experience miserable.
Discussion topics include:
Takeaways:
Logging in is such a common process, it’s easy to take for granted. However, that entry point to your application or service is also when organizations become responsible for the user’s digital identity. And with the increase in innovation, and use of technology to deliver products and services, there is an explosion in the number of sources from which users can gain access. Overlaying all of that is the constant evolution of the threat landscape and regulations that inevitably follow.
Tech leaders who want to grow their position in the market must balance two goals: delivering security and customer experience.
Join Auth0 as we discuss, and provide some insights on how to utilize a strategic approach to digital identities, that has helped customers such as Siemens, HolidayCheck, and EnBW to:
The challenge is to offer user-friendly login procedures via social media accounts, passwords or biometric devices while securing and respecting personal data at the same time. This combination must be taken seriously to provide a smooth Customer Experience (CX) and to guarantee that every consumer can control access to their personal information. Join this panel to hear best-practice advice from experts in the field.
Cyber attackers continue to be successful in gaining access to many different organizations, often by exploiting identities and weak authentication. To ensure they are protected, organizations should consider modern Adaptive Authentication techniques to increase identity security and thwart attacks.
In the digitalized world, passwords are not sufficient anymore to protect digital logins and transactions. What’s even worse: in 81 percent of all cases, they are the main reason for a hack. Once a password is stolen, it opens the doors to fraudulent use and data theft. Furthermore, since most consumers link their online accounts at Amazon, eBay or Twitter to their Facebook or Google account, attackers only have to hack one password in order to gain access to the entire range of applications. This also enables them to easily compromise the complete digital identity of a user. All these examples show that passwords are outdated. Using them alone to protect digital identities is not only careless but very harmful. However, there is a remedy which is reliable and widely available today: two- or multi-factor authentication (2FA/MFA). Providers of online portals and services can offer their users a broad range of easy-to-use tokens which relieve consumers of the burden of remembering another password – from push tokens that only have to be confirmed by tapping the “OK” field on the smartphone’s touchscreen to scanning a QR code with the smartphone’s camera. In his presentation, Dr. Amir Alsbih explains the latest challenges and solutions in the protection of digital identities and illustrates how consumers can benefit from new MFA technologies.
Nowadays, Identity and Access Management (IAM) is undeniably the first line of defense for organizations worldwide. It enables employees to securely access applications while enhancing control and transparency. But IAM is also changing. It is already more than just the traditional employee IAM. Digital business requires advanced identity services, well beyond the human identities.
The segregation between various dimensions of IAM is blurring. IAM today treads the line between providing security and acting as a business enabler. It has left behind the notion of being "just IT" and turned into a necessity for implementing security and policy and a facilitator of modern business models. But how can security leaders turn the challenges, both legacy and new, into opportunities to mitigate risk and add value to the business? And all this in a way that will elevate the position, and change the perception, of security at the same time?
Join security experts from KuppingerCole Analysts and Beyond Identity as they discuss the challenges of first-generation MFA and how to reduce friction while increasing security and improving the user experience by implementing passwordless authentication within a Zero Trust security framework.
Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will present a matrix that helps organizations to prioritize their Zero Trust efforts, mapped to the key building blocks of a comprehensive Zero Trust strategy.
Patrick McBride, Chief Marketing Officer at Beyond Identity, will explain how organizations can eliminate passwords and friction within a Zero Trust framework. He will also provide an overview of Beyond Identity’s Zero Trust Authentication solution.
I'm the chief information security officer for LogMeIn, makers of LastPass. And like Martin said, we really want to start out right away with a poll. I think. Do we get the poll? Here you go. So what is more important to your business? Is it the user experience for your end users? Is it the security that the identity systems provide, or is it more complicated?
And in this presentation, we want to walk you through some of the rationalization that we have been making about where the emphasis should be, where we want to go, and why data-driven analytics and why metrics are so important in order to make this a successful kind of event. This is the first time LogMeIn is at the EIC. We're really happy to be here. It's my first EIC as well.
Although I've been in the community for many, many years, I'm glad to see a lot of new faces here and really excited to see how we can now really engage with LastPass and with our identity offerings in this environment. I don't know, do we have some results from the poll yet? It takes a little bit of time. All right. So while we go through those polls, I do want to walk you a little bit down memory lane.
So, oh, here we go. Fantastic.
So like we expected, it's complicated, and I think I'm really glad to see that the vast majority of people here share this kind of overall assessment. User experience is really important. And I agree with you, Martin, that that is one of the most important factors and one of the best innovations we've seen over the last years. Security is also really still important.
But at the same time, the balance between the two, making sure that you have a good security environment that is user-friendly and delightful for the end user to essentially interact with, is a critical key, and how that really can be measured up against each other is something that we've been starting to look at. So as I go through this presentation, let me first start out down memory lane a little bit: where do we start with access management? In the past, we had big systems. Passwords were invented at MIT in 1961.
CTSS, the time-sharing system, is credited with having developed the first password environment, not too surprisingly. That was in 1961, 1962. We had the first password breach at CTSS for the same reasons why we have password breaches today: financial gain, free access to computers. But overall security was pretty good. We had everything under control. It was a high-friction environment, though. People didn't like this necessarily. They tried to get around it. Today we're in a much better position.
Our user experience authenticating to our phones through biometric means, our ability to move around and have some form of blended access across the board, is something that makes it a lot easier, but security has not necessarily been benefiting from that. What we feel is that in the future, by using good metrics and a good understanding about how users are actually interacting with the systems we provide them, we can almost deliver a frictionless environment.
We can use location-based data and other things for risk-based access decisions and really improve the overall experience as well as the security across the board. So a quick thought about what metrics are, what kind of metrics are we looking at? I can't really manage anything as a CISO that I cannot measure. So what's important to me is I need to define KPIs, key performance indicators. I need to define KRIs, key risk indicators, in order to really be able to understand how my users are actually interacting with the identity systems or security systems in general that we have.
And in an ideal world, those kinds of KPIs and KRIs are actually fed by real metrics, metrics that I can get out of my systems that really tell me about how the overall system is being used. In the case of user experience, that's not always easy. How do you measure user experience? How do you define a key performance indicator for user experience?
Generally, what we see is that user experience looks roughly like this. We have a really nicely designed kind of path. We do understand how users want to use that, but since we don't really measure this up front or on an ongoing basis, what happens all too often is that the users really figure out how to get around those kinds of systems. That's not really desirable. That is great user experience, but not necessarily greater security.
What we really want to do is improve on this through a better understanding of how systems are being used, how they can be optimized, and how we can overall better understand where we are. For the user itself, it's really important to just get the job done. They don't really want to think about: do I need a dongle? Do I need a password? Do I need biometrics? They want to get the job done as much as possible.
So their main question is really how hard can it be to define, to create a system that ultimately provides a decent environment but also keeps things safe enough. They have to deal today with all kinds of systems and all kinds of things that have been making their life easier and also have been making it more secure. This includes all kinds of multifactor authentication systems. We use passwords, we use dongles, keys, devices, we're using now biometrics in order to be able to truly... oops, here we go. That was the slide I was talking about. We use multifactor tokens.
We use keys, devices, biometrics in order to ease this overall. But at the same time, we also still go back to the password. Reality is, as much as we would like to get rid of the password today, it is still there. And that is an environment that still needs to be measured in meaningful ways. Measuring password security is not really easy because most of the time it's a secret. It's a shared secret, but it's a secret that should not really be disclosed. So how do you measure password security?
You can implement policies on systems and you can enforce those, but at the same time, there are so many ways to beat those kinds of policy systems. If you look around often enough, passwords start with a capital letter, they end on an exclamation mark, and the second-to-last character is a number that goes up by one every single time you have to change the password.
It's like, sorry, it's just reality. So how can you really measure this? And how can you really get a little bit more clarity? What we've done with enterprise password management, what we really understand really well from a LogMeIn and LastPass perspective, is to define a security score.
Security scores can really help us bring clarity to what kind of passwords, what kind of metrics can be applied in order to better understand how users are interacting with the systems and using passwords, both in those environments where we can enforce policies as well as in those environments where we cannot. So what do we use? We look at duplicate passwords, we look at weak passwords. Are they long enough? Are they complex enough? We look at shared passwords.
So if you share a password like a Netflix account with your family or a Twitter account with a marketing department, often enough these passwords are actually very weak because you do want to share this with other people, and having a strong password around that is obviously important as well. The overall average strength of all the passwords that a particular user has is critical in this. We do want to look at the vulnerable sites where users have been using passwords in the past and make them aware that something really needs to change.
And then finally, we do want to better understand how MFA tokens are being used across the board. How can you do this?
Those are a lot of different things that you really want to understand. Sometimes you can enforce them through password policies on the system, and sometimes you cannot. Sometimes you will always have a very hard time looking at duplicate passwords because one shared secret with one system should not really be shared with another system. So the concept of enterprise password management in this environment then really goes back into making sure that you have a shared environment on the user device, very, very user-centric, that allows them to store their passwords.
Use very strong passwords and different ones at every site. But at the same time, not share this with a company or with a provider like us.
What it does allow us to do is compute on those devices, on the mobile phone for the user, on the laptop for the user. It allows us to compute these kinds of factors into a security score across the board, and then ultimately make this visible through an admin dashboard to the end user. This is kind of cool, because at the end of the day, now, as a CISO, if I roll this out, I can see how many users are using this. How many users are using duplicate passwords?
How many users are using passwords that have been disclosed in the Adobe breach, in the LinkedIn breach, or what have you, and then really start to better understand what the overall password hygiene of my users actually looks like, not only in systems that implement SSO, not only in other kinds of approaches for identity, but also in all those kinds of legacy systems that we still have to deal with today. And we'll probably deal with for a long time.
So what that ultimately means is that, going back to our metrics, we can really focus on defining KPIs and KRIs based on actual data that is available. So for this environment, we have these kinds of security scores. We have an understanding about how many users are actively using the environment. So they have a good user experience across the board.
And we can define a KRI like the risk of a credential theft that will ultimately help you to understand where you stand from a risk perspective and communicate that out to senior leadership, communicate that out to your respective boards and the stockholders at large. You can define KPIs that really measure now the overall user access posture across the board, based on your understanding of how your users are actually interacting with systems, both within the environment, both within your federations, as well as on the outside, things that you did not have control over before.
And I think this kind of understanding, this kind of in-depth ability to report on how your overall risk posture is with regards to the passwords or the access that you have across your environment is critically important. For example, I'm in Europe, so I have to talk about GDPR, I guess. So Article 32, as we all know, requires an adequate amount of technical and organizational measures. This really helps in this kind of environment.
If you can really go in and demonstrate to a regulator that you have done the right things around password management, that you are looking at the overall scores and are trying to influence them through security awareness training and other efforts to reach out to your users, it really helps you to demonstrate your due diligence with regards to the overall security of the data that you're processing for your customers and end users. So all of that is super interesting. All of that really helps.
I think our users and folks in general, but what this really comes down to now is, how do you engage this? How do you really measure this across the board? It's good to know that your average password score is maybe 48 or maybe it is 64, but how do you really measure up against your peers, against your partners, competitors, whatever, on a worldwide basis, in your industry, in your sector? What we started doing in 2018 is to create the Global Password Security Report. This is a report that we compiled based on the 47,000 customers that we have on the enterprise side.
We aggregated all the information across how users have been using passwords in this environment. We looked at how this distributes across different industry sectors, different geographies, different sizes of companies, and published this in this report. It is going to be something that we want to do going forward on a yearly basis around Cybersecurity Awareness Month in October, to really help our customers, but also people in general, understand where we are from a password posture on a worldwide basis.
Some interesting reads; there are super interesting things that I did not necessarily expect. We found, for example, that smaller companies tend to have better password hygiene than larger companies. We also found that the geographic distribution or even industry sector really doesn't matter that much.
The psychology about changing passwords or managing passwords seems to be really much more of a human thing versus an industry thing, despite regulations, despite all kinds of other enforcements across the board. So where does that leave us?
We really understand now where we are. We understand how things are going.
We look at the overall future landscape of where we want to be. Security and productivity, user experience are really at the center of it. Obviously we feel that enterprise password management is important, but we really also want to start now looking, also with the help of folks here in this room and at this conference, at the broader picture, and that does include privileged access management. It does include MFA. It does include SSO. And it does also obviously include enterprise password management for us.
This really results in a unique blend for the security process that you want to define for your company. Obviously the risk appetite can be very different across organizations. If you're a startup and you really want to innovate fast, you want to grow fast, you are willing to take a larger risk doing that. So doing that in a very conscious way, by understanding how access actually works for you, is very helpful because it puts clarity and transparency around how this environment ultimately works.
So what do we come up with with regards to recommendations? These are generally ideas that we really want to put at people's heart.
And then also start to reach out to industry in order to go across. Know your IAM strategy and your business goals. Like I said, you really want to be able to understand and measure where you are from an identity posture, from a password hygiene posture, for example, and then really align this with your business goals.
If you're in a mature industry, a highly regulated industry, your risk appetite is likely a lot lower versus the prototypical startup that really goes in and wants to innovate fast and maybe is a little bit looser around the edges in order to support those kinds of goals. This may lead ultimately to refining your security program within your organization. Those kinds of decisions, if they are being made very consciously, can really help rationalize things and make it much more straightforward for your leadership, for your board, for your investors, to understand what's going on.
There is really no single solution across the board. You have to leverage partnerships. For us, this means reaching out to our partners in the industry with regards to multifactor, single sign-on, with regards to how we want to deal with the different ways of people accessing our environments or our customers' environments. And for a company, it really means to build an overall IAM strategy that has all the necessary building blocks, whether it's PAM, SSO, multifactor, et cetera, and also enterprise password management, in order to support your goals.
Finally, you really want to minimize the user experience impact across the board of the security controls that you have, like we've shown on this little picture up front. If you design great security systems without people in mind, you end up in a situation where your users will always find ways around that. Measuring the ability of users, or willingness of users, to go around your controls, then measuring the effectiveness of the controls and how you roll them out, is really helpful.
And that is where again we go in and say that key risk indicators, key performance indicators driven by actual metrics across the board are extremely helpful to drive this through. So with this, I kind of want to close on time. I just would like to encourage you to stop by at the LastPass booth. We're just outside. We do have a little game. You can crack our vault. You can try to get into that vault and win a prize.
Stop by, say hi, we can walk you a little bit deeper through how the admin dashboards and the enterprise policy enforcement within the password manager work and how that can ultimately help you across the board to drive better password hygiene in your environments. Thanks a lot. So thank you very much. Got trust out of your is standard password, which is commonly used across the world. Okay. So this is actually this code. I think I'm not giving away too much. It's a very secure, important date in security history. Okay. That's the hint.
So if you have a good thing in mind, it's not May 25th, 1920. I thought it might be 12345, as all the passwords are. You can try. Absolutely. Again.
Thank you, buddy. So thank you very much. Thanks a lot again. Thank you. And I.
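The keynote describes a per-user security score computed on the user's own device from duplicate, weak and shared passwords, the average password strength, logins at sites known to have been breached, and MFA coverage, so that an admin dashboard can report password hygiene without the vendor ever holding the passwords. The following is an added example written for this page, not LastPass's or LogMeIn's code: the strength estimate, the weak-password threshold, the scoring weights, the `BREACHED_SITES` list and the sample vault are all constructed assumptions chosen to illustrate the factors named in the talk. Duplicate detection compares SHA-256 digests rather than plaintext so the same check could run locally on a device and only the resulting score leaves it.

```python
"""
Added example: a local password-hygiene security score over a vault.
Weights, thresholds and sample data are assumptions for illustration,
not the product's actual algorithm.
"""
import hashlib
import math
import string
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed breach list for this example only; a real deployment would
# consult a maintained breach feed.
BREACHED_SITES = {"example-breached.test"}

WEAK_THRESHOLD = 40.0  # assumed: entropy estimate (bits) below this counts as weak


@dataclass
class VaultEntry:
    site: str
    password: str
    shared: bool = False       # credential is shared with other people
    mfa_enabled: bool = False  # a second factor protects this login


def password_strength(pw: str) -> float:
    """Rough entropy estimate in bits, capped at 100, from length and charset."""
    if not pw:
        return 0.0
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 symbols
    if pool == 0:
        return 0.0
    bits = len(pw) * math.log2(pool)
    # Penalise the "Capital...digit!" pattern the talk describes as common.
    if len(pw) >= 3 and pw[0].isupper() and pw[-1] in "!?" and pw[-2].isdigit():
        bits -= 10.0
    return max(0.0, min(100.0, bits))


def _digest(pw: str) -> str:
    # Compare hashes, not plaintext, so the reuse check can run on the
    # device without writing passwords to a central store.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def hygiene_report(entries: List[VaultEntry]) -> Dict[str, object]:
    """Compute the factors from the talk and fold them into a 0..100 score."""
    if not entries:
        raise ValueError("empty vault")
    n = len(entries)
    strengths = [password_strength(e.password) for e in entries]
    digest_counts = Counter(_digest(e.password) for e in entries)

    duplicate = [e.site for e in entries if digest_counts[_digest(e.password)] > 1]
    weak = [e.site for e, s in zip(entries, strengths) if s < WEAK_THRESHOLD]
    shared_weak = [e.site for e, s in zip(entries, strengths)
                   if e.shared and s < WEAK_THRESHOLD]
    breached = [e.site for e in entries if e.site in BREACHED_SITES]
    avg_strength = sum(strengths) / n
    mfa_coverage = sum(1 for e in entries if e.mfa_enabled) / n

    # Assumed weights: strength dominates, then uniqueness, weakness and MFA
    # coverage; each breached or shared-weak credential costs a flat penalty.
    score = (0.5 * avg_strength
             + 0.2 * 100 * (1 - len(duplicate) / n)
             + 0.15 * 100 * (1 - len(weak) / n)
             + 0.15 * 100 * mfa_coverage
             - 10 * len(breached)
             - 5 * len(shared_weak))
    return {
        "score": round(max(0.0, min(100.0, score)), 1),
        "average_strength": round(avg_strength, 1),
        "duplicate": duplicate,
        "weak": weak,
        "shared_weak": shared_weak,
        "breached": breached,
        "mfa_coverage": round(mfa_coverage, 2),
    }


# Constructed sample vault (no real credentials).
SAMPLE_VAULT = [
    VaultEntry("mail.test", "Summer2023!", mfa_enabled=True),
    VaultEntry("bank.test", "Summer2023!", mfa_enabled=True),        # reused password
    VaultEntry("netflix.test", "family", shared=True),               # shared and weak
    VaultEntry("example-breached.test", "correct horse battery staple"),  # breached site
]

if __name__ == "__main__":
    for key, value in hygiene_report(SAMPLE_VAULT).items():
        print(f"{key}: {value}")
```

Running the block prints the report for the constructed vault; the two reused "Summer2023!" entries are flagged as duplicates, the shared "family" password as weak, and the breached site by name, which is the kind of per-factor breakdown the talk says the admin dashboard surfaces. In a deployment, only the aggregated score and counts would be sent to the dashboard, never the digests or passwords.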