Operational concepts with the WALLIX tiering model

Thank you so much. So applause please afterwards.

Okay, so in the next 20 minutes we are talking about more and operational model. We are talking about access management, so meaning the interaction between any user, human and machine and any digital device either in the IT or in the OT space. So what we are going to consider is quickly what is the typical business case?

Yes, we are talking about cybersecurity, we are also talking about regulations, frameworks like compliance and risk management. And just coming from the recent situation, the current cyber defense, the risks of cyber attacks have been indeed grown. You see in all of the press notifications. And this clearly means that the traditional cybersecurity technologies are not enough. And today we are going to show you what exactly if you can control your accesses, what does it mean for your compliance and risk management on an operational point of view.

So for sure it concerns especially those industries who have been regulated like tacs or even like the new Nitish two regulation where we have a quick word on. So what does it means? It is clearly to say more or more and more the demand for European technologies are coming because there is no backdoor, no way to call home, even zero trust architectures are requested, zero trust means nothing else than the principle of the least standing privilege and for sure the transparency and the control. And then for sure you have the different frameworks of compliance.

And finally you have the cyber endurances. And maybe one point we are currently cooperating with a big endurance starting with an A ending within Z. And with those we are currently also working on their cybersecurity profiles to make it easier for customers to get a cybersecurity. As of today, without an access management technology, you have no chance to get a cybersecurity these days. Okay? So for sure we are going to protect identities, the access credentials itself. So for sure the digital assets and especially the interaction in a session between a user and a digital target.

And one of the main solutions which is really affecting a lot of controls in a cybersecurity framework like the ISO 27 0 1 like like the N two, we have a significant impact on the security, on the compliance and with automation we are also able to do a lot of cost reduction based on the operational efforts. And this is just a scenario we can work on several different scenarios.

But if you would really consequently follow the requirement of the ISO 27 0 1 from appendix A five to appendix A 18, if you really would do it without such a technology, your effort is far higher than with a technology like pump where you can do a lot of automation. And this is what we mean also with the operational model. So to summarize the compliance approach more or less is really to say that most of these common and well-known compliances and with the NIST two I will spend the word afterwards, all of them have one in common.

This is the protection and the control of the axis between critical information or high risk systems. So at the end what we want to say, we have several impacts if you are not following compliance. So at least there is one good point we can map the different risk classes we are talking about a bit later on such a risk assessment matrix and even one comment based on the NS two regulation, this will be far stricter than with the regulations before. So when there is an incident after 24 hours, you have to do your first warning.

After 72 hours you have to present a full report and after one month you have a full detailed report with all details of the cybersecurity incident. Also there are new penalties between 1.4 and 2% of the net income of a customer, their annual turnover.

Alright, so this is an example of different really relevant controls of the ISO 27 0 0 1, ISO 27 0 0 1. Yes. So here you see the different controls where you can find it. We all have it for you if you want to have details just come over to our booth. But at the end, if you do not have the option to automate a few of these requirements could take a lot of time, especially on the operational, on the ongoing activities.

And with such a technology as I have shown before in this cost diagram with such a technology you can significantly reduce the operational efforts because you can do a lot of automation and if you would like to see some further details, a demo, whatever, please come to our booth and we can show it to you in detail. So at the end, what can you expect? We are talking about access, we are talking about the interaction between any user and any machine. And this is what we need to control.

So for sure to start with, you always need some kind of an authorization model, a very clear description of the user roles, of the user profiles, even in a functional or organizational structure that you have a very clear understanding what a user is generally allowed to. And I can clearly say to you, if you don't do that, designing also the role medals, every access management project will fail or will become at the end far too expensive. There are real good best practices.

So this is not rocket science, we can really help you, but this is absolutely key that you have a good understanding of your authorization that should be apply in your organization. The second point, this is an optional point, but this is free from you, from us to you. And this is what we especially developed in the German in the dark market.

This is the operational concept, meaning that based on the risk assessment of your target of the machine the user wants to interact with, to to patch it, to modify some software, whatever, managing a full production plant, there is a risk classification. And based on this risk classification we can apply rules for the access. You will see some examples and I think this is then very clear. So what we are doing for sure if you have done this pre-work, what we are doing is the identification of the user through technologies like MFA, then we are doing the authorization.

So to which systems this user profile, this user group is allowed to have access to if approval processes are needed, typically for external users we can apply approval process. We would then do the full automated credential injection. So single sign on for the user site also meaning that the user does not know any access credentials for critical targets anymore. And here you can do a full machine generated password management with password rotation, password strengths and so on. And finally we are providing you a full and audible auditable session control.

So meaning you have the full transparency what happens in your infrastructure and you have a full information on every usage. And this is what we then have as auditability or traceability, which you can show to an auditor but also for your internal usage, even for root cause analysis, you can at least also save a lot of effort for root cause analysis.

And finally you have the ability for identity and access governance, meaning that there is a permanent control and certification and re-certification of the authorization of the accesses and even the plausibility of the policies you have applied in such a system. And this can be fully automated and that means as some examples you are onboarding a new company you are dealing with, you are onboarding a new user, any new group, new machines, you have a project, you need to deploy some machines in the cloud, everything is now automated.

You put it in the group and all the authorizations, the accesses will directly given there. There, there is a high, high level grade of automation if you really have done this work before together with us or with your system integrator. So what does it mean you are able to use a full organizational and functional tree model where you have your organization in this example you have the organizational location of Munich, you can have several more, you have IT and OT and then you have different organizations below for sure. You can make such a digraph even more complex.

This is just for explanation. You always have three main user roles.

The user, an auditor and an approver only responsible for their area. If someone is sitting here for sure he would have the responsibility for everything below. So what we are going to do, we have such a user and this user goes through the pump system and connects with a role to the target. So this is a big difference and you can do a lot of, let's say interactive activities even with autogenerated lock-in scripts, autogenerated lock-in paths. So you can really do a lot with that role at the end we need to control it. So meaning there is the role profile coming from here.

And this is considered also the risk assessment coming from here is considered, and this is let's say defining the authorization. The authorization is the combination of the role profile and the risk classification of the target. And this is defining always on a group level the way you are going to access from a user to a critical target. Full control, full transparent, transparency, fully automated. So what you, what you can, what you can do with that.

In many, many infrastructures you see something like that. You have the grown access structures someone was asking someone got the access granted it was never removed. Even the the person is no longer in the company since a long time. So at least at one point it looks like that you have no control at all. And also keep in mind all the lot of exceptions in the firewalls you give a remote access, which is always an exception on port level, on the perimeter, on the firewall. And this is for sure also an entry point for hackers.

With such a technology you can centralize your accesses through the pump system and you make your firewalls again as a wall without any exceptions and limitations. So this would also help you to bring you from this grown access, a real structured and channel access again. And here we will help you with our tiering model. So what we just discussed, there are some points you have to do in advance your organizational measures.

Yes, these are the GPOs meaning which protocols allowed, which access paths are allowed. This is something the majority of the companies already have. The access policies is what I meant. This is the definition. The definition of the roles and the clear definition. Who is allowed to do what, access to which systems and which systems not. And for sure if you can do the risk classification on the target systems, we can then have also the policies based on these, let's say templates we will provide to you. They are based on the German BSI, the IT chu. This is the standard 200 dash three.

So no worries, this is all what you can get for free from us. There is no way to pay. But this is a template you can use for a real fast project installation of the technology at the end, the technical measures, authentication policies, session policies and passport policies will be then measured and enforced based on the policies designed here in this risk class model. For sure. These are templates. You can do your own thing but you will get at the beginning something what the BSI requests.

The policies are all the same, but they have different different parameters based on the risk assessment. And this is an example you see here, the authentication Pro policies meaning in a risk mill system, in a very high risk system you always have to identify with MFA. If there is an approval process, at least you need a four ice approval principle session must be recorded with video. And also the media data file transfer is not possible. Even system services are really sever restricted. Also the remote connections are not allowed.

Passwords have to be rotated every two hours, 16 characters encrypted with four mbit. This is something what you can instantly implement on these systems which are classified as risk zero. And you see also that the regulations are here far less strict in the lower risk classes. So at the end it's a recommendation of the German BSI. But you can do your own templates, you can change, you can adjust, adjust it based on your own needs, but you will get the principle. And with that you have also the chance to use an access management technology. Overall.

You can really use the power of these techno technology very efficiently. So coming back to this risk matrix where you have the damage probability on the x axis and the extent the the the volume of the damage on the Y axis, and this is what we can then hear really easily map with these BSI risk classes. And based on that, if we then agree and say based on these policies, we will only allow the privileged access. So meaning the access for users with extended rights they have to go to to these policies fully automated through DevOps.

We are using Ansible, but you can do it with other technologies like Kubernetes or Terraform if you want. But if you are doing that, you instantly have your risk matrix under control. And why I'm saying this is more or less about the operational usage, this is indeed because you all get that for free for sure. Maybe you need some consultancy. But all the policies, all the help from the technology point you will get for free from your system integrator. And this is finally how the technology stack is built. You have the identity services platform at the very beginning.

Below that you have the privileged access, the access control, where you have the session management, the password management, also a password vault. We have here also technologies to protect the privileges on your endpoint. Here we are calling EPM endpoint Privilege management, meaning the principle of the least privileges. So the foundation of zero trust. And finally you have with identity and access governance, the regular review certification and recertification of all your policies and configurations. Yes. And that's it.

I see my time is now anyway, over 20 minutes is not very much quickly to say we are a European vendor. We are all noticed here in these nice Analysts, especially in the Gardner leadership Compass. Thanks for that. And with that I'm going to finish my presentation for today. If you want to see any details, we can go to our booth, which is on the other side in the yeah, where all the, the booths are. So you are all welcome. Thank you very much and I wish you a nice afternoon. Thank.