Webinar Recording

Passwords: Dead, but Not Gone



Organizations are looking to eliminate passwords because they are costly and difficult to manage, they result in poor user experiences, and they are easily compromised, enabling 81% of breaches. But despite these efforts, many passwords remain unsecured. These passwords can still be compromised, and must be managed to mitigate the risk.

Hello, everyone. Welcome to our KuppingerCole webinar, Passwords: Dead, but Not Gone. This webinar is supported by Keeper, and the speakers today are Craig Lurey, who is CTO at Keeper Security, and me, Martin Kuppinger; I'm Principal Analyst at KuppingerCole Analysts. Before we start with the content of the webinar, some quick information about upcoming events and some housekeeping information. Then we'll dive directly into the agenda for today. So, starting in three weeks from now, I think, we will have our European Identity and Cloud Conference, which is our flagship event. It's a fully hybrid event, so you can join in Berlin or online. And it's the event around identity and related topics. We have a KC Live event on managing complexity in the cybersecurity space, and we will do our Cybersecurity Leadership Summit, another hybrid event, which will also be in Berlin on site or fully online in November, and which is more cybersecurity focused. Hope to see you at one of these events; it's a great option to meet with you, or you with me, in person. Housekeeping is very simple and very short.
For audio, you don't need to do anything. We have a Q&A session by the end of the webinar. The more questions we have, the more interesting it is. So use the opportunity to raise your questions to Craig and me, and we will try our best to give you good answers. We are recording the webinar, and we also will provide the podcast recording and the slide deck for your download soon after the webinar. Last but not least, we will do two polls during the webinar, and if time allows, we will also have a look at the results of these polls during our Q&A session. And that is the first thing I'd like to do right now: a very quick poll. It is a simple question to answer, a yes/no answer: has your organization suffered an attack that was caused by passwords?
So did you already have a cyber incident due to password-related attacks? So either yes or no. And please participate; the more people provide an answer, the more relevant the results are. So use your opportunity. I'll leave it open for another 10 to 15 seconds, then we can close it. Thank you for participating. With that, let's have a look at the agenda. As we have it in many of our webinars, it's split into three parts. In the first part, I'll talk a little bit about my analyst perspective and my thoughts about this topic; my talk will be about managing passwords: do it right if you can't eliminate them. And I think we all know that this will also be a very important topic of today's webinar. There are many, many passwords we can't easily get rid of. In the second part, Craig will talk about the benefits of strong password management, what this looks like, what to look at, what the criteria are, and how to do this.
And then, as I said, we will have our Q&A session. So that will be the closing part of our webinar today. So let's get started. I'll take some 50 minutes or so and then continue. And I think that there is some sort of a dream, and the dream is we don't need passwords anymore. It would be great; in reality, when I look at all these scenarios where it's about, oh, you do some e-commerce, oh, register, just in daily life, but even in business life, they ask you for a username and password again. For me, for instance, that means I don't register. But also in business, we have so many passwords. We have so many systems where we still need passwords, and dealing with passwords, the sort of dream would be passwords are dead, which is not a new idea. So when I look at it from a reality perspective, this has been discussed for round about two decades now. I just brought up a blog post from Dave Kearns, who was on our team for many, many years, dating back to 2013. And there are even older posts. We discussed this, I think, at our first European Identity Conference back in 2007.
So passwords have been declared dead for quite some time. And there's a good reason: passwords are inherently insecure. So if you have passwords, you always have a security problem. You just can try to manage it better. And this is, I think, the point: passwords are insecure, they're inconvenient, and they keep the help desk occupied with password resets. And yes, there's passwordless authentication, which is gaining momentum, but it is not that we are in a situation where we could stop caring about passwords. So why do we still need to care about passwords? And for the future, probably forever, maybe worst case, at least for a really long, long time. So I'm very convinced that when I retire, there will still be a lot, still too many passwords around. And that is the reality. The reality is more complex. This is not the dream. It's a complex reality to deal with, hard to understand how to manage, but we need to do it, and we need to do it right, because passwords are still alive.
Wherever you look, and just some pictures here: passwords are around in e-commerce, for legacy systems, for applications, for network equipment. And even in passwordless authentication, PINs and passwords are the fallback in many of the so-called passwordless authentication solutions. Even there you have passwords. But when I look at the reality, when I look at just my own devices I have at home in the home office, there are quite a number of usernames and passwords: server passwords for admins, just to do authentication with a standard home router, online banking, wherever there's a second factor and MFA. When you look at common MFA, the password is the second factor. So in many, many more use cases, passwords are around, and passwords will stay here for quite a while. Also in very sensitive use cases, think about server passwords. Think about the passwords for network equipment. This is a very common scenario. So passwords are still the reality. So what can be the solution?
Yes, part of the solution can be to say, hey, I try to get rid of passwords, but be realistic. There are many passwords which will be here, and the solution only can be to have, as I would say again in a minute, a twofold strategy, which is about both. So manage passwords, manage passwords with an appropriate solution, keep them under control and in a safe place, properly encrypted, well managed, with control over the passwords, with automated rotation, with all the other capabilities which you need. Also understand which passwords are at risk, and that is something Craig will surely elaborate on more. If you would go to the dark net and purchase a list of passwords, or if you use just one of these tools which tell you whether your password is exposed or your password for a site is exposed, you surely will find something, because there were so many password breaches in the past.
So we have this first: we need something which helps us to deal with this, to understand what is at risk, to better manage the passwords, to simplify the use of the passwords, to do all these things, because the passwords, even when they are declared dead or at least dying, are reality. They are here to stay for long, and we need to do it as well for a variety of applications, because there are many use cases, as I've shown, for passwords. So make it flexible. At the end, the point is: do both. Have a twofold strategy. Don't just say, okay, at some time they will disappear. They are a risk, and you need to get better and better and better at managing passwords. So keep trying, but act now. Strategically, it is fine to say, if I can avoid passwords, cool, but this will take long.
So think about strategy and long-term tactics. In some way, you could even say this is still, from the timing, it will need to manage passwords. It's also strategic to do both: ensure that your passwords are safe and under control and that they stay safe and under control. So yes, it's both, but you need to protect them and also to increase password convenience, because they are here, and the more convenient, the more security, the better it is to live with the passwords. And I think this is the key message from my end: despite all the hype, despite all the passwords-are-dead stories for the last 15 or 20 years, we need, from a cybersecurity perspective, to get really, really good at doing both. That means we need to be really good at password management everywhere our passwords live. With that, I'm already done with my part of the presentation, and I'd like to bring up our second poll here.
And that is the question of how many passwords, approximately, you yourself are still using when you look at just the business side of things. So is it zero? Is it one to 10? Is it 11 to 25, 26 to 50, or even more? So looking forward to your responses, when you count even the ones that you only use once a year, now and then, and the ones you seldom use. How many are the passwords you use for interacting with a business partner, for managing servers and other stuff, for accessing business applications? So come up with your rough estimate; you don't need to count, just give us your rough estimate. We leave it open for another 10 or 15 seconds. Okay. So thank you for providing the answers. Maybe I already can say one thing: there was not a single participant in this quick poll who said zero as an answer. So everyone still has to deal with passwords; I think this shows how relevant, how important this topic is. With that, I hand over to Craig.
All right. Yeah. Thank you. Thank you for the introduction. Nice to meet everybody. My name's Craig Lurey, I'm the CTO and co-founder of Keeper Security. And I'll just talk about our product and everything that Martin just said about: in reality, you've got to have a way to manage and secure these passwords and secrets. I don't know why I just switched over. And so we've got a solution that I'll give an overview of, and talk about just the background of what we've built and how it works and how this relates to zero trust. And zero trust is a new model of security which really breaks down the perimeter. There's no longer thinking about a perimeter; it's thinking about how to protect access to resources and systems, everything that Martin discussed, in terms of everything from servers to individual applications.
And so it ties in directly to the management of passwords, because passwords are really the foundation of zero trust. Just a quick snapshot about us: we've been in business since 2011. We've got tens of thousands of enterprise customers around the world, millions of users. We are focused on our core product, which is password management, enterprise password management. So we have a product we sell to end users, consumers, families, small business, large enterprise, the entire spectrum of user base, because this problem affects everybody. We started off in the consumer space, and then in 2014 we pivoted to a business focus and built out our enterprise platform. We were also funded by Insight Partners a few years ago, and we have several offices around the world, in the US and Europe. We're also launching offices in other countries in the coming months ahead.
So we all talked about this in Martin's presentation. Obviously passwords are a huge problem. Once an attacker uses either a leaked password or an account takeover through a password attack, of course the payload that they're looking to deploy is ransomware, among other things. And so what we found in our research is that most breaches are due to these weak passwords or related security around how passwords are managed. And so the attackers are retrieving these passwords from these dark web lists or through other methods, such as brute force attacks. So in our business, we sell to all industries, and everyone's affected by this problem, of course, but we find that financial services is one of our largest verticals with our enterprise customer base, and then financial services and government, tech, software, healthcare. So these are really huge. Now, it just so happens that obviously people are targeting financial services for gain, and they have the most to lose. And so therefore password management and secrets management in those industries is a massive problem.
So visibility and control over password security: this is something that our product allows you to master, and I'll show a few slides on how that works. The visibility over the dark web data, which directly affects employees and customers. So these dark web data lists, like Martin was saying, which can be purchased, very easy to get ahold of, can easily be used for password-based attacks, brute force attacks, account takeovers. And it's really difficult to manage those lists. And one of the things that we do in our product is we actually pull in all those billions and billions of data points and protect the users by notifying them within the product if they have credentials that match those, and being able to protect applications and systems. So it's not just passwords to websites; it's, as Martin said, legacy applications. Especially in financial services, you've got these platforms that have been written years and years ago; the thought of migrating to passwordless is really an impossibility for those types of things. And so you've got to protect access to those legacy systems and also infrastructure, which we will talk about a little bit as well.
So our platform, which is the Keeper enterprise password management platform, defends against these ransomware attacks, any password-related breach; it's focused on control of passwords and secrets across all of the users. So we deploy a vault to all employees of the organization. It implements zero trust and zero knowledge security. So what that means is that the encryption and decryption of data, of the passwords, of the secrets, of any credentials, is performed on the user's device. So we do not have access to customers' data. We hold the ciphertext, the encrypted ciphertext, and we have a system which distributes that ciphertext to the user's devices and the endpoints, but it locks down access, and only the user can access and decrypt their data. A really key point of this is that Keeper integrates with any existing identity solution. So what we see in the market is that a high percentage of users or enterprises are deployed to Azure typically, or they're using maybe on-prem AD with ADFS. But what we see in environments is typically a handful of applications that are deployed through the identity provider, and everything else has to be protected by the vault. So what enterprises want is to deploy their password management product with their existing infrastructure. So we integrate very specifically and directly with Azure and Okta, Ping, any SAML-based identity provider, and it works in both on-prem identity environments and also hybrid cloud environments.
So of course, when you deploy a password manager, one of the first things that people realize is that it's huge in terms of productivity increase. So people aren't dealing with password resets, they're not calling the help desk. So there's a huge productivity gain. Of course, that's the convenience aspect of password management. So you have the security aspect, which is huge. And then you have this other requirement by enterprise, which is to make it easy. And so a lot of our effort is on building a secure product, the most secure product, with zero knowledge encryption, and then also making it really easy for people to use it across all of their devices: web browsers, desktop apps, native apps, mobile devices, everything. So it has to be extremely easy.
So just looking broadly at what an enterprise password management product like ours includes, and what's critical for enterprise. And this is not just us saying what we think would be great to have; these are requirements of the enterprise. They have the ability, within the platform, to build in dark web data monitoring, right? To be able to determine if passwords that are in your employees' vaults have been found on the dark web, either they were existing before you signed up and started using the product, or something occurs like a site was breached, and all of a sudden certain credentials show up on the dark web. You need to be notified when that happens. The obvious one of being able to generate strong passwords and autofilling on browsers is a big deal.
And it's difficult to get it right. And so years of development went into developing our autofill technology. We call it KeeperFill, and it works across every web browser, even any Chromium-based browser, Safari, even Brave, any of those newer privacy-focused browsers, as well as mobile devices. So complete integration into iOS and Android platforms is critical. Securely storing: so the storage mechanism, just as we talked about earlier, is zero knowledge. So you're storing password secrets, metadata, files, documentation, anything that needs to be kept secret and encrypted in the vault. And so a huge piece of the platform is the zero knowledge encryption and making sure that users are only able to access the data on their approved devices. Being able to attach files, what we call files and metadata.
So there are a lot of use cases for that sort of thing. For example, if you were talking about server infrastructure or cloud infrastructure, being able to protect AWS access keys, or protecting SSH keys or SSL private keys, any certificates that have to be protected and generated. So there are a lot of use cases around DevOps and engineering, of course. And then getting into, especially with financial services and client data, if you're collecting information from your customers and you need to store that in a secure way, storing it in the vault is the absolute most secure way to protect that data, and it never exists in plain text. Enforcing policies across the organization: so you want to ensure that people are generating strong passwords, that when they're accessing sites, they're utilizing strong passwords. And you want to ensure that if there are shared passwords, and sharing is a huge use case of the platform, you are in control of who is sharing,
who's not able to share, what credentials are shared among users, what permissions have been granted. And you can control that through compliance reports and role-based access, being able to transfer and revoke permissions. So permissions within a platform like Keeper are critical, and it's one of the top use cases of the platform. I guess I'm sort of going around in the opposite direction here. And then of course, being able to provide access in any architecture, meaning whether you're running on-prem AD or cloud Azure or Okta or Ping or Centrify, JumpCloud, any identity stack, it's got to integrate with. And so one of the new modern protocols that we do support, which is called SCIM, is also something that's a huge requirement for customers that are migrating to the cloud, because they don't want to have to manually provision users and provision vaults and think about, oh, when this employee gets terminated or they leave the organization, how do we protect that vault that they were using?
How do we revoke it? How do we lock it down? And so automation and integration with existing identity stacks is a huge deal. And of course, I'll show some screenshots of our admin console, but being able to audit, perform reports and analytics, through both a user interface and also through SDKs and the open source CLI and code and tools that we provide our customers, so they really can integrate into their backend systems. Like if they're using ServiceNow or they're using other identity tools, they want to build that analytics in, and it's really important.
So this is jumping into a few use cases of the product, and this is showing the vault itself. So here in the vault, it's showing a folder called Shared IT Records. This is a shared folder, and it's shared among a team. The point is that this is a vault that gets deployed to any user, whether they're an employee or a contractor, and not to every device. So we have strong protocols around how devices are approved. So you can only authenticate onto an approved, an enterprise-approved device that's allowed to host the vault. And once the user authenticates with the identity provider, the ciphertext is delivered to the device, and then the user is able to decrypt the vault locally on their device using elliptic curve cryptography. So every device that loads this vault generates a public/private key pair, an elliptic curve key pair, and synchronization between devices, synchronization between users, it's all cloud-based. It's all through our backend cloud, but the decryption of data takes place locally on the device.
This is the admin console. So this is where the admins will go in and provision the platform and analyze and run reports on what's happening throughout the organization. So this screen here is showing the top events that are taking place. So we track over 120 different events in the platform. So everything from a user logging into the vault, a user accessing a particular vault record, a password secret, have they made changes to it? Have they used it to autofill on the site? What device were they on? What client version of the application? So all those attributes and data around utilization of the platform are built into the console. And the important thing about the console is that it's also zero knowledge. So information from the user's vaults and their activity of, let's say, not browsing a site, but autofilling into a site, generating a password or generating a bad password, or having their passwords found in the dark web, all these events and this information are encrypted from the user's device. It's decrypted by the administrator on the console. So zero knowledge is a tenet of our platform, and that information is only available to designated admins.
So we track on the user's vaults, as I said; the information in the vault itself is encrypted locally. And the summary information, let's say the record password strength or the strength of individual passwords or usage of their vault, is encrypted directly from the user's device, encrypted with the enterprise key. So only the admin can sign into the console and decrypt and access these summary statistics. And so they get a good picture. They can run reports. This is integrated into our SDKs, so they can see the progress and the status of the passwords and secret strength, and total visibility into the whole organization. We also have this concept of enforcement policies, which is role-based. So role-based enforcement policies define what users can do within the platform, how they access it, what type of security policies are in place, for example, how often do they have to log in?
Are they forced to use step-up authentication, and how often, or can they use biometrics? Can they access the vault offline? So there are all these questions that you go through when you're evaluating the platform and determining what roles within the organization have what access policies. So generally end users are asked to, let's say, authenticate into the vault on their desktop device; they may want them to authenticate every 60 minutes or less, or, let's say, some organizations want people to authenticate after just a few minutes of inactivity. And so users are routed to their identity provider. They're typically using the MFA from the IdP, or they can also use step-up MFA on the Keeper platform itself. And so we support, we work with direct integration with Duo and hardware-based devices like FIDO2 YubiKeys, WebAuthn. And then, typically what we see is, so the end users will have certain policies, and then the administrators will have their own policies.
So the admins or sub-admins of the platform will be, let's say, required to authenticate only from certain allowed IPs, or they have different policies, maybe stronger policies, that apply to the administrators of the platform. So that's all through role-based policies. We have also dark web monitoring built into the platform. So within the vaults of the users, the users will be notified if they have passwords that have been found on the dark web. Now, we target the password. We're really focused on the password, because of course attackers know that passwords are reused and they're used across different sites and applications. So we notify users if any password, regardless of what site they're using it for, has appeared in a dark web data breach. So Keeper pulls in billions of records from dark web breaches. We hash them into HSMs within our environment with non-exportable keys.
And those hashes are compared locally on the user's device to hashes of passwords within their vault. So there's a lot of technology built into this platform which provides that zero knowledge notification of breached accounts. So the end users are notified in their vault themselves, and then for the admins, the summary information is provided to the admin. So the admin can be notified themselves if a particular user's vault or records within the vault have appeared in the dark web. So they can just see it in summary. They can also receive alerts, perform some automation around that, and, for example, integrate into some alerting systems: ServiceNow, Slack, Microsoft Teams. So there are a lot of outputs where they can receive this information and get notified. We have this module called the Advanced Reporting and Alerts Module. I talked about how we track hundreds of different event types.
Typically customers will use our reporting tools built into the vault or built into the console and set alerts for certain actions. Let's say you want to be notified if anybody within the DevOps team accesses the Amazon AWS or Azure administrative accounts, for example. So those events and those alerts can be tracked within our platform or with our SDKs, but typically these enterprise customers will also integrate into a SIEM. So we integrate directly into Azure Sentinel, Splunk, Sumo, Devo, all of the top SIEM solutions. With the platform of Keeper, and just the overall architecture of the platform, it's really built for zero trust. So what that means is that there's no concern about perimeter. It's all about assuming what would happen, what could happen, if an attacker already has access to the perimeter. So with the platform you can completely control and lock down all accounts on all devices, all applications, all systems through an encrypted vault.
One thing I didn't mention previously is that we talk about this vaulted ciphertext and where everything is stored. We host our platform in multiple data centers around the world. So even though it's zero knowledge and it's only storing ciphertext, we do have data centers throughout Europe. So we have multiple data centers in the EU, Ireland, Frankfurt, as well as multiple data centers in the US for our US-based customers, both US commercial and also US public sector entities. So we operate in what's the FedRAMP environment here in the US; in the EU data center, multiple regions; also Australia, which was launched last year. And we are also a couple of months away from launching additional data centers in Japan and Canada. So those backends and those platforms are isolated, and for customers who are hosted in specific regions, their data and their ciphertext is stored exclusively in those regions.
And there's no cross-region communication at all. The zero trust model, and what's really key about this: of course, it minimizes the attack surface, because now an attacker has to specifically target individual resources. You have defenses against brute force attacks, enumeration attacks, any sort of privilege escalation, because in your vault, you are protecting every single account with completely strong and randomized passwords that are stored in the encrypted vault. So you are totally reducing the risk of exfiltration of data. And it checks the boxes on all compliance requirements. So most of our customers who are in highly regulated industries, they have this requirement of not just protecting and securing and encrypting passwords, but also rotation, integration into privileged access, protecting not just passwords, but secrets and infrastructure, SSH keys, and those sorts of things. So it instantly checks the boxes on those core requirements that they need for compliance. So where to begin? It's very easy to get started with the product, and you don't have zero trust until you have password security, because you need to protect those endpoints and those individual target systems. And with our platform, you are going to fill all the security gaps with what you have today. So customers who have already deployed, let's say, a single sign-on or an MFA, that's great, but you have major security gaps unless you're implementing password security in the platform, in the environment.
And that wraps that up. I look forward to questions; I'm happy to answer any questions through this Q&A, and looking forward to it. Thank you.
Thank you, Craig, for all the insight you've provided. So we are back to our agenda, and right now at that part where we enter the Q&A. Craig, you can stay on, because we both will be answering the questions right now. We have quite some questions here, and I think one is really interesting. I think we both touched on it in our talks to a certain extent, but there's this question: could you give us some use case examples which would show where passwords are still relevant and are expected, so to speak, to remain relevant? So, from your experience from the field, what are sort of the use cases that trigger the interest of your customers?
Sure. Yeah. And I think what's happening and what we see, I'm on a lot of customer calls and we hear the pain points. And I would say that the top pain point of customers is, let's say, sharing. So password management has many, many use cases, hundreds of use cases. And so it's really about what use cases apply to your industry and what's critical for you. Are you an organization that creates software or deploys content, or are you an MSP who manages client credentials or client access to their systems? So the MSP use case, just as an example: they have to store thousands and thousands of credentials. It's unreal how many credentials and passwords for their clients or for the environments that they're managing, and it's growing.
And it's, it's, it's staggering, how many secrets and passwords they have to, they have to manage for their clients. That's just one example. Another example is, as a use case is the need for organizations, especially in it to be able to share accounts. So they have, let's say they're using legacy apps or cloud-based apps or, or infrastructure accounts, or like you mentioned a, a firewall where they need to have shared access to certain credentials, especially if those credentials involve having a, a, an MFA code or some other secrets that are needed. And where do you store those? And so they're all struggling with password sharing in certain use cases. And so that drives, that drives a big portion of interest into the platform. And then you have organizations who have gone down that password list route they've deployed a single sign on and quickly realizing after they've deployed the SSO, how difficult and time sensitive it is to, to, or how much time is involved in deploying all these cloud applications.
So in an organization, how many apps are being used hundreds, maybe a thousand. And it takes a lot of time for an identity engineer to go in and configure and automate provision access to cloud apps for their users. It's a lot of work. And so they find that with they, they find that, okay, they've deployed a certain number of apps like office 365, maybe a few others. And then all of a sudden they're like, wow, we, we have this huge, we still have this huge gap. There's all these shared accounts. There's all these it accounts. There's all we have to have a place to put it. And the SSO software, you know, like Azure and com and Okta common identity providers, they don't have secure ways of storing credentials. It doesn't exist. So we fill,
Yeah. I think what we can learn is that there are a ton of use cases. It's really relevant, so to speak, to everyone. And I think also when we look at the results of the second poll, this is quite an interesting sort of proof of what we are talking about, because no one said "I don't have passwords to deal with." Okay. We have quite a lot of people who, for their own purposes, have between one and 10 passwords. Maybe sometimes it is only when you start counting that you end up with: oh, there are more than 10. Most of them I don't use, but they're still there and I still might need to care about them. But on the other hand, more than one third say they have more than 25, and 17% of the attendees say they have more than 50 passwords for themselves in the business context. And we are just talking about the business context. So passwords still are. And thank you for showing the results of this poll. Another question from the audience, which is quicker to answer and relatively easy to ask: does Keeper also have a UK data center, or plans to add a UK data center?
We actually already do. Yeah, we have one in London.
Okay, great. And then maybe a more technical question, more of an understanding question. I think this is really sometimes difficult. Most of us have some idea of zero trust, but there's also the term zero knowledge. What's the difference between zero trust and zero knowledge?
Yeah. So zero trust is really about the perimeter, and about an attacker gaining access to the perimeter and then being able to navigate to take over targets within that environment. It really has nothing to do with how the data is protected. Zero knowledge has to do with the fact that we, as the provider of the software and the network and the infrastructure, and the administrators, have no ability to actually decrypt the data stored within those vaults. A zero knowledge encryption model is very difficult to build. It takes years of development, and it's core to making sure that information that's stored in the vaults can only be decrypted on the user's device for which they've been granted access. That's kind of the major difference there.
Okay. Got it. Another question I have here, and I think that also reflects reality: password management seems to be ideal for users with privileged access, but shouldn't we think about extending it to all users? So maybe you can also talk a little bit about your experience from the field on targeting privileged access only, or is it going broader?
Yeah. So what you're going to see with what we've built: about a year ago we launched our Secrets Manager product. And as you said, once you deploy to an enterprise, the first thing that they want to do, of course, is to get vaults onto everybody's devices, and they want to have those secrets and those passwords protected. But once they realize how this works, and the zero knowledge architecture, and having access on all their devices, they start realizing these other use cases. Like you said, all of a sudden the IT teams or the DevOps teams need a way to manage their credentials for infrastructure, or the software that they deploy is using hard-coded passwords or hard-coded secrets in the source code or in configuration files or in CI/CD pipelines like Jenkins or GitHub Actions, or Puppet, Chef, any of these types of platforms.
They're realizing that they have these secrets basically hard-coded everywhere and in random places. So they're realizing there are these great use cases to use a password vault with really strong SDKs, developer tools, plugins for all these CI/CD tools. So now with one unified vault they can, from a user perspective, manage everything. They have a single source of truth. So secrets management is huge, because now you can integrate the enterprise password management into your CI/CD pipelines. And then for privileged access: privileged access means many different things, but one aspect of privileged access is privileged sessions, being able to connect to infrastructure through, let's say, SSH, traditionally with an SSH key, or RDP with some administrative credentials. When you use the built-in RDP tools from Microsoft or any other third party, where are those being stored?
Where are the credentials being stored? Oh, they're just sitting on your computer somewhere in a flat file, or they're stored in some cloud service. You don't want that. So you want the actual credentials that are being used for establishing connections to infrastructure to be protected with an encrypted vault. And so you'll see things that we're launching that will provide that seamless integration. And then it gets into other use cases of privileged access, which are things like check-in and check-out, request access and grant access, and that kind of usability around how target privileged accounts are managed, how often they're rotated, which accounts exist, and how you discover those in your environment. So those types of tools you'll see built into these platforms.
Okay. So this is a huge topic here. Yeah. I have one more question from the audience, which is: does Keeper have API integration, and if so, are those secrets protected? So it's probably more,
Yeah.
Secrets used for API access.
Yeah. So our APIs for the humans that use the vault are targeted towards humans. And then we have a whole set of APIs that are made for machines and machine authentication, and SDKs. We call them... they're really more SDKs than they are APIs, but we provide very easy SDKs in every possible language: Java, JavaScript, .NET, Go, Python. They provide easy ways to access the vaults either from software directly, or through custom software or pre-built software, or plug-ins with common tools. And it also preserves zero knowledge, because these SDKs authenticate against the platform, then retrieve ciphertext from the platform through the cloud and decrypt the data locally on each device. So just like when the user logs into their vault and decrypts the data in their browser vault, the machine that's using our SDK to access the vault authenticates using elliptic curve crypto, and then it decrypts the data locally in the SDK and provides it to the user. So it's really easy to integrate.
Okay, Craig. So I think we're done with the questions. Craig, thank you very much for all the insight you provided, and thank you to all the attendees of this KuppingerCole webinar. Thank you to Keeper Security for supporting this webinar, and I hope to see you soon back at one of our upcoming events, and maybe in Berlin in three weeks from now. Thank you.
Thank you.