Hi, good afternoon or good evening. Good morning wherever you are and welcome to this latest webinar ING A Call. And today with Keeper Security, we'll be talking about perfecting privilege access management, or at least trying to. With me today is Zane Bond, who is head of product with Keeper Security. And we'll be hearing from Zain in a little bit. But first, just a few housekeeping notes. No need for you to do anything. You are muted so you don't have to mute, unmute, mute yourself. We're running some polls, actually we're running some quizzes during this webinar. Slight change there, but there is a q and a session at the end where you can enter questions using the control panel that you'll see on your screen. And of course we are recording the whole thing, so if any of your colleagues wish to see it afterwards, it will be available as a download in the next few days.
So that's all that for the housekeeping. Now we have something rather exciting. You can win these headphones. We're doing a quiz throughout the webinar and we'll basically announce, we'll find the winner and let them know after the, after the webinar. But these headphones are around worth around $200. They sound amazing, apparently haven't tried myself. I'm sure they're better than these ones. Stuff magazine said they're great. So noise canceling as brilliant as ever. Well, we all know that both headphones are good. So those could be yours if you get all the questions right in our quiz. And here is the first quiz question. So the que the question is, are all data breaches that carry share what percentage are due to weak and stolen passwords? So you have three options, 81%, 25%, 50%. So just add your answers.
So into the, the main event as it were. And what we'll be talking about, I'll, I'll do a very brief overview of PAM as it is now some of the choices you have for multiple devices. And then Zane will take over with a more in-depth look at the next generation of Pam, Pam next gen, perhaps that's what he'll call it. And how to achieve simplicity and security, something very difficult to do in today's IT world. And then we'll have your chance for questions. You can add your questions into the tool on your screen as well. And we'll take those as they come. So let's go. I always like to start my presentations with this saying that everything works with everything else, which is my way of summing up the world of it, the world of business it that we have now currently. I mean actually you could say that everything connects with everything, everything else 'cause it doesn't necessarily work.
But we do have this ginormous connection, connectivity where everything does indeed work with everything else. And then I also simplify what Pam is or what access management is. So instead of putting it into all sorts of ArcHa and technical language, what you're actually talking about is a thing which can be a person or a, a human, sorry, or a machine or even a service account. But in any case, it's just something that wants access. And so to do that, we have to give the thing an identity so we know what it is. So whether it's a machine or a person or something else, and then we give it a credential and that's what gives it access to the stuff. So that process is what we're all doing every single day in everything that we do kind of at our desktops. And again, I've simplified it right down to these few lines, but in reality, and as Zane will explain, things are actually quite complicate complicated behind the scenes. So
No, I I really like that one, right? It takes a very complex set of systems and just simplifies it down to, you know, this is what you need to do your job. And you know, yeah, we have controls when you're dealing with, you know, the, the keys to the kingdom. But this is great.
Well, you can even simplify a little further just call it thing and stuff if you want to just cut out the, but that might be simplifying it a little bit too much, but that's why I highlighted those, those two words there. But yeah, it, it's pretty much what's happening, what we're doing right now, in fact. And then what makes life more complicated is all this. So we have different types of identities that we have put in sort of four buckets here, but I mean there are more. So we have people looking to get onto devices, computers, mobile, et cetera. And then we have what traditionally are being called it admin accounts. So all the guys that actually decide how things work and also decide who gets credentials to privilege. And this is where it starts getting complicated because those people have need access before they can give other people access.
But now we have identities within software. So we have all these weirdo thing, containers, microservices applications, APIs, et cetera. And they too are adding to this mix of identities that are all bubbling around looking to do stuff. And increasingly those things are sometimes allowed to do stuff pretty much uncontested and not managed. And then of course, behind it all, we've also got automation. I was, didn't actually, I think I did this slide before, the invention of ai, which we all know and was invented this year and no other year. And so, but of course machine learning I think is, is a more accurate way to describe what we have now. But the tools that we are seeing coming out are also the, using a combination of APIs and code and stuff to do the machine learning that is now exciting everybody in writing reports and stuff.
So that's just, again, this is probably simplified, but I think I forgot the actual statistic, but I think machine identities are gonna out outnumber human or user identities are some like a hundred to one or something like that. It, it's a big number. And increasingly PAM or legacy PAM or existing PAM platforms don't actually have the capacity to deal with the speed and scale of of those identities. But you can see that this is some research that we did I think last year, just asking customers or our customers how many PAM solutions they use. And whilst the majority still only use one, it was interesting that we have 23% using two 16% using three or more. That suggests two things. One is a confusion in the market not knowing which is the best PAM system to buy. So they end up with more than one and sometimes line of business will buy their own version of Pam compared to the one that was originally set up by it five years ago.
But it also means that there is confusion in how to make PAM work. And I think that that's why they buy one and some of the legacy PAM applications of platforms are known for being very, very comprehensive and very, very good, but also very, very hard to deploy and very hard to administer. So we're getting into a situation where when the need for PAM is changing in terms of things like machine identities and for people like developers and DevOps and people that need fast access to stuff, you're finding that they probably want Pam that's a little bit faster, a little bit more cloud native and a little bit different. So there is this shift happening in the PAM market quite significantly right now. So we have the big players on one side and then we have, I don't like to say smaller players, they're just literally, you know, smaller companies, but they're actually quite often more innovative and also more targeted towards some of the applications that we need right now.
And again, this is really an attempt to show how identity flow management is working, particularly in the cloud. Because if more than anything the cloud has, well it's clouded the market. Let, let's use a cliche there, but it certainly has meant that when everything was on premise, when everything was fairly easy to localize and find, then identity and access management was also quite easy. So again, we have our types of identities looking for access. So people, machines, third party, I didn't even talk about third parties, but of course that is now another area and customers that are becoming able to enter different partner networks and the partners will have partners and so on. And it gets back to that original slide of everything works with everything else. So they're using a combination now increasingly of, of pab, but also the newer things called cloud infrastructure, entitlement management, and traditional I A M. But there is is now an emerging thing called identity threat detection and remediation. I think that's Zane, is that right? I T D r, it's, it's a new one that has suddenly hit and it is, it is kind of a version of Kim with a bit of Pam and so on, but it's, it's kind of taking, they, they're actually very sensible view that you need to understand who your identities are and whether they are being abused or not.
So all that is happening. So getting back to every, you know, people wanting access to stuff and then that sort of stuff. Again, the re the list of resources could go on forever as, as it increasingly changes. And I should probably add I T D R to this slide when I update it, you know, keep it, keep it current and probably put, there's definitely no shortage of acronyms in aerospace. No, no. I'm still getting my head around I T D R and see whether it is actually a thing or whether it's just a, a capability that could actually be attached to these three, but I'll, I'll add it anyway. 'cause you know, we like to be on the, on the ball here. So that's what's happening there. And there's a picture of Andy Warhol here for the reason was that I like the quote that he is famous for, which is in the future everybody will famous for 15 minutes.
And I kind of changed that around to in the future everyone will have privileged access for 15 minutes because that's kind of where we're going. We are moving away from a, a infrastructure of standing privilege and much more into just in time and no standing privilege or that's gonna take some time to, to change. And the reason are that the forces are happening, and I identify three here. So we have velocity, density, and dispersion. So velocity is simply the speed at which identities are looking for access, which is, when I'm talking about things like DevOps and machines, they, they, they want access on the spot, they want it for like, I don't know, 10 minutes or something and then it needs to be quit.
The sheer density of identities is, is is an issue because like I said, they're multiplying outta control and they're dispersed. They, they are no longer your employees, they're no longer just that, that sort of number of people, whatever it is that you could safely manage from an existing i a M or PAM tool, they're everywhere now. And you don't know actually probably where some of these identities are coming from. They could be coming from, like I said, partners of partners or somewhere else in the supply chain. So that's, so there has been a reaction and the reaction was again, what I call a pmo. So we now have, or we are moving towards a time when identities, people and machines, et cetera, all all will have privilege, access of some sort at some point in their working day or if not the working day, then a working week simply because we are shifting the emphasis of privilege from the user, the identity into the things or the resources that they want to access and that's what should be privileged. So on that, here is the second question of all the site. I hope you're, I hope you're all playing along as they say on tv, very nice headphones of all this cyber attacks taking place each year, what percentage are targeted at small and mid-sized businesses? So 10 46. So
Why don't we give the audience a couple seconds to answer that. I think you, you really touched the nail on the head really well in your last slide, where things kind of evolve. It almost feels like it's an individual journey for each company, like as they go through their security maturity journey, their needs increase and their needs for security and data privacy increase too.
Yeah, absolutely. And the one thing that I've noticed is that when we do our events and we have end users coming in, is that, well, I'm not gonna say they're, they're confused, but they're always looking for answers and last year's answers aren't necessarily gonna be the right ones for this year. So yeah, as each individual organization grows, the needs change. They might start off as a self-contained very small business, but as soon as they start working with others, they need that extra protection. So good, good point. So hopefully you've all had time to think about that. Can't remember who myself, who, what the answer is. So there you go. So a little bit, there's my friend Andy Warhol there again for no other reason than I like the picture of him and nothing to do with privilege, really.
There is arguments for and against standing privilege and it's kind of what's happening now because there is gonna be certain industries or certain sectors that will hold out for standing privilege and the reasons are there on the screen because it does limit access to critical sys. Well this is the theory, of course this is what standing privilege, this is what they say about it. So it should limit access to critical systems to a small number of individuals. There is no repeated authentication, streamlined workflow, improve productivity, et cetera, et cetera. Now the thing is, those are the pros and I'm sure that Zane, you could probably drive a truck through some of these pros, which I'm, I'm sure you'd like to, but simply put some companies just like standing privileges and they tend to be perhaps bigger, more perhaps financial services, more compliance DR or compliance checked organizations that need to be able to do tick box exercise and say, yes, only authorized individuals have access to this and therefore we, we, we pass the compliance. But increasingly standing privileges are, are going to come up against these cons. Like I said, the simply the velocity and density and dispersion of identities mean that you probably have more standing privileges than you. You realize they are now much more exposed to being stolen and used by malicious actors.
It's difficult once you have standing privilege unless you have some kind of tool to admin, which is something that we've been talking about. It's difficult to actually revoke actors. We, we, and you know, you hear all the time about companies that still have people, you know, zombie accounts or ghost employees that haven't worked at the company for some time and yet there's still an account set up to 'em because no one knows it's there. They're also quite complex to manage in access management systems and so on. So personally I think I can see why standing privilege is a, is a, an appeal or is appealing to certain organizations. But I do think that in the world of privilege access that we are seeing the beginning of the end of standing privileges and much more to just in time as and when you need it. Everybody having some sort of privilege at some point.
Now if I can just to, to sort of wrap up, I'll just do a little bit of advertising for the PAM Leadership Compass, which actually this came out earlier in 2023 and we'll soon be working on the 2024 version. But if you are interested in the market as it sort of stands right now, you will see that we have taken into account the emergence of Kim platforms and their impact on pam also, everything we've been talking about the cloud and device access demands, multiple endpoints now needing to be serviced and so on. Vaults and password there is within, in a more granular part of Pam is the debate between continuing to use password, which again is also very much part of your standing privilege into a more passwordless system or at least where end user machines never see any password and just in time and zero standing privilege are also beginning to impact the market. So buyers are actually saying, we want just in time, we want zero standing privilege because that's what our c e O wants.
So finally this PAB choice is now wider, but somehow it's, it's a bit harder to actually choose which is the right solution. So use the resources, not just cooking a cult, but everybody that can provide you with information, define what you see as your privilege framework and again, work around that and how to build a privileged access management system or platform that works in the way that you work. Decide on essential capabilities. Some PAM solutions have everything in them and some people need everything. A lot of organizations, and this is from our own research as well, show that they don't necessarily always want all the session recording or session monitoring for good or bad, but they just prefer to have the access.
And don't be afraid of automation and endpoint privilege management. The more that is automated for you, the better a machine or a software that is doing the tedious task for you leaves you with more time to do the important stuff and see where your identities are at threat and where your access is at threat and so on. And finally look at new Pam and Kim solutions and dare I suggest I T D R as well and see what's out there because the, the market for Pam is, is it's kind of mature and immature at the same time because it, it seemed like it's sewn up, you know, it was gonna be the, the four B players and this is what Pam is. But even in the short time that I've been four years or so, the number of vendors has actually increased and that is despite consolidation within the market. So it's, it's a great time to be looking at Pam and it, it's really, and I actually mean this, it is quite exciting 'cause people always say, I'm really excited about some technology, but I do find that this whole area is, is very exciting and interesting. So I hope you do,
I find there's definitely new room for new players because a lot of customers are just unsatisfied with what's being delivered with existing players. That's, you know,
Reason. Yeah, I, I think you're right and you know, there are new players coming in and then it's like, you know, exciting young athletes joining, you know, the club. So that's my bit done I will hand over. Now to Zain
A little bit about keeper security. We are not a traditional PAM player. We actually started out in the enterprise password management space. We were the first password manager on the Apple app store. We spend a good amount of our time doing direct business to business interactions. But we found that the, the password management space, when when you get really mature in that space, you kind of evolve into and overlap with some of the core PAM use cases. And it was just a natural evolution for us to get through there. So that's kind of like our journey when we look at what we have from our existing systems and what we have generally our customers like us, our fundamental approach to most of the things we've done in the past is super easy to use, super easy to deploy. The apps are available on the app store, your management consoles are all cloud-based.
There's very little, you know, on-premise components or management or any of the legacy stuff. And so we enjoy that because our customers really, really resonate with the simplicity of our deployment model for so many different things. However, we've found this time and time again, if you look at any breach, if you look at any major compromise where there's a significant, you know, amount of impact, almost always credentials are used in this process for one way, shape or form. The Verizon data breach investigation report from this year, they have the stat every year. It usually goes somewhere between like mid seventies and mid eighties. The amount of breaches where the human element including stolen passwords, re weak passwords, credentials, getting reused, things like that, is involved in almost every successful breach credentials. And protecting them and protecting those identities doesn't always make the news 'cause it's not the newest AI, cyber, whatever, but these are the things that typically get you breached.
And we re really try and hammer on the fact that, you know, protect the basics, protect your core components because this is where the, the challenges come from. Most of the time ran a couple surveys and studies recently, we were just looking to see how existing customers that have PAM solutions in their deployments, in their environments feel about what they have, what do they have to say? And almost universally through the surveys, through talking to customers, et cetera, is Penn provides really good capabilities, but man, is it complex, it is tough to use, it is tough to deploy and just a simplified version that allows us to meet the compliance regulations, meet the security regulations, and not have a lot of the extra fluff or challenge that we have to do is desirable. And we're like, well, we could definitely do that.
Almost always when you purchase some larger legacy PAM solution, you're buying a whole bunch of capabilities and they're great, but we find that very often they're, they're not needed or used. There's really core specific core use cases like, hey, I failed an audit, I need to do X, y, Z to succeed it. Or you know, we believe we have some risk protecting our crown jewels. We wanna put some controls in front of them. If you focus on the security benefits and the company benefits not so much as features, then you can really distill down and just get the things that you absolutely need. And obviously streamlining, deploying stuff is, comes up all the time. So when we're looking at the, some of the core problems that exist, like in, in the PAM space or when just talking with customers about what are the types of issues that we run into, where are the problems that we run into?
Number one is you, it's, it's difficult to protect what you can't see if you don't have the visibility into where your systems are, who's using what, who has access to it, where your machines are, what happened when someone on, when someone was on the device. It is very, very difficult. Also, you end up with a good amount of credentials being all over the place and just understanding where they are, how they're getting used is difficult. This is both from like an insider threat, from an external threat or even from just human error, right? If someone has access to too many things or is unaware of what the impact of rotating a credential is, then you could have, you know, significant outages with no malicious intent. It's just, if you don't know the impact of a potential change, it's, it's potentially quite a challenge. Alright, question time. First question I have here, what percentage of people reuse the same passwords across multiple accounts they have access to? I left out a hundred percent because, you know, we're not there. Wow.
Yeah, I would, yeah, well I would guess that one myself is pretty high because that's exactly what I do. So yes,
Even across the security conscious, just tive load that you have to invest into passwords is just way too much, right? Like passwords are a means to get your job done, they're, they're not a thing. Yeah. So avoiding that drum roll, see 65%, this came from tech radar survey that we did. This is absolutely aligned with what we see in the industry, even across security conscious companies, companies that have deployed PAM solutions. It is very common to have password reuse. If you don't have visibility into that, then one password compromise can lead all over the place. It definitely, definitely is a challenge. Which leads us into our second problem. One of the traditional issues we run into with a legacy PAM solution is they may provide great security controls, great compliance controls, great whatever. But if it's only deployed to three or four guys in the IT group, or it's only deployed to a very small subset of your organization, you might have some really good controls there. Or you might have good controls in the process of being deployed, which we find quite often is that the PAM components end up being a journey that everybody's in the middle of. I've never seen someone reach the end of the journey, but hey, that's great.
Yeah, I don't think anyone will ever reach the end of their journey that's,
Oh man, it's, yeah,
That's
E Even when you talk to those that are, you know, 18, 24 months into a deployment, you're like, great, you're into this, gimme a percentage. It's, it's never high digit percentages, right? It's, it's, it's a challenge. And when your scope of protection is really limited and yet everybody in your environment could be potentially compromised or reached, it is a very challenging problem to have to work, work through. The last one we got, this resonates within the pan space more so than so many other security products. If it is too difficult to deploy, if it is too difficult to use, if the control is too painful, it's either not gonna get adopted or people are gonna find ways to go around it. It it, you cannot implement something that is too difficult and not have some type of a challenge either disgruntled people. Now if that's your only option and everything else is shut down, okay, cool, then you just gotta angry people. But typically, especially when you have your, your engineers, your systems, the people that are responsible for keeping the lights on, for deploying these systems, getting your code, getting your websites, getting the things out there, they have the controls to get around this if they have to most of the time. So let's make it easier to use the tool than it is to not use the tool.
Yeah, I mean too much, not just Pam, but other bits of software are designed not for the way people work, but just designed to control the way they work rather than, and you, you mentioned devs DevOps, they're classic example of, well first they're super smart, so they know how to get round everything and, and they do get round it because they don't like, they see anything security as a barrier.
Well, yeah, if option one is, you know, bring the entire company back online and option two is do it securely, but a little bit slower, you really just, sometimes business has to exist. Yeah, regardless. So it's, it's a challenge. And again, additional challenges we find inside and outside, man, it's tough. You find more complex environments becoming either through on-premise cloud deployments, through acquisitions, through mergers, through small departments like IT teams buying a PAM solution just for them, and then somebody else having another solution needed for another org. There's a lot of complexity that gets introduced to your business as you grow and that's, that's normal, that's fine. At some point you have to make the decision to manage it and you have to make the decision to control it. And as you expand, your tax surface expands too. So you have to protect all those components. It, it, it's, it's a challenge. Definitely, definitely is. Without question, next question, what European countries suffered the most cyber attacks in 2022, uk, Germany, or France? So we're gonna give people following along a couple seconds to answer that first. Paul, any guesses?
I'm gonna guess it's my country, the Disunited Kingdom rather than
The slightly United Kingdom.
Yeah. Less united than it used to be, but yeah, seriously, I think it's probably uk.
All right. Drum roll. And our answer is that is,
Well, there you go. Yeah.
For, for many reasons, right? The UK has historically had a lot more banking and finance organizations for the world. Those are incredibly juicy targets and it's the, there's a lot of reasons that work into this, but that's what the numbers have told us.
Yeah, and that's an up-to-date stat as well. So
It's all righty. So what is the solution to all these crazy problems? Well, hey, good news keepers here to save the day, right? From our side, we really, really did try and focus on creating a next gen security platform. One of the things we did, we didn't come into the PAM space as an entrant and a choice we made. We came in from the password management, from the, from the almost consumer side by getting across this. But it means that some of our core foundational security components, zero trust, zero knowledge, the user's right to privacy, the user's right to own their data, things like that were just part of our platform. And so as we were evolving into a fully fledged PAM solution, we realized that these security choices we made earlier on are really, really impactful and just make some of the cutting edge security considerations just natural for us, zero trust is normal.
Nobody has access to anything. No admin can see our password. It's just how we were. So it's really powerful to evolve into that and bring our requirements for just an easy to use, easy to understand environment in there. So when we look at what keeper Pam really is, right? We've got three main components or enterprise password management. This is the vault, it is your storage, it is your credential store, secure file store. You handle sharing, alerting, reporting, all of those components. The connection manager is the privileged session management set of capabilities. And that allows you to, you know, connect to the targets without sharing the keys or credentials that allows the sessions to be, you know, tracked and monitored or recorded. This, this does a really good job across any of the compliance use cases you may have know who's coming in, know what they did when they were in there and, you know, be able to restrict it and, you know, ensure there are no passwords used on the sequence manager side.
That's really just the, the opposite of the password management, right? Password management does a great job of solving the human use cases. Hey, gimme multifactor, check your email for validation, you know, putting your yui key, things like that, those types of controls really don't make sense for the machines. We have a different set of controls for providing credentials to the machines for understanding tracking usage, automatic rotation of the passwords and keys, things like that. It's a different set of controls, but it's largely the same use cases. The thing needs access to the stuff. How does it get it? Should it have it? And you know, is it gonna get the right things that just applies across the board. So those are the core components that make up our platform out the gate things that absolutely set us aside. You're not stacking and racking servers, you're not setting anything, anything up on premise.
It's, you know, cloud native, cloud-based. It's, it's a much more easy to follow customer experience to get through the, the, and actually to get to meaningful protection quickly as opposed to, you know, being through these long deployments that require services. When we think of the evolution, the industry has really had, you know, CyberArk was the first entry in the space. They're, they have powerful capabilities and they've been evolving on that for many, many years. They've got just, if you want it, they've probably got one or two of them that are available to you. Your BeyondTrust, your Thycotic or slash deline folk. Those have been the evolution on the keeper side. We really wanted to leapfrog what some of the other players were doing and make sure that we just launched a complete cloud native, easy to use up and running in 20 minutes minutes instead of, you know, let's start planning on what certificates we have to buy, what databases we have to set up, do we have enough Microsoft licenses? Like no, just get to your protection that you need as quick as possible.
The, the ease of use is, it's hard to state the stark difference between getting value out of a traditional solution versus keeper. It's, you know, we, we, we have up and running and same day type of thing. We also have a really strong focus on our security model and how we lock things down. Every record has its own encryption. So we have record level encryption, we have so many other protections around outside of just your Pam it use case. This vault is designed to be used by everybody in your environment. It makes the, the password management, the password sharing components really easy. If everybody has the ability to securely store stuff on their mobile devices, their browser, their desktop, what wherever they are, if the passwords are there and the usage is controlled by your organization, it makes it easier. And that's really the, the big switch where we have on the security adoption paradox. We try and make business and normal access easier than without the solution. And I really, really hope we're gotten there. But that's, that's for our customers to tell us if we've actually attained it. But we are trying, and that's a core focus. Oh,
There is definitely a demand in there, there is a trend towards sort of decentralizing admin so that people in lines of business or in departments are actually given admin controls, which traditionally would've all been centrally managed, but they have to be easy to use. And so you're absolutely right there to be thinking about that.
Yep. And when we think of the, the, the various use cases right there, there's so many things within, within password management, session management, Pam, just the, the whole alphabet soup of what we can do that you can do. But we're gonna look at the key things that we solve, right? It's the credential risk that exists either through users, whether they're getting phished from clicking on the wrong website. You know, browser extensions will stop and protect that, whether it's credentials being shoved into teams or Slack or email or some other system. We have, you know, secure sharing capabilities that you can track. And then just automatic rotation of the grid. Like there's, there's a whole series of capabilities where we really try and focus on ensuring that we're delivering the necessary capabilities to either properly attain compliance or solve security use cases quickly. And we target those, solve 'em, make 'em all, and then, you know, try to move on to the next one to ensure we're able to get there as needed.
Our security architecture, I've worked at several security companies and keepers, foundational security is amazing. Zero knowledge from a cloud vendor is not stated enough. This, this is the, the core foundational tenet that you as a customer own your data and have absolute control over it. And there's zero knowledge to us as a vendor in the cloud. We cannot access, we cannot decrypt it, we cannot use it. We are very limited. Effectively we're storing your cyber text. Any of your key de derivation is done in your environment. Any of your rotation is those keys are calculated under assets that you control.
And you know, just like various things where even if we were get like a, an information request from an organization saying, Hey, we think that Paul's a terrorist, please give us his vault. The answer is we have no way to access it. We have no way to get to that. And you're gonna have to get that from Paul just foundationally we are unable to access and crack these things open. And that's a good thing. We really, really pride ourselves in keeper as not having the ability to do any of that crazy stuff, which is somewhat unusual, you know, normally within the PAM space, the PAM product that holds the keys to the kingdom, it holds everything. And so you just have to protect that really well because if that gets cracked open, you've got really significant problems.
Looking at our ver looking at our platform and where we go, we try and keep it really simple. Most of our things are deployed from the cloud. We've got our various products, the admin console, the user vaults, and those are available if you want it on your mobile device, go to the app store, try it out. If you are in a browser, we have the browser extension and then for the privileged components on premises, we have very lightweight rotation gateways that exist in your environments. You're not setting up large databases, you're not setting up high availability and load balancing and all these other things. We handle a lot of the, the Porwal, the administrative and the control access with all the security behind it to make sure that we are absolutely there from a security standpoint. We have a whole alphabet zup pick, pick one set of acronyms or letters.
We've probably got it. The most difficult and highest level security certifications on the list are a FedRAMP. This means that we're able to be deployed into, you know, some of the most secure environments in the world. And that is a significant security control to go through from code reviews to validation to encryption reviews to everything you need. And so from a keeper perspective, foundationally, everything we need from our core security foundation has allowed many of these certifications to just be a breeze. 'cause we don't have to change anything. The answer is no. The user controls the data. No, we can't see the data. So it's really nice. I'm a big fan of that. Alright, now hopefully we've got some questions from the team and we can get into potentially our q and a section.
We do have questions. Hey, so the first one is from Charles Newman. I mean this is potentially a question that could take some time to answer, but he says, how does keeper security compare to CyberArk BeyondTrust? Why would someone choose KSS over these two vendors?
That is a great question. The simplest is it, it's not about picking us as a vendor who's your favorite? You know, right? Think about the security controls that you need. Think about how you need to protect your organization. What are the things you absolutely need? And then come to vendors with that list. Don't, don't get, you know, distracted by entire feature lists of things that you may or may not need. Figure out what is the problem I'm trying to solve? Where am I trying to go? And we're hoping that if keeper security can, can solve the problems that you need, then we'll solve them more elegantly than other competitors. As an example, we don't have requirements for professional services get deployed. You can get running up and running fairly quickly on your own. We're not as, you know, crazy on the cost side. So it's, that's a determination that you need to make on your own. But make sure you stick to focusing on the problems that you need solved in your environment and hopefully we can be a partner with you.
Okay, thanks. Next question is, what are the most interesting critical trends you see at Pam in 2023 and beyond? So I guess we're talking about 24 really now since the, it's already September. So Zane, what's, I mean, we've spent, we've mentioned some already, but
No, we definitely have, right? So there's, there are new technologies coming out throughout, whether it's passwordless evolution, whether it's PAs keys, whether it's pick any number of acronyms, soup for the various, you know, PAM capabilities that exist. So there are, there are some trends in the industries that we see coming up, but when, when you break things down to just why are customers getting breached, why are customers failing audits, it's not usually the trends, it's, it's the basics. It's who has access to this, who should have access to this? You know, what happens if x, y, Z system? I don't know what happens if you rotate this password. Things like that. We find that things like long standing credentials, hard-coded credentials into systems and source code and stuff, those tend to lead to more breaches. So, no, it's, it's tough to focus on the trends when, when some of the basics aren't handled as well.
Yeah, actually here's a really good question and it kind of relates to what I was saying about some companies are resistant to just in time and resistant to getting rid of standing privilege. And Andrew, well his name seems to be Andrew Andrew, but I don't think that's, that's his, his name. But anyway, he said our OT i c s users are resistant to just in time privileges. They claim that for safety critical systems, standing privileges are safer comments, he says. So
There, there are some systems where standing privileges just make sense. Industrial control systems historically have more difficult management consoles to manage more different difficult components to protect. And so I think the, the newer thinking is if you can move to the just in time credentials, do so. If there isn't, you know, a password on the device for somebody to find or scour or attempt to reuse through token reuse, then you're better. But for some of your systems, it's just not practical and that's fine. There's nothing wrong with that plan for it to be managed accordingly. What we find many times is that if you put a good network barrier around those systems and have only authorized entry points, it is much easier to control and protect them. And so if you do have to have those systems that exist, that's, that's part of your business, you don't have a choice, let's just find the, the most appropriate way to protect them.
Great. We got some great people on the, the, the webinar today. Some great questions. David Murray mano, his question is, with Pam being a critical discipline of a holistic i a M program, what recommendations would you make to get the point across that Pam needs i g A and access management and those disciplines need Pam to mature I a m overall for an organization? Great question.
That is a good question. There's, there's a lot of ways you wanna take a first stab at that one Paul.
It's, I agree that probably Pam is currently seen as part of I a m overall. We haven't even talked about I G A or access management in this whole call or webinar. Now. I think my view is that PAM can be purchased as a standalone product to do specific functions that we've been talking about in terms of allowing access to a highly sensitive resources. However, probably in a bigger picture it probably works better with, depending on the organization, depending on the size, depending on the capabilities within the panel that you choose, it will benefit it to work with I g A or identity providers. Not ne I don't know about how it has to work necessarily with a wider I a M system because I think that's what's happening is that everything is blurring anyway. Like yeah,
I I think you kind of hit the nail on the head, right? Yeah. These, these technologies, they're inextricably linked together. Like, you know, just when, when you think about the user experience, I want to use my active directory login or my corporate login to get to all the stuff. Mm. And, you know, privileged solutions should allow you to just, I identify and do your assertion identity as yourself and then the appropriate capabilities follow behind that. But man, every, every one of those components and disciplines has its own specific components, but I think they, they exist within your environment and focusing on what is, what is it that I'm trying to provide or prevent, right? Yeah. Am I trying to say that devs get access to this or everybody else doesn't get access to this, then those business goals as, as long as they don't get lost in implementation, can help you drive some of that strategy better.
Sure. I mean, actually this brings it, there's two questions here both about I T D R and one says what areas I T D R can't cover that PAM can cover. Do you think that I T D R replace I a m? And then the second question is, it's not clear to me what identity threats are and consequently how to respond to 'em. Currently, it seems that vendors are using the term to mean what we offer the zero trust of I a m I'm not actually don't quite understand that question, but let's just say, let me paraphrase all that and say how will I T D R, where does it fit in, in, into the PAM story right now and the i a m story? Because I think if you take my version of events where you control your identities and you give the identities the credentials to get access to privileged resources, then I T D R probably does serve a useful function in, in assessing those identities in the first place. And knowing,
Yeah, I think the, so like skipping the acronyms, right? Your yeah,
Your, your your detection and threat response. This, this is the layer that finds the bad stuff and tries to respond to it. These other systems become points of input for your threat detection. Are there weird things happening in your PAM solution? Are there weird things happening in your identity and access management components? And then if there are suspicious activities occurring, your, you know, your threat detection and response systems, whatever those end up being should highlight those. And so the necessity for these to be interconnected, you know, we, we ran down the whole sim journey many, many years ago. The thought behind it was, you've got a bunch of stuff, a bunch of software, a bunch of implementations, let's send the telemetry to a system to analyze it. That was a great desire. I think the implementation of how far Sims have come and how much value customers are getting out of it is a little bit lacking compared to the promise of it. But the fundamental approach is that your threat detection or response needs to be more broad than just particular disciplines. It has to look at all your solutions and implementations.
Yeah, for sure. Okay, more focus one for you this time and probably a bit easier to answer perhaps, is how does Keeper integrate with workloads? Machine privilege access is becoming as big as human privilege access as Andrew du I think that's how you pronounce it. Well, he's absolutely right. It's becoming bigger actually, but yeah,
Yeah, absolutely. So it's, I I think the, the privileged access management at, at its foundation as a, as a practice is designed to ha handle this, right? You have users and or machines and or systems things that need to get to stuff. And in this case we're interested in the, the machines getting access to their systems and requesting them. And you want oversight and control into that. You can't oftentimes use the same human controls on that. Machines act very differently. They request stuff differently, whether it's a p i keys or database credentials or source codes. So from from the keeper side, we have a comprehensive set of integrations into your existing tools, right? C I C D tools, your Jenkins, your GitHub, your Azure DevOps, your secret vault, your HashiCorp, whatever it is that exists there, we focus on saying, let's integrate with that. Let's remove these individual credential silos that exist in 10, 20, 30, 40 places in your environment and get them into a location where the source of truth for credentials is handled.
Your management oversight, your automated policy around credentials, credential usage, credential rotation or privileged access is there. So I think the, the, the slightly longer answer is, we, we, a short, short version of that is we have an enormous amount of integrations that allow you to, to analyze where things are in your environment and determine like, Hey, we've got this Jenkins server, great, let's integrate it. We don't have to throw it out. We want to integrate it so that the credentials fit into the larger compliance and PAM solution. And you can continue using those. But there's no hard coded credentials in the system. There's no longstanding secrets that exist in those secret vaults all over the place. They're only retrieved when they're needed. They're, they're not there all the time.
Fantastic. We do have one more question, but I think it might be difficult to answer on online, but I'll give it a go. How does keep security help in meeting PAM requirements specific to UK Telecom Security Act 2021? I don't personally, I don't know what the requirements of that are, but it's one that we could certainly follow up on, I imagine,
Right? Let's generalize this. Every security and compliance framework worth salt is gonna have something in sections one or two that says, don't be done with passwords, don't reuse passwords and know who has access to stuff. That's generally the foundation for the necessity for the PAM solutions. So I'm unfamiliar with that particular framework, but generally if, if you have visibility into where your systems are, where your credentials are, who's using them, who had access to them, and you're able to ensure just a general state in your environment of least privilege, you're good From a foundational security perspective, there may be idiosyncrasies in every framework to do things a little differently. But that, that's my quick answer without knowing enough about the framework. Sorry.
Yeah, for sure. Well, we can, that, that was, I see Matthew, we'll, we'll get back to you with more details about that. But thanks everyone for really great questions today. I, it's really nice to interact with you all and I just realized that I could have displayed these questions on screen, but I'm sorry I, this, this tool is new to me. Also, I'm sorry that I didn't reveal the answers to my quiz questions, but it doesn't matter because whoever got them, there's one person who got them right and we will send you the prize of those headphones. In the meantime, let me just say thank you so much to Zane for an, you know, what's been a, a really good webinar, really enjoyed talking to you and discussing stuff and I hope to see you, hopefully you'll be working with us on the leadership compass.
Yeah, absolutely.
Pat, Pam. Yeah. So thanks everyone for listening. Watching Bye for now, I guess.
Thank you.