Good morning, good afternoon, good evening, ladies and gentlemen, welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I am the lead analyst at KuppingerCole, and today I'm joined by Nicholas Brask, who is the cofounder of Pointsharp AB. Our topic for today is secure login for highly regulated hybrid environments: avoid being forced into the cloud. But before we begin, let me say a few words about KuppingerCole itself.
We are an independent and neutral analyst company founded 15 years ago in Wiesbaden in Germany, still headquartered there, but we have developed into a pretty global company with analysts around the globe, all the way from the US West Coast to Europe, obviously the UK, all the way down to Singapore and Australia.
We are focusing on information and cybersecurity, identity and access management, identity governance, risk management and compliance, and just about everything concerning the transformation. We offer vendor-neutral guidance and expertise on all these topics through three primary branches of our services.
First of all, we publish all kinds of research papers on various products, market segments, vendors, and basically all aspects of IAM and cybersecurity.
We do host multiple different events, starting from free online webinars like this one all the way to major industry-renowned conferences, like for example our flagship event, the European Identity & Cloud Conference. And of course we offer advisory services to specific customers, helping them to develop their projects in various areas of the transformation. Speaking of the events, just a quick hint: please do not miss the conferences we have planned for the rest of 2019. As I mentioned, the EIC will start in just about two weeks in Munich, Germany; hope to see you there.
And we offer quite a number of somewhat smaller, but still pretty significant events on various topics. You'll find further information on our website.
A few guidelines: you are muted centrally, so you don't have to worry about it. We are recording this webinar and we will publish it on our website as a webcast tomorrow at the latest, and everyone will get a link to download at your discretion. We'll be hosting a Q&A session at the end of the webinar, but please don't hesitate to submit your questions.
As soon as you have them, use the questions box in the GoToWebinar control panel. You probably have one on your right. The agenda is as usual structured into three parts. First, myself as an analyst, my goal is to provide you a general overview of all the trends and challenges of strong authentication. And then I will hand over to Nicholas Brask, who will give you more technically detailed recommendations and best practices. And he'll talk in detail about designing a proper hybrid authentication strategy.
And as I mentioned, in the end we will have a Q&A session.
And without further ado, let me start with KuppingerCole's favorite slide. We are living in a world where everything is connected. You may call it the digital transformation, Industry 4.0 as some like to do, or any other name. But the fact is that it is the digital information, the digital data, which is the lifeblood of just about every business, and this blood is flowing through numerous vessels, numerous communication channels within your company, but also across, or rather across the space where your perimeter used to be, to partners, customers, leads, things, devices.
And of course the cloud. There is no wonder that the cloud is still probably one of the biggest ongoing initiatives within the overall digital information strategy. Everyone wants to become cloud native or key in, are they?
And of course the problem is that the cloud is not the silver bullet. It doesn't solve all your problems. And the cloud comes with a pretty fine balance between rewards, however huge they might be, and a host of new and existing risks. And of course, perhaps the biggest differentiator of the modern IT, of the modern digital transformation, again, is that it's no longer led by the IT, but by the business. We, the IT people, no longer get to decide whether we want to go to the cloud and how we do it. And we have to follow the lead of business, and business, of course, demands access to all these amazing capabilities: infinite capability, reduced costs, new application models, new channels to customers. And we have to deliver. Unfortunately, as I say, every cloud has a silver lining. This cloud is unfortunately not all silver lining. There is the dark side of the cloud, meaning that it comes with a slew of risks.
And on this slide, I've just listed a few of the challenges any company, not just one operating in a highly regulated industry, but nearly any company which wasn't born like yesterday, is about to face when considering a migration to the cloud. Obviously compliance. The more regulated the industry is, whether it's government or defense or finance, insurance, or any other highly regulated industry, you have to deal with compliance regulations. And as soon as you are moving to the cloud, you are giving away a huge chunk of control over your resources, over your data.
And of course, over infrastructure, which is no longer yours. How do we deal with that? You have to consider that you are also facing a number of new cybersecurity challenges, availability issues: what happens when the cloud suddenly doesn't work anymore? And they already had cases like that on a smaller scale, or even on a larger nationwide scale. Like for example, in Russia, a couple of years ago, where the whole of AWS was unavailable for weeks. And of course, vendor lock-in: how do you deal with that?
Do you go all in on a single vendor or do you hedge your risks and design your cloud strategy across several vendors? Unfortunately, the more you think about it, the more complicated any cloud strategy becomes and the more complex your future, or maybe current evolving IT infrastructure is going to become. And of course, one of the primary challenges for just about every hybrid cloud environment. And by the way, a short aside: whenever we are talking about hybrid cloud, we do not talk about just the cloud.
We are talking about every possible combination between IT infrastructures on premises, in a public cloud, in a private cloud, in a combination of different clouds, or maybe even on the intelligent edge, being the IoT or other, for example, industrial smart devices. So in just about any hybrid environment, one of the biggest challenges is managing and governing secure access to your data, because regardless of the model you are using or planning to use the cloud, you are always responsible for protecting and maintaining control over the information you are storing there.
And of course, information protection is simply impossible without identity and access management and, even more important, identity and access governance. And as soon as your infrastructure is starting to spread across multiple heterogeneous environments, it becomes increasingly complicated as well.
And on this slide, which I shamelessly, quote, stole from one of the previous webinars of my colleague and boss Martin, you can see the big picture of how a modern identity and access management platform is combined with all the other aspects of accessing and securing access to other types of information silos, services, systems, and so on, and dealing with multiple identities across this highly complicated heterogeneous environment. You don't have to look into every box. You don't have to understand it today.
Because today we are only focusing on one single, but again, arguably one of the most important boxes on this picture: the authentication part.
Again, authentication is no longer as easy as it used to be in the old-school perimeter-based IT infrastructures. Authentication is no longer just telling the system once who you are, maybe proving it with a password, and then just working as usual, since your system, your application, your data is spread across multiple environments and devices running totally different technology stacks.
And you, again, quote unquote, you are no longer just a single type of identity, the employee; your resources are being accessed by partners, contractors, suppliers, maybe your current and future customers and leads, and multiple other types of identities. They, again, are using information systems spread around the world. So how do you keep track of all these multiple identities? You have to think about the bigger picture again. So the identity is no longer just the user and the password. It's a combination of the user, a device.
And more importantly, the context. The more you know about the user and the device, and sometimes just the device in case, for example, of IoT, the smart devices, the more additional data: geolocation, time of the day, network environment, whether the device is managed centrally by a corporate device management solution, is it free of viruses, is the user a privileged user like an admin. It all feeds into the whole context bundle, if you will, which defines the strategy of making the authentication a truly secure, adaptive, and ideally also continuous process.
And today we are focusing primarily on multifactor authentication. Why? Well, first of all, obviously, because multifactor authentication is prescribed by just about every compliance regulation, and not just in highly regulated industries anymore, but anywhere, if you will. And secondly, because without multifactor authentication, it's no longer possible to establish your user identity sufficiently enough.
And as soon as we are starting to talk about multifactor authentication, we cannot but continue and talk about adaptive authentication.
Basically adaptive authentication boils down to a combination of two things: context, which I mentioned earlier, which is a combination of everything you know about the particular entity trying to access your sensitive resource. And of course, policies. As soon as your system spreads across more than one technology stack, you'd no longer want to configure separate policies for each individual stack; it just becomes a nightmare for every IT employee of your company.
The policies have to be externalized and normalized, unified in a way that the same policy can be applied to any system, any device, any user, any environment, be it on-prem, in the cloud or on the edge. At least this is the theory. Whether this vision can be achieved, we'll be discussing that in detail in the second part of this webinar.
And for me, I want to again make this distinction: whenever you are deciding to move to the cloud, to modernize your IT infrastructure, you are always thinking about what do I do with my identity infrastructure as well?
My IAM, do I modernize it completely? Do I rip and replace it? Or do I let it evolve organically? Should I build it myself? Or should I buy it off the shelf or as a service? What is important for me, compliance or convenience? So many questions, but basically it boils down to two primary options. Do you want to manage your identities in the cloud as well? Or do you want to keep them on premises?
Of course, again, for highly regulated industries, there is no question. There is no choice. You have to do it on premises.
Anyway, although this whole ID-as-a-service market is booming, many companies for various reasons, compliance being just one of them, are watching that from the roadside and dreaming.
Sometimes: what if I could achieve the same level of modernization, the same level of functionality in an organic way, and still kind of have the best of both worlds? So here on the slide, this is the choice such companies are facing.
Do I go all the way to the cloud and face the potential challenges of losing control and being exposed to even harsher compliance pressure, but I will get so many amazing things from that: predictable costs, no maintenance, modern human experience, guaranteed to stay current even when new authentication devices, new standards and technologies will appear later? Or do I cling to my existing, maybe even partially legacy infrastructure and try to have everything under full control, facing all the existing challenges, but doubly or even three times?
So, because I now have to manage not one infrastructure, but two, three, or even more. Is having full control, data sovereignty and having the highest compliance level worth it all?
But my question for you today would be: but why not both? Is it really a choice? And I hope that the key takeaway for you from today's webinar would be: no, it's not. And this is what Nicholas Brask will be talking about in detail in his part of the presentation. But on this last slide from my presentation, let me just quickly summarize the key takeaways. So cloud is awesome.
Cloud offers multiple benefits, but it also comes with a host of new risks, which you and only you can properly balance and assess whether it's worth it for your business or not. Cloud only, or rather cloud itself, should not be a goal. It's just another tool, just another way to make your business, at least partially, more modern, agile, flexible and scalable, but for most companies hybrid will be your way for any foreseeable future.
And again, as soon as you are dealing with hybrid environments, you have to think about hybrid identity and access management, or a unified identity and access management, not just for compliance's sake, but for operational efficiency, improved security and just general business agility. Identity as a service is all the rage now, but really it's not the only option.
And hopefully you'll find out that you can build a similarly efficient, modernized, nice and simple solution yourself and keep all the control and data authority concerning your identities and data.
And finally, although IAM modernization is probably a long-term strategy, starting with multifactor authentication is really a triple win: it's relatively easy and it brings immediate improvements across compliance, security and user productivity landscapes. And with that, I'm handing over the stage. Nicholas, it's your turn now.
Alexei, just up here.
So once again, thank you for that introduction, Alexei. So I'm Nicholas Brask out of Pointsharp, and I will talk a little bit about Pointsharp and our experience in this area.
At Pointsharp, we are all about providing you secure login that helps you create the modern digital workplace. We say secure login because it includes more technologies than classic two-factor authentication and multifactor authentication, but in the end, it's all about authenticating users, so you can trust that only the right user gets access to your application.
Modern digital workplaces not only have to support a hybrid environment, in my view, because it's a reality today and more and more for every day that goes, but they also have to support the requirements that come by enabling users to access applications that can actually be placed in so many different locations and services. So in my presentation, I will cover the experiences that we have gotten so far working with many large organizations over the years, and also show you how Pointsharp can be used in building a modern digital workplace.
Also, as Alexei mentioned, in the end there will be some time for Q&A. So please use the control panel to put the questions down there during the presentation.
So we meet customers today that are really frustrated and kind of feeling forced to the cloud to get access to new functionality. We understand the frustration. And in short, at Pointsharp we aim to offer you to build the modern workplace without the requirement of moving your identities and authentication to cloud. You can of course do that, but it's not necessary. This choice should be yours.
That also makes it easier to move, in your own pace, the applications, and kind of cherry-pick the best applications out of different cloud vendors to build your digital workplace. And most customers already today have a working infrastructure and have invested in that and are happy with it, and they want to continue to use it, evolve it. And there cloud may be a very good fit in this development. Pointsharp is not a full-blown IAM solution. We rather focus on the secure login part.
So you can reuse your existing identity solution that you have today.
A lot of customers are running a lot of tools around what they have, for example Active Directory. They have catalogs of the users that are operating and working perfectly. And you can add things on top of that to make big improvements from user experience, security, compliance and so forth. We also understand that a lot of customers are frustrated with security always being complex to the end user, and by that sometimes skipping the security aspect.
So another goal that we have in our vision is to actually build security that also delivers great end user experience, because we believe it's the only way to have a successful implementation of security. So what are the challenges with a hybrid IT environment?
Well, obviously cloud has a lot of benefits and you have a lot of options, but from the perspective of Pointsharp, focusing on authenticating users, we have seen many customers running into different traps.
And one of the bigger is moving a little bit too hastily to cloud applications. So security always comes second. And by that, it tends to be, you may even have a security policy with multifactor authentication for your traditional on-prem access, but with the cloud application, you just thought, we'll use username and password, we'll take the other things later.
And by that, when you do it later, you just enable it on that cloud vendor. So we meet customers today that have four, five, six, even seven different authentication solutions. And that's of course not a good thing, not from a cost perspective, but especially from a user experience perspective it is a bad user experience.
They have a different login experience from different applications. From a security perspective, you lose control and overview of how your users log in to what application and when they do it: visibility, insight, auditing, and especially getting insight when unauthorized users, that is hackers, are trying to get access.
So there's a lot of traps and pitfalls with a hybrid IT environment. And you should really think about how to start your move to cloud and where to place different applications and how you can have the best flexibility to keep the choice to you when and how to make that transition.
So we believe, to successfully implement a hybrid IT environment, the key thing to take control of is your users' identity and how you can ensure that they are who they claim to be before getting access to their application. So avoid losing control of your business and security requirements by making a good login strategy first. So what's a good login strategy? Obviously I'm not objective, but we see that one of the key things is to consolidate to one solution that supports all the different use cases you have in front of you.
Don't add a second authentication solution because the first one didn't support your new application in cloud, because the typical take is "we take it later" and so forth. By doing this and having one solution,
you can also add the same user experience when users have to prove their identity. And remember, I will talk about that soon, it's more in focus today for users to log in to applications rather than networks, but that also means in a hybrid IT environment that the users have to prove their identity much more frequently. So user experience is of much more importance today.
And with this approach, you can focus on choosing the best authentication that fits your needs, and by not mixing, but separating authentication from the applications your users are accessing, you can also focus on choosing the best applications that fit your business, and in your pace, whatever cloud vendor. Typically, there is no cloud vendor that can give you all the applications that your organization needs today, especially not if you're a bigger organization.
So you have to pick different ones, and you want to be as flexible as possible to cherry-pick the best application as well as the best authentication solution for you.
So when you pick and separate your authentication solution, you also have other options. You can choose where to place it. You can have it in your own infrastructure, and your infrastructure can be on-prem and can be in cloud, AWS or similar. And depending on the requirements of your organization, that may very well be where you want to place it, especially initially, to retain trust and compliance.
But we also see more and more, and we have partners using Pointsharp to build private cloud services. So basically Pointsharp as a service. We don't offer a public service. Our goal is to have customers using it themselves or partners building customized services for their customers. And with a private cloud or Pointsharp as a service, you can actually get the best of both worlds, and that fits very well for smaller and maybe medium-size businesses, where you have a partner you can trust, with whom you have a business relationship that goes a little bit deeper and whom you can trust on taking care of the authentication of the identities of your users. So there you can have a mixture. So there's a lot of different options, but in the end you can decide what fits your business. And obviously cloud vendors know that owning the identities of your users is key and crucial for locking you in to their business. So there's a lot of vendors, and just taking one example, they bundle MFA into the licenses, Microsoft being one of them: Office 365, very good authentication if you use everything from Microsoft and lock yourself into their ecosystem, but be aware of that. You also have, from security aspects, that wherever you place your authentication service, you're going to feed that service with data on how your users log in, when they log in, where they're located and so forth, sensitive data about your employees, your users. So if you take care of authentication yourself, you can keep that data within your boundaries. You can place it with a partner you trust, that you can have a very close relationship with, and someone to call if something happens. And by that, you can do that. But for a smaller organization, while you get a lot from MFA in the cloud, you could be okay with that and maybe place it in the cloud, but then you're probably not the customer of Pointsharp, so to speak.
So with control, by taking control of your user identities and how they authenticate, you have a much easier way to meet your security requirements, the legal requirements you have, the GDPR requirements you have, especially if you are located in Europe, but also privacy: where do you expose data, how your users log in, where they're located and so forth. But also from a business perspective, you can get the flexibility that fits all of your use cases for your different users. Maybe even more important, and a lot of customers tend to forget, availability. What SLA requirements do you have?
So just to give you one example, Alexei mentioned one in Russia. We had one last year, I think it was 19th of November, where Microsoft MFA was down for one to two business days in Europe; basically all customers using that could not log in to their Office 365 environment.
They could not log in to external resources they also have connected to that, and that's a support nightmare, if you can't access your applications for one to two business days. And where do you call? It's a lack of separation. You get a lot of value, but you also get the downside.
So pros and cons, and you also have the user experience. If you have the flexibility of taking control and you're having a hybrid IT environment, you want to ensure that you can give the best user experience to all the different applications you have, and not just the ones supported by the MFA vendor you use, and especially not if it's in cloud.
So what's a typical Pointsharp customer? We focus on medium and larger enterprises and governmental organizations. Typically, the larger the organization, the better fit they have with Pointsharp and the less fit they have with the public cloud MFA solution.
But we also have more and more smaller customers sourcing our software or MFA solution as a service from a partner they trust and have a good relationship with. So in short, customers that care about security, care about availability and also user experience. So the airline here on the picture is a typical customer. Security is important obviously for their business and the airline industry, but they also have a lot of different user categories and they have a mixed environment with private and corporate smartphones.
I can come back to this, but that's also a challenge for organizations, not only cloud today, but mobility and the mixture of private and corporate mobile devices within an organization.
So why do we need secure login?
Well, I think today most understand why, though I'm still surprised to meet, especially, larger customers that don't cover all entrances with MFA. As mentioned, they enable a new service: "oh, we don't have support for that, but let's start without that, we can take it later." Identity theft is today one of the biggest growing security crimes, so it has to be covered. And you also have the legal requirements like GDPR, for example. So there's a lot of reasons. And what is secure login?
Well, in history and going back, we always, from the security and authentication perspective, talked about the three different factors. And combining two of them was strong authentication or two-factor authentication. What happened over the years is that something you know is a little bit on the bad side. We always say password is a bad user experience, but maybe that's also partly the fault of the industry, because we have forced users with complex passwords
they have to change regularly. So basically giving them all the tools to forget their passwords and making it difficult.
Combining other factors, we could actually ease up on that a little bit. And the something-you-have factor has transitioned from being a hardware token generating one-time passwords to software on your smartphone generating one-time passwords. And this is a factor that is actually very interesting, which I will also come back to. What's more interesting is that biometrics obviously has been growing. And I would say that's especially due to mobility, mobile devices coming with sensors, fingerprint and other biometrics like face recognition and so forth.
So that's been an increasing factor. So today it is quite easy actually to use a three-factor solution. Is that secure?
Well, the different factors, I think, come with pros and cons. Something you know: you always have it with you,
so that's a pro. Something you have: well, if you have to carry it, it could be a disadvantage. And is it complex? Coming back to that. Something you are: well, that's very easy because you have it with you. You have your fingerprints, you have your eyes, you have your face with you. The downside is of course that you only have 10 fingers. And when they are exposed, you can't add an 11th. And remember that every time you fly today, you expose your fingerprints.
You have your face photo taken and so forth. So in some scenarios, biometrics is really good; in other scenarios,
well, you have to combine it with other factors.
The something-you-have factor, I would say, coming to the smartphone, is most of interest today because that could add a lot of things in security, but still keeping ease of use for the end users. And looking at where users are and in which scenarios they have to prove their identities: network access being the common scenario for many years, VPN to your corporate network, it's still popular and you can actually modernize it. But with cloud, more and more is focused on a user logging in to applications.
And then obviously a third: users log in to devices. Today, where that has usually been a password, it's more and more common using biometrics. And obviously in some industries, smart cards are still of importance, especially within healthcare. At Pointsharp, we focus on user login to network and applications. We don't focus on logging in to devices. We think biometrics is quite good for doing that.
However, we use that you have a pretty secure way of logging in to your device and reuse information about that when you log in to network and other types of applications, because that could actually add to the user experience. And for us, to build the modern digital workplace, we strongly believe that the have factor can only be the smartphone, because then you actually have all the three factors always with you. You have something you know, you are yourself with the biometric, and today everybody carries their smartphone with them.
No one wants to have an external hardware, an extra dongle, and carry that with them. And there are other factors that are very beneficial for using the smartphone. Because remember that something you have has always been a token of some kind, software-related on the smartphone, generating a one-time password, and the user has to enter that. But with the smartphone, you can do much more intelligence and do much more development and interesting added value within authentication, and an app on the smartphone really opens up for doing more stuff.
And the other aspect, because as a user experience in a hybrid IT environment today, where you previously had one digital entrance with a VPN into your company, from a business perspective, building a modern digital workplace, you have so many more entrances today with hybrid infrastructure. You have different cloud vendors, you have different access points into your corporate network, and keeping an overview and insight on how users are accessing your applications is really key.
You have to have one solution, and you have to have one solution that actually not only supports your users, but supports your business in logging and taking all of this information and presenting that to you, to give you full control. That's really important. So coming back to the smartphone, why do we think the smartphone is so important?
Well, first you can move away from one-time passwords. That's usually been a little bit of why second factor and strong authentication have been a little bit complex.
You can do it much easier now using the smartphone. When the user logs in, we can send out a push notification; the user looks at the data and says, yes, this is true, and I confirm and approve, and gets logged in to their application. You can even use a smartwatch, which is slowly, I would say, but more and more common in different regions. And you can actually make it even easier to confirm your login.
So for this, and for us, this is the future. You can add security by controlling access and devices. We talked a little bit about adaptive authentication and so forth. You can add security by that, but it's also sometimes complex and it could actually sometimes add false security. I actually met a customer that said, well, we went to a cloud service, we used conditional access. So we thought we don't need MFA because with conditional access
we would have everything. But obviously, conditional access with your location, that no one should come from outside and so forth: hackers know this.
They can pretend to come from everywhere, so they can bypass conditional access in a lot of ways. So key for enabling a hybrid infrastructure is always, you need to know that the users are who they claim to be. And the only way to do that is to have a good MFA solution, but it also has to be easy to use for the end user, so they actually can use it frequently. And with the smartphone and the login app, you can do so much more. So for example, you can add the third factor. The smartphone comes with sensors today. So we can add bio and say, well, you had your password. We can make it even simpler.
Maybe remove it or add it as a pin code instead.
But we also do biometrics and combine that when you log in. So we really know it's you that logs in. If you have private devices that are not corporate, we can also enforce that you have to turn on screen locks. If you lose your phone, no one should be able to open it. Otherwise you can't use it as a token for authentication. Another thing that is important also, a little bit outside technology, but still valuable for the user, is branding, because for the user, this is a companion to support them around their identities.
And even if it's Pointsharp that designed the login app, we built it, we have designed it for our customers. So you have different pages of our login. And one of them is a help page that can be a hundred percent branded to the customer, and you can do it yourself.
And you can instruct your user how to get support when they need, you can have your phone numbers, use a click on the phone, the phone calls help desk.
Obviously you can use the login app to confirm the identity when you talk to help desk, but even more important, you want to avoid help desk if possible, because it's always connected to a cost. And one of the most common scenarios with contacting help desk today is password reset because the password... So within the login app, you can also connect to our password reset with multifactor and do it self-service, so the user can do it themselves. Also, especially in larger organizations, ease of use also for the onboarding is important.
So we have a hundred percent self-service driven onboarding procedure, some different scenarios that are supported, but in the end it's easy and the user can do it themselves.
They can take a photo of a QR code. If they're on the smartphone themselves, they just click on the link. And the login app is configured, and the login app is publicly available on the market. Then we also know that the login app is the future and the modern way of authentication, but sometimes you need to have a fallback to the classic way of one-time password.
So the login app actually includes a third page, which is the authenticator. It works like Google or Microsoft Authenticator. So you have your Pointsharp authenticator in there, but you could actually use your own profile, and the user can even have private profiles. And this part is freely available on the market. And you can add it and have even biometrics enforced by the users themselves, protecting your one-time password. We also know that the onboarding process, a lot of automatic processes around identities, is important.
So our login app also include an inbox.
So through an interface from our product, but also web services from other products, you can send out notifications to the user using the push notification network. So quite easy. And the user gets it very conveniently, and it adds more functionality, the login app being a companion, supporting them in how to work within the organization, improve their identity. But then we know also that the login app, even if we believe in it a hundred percent, we still have customers within defense that still are on hardware tokens. We know we have customers that are having issues with private phones.
I mentioned Scandinavian Airlines. Key for them, when they decided some 10 years ago on using Pointsharp, was to use the mobile phone as a main factor for authentication, but they also have 75% roughly, I think two-thirds maybe OFS with private phones, and they have a lot of unions.
So they just can't require that you have to have a smartphone because then they have to provide them. So for them it's easy they can offer.
Well, if you don't want to use your private phone, you get the hardware token ache, token. They're quite low cost today, but it's always up to you. If you don't want to have an extra hardware, you can choose your private phone and use that for authentication, and you skip having an extra hardware. So also not from security, but from a political part, it's important to have a broad range of authentication methods to meet the flexibility of different use cases. We even support Google Authenticator that you can onboard, which in some scenarios is also good, SMS and so forth.
Then we differ a lot from other authentication vendors because we know that a lot of customers, especially larger ones, still have on-prem applications and still are using VPN as the key source for accessing the company externally, and using our login app with VPN, you actually get a very modern feeling, which is actually really nice. But we also have a lot of customers using, for example, Exchange on premise still.
They're not ready to move that to cloud, nor to Microsoft, or use a different vendor for their email. So we also support login to Exchange, both for mobile email and Outlook.
You don't need to use VPN. We can do it directly, as well as web mail. And very short, we do that with a technology we call app DNA: we combine the credentials with unique information about the device. And we do that with the multifactor authentication, which is then inherited. So the use case for the end user: they synchronize their smartphone, but if someone steals their credentials, the stealer can never take those credentials and get access and log in, because they need the physical phone.
Same goes with Outlook: we register a unique app DNA for Outlook, so you can run it, just use it, very easy for the end user, but no one can with just the credentials log in and get access to your email.
Single sign-on is another scenario that is important in hybrid infrastructure. We offer a very basic app portal where you can place links to applications that are both on-prem and in cloud. The idea is that the user logs in once using our login app and clicks on the application they want to go to. Single sign-on to the cloud we do by using federation. As mentioned, we are not the full-blown IAM.
So we rather integrate, and I would say 95%, the most common integration is with Microsoft AD FS, because most customers have that in place already. But we also work with F5 and CRE that also can be able to provide federation tickets for accessing cloud services. On premise, same, you can have CRE, you could have F5. You can even use Pointsharp for doing single sign-on using Kerberos technology in order to access applications.
On-prem, especially if they're web based. Administration is also important for the running cost and having a high security. Keeping self-service using a user portal, we allow users to do as much as possible from a self-service perspective.
And we also do administration and combine it with insights. So we have a dashboard that is combined with the administration interface. So if you look at the user, you can actually see here in this example a top 10 list of users that have failed logins. That may be by mistake, but it might also be that they're exposed to brute-force attacks.
And here you actually see it doesn't matter if the login is coming from Office 365, Salesforce, your VPN connection, as long as they're connected to Pointsharp, you can see them in the dashboard, and you can actually click on them and drill down and get real-time insight, auditing what's happening with this user. So that's really powerful. Deployment: we are a software company. We provide security software. It runs on Windows Server, physical or virtual.
You can, by that, have it in your own infrastructure, which you place OnPrem or in cloud AWS, for example, or you can have a partner that actually is capable of building a service out of our product and selling it as a private cloud service.
That is a little bit more flexible than you would get from a cloud factory service. And just to give you a little bit of a technical insight from a very high level overview and how we can make things happening.
As I talk about in this presentation, you have two circus in this presentation, and this is a classic on-prem deployment. You have Pointsharp ID being the authentication server and the brain and the heart of the Pointsharp system. That's where everything is happening. Talking about login, talking to user catalogs, integrating with AD FS, integrating as a RADIUS service and so forth. But we also have a Pointsharp Gateway component. And why is that important? Well, for one, it makes us capable of doing specific solutions for products like Exchange on-prem, but more important.
That's how we can provide a modern user experience with our login app with push notification, even if we're not a public cloud solution. You can still benefit from getting that modern digital workplace by having a login app and so forth without exposing your identities to cloud, because the gateway opens up a way for the login app to communicate, customize, be branded and so forth to your own infrastructure.
And, and you can also use it to protect your Federation, its for example, and so forth.
But enough with that, that's a short introduction to our view of hybrid infrastructure, and what Pointsharp can add into this picture. For all of you that are visiting the European Identity Conference in Munich.
In a few weeks, we are exhibiting there. I will be on site at our booth, and we'd be happy to meet on site to discuss further. And by that I'm thanking you for my session and hand back to Alexei.
Okay, well Nicholas, thanks a lot. It was a very comprehensive overview of both the vision and the functionality of your own platform, which has probably addressed quite a few potential questions from our attendees already. But you are still welcome to submit further questions; we have about 10 minutes left. And the first question would be, if I may rephrase one of the questions I have here in the list.
So yeah, we've learned from your slides that your platform can basically do everything that a typical cloud-delivered identity-as-a-service platform can do. It's easy to administrate. Basically the only open question would be: okay, great, but how much does it cost? How does it compare to the typical subscription-based cloud service?
Yeah, so, though we are a software and product company, we also have aligned ourselves with what's popular today. So we are having a subscription model that's similar to cloud and so forth. So it's very easy to budget. And so cost for Pointsharp is basically per user and per month. And with that said, there is no other hidden cost other than you have to take the cost for your own infrastructure or as a service from a partner. And the cost per user a month is ranging somewhere between one euro to two euros depending on functionality and volume.
So it actually doesn't cost more than actually even less in some scenarios than a typical cloud MFA solution would do, but you are still in control and you get the same flexibility from a business perspective. You can grow with the license model as you grow your solution. And if you actually decline a little bit, you can also decline the license because it's subscription based.
So basically you get all the benefits of a cloud solution, but retaining full control and compliance. Okay. Probably the last point addressing that regard or can you actually scale as well as a public cloud?
Can you support thousands or millions of identities?
Yes.
So basically Pointsharp is built to scale. I showed a very simple technical drawing, but from a business perspective, there's no scaling in licenses just because you scale users, and from a technical perspective, you basically only add resources. You add servers, and you can have one up to 10, 20, 30; there's no technical limitation. We have support and customers running us with more than a hundred thousand users. I think our largest global deployment is probably around six or seven physical sites globally with redundancy on site and synchronized in between.
So yes, we scale to enterprise companies. So that's very easy. And if you even deploy us in the cloud infrastructure, you get that scalability from the cloud benefit as well.
Okay, great. So I would actually like to squeeze my own question between all the ones from the audience. So the term I used throughout my part was adaptive authentication. You are using the term secure login.
To me, it appears that both terms overlap quite a bit. So it's MFA based, it's context based. The last part I would like to hear a little bit more about from you: do you support policies that kind of go across multiple environments as well?
So basically that's why we talk about secure login in general, because there are so many different technologies, and for different customers there are different values. And secure login for us is using the combination of technology of two-factor, multifactor authentication, context information, building policies around the users and the information we have around it, information about devices. And by that also adaptive authentication that may adapt to devices as well as policies based on users. So we kind of summarize all of that into secure login.
Okay.
Because that's in the end what it adds for the customer.
Okay. So different terminology, the same idea, the same vision. Great.
That's another challenge in the IT industry. So many terms. Right.
Okay. Next question. Let me just read it out. Okay. How do you prevent a malicious insider from accessing sensitive databases and access to physical IoT devices within a device-to-device ecosystem?
That's interesting question. Yeah.
So, so basically that's not the scope of our product because between IOT devices, there's usually not the user interacting. So we are all about user authentication. So we are not focusing on IOT devices and what we can do.
However, protecting the database is in the sense of users authenticating those databases to access data that you, you need for different scenarios. But as long as there is a user part of it, I'm sure if that's an answer to the question, if I understand it fully.
Oh yeah. That's kind of a, a tough question.
And I could probably add, I mean, even within the whole IoT ecosystems, there are multiple scenarios where a device is still acting on behalf of a user, right? Yeah. It doesn't have to be all device-to-device communications like in industrial networks. For example, there are many, I mean, even for example, if you take a connected vehicle, it still has a driver, which is a user, right? So probably your solution could still feed into that IoT scenario.
So we could feed the user authentication into the IoT scenario.
And by that the IoT devices would inherit that authentication and the trust that comes with that. But then we leave it over to the IoT ecosystem. So to speak, we leave it with: yes, here you have a valid user that conforms to the policies that you have set.
Okay. Next question. Do I have to license only the users which really do log in, or all potential users who can log in?
Well, as I'm part of sales support shop, I would like to say all of the users, but yes, you only license the users that are actually using the product. To give an example, if you have, let's say, an Active Directory in your infrastructure that contains 10,000 users, but you want to connect Pointsharp to a thousand users for VPN or Office 365 or whatever, you only license a thousand users. If you want to have more users, you just add on top, over time, so you can actually grow with the license.
Okay.
And we have a minute left for one last question, and that would be the following: can Pointsharp provide device visibility to track the location and movement of authorized devices and authorized users within the ecosystem? I think it was exactly what you have shown in your slides, right? The dashboard.
Yeah.
So we basically can provide data on devices accessing through our gateway, and that's a little bit technical. However, our focus is adding geolocation and that data of the user rather than the device accessing. And remember, sometimes, especially when you access an application on your smartphone and you use your smartphone as a factor for authentication, then it's the same device.
But for us, it's always more important where the user is located rather than the access, because you can always fake where the access comes from, but it is much harder to fake a trusted user. And another connecting question to that is, well, if you access with the same device as you're authenticating, is that still secure? And I would say, yes. The policy around that was coming when you had PCs 10, 15 years ago, and that was not separated. Mobile devices today are very separated in between their applications.
So even if it's physically the same device, you have separation between the applications.
Okay.
Just OTP, right?
No, no, M only for fallback, but not the best.
Okay,
Great. Well, thanks a lot, Nicholas. We have reached the top of the hour, which means that we can no longer accept any further questions. Thanks a lot to all of our attendees. Hoping to see you in the future in one of our next webinars, or maybe even at the upcoming EIC conference in Munich with me. Thanks a lot. Have a nice day. Goodbye.
Thank you very much, everybody.