Afternoon, ladies and gentlemen, welcome to today's KuppingerCole seminar, "No real security without multifactor authentication everywhere: why even the stronger password policies are not enough today". This webinar is supported by Centrify. Joining us as a presenter today will be Barry Scott, chief technology officer. My name is Ivan ly. I am Lead Analyst at KuppingerCole. I am researching the areas of identity access management, governance, blockchains, and cybersecurity.
First of all, some general information about KuppingerCole. KuppingerCole is a global analyst and advisory firm providing enterprise IT research, advisory, decision support and networking for professionals in Europe, Asia Pacific, and North America. We do our research by way of various types of research documents: our flagship Leadership Compass series, where we compare technology vendors within various market segments.
We also have more general advisory notes, which examine key topics and future trends in technology and cybersecurity, as well as various vendor reports and individual product or service executive views, to name a few. Through our advisory services, we provide advisory and strategy services to enterprises and end users, and pride ourselves on our neutrality and vendor independence. We also do a number of events, such as this webinar. Our flagship event was just held recently. It was EIC 2016. It was held in May in Munich.
It was the biggest event yet with the highest number of MDs, an amazing amount of tracks and workshops on everything ranging from IAM, IAG, compliance, risk management, governance, privilege management, and security tracks as well, dedicated to the internet of things, industry 4.0 and of course, cloud security. Our next upcoming conference is in a bit of time. It is in March 2017, and this will be focused on the digital transformation and the financial sector. Before we begin, some general guidelines for the webinar. You are all muted centrally. You do not need to mute or unmute your microphone,
as we control these features. We will be recording this webinar. The podcast will be available several hours after we've completed this live recording. And there will be a question and answer session. As you will notice in GoToWebinar, there is a questions option. Please enter your questions here. And then Barry and myself will answer as many as we can during the allocated period for Q and A. This is the agenda.
I will begin by speaking more generally about the market trends and the drivers of strong authentication, not just limited to strong authentication market players themselves. After that, I will hand over to Barry who will present in a much more detail, how to implement multifactor or also known as strong authentication and how to avoid common challenges that customers face when implementing it. And our final part will be a Q and a session.
So today, as we know, this was raised very much at our last conference, everything and everyone is connected. We've all heard of the digital transformation. We've all heard of the internet of things. We've all heard of, eh, the problem of privacy, the upcoming EU data, privacy laws, or any form of data processors, the new payment services directive, more and more services or transitioning to digital channels. This is a well known fact.
This is something that's has changed authentication from merely being something nice that is used for online services and for entertainment to actually becoming of, of key importance, which, and it must be treated with the same importance that we used to treat our house or car keys today. We must treat digital and online logins with that same sort of perspective on security measures. And really when we get down to the core problematics of the digital transformation, it is data. Data is our biggest assets. As organizations, as customers. Data is our key assets.
And these are the questions that need to get asked first and foremost when we are looking at security: who or what has access to which data, who owns which devices and things, and how do we ensure that people, services or things are who they claim to be? Another key thing, which is being raised and is very much coming into prominence, is two trends. One is the fusion of what has been traditionally separated as identity access management and customer relationship management.
These two are merging in many senses, and this is all to do with customer data, and customer data is increasingly becoming legislated, and any organization which deals with customers' and consumers' identities has a huge responsibility to manage either their employee logins or personal data as well as, just as importantly, their customer data. We hear a lot about the password being dead. This is an overstatement. If we imagine a parallel universe where instead of passwords, we always used biometric data as a single factor of authentication,
then probably today we would be saying biometric authentication is dead. The truth really is that single factor authentication is simply insufficient. It does not matter how complex passwords are, or how many times they're rotated. Today we distinguish authentication as proving an identity either by something you know, such as a password, something you have, such as a hardware token, or something you are, such as biometric data. A key principle that we all know in security is there is no such thing as a hundred percent security.
So this is why multifactor authentication is just becoming essential. And each of these three categories of authentication, none of them are perfect. They all have their downsides. They all are, are not useful on their own. As we've seen with these situations with passwords, we know these famous from LinkedIn to Facebook, Google the trouble.
We know, even when we deal with employees is if we set password policies to be too complex, they write them down and they're easily or they're easily given up through social engineering. So another key thing which I will highlight here is the importance of the user experience when thinking of security. And this is key because security is a process, not a project. And if your security is in your organization is too onerous, it drives away customers and it makes employees life harder. It makes them less productive and they will find shortcuts.
So beyond these, the risk here of passwords being exposed and users using the same password, across many different services. And another key factor is the legislative factor. The payment services directive version two will mandate the use of strong authentication for all payment services providers. And it will place the liability for fraudulent transactions on the payment services provider. If they did not implement strong authentication, they that the law is not specifically clear yet on what they consider strong authentication.
So they're not defining exactly which type of strong authentication. However, there is general agreement that it must be multifactor. This is something key to keep in mind because payment processor is not just applied to the financial sector. It applies to almost anyone who stores banking, details of employees, credit card information, any way that they can allow a purchase to be made as even as an intermediary.
So this, this affects almost every single organization. How do we, what do we go to now? What's what's next? How do we have strong authentication that is secure, has a low total cost of ownership is user friendly and is universally valid. And this is actually one of the few times we can see where user experience and security do not need to be at odds with one another. It's important here to think like a cus like a consumer, like a customer, we all are consumers in their daily lives.
And for all the faults of the big internet providers, such as Facebook and Google, many of us have been quite delighted by the, the adaptive risk based multifactor authentication that say Facebook or Google have implemented. We need to think like that. We need to think what, what kind of customer experience have I had outside of the enterprise that has delighted me. And yet also impressed me with its security measures. And this is where strong authentication can really flourish. And this is also, there is a huge market for this strong authentication.
We call it multi-factor authentication or two-factor authentication. These are terms often used interchangeably. In this case, with strong authentication we mean anything that is more than just one factor of authentication, for the purposes of this webinar.
And also important here is context and step-up authentication. More than just adding another factor of authentication, which is another step for a user to jump through, it is also detecting anomalous behavior by having a full understanding of the risk and the context that the user is in when an authentication event happens. For example, is the user logging in from a device, location or time of day that they have never done before? Are they attempting to perform a high risk or previously not done before action on your digital service?
Those are key examples where a risk based adaptive authentication and mechanism can step up the authentication dynamically. For example, we all have the experience of the public, the Gmails of the world, the Facebooks of the world. They will instantly detect when a new browser has been used. They know how to fingerprint the browser, and they only will then challenge you for an additional authentication factor and moving that from the importance of multifactor, the importance of user friendly, strong authentication, and security will move a bit to the market trends. So it's an enormous market.
As you can see from these numbers, it is growing and exploding. And a key factor here to distinguish is between the traditional IAM vendors, who are growing at a steady rate, but what is really of notice is the explosion of the upstarts, the challengers, and the new entrants, often cloud-based IAM players, who are growing enormously. Here we have some growth information pulled from various sources.
I do not mean to individually endorse any one of these single products, but any of us can go onto any of the many tech websites about startups, about venture capital, and pull this funding information. And we can note that these players are becoming market favorites. And what I want to make note of is with all of these various vendors, who actually we speak to a lot of them, and a lot of them say our biggest problem is that people think we just do multifactor authentication, or we just do federation. And it's absolutely correct.
And these players have come to prominence specifically because they first started to develop and promote very easy multi-factor authentication using soft tokens, using very innovative new forms of mobile devices, hardware tokens. They've really amazed.
And it's really been the leading killer feature of their suites, which is why now, even though almost all of them have complete identity access management suites, their single most popular feature, which made them famous and made them grow, has been easy to implement strong authentication. And this really is key: security does not need to be done at the expense of user experience. I'm gonna move to some best practices, which we've seen by speaking to customers
and by speaking to vendors. When implementing strong authentication, it's important to consider a number of factors. Of course, we have user friendliness, we have the speed of authentication. We have security. Obviously compliance: certain countries have legislation governing the storage, for example, of biometric data or key pairs, PKI legislation. So it's very key to keep that in mind.
And again, the total cost of ownership should not just be around. What is the cost per hardware device versus the cost per software device key is to consider as well service desk, total cost, cost of ownership. How hard is it to set up? How hard is it to support how hard it's to maintain? And then a final example is specific organizational requirements. For example, we need to keep in mind today. Almost most employees will have company phones, some may travel.
So data charges or SMS charges on a large enough scale do tend to add up as well as it could be that for these roving global employees, it might be more difficult for them to connect to a data service overseas, or it might be harder for them to get a text message. So these are, these are use cases to examine when considering what type of additional authentication token to use. And also another key important requirement, which I alluded to at the very beginning of this webinar was the question of data governance and classification.
So it's important to decide when to require strong authentication, again, implementing it on everywhere does provide an additional degree of security. There is no arguing with that.
However, it's not a silver bullet. And what's important before, before undertaking any security project is data classification because ideal world scenario is people is there is unlimited funding for information security and everything can be protected. The reality is that many organizations have limited budgets.
So they have to pick and choose where they will be putting those investments, those OPEX and CAPEX costs. So since we are living in the real world, there will many times be a question of the need to roll out something gradually. And this is why data governance is key and risk management is key, because without a good understanding of what sort of informational assets are owned by an organization, what are the compliance requirements around those, and what is the impact of an incident, a security incident.
This is key to any project, and this means it is always best to start off. If you, if there is limited scope or limited budget, it is always key to start off with those most important assets. And also remember that user experience is key. As we've seen complex passwords are not sufficient.
If, if to encourage the adoption of multi-factor authentication, many of the best practices or common practices within organizations relating to password complexity or expiry, they were just default settings, which were left on. No one can truly justify them and no one can really attest to their greater security necessarily. So often the implementation of multi-factor authentication should come along with a relaxation of user passwords.
This will make the users happy. This will make sustainable security practices which users can follow, which users want, which users won't find ways to circumvent.
And, and we're gonna end now with the, the cautions again, MFA can only provide an effective security improvement. If the channels for each authentication factor are kept separate. For example, using a mobile device to either have a one time password sent to it, to either have a soft token installed on it is a, is an excellent option.
However, the benefits of multifactor authentication go away. If then that same device is used to access, for example, a mobile banking app and that same, and, and the confirmation is sent by a text message. That same device we've seen reports of it, of successful attacks on, for example, Android devices, where once the device was compromised, then if, if those two channels were not separated, then multifactor authentication was useless.
Again, it cannot be considered a replacement for good operational security. Again, social engineering will always be a threat. User education is key. We know this. Multifactor authentication can mitigate against it, but it can never completely render an organization immune to those sort of attacks.
And I want to also conclude here with a mention of privileged accounts. Privileged, shared, and service accounts should be completely managed separately. This is a topic for another webinar. We've done many of them, but this is something to bear in mind. When we talk about usability and making passwords simpler, this does not apply to privileged accounts. With that, I will now hand over to Barry.
Thanks again to Ivan. I'm Barry Scott, and I'm the CTO for Centrify in EMEA.
And for those of you not familiar with Centrify, we've been around now for about 12 years. We're Silicon Valley based, but we also have presence in Europe and across EMEA and Asia, and we're a security company in the identity and access management space. Now that covers many, many different areas in itself. But what we focus on within that space is IDaaS, identity as a service, and we've just been mentioned in the leaders quadrant on that, and PIM, privileged identity management, or privileged access management, depending on how you refer to it.
So what I'm gonna go through now is multifactor authentication everywhere and why we need it. So the agenda just very briefly for the next 10, 15, 20 minutes: what is MFA everywhere and why does it matter, why now, the customer problems that MFA implementation can have, and also what are the key capabilities and use cases that we provide with multifactor authentication everywhere.
So, first of all, why MFA and why now? So really, if we look at today's security landscape, it doesn't really matter what source we use. The bottom line is that the number one leading point of attack is compromised credentials. Over half of breaches are as a result of compromised credentials. I know I've got the Verizon DBIR for 2015 here, but the 2016 one says very similar things. And if you look at Mandiant reports and so on, basically compromised credentials are killing us. The other thing is that today we've got more data than ever.
And what makes it worse is we have more passwords, more accounts. We can't remember them. Our companies have gathered more and more data, much of which has a value to the bad guys. So everybody wants to get in and find out what we've got. So what I'm showing here at the moment is the list of the top 25 passwords last year, as published a while back by Gizmodo. And it's a list built from the details of stolen passwords they found on the internet. And really what it's saying to me is that many passwords can be guessed. They can be brute-forced really easily.
So just by using passwords, we're putting ourselves at great risk. And as Ivan mentioned, you know, nothing's perfect, but basically single factor authentication, which we know of typically as just using a password, is not good enough. Also, when we have too many passwords, because of the way we generally treat them, it's almost as if we have no passwords at all, too. Another thing that compounds the risk is the fact the IT perimeter is dissolving. Users and their laptops and mobile devices may be inside firewalls or outside firewalls; servers may be inside or outside.
It makes it hard to apply policy. And in turn, this leaves more openings for the bad guys to attack.
So, as it says, here, cloud and mobile have actually meant attackers have more targets than ever to go. After another thing that's slightly changed over the years is the cyber attack chain is targeting all users. So we're all under attack, both end users and privileged users, and really end users because they're the ones that have most of the burden in terms of passwords. They're the most likely to be using poor password practices. So they become a primary point of infiltration and the initial point of compromise in our environments.
And once infiltrated, the bad guys are on the corporate network and they can probe further. So they can use tools like Mimikatz, pass-the-hash techniques, and so on to start moving laterally and looking for the keys to the kingdom, privileged credentials on a server from where they can then exfiltrate data. And that's the breach fully accomplished. And as I say, we're all under attack, all accounts, privileged users and end users. So the attackers have got what they need already. They've got what they need to infiltrate.
They've got some, there are some scary stats you've got up here. A couple of them Ivan's already mentioned LinkedIn, for instance, but as you can see, the FBI said, 1.2 billion passwords were stolen in 2014 and another five to 600 million in 2015. So basically everyone's got your password already. And the time to act is now. So what do we mean by that?
Well, over the last few years, we've had some bad times in security. 2014 was the year of the breach. 2015 was also bad, basically more of the same. So the risk to passwords, the risk of using passwords, single factor, has been steadily increasing. So now we at Centrify can improve the situation by reducing the number of passwords, implementing SSO and so on. But it's time to really do something about it. Ultimately the password is a huge vulnerability as a single factor authentication.
So we need to implement MFA because fundamentally it means the hacker has only got half of what they need to get in if they steal your password. So what this does, the implementation of MFA, it buys us time to do things like consolidate identity, to implement single sign-on, provisioning of SaaS apps and such like, to start bringing context to policy, and for the sake of our privileged users to be implementing least privilege management and also full auditing, so that if the worst happens, we can tell exactly what's going on. So I'll just build this slide out fully.
So the Centrify solutions that you can see here, all of this, everything I've said so far is why our platform, the identity platform, includes MFA, because all the user situations need it. So what we have in our portfolio: the identity service, that's our IDaaS solution, primarily a single sign-on solution. But of course it has to do things like provisioning. You need the right license in Office 365 automatically provisioned to you. You need single sign-on to it. You need the right list of folders in Dropbox, et cetera, et cetera. It provides multifactor authentication.
You might be using your mobile device for MFA. Hence, you've got to have your device managed. So identity service also provides an MDM solution. And many people are gonna be using Macs as well, which also need to be managed. So that's the identity service. Then moving towards the privilege side of the house, privilege service: it's about shared password management. It's the fact that I want to give Ivan access to one of our systems. Maybe he needs to get on as root. Maybe he needs to get onto a network device as admin, but I don't want him to know the password.
So it's about shared password management. It's about giving him secure, remote access, maybe without a VPN. And it's also making sure that people can make privileged access requests so that we have a workflow. So that for our auditors, we can trace back exactly what people have done. And also it's about application password management. We've gotta fix the problem whereby we've got passwords in scripts. So privilege service helps to address this application, password management problem. Then with server suite on the right hand side, first of all, identity consolidation.
And for those of you that don't know Centrify, that's where we started 12 years ago, integrating Unix and Linux and Mac machines into Microsoft Active Directory, so you had a single identity to get onto all these systems. It's also about least privilege, the server suite. We believe you should log on as yourself, and then you should elevate your rights based on the job role you have. So role-based access control. You should only be able to do what you should be able to do as your job demands on the systems where you should be able to do it.
And also everything needs to be audited properly. Same with the privilege service as well. We just didn't have enough bullet points in there. Basically imagine that you've got as a admin, you've got a, or you've got a camera strapped to your head while you are working. So there's a full, full copy of everything you do. And then at the base here, you can see the reasons why it's the identity platform.
A lot of things are common to this might be authenticating using a cloud directory, the authentication engine, being able to federate be it for privilege management or SaaS applications, having a workflow engine behind things. You know, I, I want an approval request and all that sort of things. Multifactor authentication that we're talking about today, reporting. So everything is common.
Now, moving on, what's MFA everywhere? Let's get down to the meat of this. It's an initiative, it's a rallying cry and it's an aspiration. It's hopefully a mobilizer to the industry to make sure that we do actually sort out the problems that we've had over the years with just using single factor, with just using passwords. We've all been using MFA for years. Your card at an ATM, for example, is what you have. The PIN is what you know. So we've just gotta extend that into our corporate and personal worlds.
So the key is to implement MFA for all your users across all your stuff, be it an end user, a privileged user, an internal or external user. We're giving lots of other people outside access to our systems now and access to our infrastructure as a service systems. So this comes back to the fact that everything, every user, every app, every resource could be everywhere. And as it says here, from discussions with analysts, there are very real trends towards the increased usage of modern MFA techniques, push notification and mobile biometrics, because they provide good usability and security.
But the MFA systems at the end of the day are as good as the number of applications that they support. So what do we mean by MFA everywhere?
Well, basically this is what it looks like MFA everywhere. Initially it might involve multifactor authentication for VPN access I'm out on the out and about. I need to get access to, to, to the home network, as it were using a VPN, I've gotta have multifactor authentication on that. There's been a number of breaches over the last few years that have, that have hit on VPN access as being the place to start. Next thing MFA for the on-premises apps that I use the VPN to access in the first place. And what about the servers on which those apps run I should have on those servers?
I should have multifactor authentication for the admins, for the DBAs, for the administrators that are logging in to those systems. I should also have MFA on privilege elevation as well when they elevate their rights to shut down Oracle, when they elevate their rights to shut down a system, we should also have multifactor authentication on the right. You can see we'd want MFA similarly to our infrastructure, as a service systems in the cloud to our platform, as a service systems, we also very much need MFA for cloud and SaaS applications.
Be it Dropbox, Box, Office 365, WebEx, Concur, et cetera, et cetera. And finally, we might be sharing privileged access to resources such as systems and network devices. So not only do we need to securely manage the passwords for them, but we need to make sure that access has MFA too, as another gatekeeper to secure those devices. So in terms of the Centrify MFA capabilities and some of the problems: Ivan mentioned a couple of times user experience. It's absolutely key.
And it's the big limiter for implementing MFA: if it's a bad solution, if it's an always-on solution like traditional MFA is, it gets really frustrating for users. And it's a really good example of the sort of constant battle we have in security between the user experience and security. So we've gotta give a balanced experience, and we offer that through adaptive multifactor authentication, which Ivan was mentioning earlier. It's based on context. We've gotta limit the user frustration, the user impact. Time of day: is it out of work hours?
Are they inside or outside the corporate network? Is it something to do with their role? Is it the device they're using? Is it the current management status of that device?
Is it, you know, a rooted device or something like that? What location are they in at the moment? Is it a specific privileged role that we want to put multifactor authentication on top of? We also need to have flexible factors as well, as there are many different ways we might want to be implementing MFA. It could be push notifications to a smartphone. It could be biometrics, it could be an email. It could be SMS, an interactive phone call maybe, or the use of OATH-compliant tokens and devices. So here's one example: MFA for secure app access.
So we want to enable MFA for app access, and we can do that on a per application basis, because we don't want it to happen all the time. So for instance, in Centrify, wherever we are, we have to use MFA for accessing the expenses system. Doesn't matter where we are. But for other systems, maybe we would only have MFA if we were outside the corporate network. It depends. So whether the app is on premises or in the cloud, we combine this MFA with SSO using standards like SAML, like OpenID Connect.
So we'll have single sign-on to the application, but we'll also have MFA where required for secure app access. The next thing, and possibly logically I should have attacked this first, is MFA for secure VPN access. So we support a broad range of VPN servers through the RADIUS protocol, and we can add multifactor authentication on top of this. Incidentally, we can also provide secure remote access, which can make the VPN unnecessary, if the customer requires that.
Now, if you need the VPN, you've also gotta consider MFA on the resources that you need the VPN to get to in the first place. So that brings me on here to MFA for servers, for blocking these cyber attacks, covering both login and privilege elevation on the servers we want to get onto. And we have something called zones within Centrify, which live within Active Directory, and zone-based policies control the step-up authentication through the role assignment.
So based on Ivan being in a different role to me in the same company, or in different companies with access to the same systems, we might have a different MFA experience because it's been decreed that that's the way things should be, but it has to be adaptive as well. Now, the cloud connector that you can see on the right here in the diagram, that actually means that the servers don't need a direct connection to the cloud, which is very useful in most situations where you are just simply not allowed to have direct connections between servers that have to fulfill some compliance regs.
They're not allowed direct internet connectivity. So the next thing is OATH token integration as well. Let's be real.
You know, customers might already have an MFA system. There's been a lot of MFA hotting up in the market over the last year. So OATH is one of the standards, often mixed up for some reason with OAuth, which is completely different. But OATH is one of the standards in this area, which enables interoperability and interchangeability between tokens. So with Centrify we can validate the OATH tokens through our cloud service. So for hard tokens, such as YubiKey, SafeNet and so on, and soft tokens, maybe Google Authenticator's a good example, we can use them for multifactor authentication, supporting OATH.
And as you can see on the right, we've got a wide number of different challenges we can use and we can configure based on authentication profiles for particular scenarios. So we might use password first followed by mobile authenticator. We might use a combination of, I dunno, OATH and password first followed maybe by phone call or a text message or any combination of the two. The next thing is smart card login. And generally people are implementing smart card to eliminate passwords completely. But what about mobile phone apps as well?
So what we need to be careful of there is that we still want to use a smart card, but what we need and what we've implemented is something called derived credentials, whereby we can get the certificate off the smart card in a secure fashion onto the phone. So it can be used for authentication as if it were a smart card, which is known as derived credentials. And also we can just use things such as YubiKeys for straightforward smart card login to systems. So in summary, then, I've been talking about our MFA everywhere.
It's an initiative, it's a mobilizer for the industry, it's to get people thinking and moving on multifactor authentication. So it's an aspiration. And as I said, because we're all under attack, privileged and end users, you know, Centrify aren't just a multifactor authentication vendor. We actually do things within SaaS, within privileged management, sorry, IDaaS, within privilege management and so on. And we saw MFA as being a very important piece across the board.
We also need, as Ivan mentioned at the beginning, MFA mustn't get in the way of our users because it will really make it difficult to implement. If it's a blockage to users, they will find ways around it. We should have MFA for accessing the VPN, for the apps being accessed through the VPN, for accessing the servers on which the apps run. We should have it for access to IaaS, infrastructure as a service, systems, for all the SaaS apps we use in the cloud, as well as when accessing shared accounts on servers and network devices.
So it's a widespread thing. Multifactor authentication everywhere. Single-factor authentication, as Ivan mentioned, isn't sufficient nowadays, and it's all about user experience. It's gotta be a good user experience and it's gotta improve security. So thank you very much. And I'll now pass back to Ivan.
Thank you for that. And that was an excellent presentation. Right now, we're going to be taking questions, and please use the, there is a tag called questions in the GoToMeeting, GoToWebinar app. And either myself or Barry will try to answer as many questions as we can.
We've got a large number of attendees. So we will do our best in the next 15 minutes to answer as many questions as we can. We're gonna give some time for everyone to formulate and type in their questions. So we haven't gone away. We're just leaving some time for people to type their questions in. Okay. We've got some of the first questions. So, housekeeping. One about, yes, the webinar will be recorded. And if you've already registered on the KuppingerCole website for this webinar and reviewing it, you can just simply log in in about an hour or two or tomorrow.
The entire recording will be available. Our next question, this one might be of interest to you, Barry, the question, Chris,
Sorry, Ivan. I've lost you.
Oh, no worries. The question that a user has asked is, can you provide more details on your derived credential offering?
Yeah. So this has been driven.
We did quite a bit of work with another on this, and we do a lot of work with federal, and there's implementations, not just in federal, but all around, with wanting to use smart cards, you know, an edict, if you like, that a smart card should always be used. But that's great. You've got your smart card, you put it into the slot.
You used it to authenticate to a system maybe, or to a web application. But then of course, nowadays you have a smart card and you have a mobile phone and you want to access things through your mobile phone. Where do you plug in the smart card? How does it work? So basically there's been attempts over the years to have devices that you plug into your phone so that you can then use a smart card on it, but they've not really caught on. So what derived credentials really is, is it's a method of allowing smart card authentication through the phone.
So the credential is securely taken from the phone, sorry, from the card. In terms of user experience, the user would log on using a smart card to the portal, to our portal. And then in the devices, in their mobile device management tab for their own personal on their portal, they have the option to be able to derive a credential from the smart card and distribute it to the phone. And then through secure magic, basically, ultimately the credential ends up on the phone.
So the phone can now be used in fact, in lieu of a smart card, but it is still using the same credential.
So it has the same levels of assurance, etcetera, as pushing a smart card into your phone would, if that was possible.
There is one more question, which I think you might want to field, Barry. It's: is Centrify's MFA developed internally, or is it through acquisition as some competitors have done?
It's a service that we're using, the multifactor authentication, in terms of the, you may remember during the presentation, I showed a slide that had the platform at the base with the Identity Service, Privilege Service and Server Suite.
On top of that, everything that we have, everything that was on that slide, we've basically written ourselves from the ground up. Although yes, we do utilize some other services outside of that, as opposed to acquiring and building into our software. And also of course, you know, one of the great strengths of Centrify over the years, and it started off with allowing Unix and Linux people to use Active Directory, was to use what you've got already, or alternatively, you can use our stuff instead.
So as I say, it started off with Active Directory, but nowadays with OATH compliance, that's become quite big within the MFA area. We're also enabling customers to have a smooth experience using OATH-compliant devices as well, devices, soft tokens, hard tokens, et cetera.
So that's a kind of hybrid. If they want to use us, they can. If they want to use an existing solution they have, they can as well.
So hopefully that answers the question, Ivan.
Yes. Thanks, Barry. I'm wondering, this is a very key question which gets fielded. You probably field this a lot as an IDaaS provider, which is the question of where the user data is stored and what are your options around that?
Sure. So as an IDaaS solution, for people not familiar with it, a lot of that is around federation.
So it's the ability, to use a straightforward example, to use your corporate credentials, which would usually be the Active Directory ones, to authenticate to WebEx, to Office 365, to whichever infrastructure as a service, sorry, identity as a service solution you wanna connect to. Now, a lot of solutions in this space, still using the AD credentials as an example, a lot of the solutions in this space actually copy your credentials to the cloud. And that actually has won us quite a lot of business because we don't do that.
Effectively, you could look on us, in SAML terms, we're an identity provider, and what we do is effectively act as a switch to be able to use your Active Directory credentials to be able to authenticate to that other, you know, via the magic of SAML, to allow you to authenticate. So in terms of user data, people mean different things by user data. They very often mean credentials, and the credentials are actually kept on premises. They're still within Active Directory. We're not creating some sort of meta directory into the cloud.
Now, also you could use cloud based identity. We, we have a, a, an identity service within our cloud platform. Some companies completely born in the cloud have all their identities in the cloud. So the answer there is obvious, you know, the credentials, the user identity lives within the cloud.
So it depends to a certain extent, but I think the reason people ask the question is usually about their Active Directory username and password, where are they gonna live? And we keep them on premise. We don't replicate those to the cloud. So the next question then becomes, okay, availability, if I'm disconnected, what happens?
But of course, if you're disconnected, the way it needs to work, the cloud connector, I'm not sure if anybody can remember that diagram, but the cloud connector goes inside your DMZs and is actually connecting your Active Directory to the cloud service whereby the authentication can take place. The cloud connector only ever has an outgoing connection and it's inside your firewalls anyway. So it's very secure, and you would obviously deploy many of them.
So it's not necessarily many of them, but basically you need redundancy. So in answer to the question, the user data, the credentials are kept within Active Directory. We don't replicate credentials to the cloud. And also that then brings up the availability debate. And there is high availability methods put in there as well, so that you've got high availability back to your credential.
So again, people would say, well, what if I've dis... I would say, if you've disabled an account, and you are disconnected from the network, you then don't want that person to authenticate. So it's a lot stronger architecture than relying on a replication to the cloud as well.
Thanks, Barry. That is a very key distinction. I would almost say, you could think of yours as a better and improved example of, for example, ADFS. So you have this connector on premise, and people's main concern is, yes, what if the internet goes down? And then their concern is, what if an internal application uses one of these federation protocols, which by and large is not the correct way to implement federation protocols internally. They're usually used to connect semi-trusted, external third parties. But that is a key distinction.
And you of course have many different options. You mentioned the possibility of also using, say, a full-on cloud-based provisioning solution, as opposed to the authentication service.
And that's often a question we also, as analysts, get asked by customers, is they assume that an IDaaS, a cloud-based IDaaS provider means everything in the cloud. So the equivalent of either everything must go in the cloud, or I need to continue to use the traditional architectures, but that very much is the case.
Yeah. I think that's a really important point as well, Ivan. Hybrid identity, identity where you want it, you know, you might want to get some of your identities from Google. You might want to get some of your identities from Active Directory.
You might have an app directory. So you might want to just use the vendor, as in this case, and hold your identities within that vendor's directory. So it's very important that you give customers the option of where their identity comes from.
Yeah. And you also reminded me of another key point, is it's one thing to think of employees. With digital transformation, more and more, we have to deal with customer identity.
And that's a key example you mentioned, Google, is actually in that case, as much as possible, an organization does not and should not want to keep credentials of customers. I think Ian Glazer once mentioned, we should consider passwords as toxic waste. So one employees, but with customers, social logins, if you can outsource the risk to another, an external identity provider, all the better. Then you don't have to worry about losing LinkedIn, about pulling a LinkedIn.
So,
Yeah, I think also, if we look at privileged access to our networks, now all of us are giving a lot of external bodies, spirit contractors, business partners, consultants, whatever, we're giving them access to our networks because that's the way business works. That's part of the whole transformation. If I'm giving, say, I'm giving you from KuppingerCole access to the Centrify network, I really don't want the headache of managing your identity. So federated privileged access management, as it's being called.
Now, the fact that you can log onto your KuppingerCole web Active Directory account, you can then have federated access to be able to access one of our systems. I think that's a really useful and interesting way of moving forward as well, because we're talking about users and resources, and a resource could be an application. It could be a network device. It could be a server. And it's really important that we can allow everything to connect from everywhere, wherever those things might be, to get a smooth experience for how the business runs.
Excellent point, Barry. We don't have any more questions. Okay. There is one final question. This will be the last question, cuz we've got three minutes left. This is about deployment timeframes. Maybe Barry, you wanna field this one? What has been your experience with typical deployment timeframes for MFA as a service?
I think it's a difficult one to answer because very often business process gets in the way of everything. And when I say business process, what I mean is reluctance to adopt such things. Many people have had bad experiences.
You were talking a lot about user experience at the beginning. Many people have had a horrible experience with multifactor authentication. And this is the second time they've gone around this loop. Having said that though, most of our customers would be using MFA because they can use it for access to the servers, to the apps, to all of those sorts of things. So it tends to be a wider project than purely an MFA project, as we're not just an MFA provider. To be honest, Ivan, it's difficult to answer.
I think the most important thing is that you have buy-in, you have a good user experience, you know what you want to achieve and that everybody's on board with it. You need executive sponsorship. It has to be made to happen, but it should really be a relatively quick process. But as I say, I can't give you an exact answer because organizations are very different depending on attitudes to such things.
Absolutely. It should be quite quick. That is absolutely there.
The point I want to mention though, as a testimony to, for example, Centrify but also many other cloud providers, is, leaving aside the internal organizational difficulties that you mentioned, Barry, such as executive sponsorship, business process, reluctance to change business processes, a key feature of all of these new upstarts and another reason for their growth is the extreme technical simplicity with which these solutions are deployed.
These new players have recognized the number of typical SA on-premise BPS, various forms of resources, and the numbers of out-of-the-box connectors are all there. It's amazing coming from a traditional IAM world as a consultant or as a customer and going to an IDaaS provider and realizing that it's possible to create a connector in point and click, next, next, and/or to create a new federation to Office 365 with just the mouse click. So it's almost like, yes, as you mentioned, Barry, the least of your worries is the technical complexity.
We're used to the traditional IAM world where everything takes weeks and a team of developers. So
Yeah. Okay.
Well, this is now, we've reached the timeframe. I thank you again, Barry, for this excellent webinar and thank
My pleasure. Thank you.
Thank you. Thank you all for attending.