Welcome to our KuppingerCole webinar, "Working from home is not secure without an effective IAM": work from home scenarios will not work without a strong identity and access management backend. This webinar is supported by ManageEngine, a division of Zoho Corp. The speakers today are Jay Reddy, who is senior technical evangelist at ManageEngine, and me, Martin Kuppinger; I'm principal analyst at KuppingerCole. Before we start some quick information about some of this stuff, which is upcoming at KuppingerCole. So we have a series of virtual events.
Our KCLive events went, and the next one will be next week on Thursday, about customer identity and marketing automation. Then we will do one early August on future of digital identity, self-sovereign identity, and verifiable credentials, and one on privileged access management in August. All of these events are for free. So don't miss them, register for these events and have access to one full day of interesting content, keynotes, panels, best practices.
And so on. The housekeeping for the webinar: we are controlling audio centrally. So you don't need to care about that.
We are recording the webinar and we will make the podcast available short term, and we also will provide the slide decks for download. So yes, they will be available. And then there's a Q&A session at the end. You can add the questions at any time. I always recommend doing that. So once you have a question, enter it because then we have more questions for a lively and interesting Q&A session. Having said this let's have a look at the agenda. The agenda for today is, as for most of our webinars, split into three parts.
In the first part, I'll have a look at the impact of the current crisis on IT, specifically from a perspective of what and what not to do and how this affects security and why identity and access management is so essential for supporting work from home effectively.
And my main focus there will be on measures that can be taken immediately without complex technical deployment. So this will be my part of the session and then Jay Reddy from Zoho Corp ManageEngine will talk about the details. So he will go more into the details regarding IAM capabilities, which can support remote working at scale.
And then as I've already mentioned, in the third part, we will have our Q&A session. So feel free to enter your questions now. So let's get started and I would say some work from home today is the new normal. It depends on the region, depends on your organization, on your job, but work from home is a new normal. And while people probably will have a mix of work from home and work in the office, there will be more work from home than we had before the crisis. We will never go back to that.
Former normal, where for many organizations work from home was the exception. So this is what I expect to see.
And another new normal is zero trust. So this concept of don't trust, verify. So don't think in a "I have a layer of protection, perimeters, and I have a firewall and I'm secure."
No, this will not work. That doesn't work for quite a while, if we are honest, but we need to verify, we need to verify the device. We need to verify the identity. And apparently this is, obviously this is about identity and access management. We need to verify the access entitlements, et cetera, not only once, but repeatedly. Zero trust is a well established concept and it will play and has to play an important role in our cybersecurity, because work from home works best with zero trust paradigms.
So in work from home, we have this scenario of people not only working from remote over networks, we don't have any control about, but many workers also use bring your own device devices, so to speak.
They use their own devices. And so we have lesser control frequently. And we also, that was a one of these observations.
And, and one of the things everyone probably has heard about is that various services specifically for, for remote collaboration had a very much, a very big uptake in, in usage during the crisis. So there's the device, there's the service. And it's not that everything happens to us in the perimeter anymore. So we need to shift to a thinking, which is accepting that there are, that there is bring your own device, that people work remotely, that they access cloud services, and that we need other paradigms that don't think in a perimeter-protected IT.
So work from home works best with zero trust and following the zero trust paradigm. So we can't trust the device here with bring your own device. We can't trust the network; it can be every network. We must assume breach something anyway, need to assume.
So breach, I think is also some sort of a new normal everyone, every device potentially is under attack. And so we need to take this into account. We need to consider that. So we need to verify, we need to verify is that the user using a device he already has been using, et cetera. We need to go to this verification. And so work from home and zero trust are two very tightly related.
Let's call it paradigms or concepts. There's limited.
There are limited touchpoints for security compared to traditional IT, where you sit on your desktop computer within your organization, in the office and use the internal network. It's very different, but we can do a lot here. We can identify the user. If we have an adequate approach for authentication, we also can identify the user. If the approach is not that good, but we are, we are obviously more secure when we have a good, strong multifactor authentication. Management of endpoint, challenging with bring your own device because there are legal constraints,
et cetera. There are ways to, to, to for instance, use a, a virtual desktop on the device, but it's also that device fingerprints bring in some level of security and we can use other concepts. So we need to think about what is adequate to our work scenarios, to accept and accept that there might be other devices in use.
And we have in the past the network, there's no controller by the network, unless the part of the trends about, about your cover network.
Yes, we can set up some sort of virtual private networks with a lot of challenges that might be challenges in performance that might add complexity. So the most important thing is to ensure that our communication is, is encrypted. End to end, that would be the best.
Yes, we all know that there are things which work better and things which work don't work that perfectly well. But focus must be on encryption. At the systems and applications, regardless whether they run on premises or in the cloud, we can harden. That's more for the, for the on premise part, harden systems. We can apply measures here. But what we always can do and must do is controlling who can do what, analyzing who's doing what: do we have anomalies?
Do we have outliers? So we need to look at these and then there's to start the data.
And what we must do is we also must implement data governance. So not only application security access controls within the application, but also data governance. So starting to protect data. And these are the, the things we need to look at in today's reality of people working from home or from the office, or from somewhere else with whichever device and with applications and systems running sometimes on premises and sometimes in the cloud.
So it goes beyond work from home, but work from home and changes we've experienced over the past couple of months are driving these trends forward. Identity and access management has some logical touch points with work from home and zero trust. So when we take this user users, device and access is wire, the network systems where applications for site and thens, the data processes the data.
Then there are a couple of points where identity and access management is of specific relevance.
It is the authentications that it's the management of users, identification, verification management life cycle, the authentication that is a typical domain of identity and access management. And there's also the authentication of the device and the authentication that the device authentication itself. There's the device ID and their relationship management. So it is which devices are assigned to which users. So which are that users devices.
And that is there's this notion of identity relationship management, where it's about understanding the relationship between users, between organizations, other users, devices, things, et cetera. So mapping, there's an understanding in the authentication process, okay. This is a smartphone of Martin Kuppinger. This is part of what we cover in identity and access management. At the level of systems and applications, we have access controls. We have our standard management of access, our access governance.
We have the authentication.
We have the authorization, all technologies in place, and we also can implement access controls at the data level, for instance, in databases on file systems, but also information protection. So approaches, which help us really applying access control directly to documents other types of data and allowing only access following this, including which is part of that, including the encryption required here.
So there's a very logical relationship for identity and access management with work from home and zero trust. Identity and access management is a key element, maybe the key element for security and work from home. And the key element within zero trust. Zero trust is far, far more about identity management than it's about traditional network security. So when we look at this, the question is what can we do and what should we do in IT? And we still are in a mode where in many organizations, a lot of people don't work in the office.
They work from home. So we are in some areas restricted.
We might have financial pressure, budget restrictions. So what should we do now? And how do we, should we invest? And here are some more generic rules on that. The first thing is never in panic mode or in headless chicken mode, even when things are fundamentally changing, think about what is the best way to solve a challenge, keep a clear mind and don't act in panic. I've seen so many, specifically in security, I've seen so many investments being done, so to speak, in, in panic mode: oh, this other company got hacked, or we had this incident here. We must do something.
Yes, frequently, there is a need to do something, but if you don't think about what to do best and does it really help, that might end up in a wrong investment. And there's also a need not to blindly trust. So don't trust anyone blindly, not even us, not even the analysts.
We might also be wrong. Step back and think about compare alternatives, look at the benefits and also think about what is, what you really can implement, what you can manage, et cetera. So think about it.
Also, don't try to, to rebuild the way people are working for work from home. Work from home is different. There is more online collaboration. And if you look at the uptake of tools, such as Microsoft Teams, Zoom, and, and various others, it's a different way of working. And I think everyone who spent some time in, in the home office has learned that there are things that are different. Running a full day workshop remotely is a nightmare. You need to split it. You need to make a different, you need to find different ways.
So it is different and you need to change your work style and also adapt your IT to that. VPNs also, in consequence of that. So it's not about doing the same thing fast remotely, really think about how your world will look, devices, cloud services and ask yourself the question: is VPN really the solution? If then don't add it.
Now, there are other more modern options available. Select your technology carefully. There are various options and you need, always need to think about, can I, can I manage just, does it work for my people or are there better ways to do it? Don't overinvest.
There are so many new ways to work. Look at these, think about what helps, but be careful not to use too much and not to spend too much. And at the end, it's always about educating. There are so many changes to your teams.
Some of them positively because people are what I've learned really, really good in collaboration and adapting to that change. But also the human factor is the biggest security uploads deploy. So you need to be careful and educate them, but also think, accept that people have, most people at least have a very good human sense.
So they, they understand, oh, this might be a security risk, this thing, and really build on that as well. So in a, in a cyber security perspective, what are the things to do first? The first thing is multifactor authentication, touches on a separate slide again, activate it now, but inform people ahead.
Educate them: okay, this will change. That's the way it works. So explain, then activate. Check whether endpoint protection is working. It's easy on most operating systems to educate users how to check whether endpoint protection is in a positive green state. Keep things up to date.
Automated patch management from my perspective is a, is a must. So the, the risk of patching is, is far lower than the cyber risks you are taking. So today rarely something goes wrong with patching. There is always, there is a risk, but rarely it really causes problems, while you have a constantly high cyber risk. Train people in a simple way, no lengthy sessions, go for five minute videos, do it regularly.
So better short and frequent than long and boring, and look at how to protect your data. So use the tools you're using the right way. Go to data governance, data control as well, beyond just saying these are the access controls or, if someone is authenticated, it's enough. Go beyond that.
But the number one thing to do is multifactor authentication. It is a must. So there's no way not to use multifactor authentication. From my perspective, it helps you against phishing attacks. It helps you to make things more secure. There are standard features applicable.
You might use, they are specialized twists of variety of options you have here for your devices. Check the FIDO support integration, phys code standard, but inform your users ahead so that they know what is happening. And once you have a little bit more, more time to sit down and think about where we are heading with the entire identity and, and security, look at our concepts of identity fabrics and, just recently announced, also the security fabric. So put all this into a framework where you say, what are my services, my capabilities. I need to connect everyone.
The consumer department, the employee, the device, the thing to all these services, regardless, whether so which capabilities do you need, which services you, you, you need for delivering these capabilities.
Look at modern architectures, which allow you to work with existing and with new applications, which also allow you to support services you build. So which give you the agility, but also the, the integration and the hybrid support. And this is what we call identity fabric. We have a ton of materials, online videos and research documents around the identity fabric already.
This is then what is your bigger picture? So the first step right now, not overinvesting focusing on the small steps, which help you really making this work from home more secure. And then the next step sitting down and thinking about what are the strategic method to take with that at the end of my, part of the presentations and I hand over to Jay who will then go deeper into details of how identity management can help in work from home scenarios and why it's so essential to, to work from home securely and efficiently.
Wonderful.
Thank you so much for setting the right for me, Martin. I'm Jay Reddy, I'm with the identity access management team here at ManageEngine. We do quite a bit around identity access management and cybersecurity. So there Martin did set a very strong precedent for what I'm about to follow through today's session. A couple of points that I personally found interesting based on what Martin made. Let me start with that and then quickly get into the agenda for the next 20 minutes.
So the whole idea of perimeter being not a relevant thing anymore, because, you know, as we speak, users are working from home, your office perimeter, the one that you were absolutely sure about, the one that you had a hundred percent control over with your SIEM solution, with your firewall, so on and so forth, is out of context as we speak.
So, one quick observation that we've been trying to make right here is how is the perimeter taking a new shape?
User identities are becoming the perimeter as we speak. And that is going to be the precedent for the rest of the session.
Guys, what we've been trying to do is even during the call that Martin and I had, I had, you know, last week we were trying to understand how to go forward with the whole presentation. We just figured that there was this one question that kept coming back from a lot of people. How do you do it at scale? How do you, you know, get the whole process, fast track. There's a lot of chaos as, as of now, as we speak. So how do we streamline the whole process is the question right now. And that's something that we want to address.
So what we've been doing here at ManageEngine in the last hundred days or so, we've been helping out organizations around the world and especially we've been helping them, you know, go remote.
So we've set remote taskforce team. We've got about 50 folks helping organizations go remote. And in the process, we've been able to identify certain common problems organizations face. So while in the journey of going remote, there are certain aspects that need to be covered and addressed, and that's exactly what I'm going to be doing.
So I'm gonna be sharing the learnings of our interactions with all the customers and all the companies around the world that have gone remote. And what roadblocks did they have and how did we essentially help them come over? That, that is what we are going to be doing. So as we go forward, like Martin rightly pointed out, zero trust can become the big deal, or the need of the hour as we speak, because, you know, we've been talking about endpoint protection, so on and so forth. Now user identities are again endpoints right now as we speak.
And when it comes to user identities, there's always this big question because, you know, as we speak, there are 10 or 15 new applications that get provisioned for every user who's working from home, primarily the ones that are collaboration applications. So a lot of us must have just started using Office 365 or Microsoft Teams, or, you know, collaborating over OneDrive, sharing data, so on and so forth. So how do we take control of that and answer that one question: is it safe to trust our users? Because in my opinion, the security of your organization is only as strong as the weakest link.
And in this instance, the weakest link obviously is our users. We were also trying to understand how BYOD is changing things. Users not just bringing their own devices. They're very much bringing their own vulnerability too, and attackers are very well aware of what goes with this whole shift in the landscape.
And that's why we want to take and address certain problems specific to enabling your users, at the same time, not at the cost of compromising security. The biggest challenge as we speak is the whole problem of liquidating, the security aspects of your identity.
You know, you try to make it more accessible to users, but you compromise security at that point. So can we get that right balance and get the whole thing to scale? So a couple of points that we'll be discussing, essentially action items that you can go back and implement right away. That was the agenda. These were the ones that we recommended to our customers, and we got them up to speed to remote work. And that's what we intend to do with you as well. So we'll start with our end users, the ones who are essentially working at home or from home, how do we enable them through the whole process?
Yes. Educating them, making small videos, helping them understand how to go about the whole process is very, very important and equally making the whole process. Frictionless is also important. How do you enable self-service for your users is something that keeps coming up all the time, because as we speak, there is a tremendous surge in the dependency that your users who never, ever contacted the it team contacting day in day. So we'll see how self-service can make a difference. We'll go a little further and touch upon a little in depth for what multifactor authentication means.
And how do you scale with MFA? Martin did point out as to why MFA can be the game changer and foolproof in your system. I'd probably dive a little bit deep and see how you get the whole MFA set up for scale. We'll go a little further. We'll talk about single sign on as not just an enablement tool, but also from a security standpoint, how can single sign on reduce the number of interactions that your users essentially have with an IDP or an identity provider?
How do you keep that minimal? How do you ensure there are lesser chances that something could go wrong?
We'll see, and take a look at how single sign on can scale. We'll go a little further and talk about monitoring user activity. Now as much as it is important to keep a tab and enable your users, it's also important that, you know, and have an eagle's-eye view of what your users are working on or what are they doing and how are they interacting with your systems, from two perspectives. Definitely from a security perspective, the variables are many, very many, so we need to keep a track on them. And also from a productivity standpoint. Now that's a definitely different take.
So how do you use your existing solutions to not just keep a tab on security, but also check, check. If you can enable your users better to work productively and in the process, optimize your resources as well.
How do you allot them? Can you load balance better? Those are the questions that we'll be answering and yes, goes without saying, there's a lot of shift or quantum shift that's happening towards Microsoft services like Office 365 and Microsoft Teams. So auditing them, keeping a tab on them, being able to analyze user activity on them is something that we'll be discussing through.
All right. So that being said, the first tip for the day, I wanna start with the action item, is going to be self-service for your users. So as we speak, like I told you, there is a surge in the number of help desk tickets that your administrators and help desk are facing, essentially around passwords and account unlock.
Now, you can't really blame your users because they don't have the provision to call up the administrator or walk up to an administrator as to how they'd be doing it while they were at work.
So teleworkers, as a matter of fact, do tend to make a lot of mistakes along the way. And when we try to streamline the process, things get a lot easier. So setting up a simple self-service for your users is how you can start your remote work scaling. And for most parts setting up an SSPR, shouldn't be a big deal.
And educating your users is also not going to be a problem, essentially, because this is not the first time your users are being exposed to SSPR. They don't call up Google or Facebook if they wanna reset their passwords, do they? No, they just get it done. So how do you enable them and how do you reduce friction in the process of enabling them is what we'll try and understand. Yes. Goes without saying, we need to empower them while mobile applications as well. Can you do this at scale?
Can you get them to do on the go is a question that we'd be answering.
So very simply to put, where do users forget their passwords? Where do users lock themselves out? It's the log on screen. So why complicate the whole process of calling up the administrator? Why not give them the provision to work at scale right at the log on screen and resolve their own problem was the idea in our heads. So we put together a simple module for SSPR or self-service password reset. One of the most important aspects of managing your identities effectively, ensuring business continuity. You don't want users to be stalled.
So you, you do that right at the log on screen. And when it's our users you'd want to have as much as least friction as possible for your users, all it has to look like is a simple button click, and they'll have to get done with that.
But in the background, it's not as easy as it seems because your users are not in your organization. They aren't connected to your Active Directory. What if they forget their passwords or if they lock their accounts out?
So all that we are asking for is a tool that would serve as an interface between your users and your Active Directory or your identity platform, anything for that matter. So as that gateway, that's going to also enable and at the same time secure the whole process of transacting all these Active Directory or identity related requests. So when a user clicks on the reset password or account unlock, all they'll see is a simple validation page where they go through a couple of factors.
They'd not even realize it happens in a jiffy, and AD360, the tool from ManageEngine that we've built, especially for identity access management and helping remote work, does the job of weightlifting.
It takes the request, it processes it, it understands and authenticates the user, releases the request back to Active Directory, gets the whole thing back to the user, overrides cached credentials. A whole deal of weightlifting happens in the background and all that your users see is as simple as this: they hit reset. It works like magic. They get going with your work.
So that is the kind of enablement that we should be looking at. We will need to give them processes that are effortless. And the first one that I recommend is setting up self-service for password resets and account unlocks, major, major problems for a lot of organizations that we've been working with. Help desk ticket volumes are soaring sky high because users keep consistently locking themselves out and forget their passwords. This is probably the last thing that an administrator or help desk should have in their mind while they're trying to battle out a hundred other things while working remote.
So with respect to support, look for a solution that can give you the broad range of support. Like any VPN, if you wanna bring your own VPN, you can very much do that. So my first recommendation is essentially to get set an SSPR, a self-service password reset, a very critical one. If you're looking to scale your remote work and enabling your remote users, now that we've spoken about remote users, what about what's happening behind scenes? What about how attackers are trying to take advantage of the situation?
So now your users are more vulnerable than ever before, because it becomes very, very easy to socially engineer your users down the line. I'm gonna be giving you and walking you through a personal experience that I had faced, an email, a malicious email that I had received. So people are very much prone to, you know, click on links, be baited, socially engineered, and attackers are trying to take the utmost advantage because you no longer have the backup of your organization's SIEM tool or your security.
So it's not working out.
Your users are logging in from their home networks and we know how unsafe and unsecure and how many loopholes are there to crack through that. So behavioral patterns is all that the attackers are looking for. And one weak spot in your network or one user making one tiny mistake, your entire network security can come crumbling down. So we are trying to understand a couple of points right there.
And yes, Microsoft too went on to make this recommendation or announcement a while back. So this is very forthcoming of Microsoft. They're saying that it's becoming really difficult given the fact that how hybrid systems are set up, given the fact that even if one touchpoint goes down, even if one identity goes down, it takes nothing less than two days for an attacker to compromise the entire domain admin credential. That is quite scary.
It doesn't really stop right there. That's the worst part.
And right after the attack, we've been around in, in remote working for almost about a hundred days here in India, from where I'm presenting. Alright, what if we weren't able to detect one of those attackers who's already in the system? Like Martin was pointing out, be prepared for a breach, understand and acknowledge the fact that we are under attack. As we speak, we've been working with a lot of customers and companies around the world, and they've been targets to phishing attacks recently.
And it's been on the sort, not just normal organizations, even organizations like healthcare institutions, that's quite disheartening. The problem right here is there's a lot of chaos. As we speak while users are working remotely, there's going to be a lot of back and forth data transfer as such and attackers can easily get away without leaving a track exfiltrating data.
That's the most difficult part. And a lot of senior folks, cybersecurity professionals also agreed at this point, breaches are taking longer to protect than how it used to be before, while you're working from home.
So it all boils down to where do we draw that line? How do we understand and acknowledge that we are possibly under attack as we speak?
There's a, so there's a rise in terms of phishing attacks or malware is being installed or users falling victims for these because we keep, you know, talking to people and all of them, a lot of them fall prey for these COVID-themed attacks. They look like legitimate emails. The attackers take enough care to make them sound absolutely relevant and absolutely right. And clickbaited, your users end up thinking that it's the World Health Organization, or probably the CDC sending out an email or an upgrade.
And not just that people are taking advantage of the attackers.
So taking advantage of the government policy. So here in India, about two weeks back, what had happened was we had one of the biggest breaches that banking institutions in history have had. What has happened is a big banking institution, government banking institution, the attackers pretended to send out emails, pretending to be the banking institution, asking users to fill out a basic form, to get a compensation from the government. A lot of people fell prey for this. Before the government could get hold of the situation, a lot of damage had happened. Why am I talking about all this?
So it all boils down to how do you enable your users to not, and to, to do the right thing? How do you get them not to click on link like this? Because the line between your work device and your personal device has completely faded.
If one of your users bringing their own device had clicked on a malicious email, sent to a personal account, doesn't matter. Even before, you know, that could percolate the malware could percolate into your corporate network as well. So that is the scariest part. As we speak, a lot of account takeovers are happening.
As we speak, a lot of business email compromises are happening as we speak and time and time again, there's been one layer of security that is protected, that has protected our identities, which is passwords. So what we are trying to do right here is to try to understand how passwords can be helping us going forward, but we'll also have to appreciate and understand that they aren't good enough. They're increment rate cost efficient. Perfect. Even if they're stolen, you can always reset. They don't require additional hardware.
These are advantages of passwords, but they've been there for a very, very long time.
In fact, in my opinion, if I were to talk about, let's say, one of the common password policies, Active Directory password policies, there's not been a considerable update in the last two decades. And that's a very big problem that we are facing. So attacks are gearing up with the best in class tools to hit you. And all you have is something that's called a fine-grained password policy, maybe the best version of what you can do with existing password policies.
It, it doesn't just stop with AD. I understand if it's AD, all other new identity platforms as well do have these known difficulties or challenges. And this is publicly available information. As much as how administrators and security folks are aware, the attackers are equally prone and aware of the knowledge too. So what do you do to ensure that you don't fall prey to this? Incremental passwords are a big problem because there's password fatigue that is associated with it, where your users end up setting passwords in incremental order.
So you ask them to reset their password because of an expiry. All they do is get really smart, just add a number to it. So how many of us joined in today, with utmost sincerity, tell our users don't have a password like Password@123 or iloveyou? These are the common passwords. They've been the common passwords in 2019, in 2018, way back. And there's not been an upgrade that stops users from using such passwords. So is the case with dictionary. What's a big pandemic, or an info, if I would say, is using dictionary words. How do you stop them?
And it goes without saying, the whole deal with expiry. The question whether expiry is good, whether the regulations, there are certain regulations like NIST that suggest otherwise. So we are trying to battle a very big problem with identity security with just one layer of password security, and that too, it isn't full blown.
It isn't foolproof. That's the idea. So what we thought was we'd build a layer on top of it. Stop users from using dictionary words. That's the first basic recommendation that I have for you. Stop anybody from using any dictionary words at all.
Your users cannot do that. You go a little further, stop them from using patterns. You stop them from using patterns like 123 or keyboard words like QWERTY. Get them to not use a previously used password. Password history is something that you can have in your mind. How do you stop them from using incremental passwords that way? So a couple of basic challenges that we are trying to solve here with a strengthener. So start looking outward beyond what your tools offer. Existing password policies are prone to attacks, are error prone.
So look for a solution that can strengthen your existing password policy one step further.
And in fact, my recommendation to a lot of them is setting passphrases. The longer the password, the more is the entropy, the more difficult it is going to be for the attacker to crack through. Not just that, we've got an integration with Have I Been Pwned. So these guys do a good job in collecting all credentials that are compromised. Anyone, any that was compromised in an attack in the past, that goes right into the database, and your users cannot set passwords that are compromised.
So look at it as your first line of defense, and existing password policies don't do a great job at solving that problem. So it makes absolute sense to start with strengthening your password. So as much as how it is important to set up self-service, it is important to set up stronger passwords, which is your first line of defense. And in the process, most of the time with stronger password policies, there's a little bit of friction.
We are trying to avoid that friction too, and give them those requirements right where they'd be looking for, right on their log on screen.
So the intention of self-service is to reduce password calls. And we don't want password calls because people weren't able to set stronger passwords. So give them that right there. And along those lines, along those lines of calls that the helpdesk receives, another big problem is account lockouts. People keep forgetting, people keep locking themselves out. So you would need to be able to get on top of your system. Back in the day, back while you were at work, it was easy to get on top of a system and understand whether it was an expired credential,
whether it was a service account using a stale credential, whether it was a wrong network drive mapping. But now, while you're working remotely, the parameters are quite unpredictable.
So you should, at any given point in time, be on top of your system, be able to understand and analyze and call out whether it was a legitimate account lockout or whether it was a security problem. So you will need to be on top of your system.
So in your identity management journey, look out for account lockout analysis as a critical aspect. Along those lines, like I told you, account lockouts and password expiries are a big problem, but what if you can solve it by notifying users right on time? So the Microsoft way of doing it is a popup. And we know how effective popups are. Users tend to never read a popup and it's not worked ever. So what we are trying to do is we are trying to get the message in as many places as possible.
Tell them over an email, tell them over a text message, tell them over a push notification, let them know that their passwords are about to expire.
Let them know that their accounts are about to expire. Do that in chronology, do that one month ahead of time, 15 days ahead of time, one week ahead of time. And you'd see great results. Over the last hundred days, we've worked with hundreds of companies around the world, and a lot of them have implemented this and have seen a drastic reduction in helpdesk costs. It could be a simple text message that could get the job done.
So the first step that I had for you is to enable self-service for your users, set up strong account lockout tracking, enable password expiry notifications and strengthen passwords. So all of that around passwords. And how do you go about making it smarter on top of it? Like Martin was pointing out, now we make it foolproof. Can we make every touchpoint foolproof? That's the question that's been running in our mind. MFA outright is one of the best ways to make things foolproof. Not just MFA for your applications or for your service.
We wanted to like rethink MFA.
And we thought, why not have MFA right at the log on, right where your users log on? Can we have MFA was what we asked ourselves. And we did make it possible: MFA right at the log on, along with every other endpoint that we are talking about, servers, applications, wherever you think. So when you're trying to do it at scale, the easiest thing to do is to start with the most basic entity, which is the log on screen, where the user logs on for the first time. So look for a solution that gives you the breadth of options. We are talking about enabling users as quick as possible.
So we'd wanna give them the options. If you're using Office 365, if you're using Microsoft Azure, you already have Microsoft Authenticator free,
of course. Just start implementing it. If you already have subscribed to a solution, look for options that can make it quicker for your users, fingerprint, maybe face ID, maybe get them up to scale.
And in the process, check if you can get all the critical stakeholders upgraded to MFA. And talking about service accounts and talking about administrator accounts, never, ever skip these critical accounts. I have a quick example right here where an administrator account got compromised and the attacker is blocked by a wall.
And the attacker is not able to proceed any further because there's a verification code that gets sent to the administrator's email ID. This can be the case with your service accounts. This can be the case with the credentials that are shared across your organization. So you would want to take that step of setting something up like a one-time password or a time-based authentication or a verification code for all your critical accounts, right at the log on. And most of your problems, be it remote log on, be it log on via VPN, be it access to files and folders,
if you can set up MFA right before that, most of your problems do seem to go away at that per instance. Even if you're trying to look at Office 365, you can check out the Secure Score dashboard that comes with Office 365. The first recommendation that they have for you is enabling MFA. And along those lines, does it really stop right there, is the question. Can we become a little more smarter? We are talking about attackers with sophisticated tools. Can we also be sophisticated? So the answer is yes, you can look at solutions that do contextual or adaptive authentication.
You go one step further, not just treat the basic problems. Try to draw risk scores for users with every log on, try to draw baselines for every user with every interaction that they do. So with time, your system gets trained. So Jay basically accesses his device from India.
This is the device that he logs in from. This is the network range that he logs in from, and Jay logs in from maybe nine in the morning to seven in the evening.
These are his usual timings. And if there's a deviation, my system can be smart enough to call that out and make things difficult if it were an attacker: extra layers of authentication, extra challenges to go through. Or if you want to completely block the whole transaction or stop the user from logging in, you can always do that. So look for solutions that can smartly scale, because MFA is definitely useful. No doubt. But now that we are talking about working remotely, where there are innumerable parameters and variables in the equation, it's constantly evolving.
It makes a little sense to be adaptive, smart, and why not use machine learning to draw risk scores for users and authenticate them based on context? Network, location, biometrics, a lot of factors get taken into account. Based on how risky the log on is,
they either get access or are denied access. You could absolutely try adaptive authentication, more like an upgrade to multifactor authentication. So context can be the king right here as we speak.
So, so long we've discussed about setting up SSPR. That's the first tip that I had for you. The next one is to enable a very flexible, at the same time a smart, authentication, a second level or a multifactor authentication. Along those lines, the next point is going to be single sign-on.
Now, when it comes to single sign-on, for a long time it's been more of an enablement option with res, you know, getting users to scale, giving them access to multiple applications, but it turns out it can also be a security option because you are reducing the number of times your users are getting to enter their credentials. You are giving them a one-stop dashboard where they can access any application that you've configured for them.
They don't fall into the victim, or they don't become victims of password fatigue. They don't use the same password across multiple platforms.
They can set strong passwords at different platforms. And since you have a very clear cut enablement, right, a single sign on dashboard, they'd be able to just log into their active directory or their accounts and start using applications. So single sign on does go a long way in enabling organizations. So when you're looking at a single sign on solution, there are a couple of points that you can have in mind. You can look at systems that are platform agnostic. You don't want to be restricted. You wanna go to that very extent where you can bring in not just your own applications.
I mean, not the applications that are served to you by a vendor, but also you might have in-house applications, because what we've seen is there are a lot of organizations out there, as we speak, that have started exposing their internal applications over the internet for the want of better accessibility.
Now that can be a challenge. If you can secure that, if you can channelize the whole gateway through a single sign on, nothing better than that.
So, likewise, look for protocol support. Look for SAML support. Look for LDAP support, RADIUS support. So look for a solution that can go at scale. And at the same time, give complete control to the administrator on what applications your users are using. So it gives you a clear insight to optimize the resource utilization as well. A lot of us, a lot of our users tend to hold applications that they never need in the first place. So this could give you a report on how that is being used. So single sign on, setting it up is my next recommendation for you.
Now, we've been enabling users all along. Right now, it's about time we start tracking them as well.
Like I told you, there are two perspectives, one from a productivity standpoint, another from a user behavior standpoint. So from a productivity standpoint, since all these identity platforms have great deal of event tracking, you can be a little smart and not just track log on and log off. You can look at factors like how long has your screen been idle? Was there a wallpaper that came up? Did they go on a break?
And the screensaver popped up. So many such small events can be tailored into one, you know, equation, and you can get net productivity of your users. And along the line, you can let the respective line managers know, or if you're having contract employees who get charged or billed by the hour, this can be a great way to track remote users and how productive they are. So I have like a quick, a screenshot right here that shows you, it tells how long were they active,
it tells how long were they idle, how long were they net productive. So we are constantly reinventing ourselves. Now,
identity access management administrators are taking center stage with respect to security and productivity as well. A lot of organizations are relying on them. Along those lines, now we are talking about tracking users, right? It all boils down to looking for those indicators of compromise. You never know. If you just start tracking log on activities for your users and start correlating them, you would make a lot of observations that you failed to make before. It can be something as simple as turning on auditing in your Event Viewer. Now you have tons of events.
If you can get context to it, nothing better than that. Because if I were to break down a brute force attack, it's nothing more than repetitive log on failures followed by a successful log on.
And then someone goes on to access a critical file or a folder or a server. And then they start installing a malware. Follow that up with data exfiltration. This is the whole kill chain that you can talk about. And if you can correlate all these data, nothing better than that.
And through the process, at every step, if you can look for anomalies like business owners, if you can keep track of remote work, if you can look at how attackers move, or how it can be an insider, it can be a hacker. You would want to know how they move. In case you're looking for an indicator of compromise, monitoring log on activity is something that you can definitely do.
Yes, it doesn't stop right there. Since we've already established the fact that there is machine learning, why not use that here as well to detect deviation: unusual volume, unusual count, unusual time of the day, access done for the first time, privileges being misused.
You can use user behavior analytics, and identity access management can have a very strong integration with UBA because, like Martin pointed out, data protection is taking center stage. Data access governance is taking center stage, and IAM administrators have a critical role in that.
Now, when it comes to how we do it: analyzing what volume of data was accessed, what files on OneDrive were accessed, can we audit that? The whole equation gets solved if you have UBA in place. And look for solutions that do that, because unusual activity, you can spot that out in one go. You get context with every problem right there. You get told why was it unusual, when did the user log in, how was it different, where was the first touch point. And you get details like that.
You go a little further and you can detect lateral movements as well, because like I told you, sum total of log activity, one IP address, multiple log on attempts,
that could be a lateral movement, quoting a malware. If there's an installation that's made for the first time, you can stop. That privilege is being used for the first time. Now administrators are tending to be a little lenient for the want of better business continuity and end up giving extra privilege that would probably lead to privilege abuse or privilege creep.
So you would wanna be under absolute control and have systems that can monitor that aspect of privilege as well. Along those lines, not just monitoring. If you can streamline the whole process of privilege delivery or entitlements management, you can do it with workflow. You can get all the stakeholders into your system, make them go through the whole process of a request, review and approval. And a lot of compliance regulations also demand you to do that. Thereby reduction, thereby there's a great reduction in your cost to compliance as well.
So you help set up quicker entitlements review.
So when there's a day, when there, you need to check your entitlements review, you can very much do that because you had visibility into who had what privileges and the whole process of entitlements assessment or identity governance, as we say, who gets what that's very clearly listed through an approval based mechanism. So this is something that you can look at. So we've been talking about how do you track remote employees? How do you track the behavior? How do you track privileges? And along those lines of privileges, can we streamline the process? That's what we discussed.
That was the last point. The next and the last point or recommendation that I have for you is being able to monitor all these newfound applications that we've become so fond of and we've started using. So auditing OneDrive is a very critical thing that you'll have to start, because last year, along October, if I'm, if I'm right, the Department of Homeland Security in the US, they stepped in to say Office 365 recommendations.
They said, these are the problems that organizations face when they fast track.
Now, as we speak, there are hundreds of organizations, thousands of organizations that are fast tracking into Office 365, using these collaboration apps, and in the process they end up not checking all those important security check boxes. So do understand and be aware of the native limitations, set up quite a lot with respect to how long can it hold the data for you. How long is the data retention policy? You will need to get into it and make a lot of customization. Does it scale for your disaster recovery plan? Can you get your whole backup in place? How long do you set that up?
Can you have complete visibility and audit who's activating or who's accessing what files, what folders and how are they going about doing it? Is there a bulk modification?
Is there a bulk deletion? So there are multiple parameters that get taken into account while you are using these new found collaboration applications on the cloud. Along those lines, we are talking about enablement.
We are talking about keeping the business going, keeping the lights on and having a clear cut overview with your identity access management saying, if there are service outages, I'd be the first one to be notified and I'd get on top of the situation. You should have processes for that too. Microsoft Teams goes without saying, being able to monitor activity on it, being able to do e-discovery.
That's something that we are working on. It could go a long way, because we are talking about a situation where PII and PHI is being constantly compromised, attackers taking advantage of the situation, trying to exfiltrate data. So e-discovery can help you during litigation.
So try setting that up. I have a couple of recommendations, basically, along these lines. And in the process we figured, why not do the whole thing mobile? So it's not just our users who need to be mobile. Our administrators, IT folks, are also mobile.
So give them an application that can get them to speed that can get them to scale that can help them handle SLAs ASAP. That's the point right here. I'm trying to make. So look for solutions that help you manage your privileges, your identities on the go from a mobile.
Yes, your users need to have applications too. Self-service done from a phone, account unlocks done from a phone, policy requirements clearly stated, documentation and best practices given to them, password strengthening, so on and so forth, because you have the convenience to implement and give them mobile applications on the call. So just quickly summing up, if there were to be just one takeaway that you wanna go back and implement right away, my first recommendation and the one that I want you to go back and do right away is self-service password reset.
Look for solutions that do multiple directories, help users do remotely have strong password set in the process, help single sign on MFA. And yes goes without saying notifying the users about the whole change. So enable your users as much as possible. And along those lines, we put together resources they'll be made available after the webinar. Folks can help us testing times ahead. Absolutely understand. We wanna be by your side when you do it. And now we are open to questions and over to Martin right now. No
Thank you, Jay, for all that information you provided.
And so let's directly jump into the Q&A session. We have little time left, but we can answer additional questions via email if required. So I just pick one or two questions out of the long list we have here. Absolutely. I think one, one of the, the most interesting for all of these types of solutions and for user solutions as well, is whether it's possible to use different MFA methods for different applications or for different groups of users.
When it comes to MFA applications.
Yes, the whole deal about MFA is being able to do it granularly. You don't want, you know, to set up factors that essentially hinder the process. You will have to look for MFA options that don't probably require a hardware implementation, which you can't do right now. So biometric is ruled out. So if you can look to make use of what's already available, which is probably as easy as a mobile application, like a Microsoft mobile authenticator, give them that. And that would probably in my opinion, help scale and get the whole MFA implemented quicker.
Okay.
And one more question I've got here is can I set up custom dictionary of passwords that I don't want employees to use?
Absolutely. So that's one part of the tool that helps you stop users from using any dictionaries. We provide an inbuilt dictionary, we update it quite frequently. And one recent support that we've extended is not just English words. You can use custom dictionaries with 15 language support. You can very much ask us and we'd be able to help, or you can bring your own dictionary and install it into the product and stop users from using dictionary words.
So all options available here.
So yes, with that, we are at the end of our seven webinar, close to the top of the hour. Tracy, thank you very much for all the information you provided and thank you to, for supporting this webinar. And thank you to all of the attendees for listening to this KuppingerCole webinar.
Absolutely. I appreciate that, thank you so much.