Hello, good afternoon or good evening or even good morning to you. Welcome to this webinar from KuppingerCole, supported by ARCON. Today we're talking about DORA and compliance and how privileged access management fits into that. I'm delighted to be joined by two people today: Rosemarie Hesterberg, who's a sales development representative for Europe at ARCON, and Frank Schmaering, who is a senior solutions engineer, also from ARCON. So welcome to you both.
Apologies, first of all, for being a little bit late. We had a couple of technical hitches, which means that I can't control the slides, so I'm going to ask the producer to move the slides forward. So please, let's move on to the next slide. We have muted you all, so you don't need to worry about that. We'll do a couple of polls during the webinar and look at the results during the Q&A, and that Q&A will also enable you to ask questions. You can enter questions in the panel that you should see on your right.
This webinar will be recorded and it will be available on our website, and the slide decks will be available as well in the next few days. So with that, let's move on to the agenda.
Well, it's very simple. I speak first, then Rosemarie and Frank, and then we'll have our Q&A. So let's go into the first poll, which is this. We're not going to wait for the results, but I'll just go through the questions quickly, or rather the options. What is your primary concern regarding DORA compliance? DORA, by the way, stands for Digital Operational Resilience Act, in case you didn't know.
Is it A, understanding the actual requirements? Is it B, implementing the necessary technological solutions? Ensuring ongoing operational resilience? Or something else? Obviously you can't say what that something else is, but it might be something else. So that's the poll. We'll come back to the results at the end. So let's move on to my first slide, which is a quick introduction to DORA. You may or may not know that DORA is a piece of European Union legislation.
It came into force a couple of months ago, and all countries within the EU must strictly adhere to it, and it's focused on the financial sector. It's basically a raft of legislation, which you could read if you wanted to, but basically it ups the game on the kind of cyber security standards and resilience standards that the financial sector, and those companies that serve the financial sector, must adhere to, and it's quite a big jump.
It means that things like privileged access, which is where many, many attacks start, should now be upgraded, or at least, even if you don't have it, you should be thinking about getting it, and we'll talk more about that later. And it's not just privileged access, although we're focusing on privileged access here; of course other areas of cyber security may need to be beefed up as well.
One quick note: if you're watching this from the UK, obviously the UK is no longer in the European Union. However, it's highly unlikely that financial services companies will have no dealings whatsoever with the European Union, so if you're a financial services company operating with EU partners, then you will still have to comply with these rules, and in any case it probably makes sense to come up to the standard anyway, because it improves your cyber security posture. So next slide please. So what are the key areas? I've whittled these down to basically four areas which need to be focused on.
The key mandates of DORA are, first, risk management in ICT. ICT is an old-fashioned term, but it basically means risk management in your technology areas. Incident reporting is something else that DORA is now particularly interested in. There was a time when companies could get away without incident reporting. GDPR changed the game altogether on that, and DORA makes it even more acute: incidents must be reported, they must be reported within strict timelines, and they must follow certain procedures.
You also need to think about your resilience testing again, which would mean more penetration tests, for example, or actually just stress testing your entire network to see how vulnerable it is, and so on.
All that kind of stuff again. "Digital resilience testing" is three smallish words, but actually doing it involves quite a lot of extra effort and would also probably involve working with vendors, and perhaps with consultants, to see whether, for example, your PAM is resilient enough, whether your other cyber security measures are resilient enough, and so on. And number four there is third-party risk management. Again, until quite recently third parties were not exactly overlooked, but they tended to escape the umbrella of existing legislation.
Now, if you work with third parties or partners or customers, as in business-to-business customers, as is the case with most businesses today, particularly in the financial sector, then you will be responsible for that as well. So you need to make sure that those third parties are also secure, and if they're not secure then you make plans to make them secure, or you make sure that you are covered in some way in case the worst happens, and that means things like cyber insurance. So next slide. So where does PAM, Privileged Access Management, come into this?
It's a very good question, and on the face of it, PAM might seem a bit remote from all this. Privileged Access Management has always been seen as a bit of a niche area, niche application, niche platform, etc., which was seen as a way of protecting admin accounts or super-user accounts for those that had access to admin duties or admin functions. However, the world has changed. Privileged access now covers a lot more than just those admin accounts.
It can potentially cover virtually every identity, every user on the network that at some point might access what we would call privileged assets. And so the attackers know that a good way to get into the company is through these pathways, which are not necessarily listed as traditional privileged accounts, but they can seek out and find out that these accounts, these users, these identities will lead them to secure data. In the case of financial services, obviously that would mean financial data, it would mean personal data, etc.
So when you're looking at Privileged Access Management solutions today, you will find that there are a lot more capabilities that allow the privileged access technology to cover a much wider breadth of identities and accounts and service accounts and things like that. Ultimately this is to ensure that only authorized users or identities have privileged access, and Rosemarie and Frank will talk a lot more about this when we focus more on the ARCON solution after this presentation.
So PAM is one way, not the only way, but PAM is a very good way to reduce the risk of data breaches and such compliance violations of DORA. So let's move on to the next slide please. So here are some ways in which Privileged Access Management can help, and we're talking here more about the kind of advanced privileged access that ARCON and other vendors provide on the market right now. We have moved from standing privileged access to least privileged access, and at some point, hopefully, to zero standing privileges, or ZSP.
We need to do that simply because, as I mentioned before, the number of identities, the number of clouds, the number of resources is increasing all the time, and a static PAM of the type which we traditionally have, with a vault and password rotation, etc., is probably not going to keep up with the demand. We also have things like DORA, which, with its focus on analytics and incident reporting, is going to want to see evidence of real-time monitoring and auditing rather than a retrospective look at what happened on the network.
It needs to strengthen authentication, which sounds a bit of an obvious thing, but the latest PAM will have superior authentication pieces. Even if the wrong identity has got hold of an account, or, perhaps a better way of saying it, an attacker has got hold of an identity, then Privileged Access Management of the best type should be able to detect some kind of activity which is abnormal and do something to stop it. And of course all of that should support incident response and reporting, which is what I just said.
So basically, when you're looking at DORA and you start to look at all its requirements, you can then start to think about how a Privileged Access Management solution, or a platform, or even a single solution for a particular part of your business, would work, and you need to start thinking about how those capabilities map to the demands of DORA. So next slide, I think there is another one. Okay, so this is where we get into the nitty-gritty, the reality, when all that I've just said hits reality.
So far all of that has been theory. It's good theory and it would all work; however, actually implementing PAM can be tricky depending on how and where you do it and what kind of solution you choose. You're going to have to think about not just your cloud infrastructure, but also legacy systems that are still using weak access controls.
You've got to think about how you're going to actually integrate legacy systems, integrate clouds, integrate stuff for the future, and make sure that the PAM solution can scale with that, and at the same time make sure that it will scale with the requirements of DORA right across your infrastructure. Probably the biggest challenge there is actually integrating any form of Privileged Access Management if there isn't one in existence, or if you want to switch one out and replace it with another.
You also need to think about balancing security with operational efficiency, which is particularly important in the financial sector, where everything is done in real time and people expect things to happen instantly. Your employees, your users, also want to get things done, and this most particularly applies to people like DevOps, who are used to working in very agile ways and need to have access to stuff as quickly as possible.
All of that needs to be part of your PAM solution, and of course you need to think about probably the second biggest challenge, which is how you start to control those third-party and remote access risks: how you start working to engage PAM so that you don't fall foul of DORA when you're using remote workers, when you're using contractors, when you're actually buying in services from third parties. And don't forget that those services can also just mean cloud services to help the business.
So you need to think about some of the solutions that are emerging now, things like continuous or automated just-in-time access controls, continuous monitoring, and AI-driven risk assessments. In the last couple of years AI has obviously started to be used in privileged access management applications for those very things, but also continuous monitoring, and a way of making sure that the monitoring then sends the alerts to the right people or the right parts of a SOC, etc. Make sure that that works. So those are just two things there to think about when choosing PAM.
So if we look at the next slide: how to integrate PAM with a wider cyber security structure. Basically you need to think about where PAM fits in. Perhaps you have an existing identity and access management layer; you might want to start thinking about zero trust; and you need to think about how to align with data governance and CIEM tools that you may have across the organization. Now zero trust is something worth mentioning, because zero trust is often wheeled out as the solution to every cyber security problem.
The problem with zero trust is that creating a totally zero trust network is very difficult. Probably the best you can do is create zero trust in some parts of your infrastructure, and don't forget that if everything is zero trust then it has an impact on operational efficiency as well.
So when people tell you about zero trust, it's best to take it from the very base idea: yes, there are areas where we would like to implement zero trust, or where zero trust would be good, but you really need to think about how your infrastructure works, how your organization works, and how privileged access management could fit into any potential zero trust architecture that you design. It's not something that you can create overnight, and it's not something that many organizations would have the skills in-house to do. Certainly it's a good ambition, a good goal, but there's a lot you can do with PAM right now, and integrating it with other tools will bring you closer to zero trust and certainly would mean that you are closer to meeting DORA requirements. So don't get hung up on zero trust, is what I say.
Next slide please. So, just quickly, from my part of this: DORA compliance is about cyber security as much as it is about PAM. Although we're focusing on PAM, DORA means that you need to think about the cyber security umbrella that protects the whole organization, and then how PAM fits into that, because PAM is a key enabler of this.
If you haven't thought about DORA, and I'm sure that if you're in the financial sector most organizations will have, but even if you find yourself in the situation where you suddenly realize DORA does apply to your organization and you haven't really prepared, it's not too late, but you need to start thinking about it right now. And finally, being proactive about PAM isn't just about not getting into trouble. PAM can also help your business: it can help build a resilient future, and it can actually help with operational efficiency if it is done well.
So with that I'll hand over now to Rosemarie and Frank, and I'll see you later. Thank you.

My name is Rosemarie Hesterberg and I'm the BDR of ARCON in Europe, and I've been in IT for a very long time, I guess. I'm here with my dear colleague Frank Schmaering from ARCON in Europe. We are very excited to share how our solution can help you navigate the complexity of DORA compliance. ARCON's mission is to provide global organizations with a platform that visualizes, manages and secures the complete life cycle of all types of human, non-human and machine-based identities.
This comprehensive approach ensures that businesses are protected from all identity-based risks, whether they originate from within or outside the organization. Regarding risk management, Frank will demonstrate how our platform helps in identifying, assessing and mitigating risks as per DORA guidelines. DORA aims to ensure that these institutions can maintain digital operational resilience across all aspects of their business. Third-party risk management: do you have control over your supply chain?
And finally, incident reporting ensures timely and accurate reporting in line with DORA's requirements. Now I'll hand it over to Frank, who will walk us through the technical aspects. Frank, could you please start by sharing with us how our solution addresses the risk management guidelines of DORA?

Thank you Paul, thank you Romy. Am I audible? Perfect.
So thanks, Paul, for the introduction to the Digital Operational Resilience Act and how privileged access management is a fundamental part of this regulation, adopted by the European Union, that aims to ensure that financial institutions can withstand and recover from operational disruptions. As you outlined earlier, Paul, this is about cyber attacks and making sure that the measures and the requirements that DORA brings into the entire vertical set the requirements related to operational resilience, including cyber security as well as, as you mentioned, third-party risk management.
In terms of PAM, which focuses on securing, managing and monitoring privileged accounts and the users with elevated access within an organization's IT systems, the key DORA requirements are focused on strengthening resilience against cyber threats and ensuring that controls are in place for critical functions.
The main DORA requirements related to PAM are risk management and governance; access control and monitoring; resilience to cyber security incidents and cyber incidents in general; third-party risk management; audit and reporting; as well as, as a follow-on, separation of duties, SoD management.
In summary, and that is the interesting thing about the initial poll on understanding the DORA requirements, DORA emphasizes that privileged access management must be part of the overall operational resilience framework you touched upon, Paul, ensuring that privileged access and critical access is tightly controlled and monitored, and resilient in the face of disruptions, threats and cyber security threats, to align with those DORA requirements.
ARCON, from the PAM solution perspective, incorporates the following features, which is what you also discussed: just-in-time access, which grants privileged access only when necessary and for a limited duration, reducing the risk associated with standing privileges. MFA is a huge topic, which enhances security by requiring multiple forms of verification, different form factors related to criticality, whether it's phishing-resistant or non-phishing-resistant MFA, for privileged accounts and assets before getting access to the infrastructure.
Automated password management, which includes the likes of password vaulting and auto-generation of passwords, alongside different policies for the connected target applications, whether I integrate a mainframe that is only valid with 16-character passwords or other target applications which have the ability to work with 64-character passwords, to ensure that privileged credentials are securely managed and regularly updated.
The next key feature is session monitoring and recording, which provides real-time monitoring as well as recording of privileged sessions, enabling thorough auditing and also forensic analysis.
As you also mentioned, Paul, user behavior plays a vital part in it, next to granular access controls, where ARCON provides role-based policies and the principle of least privilege, ensuring that users have access only to the resources that are necessary for their roles and their job functions. Everything can then be tied up with compliance reporting, where we offer a built-in reporting capability to generate compliance reports and audit trails, facilitating regulatory compliance and also demonstrating adherence to internal security policies.
While we obviously accommodate the regular PAM requirements under DORA out of hand, this leads into additional questions. You touched upon third-party management: requesting access for third parties to any kind of privileged account, either users for human identities or non-human identities such as service accounts, for risky assets, where workflow management plays a vital role and is also auditable within the entire exercise, in order to drive the security requirements to meet the DORA regulation.
And next to that is one of the biggest points arising, as you outlined, Paul: AI, artificial intelligence, as well as user behavioral analytics, where ARCON PAM focuses on analyzing user and system behavior to identify anomalies that could indicate potential security risks such as fraud, insider threats or external cyber attacks.
Under DORA, behavioral analytics contributes to operational resilience and risk management in a couple of ways: anomaly detection, proactive risk mitigation, user and entity behavior analytics, called UEBA, followed by automated response and incident risk reporting with immediate action on those incidents. Under DORA compliance, identity methods and identity security must facilitate all of the four pillars that you initially discussed around, as you said, the old word ICT: ICT risk management, incident reporting, operational resilience and third-party risk monitoring.
Each and every topic has a mandate to exist within the DORA regulation, which says that financial services and institutions need to establish comprehensive frameworks for ICT risks in general, including the identification, assessment and mitigation of threats to digital assets, to systems, as well as to operations.
Now institutions are required to implement policies and the necessary procedures and technical measures to safeguard their operations against potential disruptions caused by cyber attacks, system failures and other IT-related risks, while incident reporting must be established and must clearly outline the necessary protocols for reporting significant related incidents, which includes the obligation to notify competent authorities within specific time frames if an incident exceeds thresholds of severity.
The aim is to promote transparency, timely response and coordinated action to address cyber threats, threats in general, data breaches as well as system outages, which drives into operational resilience; you also discussed that earlier on, Paul. Operational resilience is the heart of DORA, and the DORA requirement focuses on the ability of financial institutions to withstand and recover from disruptive events.
DORA outlines the requirements for robust business continuity plans, disaster recovery strategies, as well as stress testing practices, where it emphasizes that institutions must be able to continue critical services even in the face of severe disruptions, ensuring that customer trust and financial stability are maintained, which is a fundamental thing. After that comes third-party risk monitoring.
It was a nice question that Rosemarie raised earlier on: do you have control over your supply chain? This is about managing third-party risks, particularly in relation to critical access to IT assets by service providers. The DORA requirements talk about the assessment and monitoring of the risks posed by third-party vendors, including cloud services or outsourced IT functions. Imagine the core banking infrastructure.
DORA requires institutions to implement proper oversight, contractual safeguards and risk management measures to mitigate the impact of third-party failures on their operational resilience. A huge, huge topic. Going down to each and every topic where ARCON can help in mitigating the risk as well as meeting the DORA requirements, the first topic is risk management.
There is a small excerpt from the requirement that you see on the screen, followed by two pictures, talking about ensuring that financial institutions can withstand operational disruptions, including cyber attacks, technical failures and other risks that could compromise their ability to operate effectively.
Here is a more detailed breakdown of risk management. There are additional requirements specifically in the context of privileged access management, which is risk identification and assessment. This covers comprehensive risk identification, where financial institutions must regularly identify and assess the risks related to information systems, including risks posed by privileged access. This involves identifying potential threats to systems that could be exploited through elevated user access.
Next come vulnerability assessments, where regular vulnerability scans should be performed on systems where privileged access is being granted, on-prem as well as in the cloud. This includes evaluating the security of privileged accounts, user permissions and potential vulnerabilities, and third-party service providers who may have privileged access. Now, one thing you touched upon was CIEM, the cloud infrastructure entitlement management capability, where especially in modern IT infrastructures we are primarily concentrating on implementing PAM on a human-identity basis.
What about all those non-human identities, all those service accounts, bot and API accounts? Do they expose additional risk to operational continuity when they are attacked and breached? You must evaluate the impact of risks related to those kinds of accounts as well, considering how a data breach or unauthorized activity could affect the availability and integrity of critical systems.
The mitigation of risks also concerns access control measures: looking at multiple accounts being shared within a particular department, or identities sharing privileged credentials, including weak approval processes, where techniques like least privilege or just-in-time access need to be ensured to accommodate those kinds of issues, and then going into the root cause analysis, ensuring that I have the necessary permission just for a certain duration, just in time, with just enough access.
And what we see during implementations in large FSIs is a lack of accountability: who owns a particular non-human identity account, service account, API account? Do I also need to provide segregation of duty management on top of my day-to-day users, including the ability to look at the possible privileged accesses that I have within the entire infrastructure? One of the fundamental things that we are driving forward is account discovery for human accounts as well as for non-human accounts, on-prem as well as in the cloud, on both kinds of assets in a hybrid IT landscape.
The third measure that risk management discusses is third-party risk management, and we'll come to that later on. Incident response and recovery is also a topic that we are going to discuss at a later stage, whereas business continuity and resilience must be in place from the policy perspective, ensuring resilience in case of disruptions. Do I have business continuity plans in place? DORA emphasizes that institutions must obviously have backup systems and processes in place to continue operating in the event of a cyber attack or major disruption.
Lastly, risk reviews and reporting. The governance topic is a huge requirement in DORA, looking at periodic risk assessments, which are required to be carried out regularly to stay ahead of emerging threats to privileged access and systems. This includes conducting quarterly or biannual evaluations of privileged access permissions and reviewing how any changes in IT systems might affect that risk profile, which includes the ability to launch internal and external audits and governance on top of the accesses that I have.
Next to that, what Romy was discussing is incident reporting in the context of DORA. This is a critical component of maintaining operational resilience, especially for financial institutions. From the incident reporting requirements under DORA, with a particular focus on privileged access management and other cyber security concerns, the definition of incidents is clearly stated in the requirements. However, do I need to tackle and face operational incidents? I need to discuss the ability to come up with definitions of cyber security incidents, which are a key part of the definition of incidents, particularly those involving privileged access that could compromise integrity; the timelines of incident reporting; as well as the types of reportable incidents and the incident reporting content that needs to be outlined when a major attack has happened.

The PAM solution, ARCON PAM, can provide the necessary measures and executions for that, enabling the controls for accesses, not only for third parties, not only for SaaS environments, but for my hybrid environment, implementing the necessary permissions based on job function, job profile and external risk indicators: whether I can perform a certain command on a Unix box, or on a router, or on a firewall, or on a database. This goes hand in hand with multi-factor authentication; I need to provide the verification up front before I gain access to critical accesses, which allows me, the administrators and third parties to build the level of security based on certain risk figures. ITDR is also a huge topic next to DORA, which brings in the risk indicators from external sources in order to provide judgments: do I come from a trusted geolocation, from a trusted IP range, in order to gain access to a certain critical infrastructure?

Operational resilience refers to an organization's ability to anticipate, to prepare for, as well as to respond to and recover from disruptions to its normal operations, which is a huge topic within financial institutions, whether they are due to cyber attacks, natural disasters, technical failures, human errors or other unforeseen events. The goal is to maintain or quickly restore critical functions and services to ensure that the organization can continue to meet its obligations, particularly to its customers, stakeholders or regulators. One of the key things is the key principle of operational resilience, where DORA defines operational resilience as the ability of an organization to respond to, recover from, and continue operating during and after a significant disruption or incident, just as if a server goes down for a day or a week. Proactive risk management also applies to privileged access management, which gives me the ability, through just-in-time access, to avoid any kind of standing privileges, and has the ability to automatically reduce insider threats and the risks around internal threats and attacks, ensuring compliance with the regulations. As we are primarily discussing DORA today, there are other regulations which have the same requirements, around ISO 27001, PCI DSS or NIS 2, supporting and discussing zero trust frameworks that you also mentioned earlier, Paul, which is obviously hard to accommodate at the moment since it touches all facets of IT, towards ring fencing, network fencing, as well as dealing with privileged accesses. PAM is just one of the infrastructure components on the way to an entire zero trust framework, allowing the least privilege principles with the ability to use user behavioral analytics in order to ensure the right access at the right time.

This goes hand in hand with third-party risk management and monitoring. Is the access for third parties controlled in your organization? Is the supply chain being secured, process-wise and technology-wise? Usually what we see within organizations is that they have properly documented processes for employee life cycle management: you have a starting point and you have a leaving point. A new hire will start and will get access to birthrights, while you allow them the day-to-day operations. Think about the entire supply chain security and getting them in in a controlled way, where you can see the more or less spaghetti plate in the picture on the right, showing the different entry points into the business for external identities. This is a huge topic within DORA, discussing third-party identification and verification, the risk assessment and the risk exposure that each third party has and brings, based on factors such as the level of access to internal systems, the sensitivity of the data handled, the service criticality and the potential impact of disruptions. This assessment of external vendors should also include cyber security vulnerabilities, data protection practices, the financial stability of the third party, as well as previous incident histories, for example data breaches or service outages. Third-party due diligence and oversight is a fundamental part of getting the onboarding and management into a controlled way: the vendor management onboarding processes, then the identity onboarding of externals, the birthright accesses that I might need to apply (do they require an AD account with certain AD group memberships?), the access control towards just a few assets within the IT itself, and then allowing them to work in a just-in-time-access-driven exercise to remove any kind of standing privileges. Auditability and monitoring is a fundamental part of access controls: are they allowed to execute certain commands and start certain programs within Windows workloads, or leverage certain non-human identities, service accounts, while ensuring compliance and reporting next to it? And I could talk for hours, believe me, Romy and Paul.

Just as a last part, last words: ARCON can meet and comply with those DORA requirements that we are seeing now in financial institutions. ARCON is a solution that helps financial institutions manage, monitor and control access to critical systems, especially when users and third parties have privileged accesses. This aligns directly with those DORA requirements on ensuring that privileged access, cyber risks and the resilience of their critical systems are controlled, which are areas that ARCON solutions are designed to protect and enhance. Looking at the DORA requirements towards reporting and resilience, ARCON and the product portfolio of ARCON have a lot more to offer around endpoint privilege management, securing all the endpoints, all the Unix desktops and Windows desktops and macOS desktops that I have within an organization, to immediately remove my standing admin privileges, making sure that in a controlled way I can request privilege elevation in order to perform any kind of change on the desktops themselves. You touched upon DevOps, Paul: the enterprise world and secrets management is one of the core pillars of ARCON PAM, where we have the ability to secure the pipelines, whether it's Ansible, Jenkins or Azure DevOps, to remove all those hard-coded secrets and passwords. And as an oversight solution, the secure compliance management solution of ARCON helps to meet the DORA requirements by actively checking the configurations of the IT infrastructure and of those connected applications, and immediately reporting against ITGCs, ISO, as well as DORA, whether I'm compliant or not.
Again, I could talk for hours, but my time is over. Thank you very much, and I hand back to Paul.

Frank, thanks very much, and thanks also to Rosemary.
Okay, before we dive into questions, let's just take a look at the final poll. Please, Oscar, if you could bring that up. I don't know if we'll have time, but anyway, if you could answer this one while we're doing the questions. It's slightly related to this: is PAM, CIEM, cloud infrastructure entitlement management, non-human identity management and secrets management then destined to converge? So will we see a convergence of all those applications? The options are: yes, it's inevitable; no, they serve distinct needs; we might see a partial convergence; it's too early to tell. So let's leave that up for a minute and let's dive into questions.

We have some. Peter Keller actually has sent in a couple; let's deal with the first one. He says one requirement of DORA relates to monitoring privileged access, so he says, what kind of monitoring is conceivable? So Frank or Rosemary, over to you. You're both muted, actually. Yeah, Rosemary, yeah.

Good, thank you. Unmute button again. What kind of monitoring is conceivable? First of all, we are looking at the user behavior, looking at the necessary privileged access in order to train ARCON PAM on the user behavior, looking then at the ability to provide just enough access during the just-in-time provisioning for using the privileged access. One requirement which relates to monitoring of privileged access is also the ability to look at geolocations, where a particular identity is coming from and accessing from. So there are a variety of different answers; again, that would just take up the remaining nine hours. Peter, we will come back to you and answer that in detail.

Yeah, well actually, he's had a follow-up question. He questions whether PAM can actually enforce least privilege. I'm sure you could have a lot to say about that. He says in his view it can't, so perhaps you could just quickly see if you can challenge him on that.

Certainly. With what I initially discussed on looking at the user behavior, in a certain view he's right that PAM can't really enforce least privilege. However, it can, based on AI and LLMs, based on previous sessions, learn in order to steer guidance and apply the least privilege principles, also the ability on what kind of actions you are allowed to do in regards to firing Unix commands, with workflow capabilities as one option in order to drive least privilege principles.

Okay, well, as you said, I'm sure that you could follow up with Peter on both of those. Quickly then, before the next question, I'll just give you some results of the polls. The primary concern regarding DORA was indeed understanding the regulatory requirements, which I guess seems to be obvious, but secondly is implementing the necessary technological solutions, and then ensuring ongoing operational resilience, so probably in the order you'd expect. On the question on PAM, CIEM and NHI, most people think that convergence is inevitable, 38 percent; perhaps a partial convergence, 31 percent; no, they serve distinct needs, says 15 percent; and it's too early to tell, says the other 15 percent. For my personal opinion, for what it's worth, I think there will be a partial convergence, or perhaps maybe some areas will serve distinct needs. But anyway, let's go back to the questions and polls. Sorry, Frank, yeah.

Oh, fine. I find that convergence is inevitable, since the entire IT security risk exposure is coming down to the identity and non-human identity things, which drives a lot of deployments, which drives the entire IT risk, so to speak, which includes secrets management, securing DevOps and the pipelines, securing also and working with the cloud infrastructure entitlement management capabilities, in order to learn, as you initially discussed, as the convergence around the identity, converging PAM and nowadays identity governance and administration. So looking at privileged identity lifecycle management, or privileged account management lifecycle, as well as the regular employee lifecycle management capabilities, we've seen that convergence happening more and more throughout the last three, four years, like ARCON has in its product offering. And based on that, I would require the risk indicators in order to work on cloud infrastructures: I work on cloud entitlements, do I have the ability to request them based on risk factors that I have towards risky access and towards non-VPN access? So a lot of risk indicators are being required in our, sorry, I'm losing an English word now, are necessary nowadays in order to drive this convergence.

Okay, Frank, your English is about a million times better than my German, so don't apologize. Please, let's quickly, while we have a little bit of time: Andre Zimsek, I hope I pronounce that close, he said, in order to track and manage accounts in cloud and on-prem, would you suggest two systems that are managed separately, or just one system and route all traffic through it?

That's a great question. Simple answer: one solution for everything.

Yeah, okay, all right. Are there any automated processes for monitoring and controlling privileged access to critical systems and applications?

Yes, there are, with our component, just to keep it short.

Okay. What authentication mechanisms are used to secure privileged access, i.e. multi-factor authentication, password vaulting, etc.? I presume that's in your solution; that is a question related to your solution.

MFA is built in, password vaulting is built in, from what you've seen on the slides earlier on from the ARCON capability, especially multi-factor, alongside biometrics, time-based one-time passwords as well as FIDO keys. The password vault is obviously what we have to secure the stored secrets, the stored credentials, including password rotation, including the monitoring and the governance on top of them.

Okay, finally then, are there any, sorry, how are logs generated for all privileged access activities, and how long are they retained?

Yes, we are monitoring each and every user access. The retention is something that we can certainly discuss; it's based on the contract period for the time being and can then obviously be extended.

Okay, well, that wraps up the questions. We're almost out of time. I'd like to thank you, Frank and Rosemary, very much for joining us today. I'd also like to thank you for listening in or for watching, wherever you are. Don't forget that this whole thing will be recorded, or is recorded, and will be available on our website in a couple of days, and also don't forget the European Identity Conference, where we'll be talking about PAM and a lot more, and of course about convergence and compliance, in Berlin, starting on the 6th of May, I think it is; anyway, it's that week of May in Berlin. So please, there's still time to book tickets and book travel, etc. But in the meantime, thanks very much, everyone, for being with us today, and I'll say goodbye for now. See you in Berlin. Thank you.