Hello everyone, and welcome to this webinar, supported today by One Identity. My name is Paul Fisher. I'm a Lead Analyst with KuppingerCole. We're gonna be talking today about how to deal with modern industrialized cyber threats. So let's have a quick look at how that will pan out today. So first of all, I'll be looking at the infrastructure and cloud that we have, which affects how we deal with these threats. And then we'll look a bit more about that in detail and how that affects how we manage identities.
Then we'll be looking about cloud entitlement or dynamic cloud entitlement to be more specific and then a couple of takeaways for you. So that's my agenda.
Before we get into that, just some housekeeping: you are muted, so you don't need to mute or unmute yourself.
We will run a couple of polls during the webinar, and then we'll look at the results of those during the Q&A. The Q&A, of course, is your opportunity, after we've both spoken, to ask us some questions. And don't forget also, of course, that this whole podcast will be available quite soon after today. And the slide deck will be available to download. So if any of your colleagues wish to look at it, then you're able to do so.
So let's get into infrastructure and cloud. This is a quotation from a guy who used to work at Capital One, when he said that identity is the steam engine of the digital economy. When he said that, I think what he was alluding to was the fact that the steam engine on its own wasn't really much use until it was applied to things like locomotives and to manufacturing, et cetera. And we're kind of at the same stage with identity: we know that managing identity is key to getting the benefits that we want from digital economies and digital transformations, but in his view, and he said this a few years ago, but it's still fairly true, we haven't quite got to the stage where we are managing identity in the cloud, and managing it so that we are defeating cyber threats effectively.
So just before we get into that, let's do the first of our polls. So we're asking you to vote on these. So what type of cyber attack most worries you? What keeps you awake at night?
So we have options of ransomware, data theft via a phishing attack, or even data theft by any other attack, a denial of service attack, insider attack, which can mean literally someone inside your organization that is maliciously attacking you, or it can mean the insider that accidentally causes data to be lost. And finally, a SQL injection, which is a specific type of attack. So we'll just give you a few moments to vote on that. So I can see the votes are coming in thick and fast.
So again, it was ransomware, number one, data theft via phishing attack, denial of service attack, insider attack, and SQL injection. So, okay. So I think we'll close that poll now and carry on with my presentation.
So what I have here is what I would call a simple network. Most networks start out, or most organizations start out with a fairly, fairly simple network, which you might also describe as a simple threat landscape to use the sort of terminology that we're talking about today.
And I've kind of based this really on KuppingerCole's own organization. I have to stress that we don't actually look like these people, at least I don't, I hope, but we have maybe 150 people in our organization. So we have analysts, we have research managers, we have sales people, account managers, et cetera. And then of course, all sorts of excellent support staff that keep us going.
And we tend to use, for the most part, Office 365, SharePoint and Salesforce to get our work done. So we're a SaaS-based organization. And most of that work is done through collaboration between human identities, which of course means people like me. We're in different locations.
So we have people in different cities in Germany, the UK and the United States. So that works fairly well.
It's fairly simple, but of course, things start to get a bit more complicated when you start adding in some of the things that digital transformation and, of course, the events of the last year or so have created, so that we have a lot more remote working. We have people using different types of endpoints and, like most organizations, we now have people using their own devices to do business work, and those devices need to be protected so that we don't inadvertently allow phishing attacks to get in.
But where it gets more complicated perhaps is when you start adding in things like customer access, data management, any organization, as soon as it starts operating creates data, creates databases. We are no different. We have our web tools, we have a website, we have people accessing our website and we have people who have subscribed to us.
Therefore we have to conform with things like GDPR and even, maybe not right now, but it's not inconceivable that at some point, we'll probably start developing some code developing applications within the organization.
So you can see how quickly what starts off as a fairly simple network becomes more complicated. And if you take this further, my theory is, and I use this slide in almost every presentation I do now, and I call it the ever-expanding IT infrastructure. And that's pretty much where organizations go, given that, unless a company doesn't grow or an organization doesn't grow, it's unlikely that their infrastructure will stay the same.
And what tends to happen is that you build an original infrastructure, you start off small, but then like the universe, it expands and continues to expand. So within this here, we have all the, the colored dots represent things like databases.
They represent things like endpoints, printers and data centers, et cetera. And then of course we have stuff in the cloud.
So all of that gets added. The more complicated organizations become, the more complicated the infrastructure tends to become, especially these days when organizations have lines of business which tend to, or sometimes, add to the infrastructure without going through IT. So they'll spin up things on web services, sorry, on cloud services, such as AWS or Azure. And so within that, all the tiny dots, the increasing number of identities that an organization will deal with. As I said, we, as a small organization, have our employee identities, but we also have customer identities.
And then there are third party identities or vendors. So they're all looking to connect at some point in this ever expanding infrastructure.
So this breakdown is part of a wider survey, but it shows how this complexity is playing out in actually what people do and buy.
And it's absolutely common now for organizations to use more than one cloud or IaaS provider. In fact, 42% here say that they use three or more. 69% say that they'll use proprietary access management tools that come with the cloud, which adds more complication. On top of that, they might use their own in-house IAM platform, which generally means a specialized platform bought from another vendor. And the reason that this happens is just what I've mentioned: cloud deployment is no longer simply in the hands of the traditional IT management, or even IT security.
In fact, it's probably even further away from the IT security management. And so different teams, say DevOps, say marketing, for example, or even finance, may well go ahead and access their own clouds. Given that you can now set up a server in AWS in about five minutes, it's not surprising that this happens. And also payment terms can be set up separately, and so on. Added to that, we may have individual employees that are working on a project that just decide to spin up something on cloud, because it's easier than trying to do it on their own infrastructure.
And sometimes this is done simply because organizations prefer not to be dependent on one vendor.
And so the other reasons there are: why do they use a proprietary IAM tool?
Well, because they're there. Also, if they're already using one, they feel like it's an extra layer of security, and so on. So that's kind of a snapshot of, and I think also, in my opinion, a very accurate snapshot of where we are with cloud services in many organizations today.
And this complicated mix, added to the way that the infrastructure is expanding, makes it harder and harder, and Alan will be talking more about this in a minute, to control attacks, to control access to these cloud resources and to essentially know what's happening in your own organization.
So this slide here gives you a feel, I think, for the complexity, if I highlight this. So we have here on the top left everything that could possibly form part of an organization.
So we have, you know, servers, everything that was in my simplified diagram there of the IT infrastructure as the universe. So we have public clouds, private clouds. Then we have our endpoints, PCs, notebooks, et cetera, things. Things could be anything, maybe things that we haven't even thought about. And then of course we have the applications, storage, et cetera. And that mix is not gonna disappear. That complexity will not disappear.
It will only increase, as it says here, but we need all of this, because the other side of all this is the other reason why we're having more clouds spun up and why there is more extra complication: because the business demands it. The business or the organization, even if they are, you know, not for profit, they're still in a competitive landscape.
That means that someone or something, or somebody wants the organization to be either a more efficient, more profitable or deliver a better service to their customers.
So I won't go right through all of this, but the common denominator, really, if you strip away some of the complexity there, what you are left with is really identities and resources. Identities and resources are what it's all about. Any organization is now fundamentally trying to match identities to resources. If you simplify it back to that, then you can start to think about how to do it and how to secure it and to make sure fundamentally that the right identities are getting access to the right resources, and not bogus identities.
So perhaps we need to, and this is a bit of blue sky thinking, but maybe we need to start thinking better about how we map our cloud geography and how we could possibly start to emulate how the cloud works, particularly in, like, containerization. So we're starting to think about, you know, putting identity and access management or privileged access management much closer to where access is needed. So we call it, you know, containerized or zero distance security.
One of the reasons for this is, as I said, that teams are moving outside the traditional CIO and CSO zone of influence. So if that is happening, it may be time to start thinking about building security or security management or identity management within the teams that are actually using these new ways of accessing resources.
So that again is obviously not something that could happen overnight, but it's something that we can start to think about, and we can learn the lessons of how DevOps in particular has managed to streamline its own operations and produce the results that the organization wants.
What we need to do is perhaps match that so that they can still do the stuff they want to, at the speed that the company or the organization desires, but also make sure it's secure. So let's quickly now, I realize that I might be going over time a little bit, but we're just gonna run our next poll.
Now you've just seen the slide, but how many clouds, or cloud service providers, do you use? So do you have just the one; only AWS, Azure and GCP; more than those three, sorry, more than three but not including AWS, Azure, GCP; or more than three, including AWS, Azure, GCP; or you actually possibly don't have an idea of how many you have? Which is actually not meant to be a fun or trick question, because it's quite likely that some organizations won't know that part of the organization is using perhaps, I don't know, Azure for a particular project, or AWS the other way around. So that is running.
So you have maybe just one, maybe just the big three, or more than three but unusually not including AWS or GCP, or more than three including those three, or no idea. This is just really to finally show you some ideas of how we can manage identities better in new clouds and infrastructures. And so if we look at this diagram here, we've got our traditional areas in the middle layer of access entitlement.
So if we take our identities on the left, admins, developers, users and machines, I think we've covered pretty much most things that would be using a network or infrastructure at the moment. And then at the moment, privileged access management and identity and access management.
And increasingly now we have cloud infrastructure and entitlement management applications and they together, if they're used well, can help us to manage the cloud, manage our infrastructures and make sure that we are better protected against cyber attacks and better protected against the industrialized cyber attacks, which are happening now.
So if we take access entitlement, that then allows access to the cloud services and to our resources. So that is pretty much a blueprint of how business identities will flow through organizations.
If they start to use what we call dynamic resource entitlement, access management, compliant, and CIEM technologies, which are, as we say, parts of privileged access management, CIEM, and parts of identity and access management. So with that, I think that we can start to break down the organization, but also start to think about how we can start putting the different types of access management that we need closer to those areas which are perhaps more vulnerable, including parts of DevOps and parts of the cloud.
So quickly then, before I hand over to Alan, just some stuff to take away. Network expansion is inevitable. So there's not quite much point trying to stop it. But what we can do is start to think about decentralizing identity and decentralizing identity management. That should say containerized, not containerized, apologize for that, but start thinking about the methods of containerization and how they can be applied to identity management in the cloud.
Perhaps we need to start thinking about how we let go of some areas of control, start allowing some autonomy within those areas, which are using dynamic access and fast access and how they can perhaps be entrusted to manage their identities themselves. But of course, to do that, they would need the right sort of technology. Alan will talk about that. And don't forget to embrace I identity and service, sorry, and ops, sorry.
That should be infrastructure as a service and ops automation. Automation is improving all the time.
So some of the stuff that used to be a human led operation can now safely be done by machine.
And so that then lets up resources that can be used to better manage the security of the clouds, and start thinking about those DREAM solutions, which I mentioned right at the end there in the last slide. Dynamic resource access management is what we have described those solutions, which include CIEM, but also parts of some of the PAM platforms that actually are responding and can run at the speed of things like DevOps and other parts of the organization that need very rapid and very dynamic access to resources. So with that, I'll say thank you and hand over to Alan.
Thank you very much, Paul. So my name's Alan Radford. I'm what we call a global field strategist. What that means is that I work with customers and partners to help create maturity in digital identity for our customers and make sure that we as a vendor, keep our eye on the ball. The ball we keep our eye on is the answer to the question, what is the business problem we're trying to solve, which is a fundamental cornerstone of any successful cybersecurity initiative.
Now, one of the biggest problems in cybersecurity is identity sprawl. And this is why in this space, we'll all say to you, Hey, look, identity is perimeter. And that is why identity is the Quran, which we can protect security. Cause we're generally source of access and there's many types of identity. We're all very familiar with the user.
I myself, I'm a user.
As Paul alluded to earlier, he's a user at KuppingerCole, and increasingly we're investing in more and more cloud applications, more and more automation in the form of RPA, AI and so on. And we are generating more and more data every day. And that access to data is coming from our identities, and the sprawl is getting out of control.
Now, when it comes to the infrastructure, I find that to be quite an interesting topic in and of itself because, you know, Paul spoke a lot about infrastructure as a service, and we're all invested in infrastructure as a service to some degree. There's also a lot of investment in SaaS, platform as a service, and so on. The on-premise is becoming a little bit different though, because I, myself, my on-premise is here. My home office, my laptop, my phone, my watch. This is my on-premise.
And wherever I roam is in fact my on-premise, and as Paul mentioned earlier, KuppingerCole is a cloud-based company in and of itself.
So when we actually look at how we're executing access across that environment, it's very much coming from the new roaming and those identities around the employees, the privileged identities, the robots, the applications, and so on is in a constant state of motion. Everything everywhere is talking all the time.
I like the quote that Paul said about identity being the steam engine of the digital economy. In a world where complexity is not going to disappear, complexity is increasing, where do we see opportunity there in capitalizing on that digital economy? Now in terms of zero trust, these are all resources. I'm a resource, my robots are a resource, my applications are a resource, my data's a resource, and it's all communicating at all times. All of that access needs to be dynamic.
And historically, we've tried to get our heads around this by using things like groups and roles and other quite static constructs.
But the static constructs make sense in a fragmented, elastic and ever more stateless world. Do we need something more dynamic? The policies themselves cannot afford to be static anymore. They also need to be dynamic. These entities, these identities are in and of themselves more dynamic. Take the human identities, for example. I'm working in the cloud.
I am continually changing the accounts that, sorry, the applications that I'm accessing. Now, to this day, I'll use some accounts for certain different things. In my personal life, I have hundreds of accounts. I can't even imagine how many apps I downloaded on my phone as a fad, signed up to it, found out that it isn't free, it does in fact want me to buy something, and then I delete the app. The credentials are still there somewhere. Okay. And in the world of enterprise, in the world of business, we are giving our employees accounts.
We are giving our customers accounts.
We are giving external users accounts, and they all have some level of privileges. They are all roaming. They are all accessing different applications that we are no longer hosting. Someone else is hosting them. We're subscribing from them and, in so doing, allocating some risk into a contract. In this remote world, the applications and robots are skewing these numbers. There is such a huge uptake. And we saw from, you know, some of the holes in research earlier that the number of applications is increasing.
The number of cloud applications specifically, in particular, is increasing. The accounts that we're using for that, we're trying to decrease. We're trying to federate more. We're trying to do more SSO. We're also trying to do more MFA. The user experience is important to us. The time to get things done is important to us. And then that leads into more investment in automation, where we can get things done quicker and have a far greater return on investment.
As a result, when we look at bots, some are attended, some are unattended. An attended bot would simply look over my shoulder as a human employee or user, and it would learn from me. And perhaps when I pause my task, it will take over to automate a piece of my process, and then I would resume. An unattended bot would of course do what it says on the tin: work in an unattended way and perform a process.
There are in fact insurance companies out there that will process a claim for automobile insurance, will process a claim, evaluate photos of the damage to the car, and actually transfer the funds, from claim initiation to settlement, with zero human interaction. That happens today. And we're still investing in them. The lines between human and non-human identities are becoming blurred. And as we move forward in security, we are increasingly blindsided by this fact.
And I'll give you an example. In the world of identity security, we as a vendor and our partners will typically talk to audit, compliance, risk management, IT ops. We'll also talk at the C level to CSO, CIO, et cetera. It's a security conversation, and steering that security conversation into: yes, and we need to close those audit points, but how do we turn this into a business enabler? How do we recognize the revenue from this and how do we drive the business forward from a maturity model? Okay.
But when it comes to RPA, it's not the same people investing. Okay.
The people investing in RPA tend to be line of business. There's an example I can pick on of a supply chain management who invested in RPA and advocated the success of their RPA investment, which had huge return on investment, but they hung their hat on the success of that program by creating the robotic identities in HR. I ask you: how many entities in your HR system were born yesterday?
How many of them are less than five years old? Would you care if they are that young and they've been provisioned into accounts payable? Would you care if they have sort codes and account numbers in your payroll system? Would you care? The root of all evils in process is avoiding the process.
And so often the drive for automation tends to overtake the need for compliance. And that's a gap that needs to close.
Another thing I'll highlight about the non-human identity side is, when we talk about governance and things like separation of duties, it's very easy to overlook ownership, a fundamental cornerstone of governance. My owner from a governance perspective would typically be my manager. If I am taking part in a role that's for accounts payable and Paul's taking part in a role for accounts receivable, that's fine, because we can't print and sign checks for the company as one individual. There's a toxic combination there for a reason. Fine, compliant.
If I've got a bot doing accounts payable, and I've got bots doing accounts receivable, I mean, it's the same separation of duty, is it not? Unless I'm the bot developer, both bots.
Now, what do we do is the owner?
The application owner is the owner. The manager of the department is the owner. The developer of the bot is the owner, the application owner for the bot platform, the layers of orchestration that disrupt typical identity governance models that are based on the concept of a human resource existing in human resources and a non-human resource managed as a non-human resource. This is an emerging area. Now as an identity vendor, it's not so much an emerging area for us because we see it everywhere.
But what we're seeing everywhere is our customers realizing this is a thing and moving to do something about it. And that line of sale into "Hey, look, Mr. Line of Business, please adopt this RPA solution", and then governance and risk guys finding out about it after the fact, is a result of silos. In the world of identity-centric security, there are a lot of silos taking place.
We're all familiar with cultural silos: operations, marketing, support, contracts, legal, et cetera, and so on. All of these teams, all of these departments exist in their own cultural silos, cultures typically driven by leadership. A company will have a very distinct culture that's driven from the leadership level. Departments and teams are no different in that regard, and they have their own cultures. When it comes to security, there are silos here as well. Piece of research: 25 different systems to manage access rights. A specific function, managing access rights, but there's 25 different systems. Is there one team looking after these 25 systems? Are there 25 different teams? Is it one individual?
Typically there will be one individual who multiple applications sit on the shoulders of. Some of you might be on this call today; my condolences. But ask yourself, how many systems have you got managing access rights?
We all know it's more than one. Do we want it to be more than one? Does it need to be a consolidated system? Now I mentioned at the start that I'm a strategist. And one of the most important cases of any strategy is to be informed. Here at One Identity, we are informed by our customers. We're very pleased to be informed by analysts such as Paul.
And we're very pleased to be informed by our partners. Collecting that information, acting on that information is very important to our success, which is why for a long time now our strategy has been to consolidate these silos in identity access management. We've been a leader for some time. So in governance we've been a leader for some time in identity access management. We recently acquired OneLogin. We're leaders in the access management space.
We have been leaders in privileged access management for some time now as well.
And we also stand out in Active Directory management security. These are siloed areas in the identity security space. It's been that way for a long time. And so we've been working hard as a vendor with our customers and partners to consolidate these silos under a single vendor. That's who we are at One Identity. We have these security silos consolidated because for us identity is the centerpiece of security. And when you start combining these silos, it's very enabling. And with the time I have left, I wanna give you some insights into why that's so enabling.
We've unified these silos into a single identity security platform, okay. That looks like this. And I won't bore you with a sales pitch, but it's worth being aware. We exist.
Hello, One Identity. We are the only unified identity security platform in existence.
We cover these areas in identity governance, access management, privileged access management, and Active Directory.
Typically, when I show a slide to an audience, I ask the question: where do you start? In the world of identity governance, in the world of privileged access management, in the world of access management and the world of Active Directory, anywhere you touch in identity security, the question "where do you start" can become a hard question to answer very quickly.
And typically our customers won't say one of these boxes. Typically they would say all three on the left: governance, access management, privileged access management. Starting with all three of those, 'cause increasingly customers are going to tender for governance requiring PAM as well. Customers are going to tender for PAM with governance requirements as well. And single sign-on, MFA is fundamental to all of it. And so those three boxes stand together.
Why am I leaving out Active Directory?
'Cause increasingly on-premise Active Directory is a legacy system, and more and more we're seeing customers want to move away from on-prem directory, but being forced to stay with it for the time being 'cause too much relies on it. So it's something we recognize we need to live with. Not necessarily what we want. We want to move to Azure AD, or we want to move to the cloud in some other shape or form. On-premise Active Directory is becoming more legacy.
And so that in and of itself is often a place to start, but nevertheless, it belongs as part of this platform because it has a place still in the identity fabric that we live in. Recognizing time, a few quick bullets for why this is valuable. Well, vendor consolidation is very, very valuable. Having those deeper integrations, being pre-integrated, not having to own so much code in house is highly beneficial and takes a lot of load off of our customers, lowering that cost of ownership as a result, in terms of operational risk and also the team consolidation.
I've spoken about silos, consolidating security silos. It's not just about technology. Those teams being able to consolidate, shortening the list of skills needed, shortening the number of vendor skills to have, is in and of itself lowering a cost of ownership as well, and helping with recruitment, staff attrition. So often one of the biggest pain points for leadership is: where do I find skills in the organization today who aren't asking horrific amounts of salary? By consolidating these skill sets, we can get smarter and more strategic about how we actually build, feed and water our own teams.
And then of course, by having that streamlined approach to how this single platform is supported going forward, and being able to support that both in house and with that single vendor, that one throat to choke, if you will, all of these result in maturity benefits. Paul mentioned earlier about that digital economy, capitalizing on that digital economy.
There's a fragmented state out there. Some of you may be living in that fragmented state. Some of this will have resonated with you, and there are siloed tools and multiple attack surfaces as a result. Getting to a basic state,
and I'll pick a very quick example: I've seen customers, particularly with complex environments in SAP, would have, in one example, an in-house platform that does nothing but provision users into SAP, and then a separate vendor platform that does nothing but do the separation of duty calculations. Two different tools, one application. Thousands of cloud applications: how do you scale that? You can get tactical there; you can consolidate those for starters.
And that's just for one provisioning, separation of duty governance use case for one application, but there's already benefits there, low-hanging fruit. And then moving forward into a unified state and having that visibility cross-domain, cross-silo: when there's no more gaps between the silos, you have that cross-silo visibility. It's very, very empowering and allows you to remove friction as a result. That then starts enabling the business in terms of getting smarter about orchestrating your identities through the cloud, getting smarter about integrating your wider ecosystem, because identity security is only one piece of the puzzle, security across the board is only one piece of the business, and getting smarter about being able to scale.
And by being able to scale easily, further enabling digital transformation, resulting in improved productivity and decreasing time to access, as an example of very easily increasing user experience and making it better. And that enablement is continuous. This isn't a fire-and-forget thing. This is something that continues to enable. So with that, that's what we do at One Identity. Very pleased to be here with Paul today. And with that, thank you very much. Paul, I'll hand back over to you.
Before we kick off into, we have a little Q and a session.
I'll just give you the results of those polls that I did earlier. And the first one: what type of cyber attacks were people worried about? And no surprise, 50% were worried about ransomware, 33% worried about data theft by phishing attacks. And then no one was worried about denial of service. Interesting. 17% were worried about insider attack, and no one was worried about a SQL injection.
So sorry, I'm having a little bit of difficulty here with the tool, just trying to get the other poll results up.
How many different cloud providers do we have? 10% only have one. Again, results are not that surprising. 50% use the big three, AWS, Azure and GCP, and nothing else, 10% more than three but not including those, and 30% more than three. So pretty much in line with what we were saying in both our presentations. So thanks for replying to that. So we do have some questions, Alan, for you.
And I don't know, we didn't speak that much about DevOps, but obviously people listening will have DevOps on their mind. And so someone, so how do you, how do you handle DevOps secrets, I guess they mean presumably through your solution, but in general.
Yeah. Great question. So when it comes to DevOps, DevOps is a little bit of different kettle of fish.
A lot of our customers wonder about when we are doing privileged access management use cases and we're talking about developers and in some cases, automation as well, how do we wrap mature processes around not just the change management process of the CI/CD pipeline, but also how do we get a handle on these secrets that are floating around? And so it's not a one size fits all and I'm, I'm sure if there were any developers on the call, if we had a visible audience, I'm sure there'd be a lot of nodding heads.
When I say that, you know, if you go to one company and you take part in their DevOps pipeline, go to another company and take part in their DevOps pipeline, they'll be completely different, completely different.
It's not a one size fits all. And it's very, very dynamic. What we call a high ephemeral rate. The rate at which the change is, is, is like measured in, you know, hundreds, sometimes thousands a second in some cases. So we have two approaches.
One approach is from an enablement approach perspective where we actually have a broker which will bridge the gap between PAM and DevOps. A PAM secret and a DevOps secret are different things. A PAM secret I might give to a human being for, I dunno, two hours. It takes me time to type in what I want to type in, move my mouse, click on things. I'm only human, right? Problem exists between user and keyboard. We all have that phrase, but when it comes to DevOps, that's not the case in the time it takes for a piece of code to do.
What I've just been fumbling around doing is, is, you know, many cases less than a second.
And then that secret already needs to be generated and available. So having a broker that can plug into PAM, what you are already using, was something that our customers drove us to. And then separately in the market, we were also driven to build our own secrets vaults within our PAM solution so that our customers can choose so that they can align.
Okay, we've got these DevOps applications, part of this pipeline where we want to actually plug these tools in, but then we also need another vault, more closely tied to PAM to facilitate other use cases. We take both approaches and sometimes in parallel.
Fantastic. Thanks for that detailed answer. Related to that, I guess, is the second question, which is, can you automate privileged tasks such as change requests from IT service management? I think I know the answer, but I'll let you give the answer anyway.
I mean, it'd be awful if I said no, wouldn't it? Yeah.
So it's, it's interesting. So we're, we are seeing that, we're seeing that question come up more and more. Actually a lot of customers have their change management processes tied into an ITSM platform. One more prolific than others. And we are very, very often seeing the use case of, I need it plugged into that process. I don't need a separate process. I need that one process. I need to be able to within that one process. So we've very often seen the use case where a ticket might be generated.
And as part of that change request, for argument's sake, a command needs to be run on a particular asset. And so what we've done is we've partnered with several RPA vendors. We've partnered with Blue Prism, Automation Anywhere, UiPath to build out use cases such as, Hey, look, if we know the task that needs to be performed, let's have the task automatically performed because we don't need a user to do it. If we know enough about the task and then that can be entirely driven from whichever workflow engine you, you choose because single platforms delivering that use case. So yeah.
Interesting that that question came up.
Yeah. And you're right.
I mean, we, we hear also on our side as analysts and advisors, people increasingly talking about the automation and also particularly from service management type things. So the next question is, again, it's related to privileged access. Can you log and record privileged sessions with playback indexed by keystrokes, file and clipboard transfer events? So yeah. Recording session management is, is, is hugely important. So what's the answer?
Absolutely.
Yes it's it's I would, I would suggest that everything listed there is really a basic function of project management, but I would, I would go further and say that, you know, there, there are, there are areas where you can actually get a lot more out of your session technology, for example, continuous or continuous authentication. Okay. So we use machine learning for what we call behavioral biometrics within sessions.
And because we are a session proxy, we're quite unique in that our session technology has more in common with a deep packet inspection firewall than it does with a piece of software and appliance that literally just filters the packets through as a proxy. It allows us to do some very powerful stuff like block commands in transit rather than once it's reached the target. But part of that is to use machine learning to understand key typing patterns, mouse gestures, and so on.
So that we build up a biometrically behavioral profile so that if I sit down and I log into a session and I literally stand up and walk away and I allow Paul to sit down at my mouse and keyboard, we can tell that Alan is no longer at the mouse and keyboard without the webcam and take reactive remediated measures, whatever they may be. It's a very, very powerful piece of technology we call behavioral biometrics.
Excellent. Yeah.
And again, that's something that, as things become more complicated, we need within our access management systems.
I'd add before the, before. There's sorry, Paul. I'd add before the next question, you know, we touched on automation, touched on RPA bit of food for thought for the audience. And I won't, I won't give the answer.
I'll, I'll let you, I'll let you all sleep on this. But if we look at a behavioral biometric profile of, and Paul and we see the squiggly, I wonder what the line looks like for an automated identity and non-human artificial identity.
Would it
Be straight line
That is, I'll have to think about that. So hopefully our listeners are as well. So tell us a bit about the implementation environments. Can your solution work on premises in the cloud, physical or virtual environments?
Again, kind of know the answer, but
Yeah. So our, so our strategy going forward with our unified security platform is to provide SaaS functionality. We provide identity governance, we provide AD management, we provide privileged access management as SaaS. We also provide the platform as a hybrid model because some customers will want an on-premise mix with cloud. There are the minority of organizations out there that are fully cloud enabled. The majority are hybrid and there's still quite a few who are still predominantly on-premise. We cater to all three.
We invest in all three and all those delivery models. We don't have distinct businesses where we go, okay, well, we're going to do SaaS with this. And then we're going to do on-prem with that. For everything we do as a vendor, we provide on-prem, hybrid and SaaS as well.
Yeah.
And, and, and finally also, cuz PAM, it's, it's not unheard of that organizations are still using very primitive methods to access, to manage privileged access, but they're still maybe a little bit afraid of jumping right in with a full end-to-end solution with everything, all the bells and whistles. So is it possible to start with a sort of a basic PAM so that you perhaps just have password management and a little bit of session management and then build up?
Absolutely.
When I said earlier, you know, these three boxes on the left, you start with all three, like genuinely a big bang approach is madness. Okay. And I appreciate as a vendor, it's very, it is very easy for me to sit here and say, no, take the whole thing, but real world, that doesn't work. You need to start somewhere. But when you, when you start somewhere, it needs to have a strategy around it. Okay. If you are doing a privileged access management use case around something simple like, Hey, look, I just wanna wrap around these privileged users, my PCI DSS, highly regulated environment.
I need to know who has the root password for this account at any given time. And I need to be able to prove that the normal is zero fine. They need to all have Han you all need to fail, able to prove it fine.
But part of that is that you also need to be able to govern that. You also need to be able to prove the separation of duty piece. So although you might be like starting the project by deploying PAM, you need to be aware that, well, once I've done that use case, I might actually need to layer governance around that to tick the compliance box before I then implement the next PAM use case.
So it's not about deploying everything in one go, it's about everything having a place in your strategy. That's the point. But to answer the question more directly, yes. You can start anywhere cuz no one organization is the same as the other.
Okay. Well that's actually all the questions that we have.
You can, of course, as I said, after this, after we finished today, you can download the, the slide deck. I think there was a couple of links in there for people to get some further information. And of course you can contact us or contact Alan or One Identity for further information. With that, I think I've done everything. I think I've done the polls.
Not, I don't think I did the polls quite as I was supposed to, but I'll get, I'll get told off later by webinar people, but we did at least get the results. So just leave you to say thank you so much, Alan, for your presentation and thank you all of you for listening today. And with that, I'll say goodbye.
Thank you, Paul. Thank you. Overall overall.