I'm the chief information security officer for LogMeIn, makers of LastPass. And like Martin said, we really want to start out right away with a poll. I think... do we get the poll? Here you go. So what is more important to your business? Is it the user experience for your end users? Is it the security that the identity systems provide, or is it more complicated?
And in this presentation, we want to walk you through some of the rationalization that we have been making about where the emphasis should be, where we want to go, and why data-driven analytics and metrics are so important in order to make this a successful kind of event. This is the first time LogMeIn is at the EIC. We're really happy to be here. It's my first EIC as well.
Although I've been in the community for many, many years, I'm glad to see a lot of new faces here and really excited to see how we can now really engage with LastPass and with our identity offerings in this environment. I don't know, do we have some results from the poll yet?
It takes a little bit of time. All right. So while we wait for those poll results, I do want to walk you a little bit down memory lane.
So, oh, here we go. Fantastic.
So, like we expected, it's complicated, and I'm really glad to see that the vast majority of people here share this kind of overall assessment: user experience is really important. And I agree with you, Martin, that that is one of the most important factors and one of the best innovations we've seen over the last years. Security is also still really important.
But at the same time, the balance between the two, making sure that you have a good security environment that is user-friendly and delightful for the end user to interact with, is a critical key, and how that can really be measured up against each other is something that we've been starting to look at.
So as I go through this presentation, let me first start out down memory lane a little bit: where did we start with access management? In the past, we had big systems. Passwords were invented at MIT in 1961.
The CTSS, the time-sharing system developed there, is credited with having developed the first password environment. Not too surprisingly, that was in 1961, 1962; we had the first password breach at CTSS, for the same reasons why we have password breaches today: financial gain, free access to computers. But overall, security was pretty good. We had everything under control. It was a high-friction environment, though. People didn't necessarily like this; they tried to get around it. Today, we're in a much better position.
Our user experience authenticating to our phones through biometric means, our ability to move around and have some form of blended access across the board, is something that makes it a lot easier, but security has not necessarily been benefiting from that.
What we feel is that in the future, by using good metrics and a good understanding of how users are actually interacting with the systems we provide them, we can almost deliver a frictionless environment.
We can use location-based data and other things for risk-based access decisions, and really improve the overall experience as well as the security across the board. So a quick thought about what metrics are and what kind of metrics we are looking at. I can't really manage anything as a CISO that I cannot measure. So what's important to me is that I need to define KPIs, key performance indicators. I need to define KRIs, key risk indicators, in order to really be able to understand how my users are actually interacting with the identity systems, or the security systems in general, that we have.
And in an ideal world, those KPIs and KRIs are actually fed by real metrics, metrics that I can get out of my systems that really tell me how the overall system is being used. In the case of user experience, that's not always easy. How do you measure user experience? How do you define a key performance indicator for user experience?
Generally, what we see is that user experience looks roughly like this. We have a really nicely designed path. We do understand how users want to use it, but since we don't really measure this up front or on an ongoing basis, what happens all too often is that the users figure out how to get around those kinds of systems. That's not really desirable. That is great user experience, but not necessarily greater security.
What we really want to do is improve on this through a better understanding of how systems are being used, how they can be optimized and how we can overall better understand where we are. For the user itself, it's really important to just get the job done. They don't really want to think about: do I need a dongle? Do I need a password? Do I need biometrics? They want to get the job done as much as possible.
So their main question is really: how hard can it be to create a system that ultimately provides a decent environment but also keeps things safe enough? They have to deal today with all kinds of systems and all kinds of things that have been making their life easier and also have been making it more secure. This includes all kinds of multi-factor authentication systems. We use passwords, we use dongles, keys, devices, we're now using biometrics in order to be able to truly... oops, here we go. That was the slide I was talking about. We use multi-factor tokens.
We use keys, devices, biometrics in order to ease this overall. But at the same time, we also still go back to the password. The reality is, as much as we would like to get rid of the password today, it is still there.
And that is an environment that still needs to be measured in meaningful ways. Measuring password security is not really easy, because most of the time it's a secret. It's a shared secret, but it's a secret that should not really be disclosed. So how do you measure password security?
You can implement policies on a system and you can enforce those, but at the same time, there are so many ways to beat those kinds of policy systems. If you look around often enough, passwords start with a capital letter, they end on an exclamation mark, and the second-to-last character is a number that goes up by one every single time you have to change the password.
Sorry, but it's just reality. So how can you really measure this? And how can you really get a little bit more clarity? What we've done with enterprise password management, what we really understand well from a LogMeIn and LastPass perspective, is to define a security score.
Security scores can really help us bring clarity to what kind of passwords, what kind of metrics can be applied in order to better understand how users are interacting with the systems and using passwords, both in those environments where we can enforce policies as well as in those environments where we cannot. So what we do is we look at duplicate passwords, we look at weak passwords. Are they long enough? Are they complex enough? We look at shared passwords.
So if you share a password, like a Netflix account with your family or a Twitter account with a marketing department, often enough these passwords are actually very weak because you do want to share this with other people, and having a strong password around that is obviously important as well.
The overall average strength of all the passwords a particular user has is critical in this. We do want to look at the vulnerable sites where users have been using passwords in the past and make them aware that something really needs to change.
And then finally, we do want to better understand how MFA tokens are being used across the board. How can you do this?
Those are a lot of different things that you really want to understand. Sometimes you can enforce them through password policies on the system, and sometimes you cannot. Sometimes you will always have a very hard time looking at duplicate passwords, because one shared secret with one system should not really be shared with another system. So the concept of enterprise password management in this environment then really goes back to making sure that you have a shared environment on the user device, very user-centric, that allows them to store their passwords and use very strong passwords, different ones at every site, but at the same time not share this with a company or with a provider like us.
What it does allow us to do is compute on those devices, on the mobile phone for the user, on the laptop for the user. It allows us to compute these kinds of factors into a security score across the board, and then ultimately make this visible through an admin dashboard to the end user. This is kind of cool, because at the end of the day, now, as a CISO, if I roll this out, I can see how many users are using this. How many users are using duplicate passwords?
How many users are using passwords that have been disclosed in the Adobe breach, in the LinkedIn breach, or what have you? And then I can really start to better understand what the overall password hygiene of my users actually looks like, not only in systems that implement SSO, not only in other approaches for identity, but also in all those legacy systems that we still have to deal with today, and will probably deal with for a long time.
So what that ultimately means is that, going back to our metrics, we can really focus on defining KPIs and KRIs based on actual data that is available. So for this environment, we have these security scores. We have an understanding of how many users are actively using the environment, so have a good user experience across the board.
And we can define a KRI like the risk of credential theft that will ultimately help you understand where you stand from a risk perspective and communicate that out to senior leadership, to your respective boards and to the stockholders at large. You can define KPIs that now really measure the overall user access posture across the board, based on your understanding of how your users are actually interacting with systems, both within the environment, within your federations, as well as on the outside, things that you did not have control over before.
And I think this kind of understanding, this in-depth ability to report on what your overall risk posture is with regards to the passwords or the access that you have across your environment, is critically important. For example, I'm in Europe, so I have to talk about GDPR, I guess. Article 32, as we all know, requires an adequate amount of technical and organizational measures. This really helps in that kind of environment.
If you can really go in and demonstrate to a regulator that you have done the right things around password management, that you are looking at the overall scores and are trying to influence them through security awareness training and other efforts to reach out to your users, it really helps you demonstrate your due diligence with regards to the overall security of the data that you're processing for your customers and end users.
So all of that is super interesting. All of that really helps, I think, our users and folks in general. But what this really comes down to now is: how do you engage with this? How do you really measure this across the board? It's good to know that your average password score is maybe 48 or maybe 64, but how do you really measure up against your peers, against your partners, competitors, whatever, on a worldwide basis, in your industry, in your sector? What we started doing in 2018 is to create the Global Password Security Report. This is a report that we compiled based on the 47,000 customers that we have on the enterprise side.
We aggregated all the information about how users have been using passwords in this environment. We looked at how this distributes across different industry sectors, different geographies, different sizes of companies, and published this in the report. This is going to be something that we want to do going forward on a yearly basis around Cybersecurity Awareness Month in October, to really help our customers, but also people in general, understand where we are from a password posture on a worldwide basis.
Some interesting reads: there are super interesting things that I did not necessarily expect. We found, for example, that smaller companies tend to have better password hygiene than larger companies. We also found that the geographic distribution, or even the industry sector, really doesn't matter that much.
The psychology about changing passwords or managing passwords seems to be really much more of a human thing versus an industry thing, despite regulations, despite all kinds of other enforcements across the board. So where does that leave us? We really understand now where we are. We understand how things are going. We look at the overall future landscape of where we want to be: security, productivity and user experience are really at the center of it.
Obviously we feel that enterprise password management is important, but we really also want to start now, also with the help of folks here in this room and at this conference, to look at the broader picture, and that does include privileged access management. It does include MFA. It does include SSO. And it does also obviously include enterprise password management. For us, this really results in a unique blend for the security process that you want to define for your company. Obviously the risk appetite can be very different across organizations. If you're a startup and you really want to innovate fast, you want to grow fast, you are willing to take a larger risk doing that. So doing this in a very conscious way, by understanding how access actually works for you, is very helpful because it puts clarity and transparency around how this environment ultimately works.
So what do we come up with with regards to recommendations? These are generally ideas that we really want to put at people's heart, and also then start to reach out to industry in order to go across. Know your IAM strategy and your business goals. Like I said, you really want to be able to understand and measure where you are from an identity posture, from a password hygiene posture, for example, and then really align this with your business goals.
If you're in a mature industry, a highly regulated industry, your risk appetite is likely a lot lower versus the prototypical startup that really goes in and wants to innovate fast and maybe is a little bit looser around the edges in order to support those kinds of goals. This may ultimately lead to refining your security program within your organization. Those kinds of decisions, if they are being made very consciously, can really help rationalize things and make it much more straightforward for your leadership, for your board, for your investors, to understand what's going on.
There is really no single solution across the board. You have to leverage partnerships. For us, this means reaching out to our partners in the industry with regards to multi-factor, single sign-on, with regards to how we want to deal with the different ways people access our environments or our customers' environments. And for a company, it really means building an overall IAM strategy that has all the necessary building blocks, whether it's PAM, SSO, multi-factor, et cetera, and also enterprise password management, in order to support your goals.
Finally, you really want to minimize the user experience impact of the security controls that you have, like we've shown on this little picture up front. If you design great security systems without people in mind, you end up in a situation where your users will always find ways around them. Measuring the ability or willingness of users to go around your controls, and then measuring the effectiveness of the controls and how you roll them out, is really helpful.
And that is where, again, we go in and say that key risk indicators and key performance indicators, driven by actual metrics across the board, are extremely helpful to drive this through. So with this, I kind of want to close on time. I just would like to encourage you to stop by at the LastPass booth. We're just outside. We do have a little game. You can crack our vault. You can try to get into that vault and win a prize.
Stop by, say hi, and we can walk you a little bit deeper through how the admin dashboards and the enterprise policy enforcement within the password manager work, and how that can ultimately help you across the board to drive better password hygiene in your environments. Thanks a lot.
So thank you very much. Got trust out of your is standard password, which is commonly used across the world. Okay. So this is actually this code. I think I'm not giving away too much. It's a very secure, important date in security history. Okay. That's the hint.
So if you have a good thing in mind, it's not May 25th, 1920. I thought it might be 1, 2, 3, 4, 5, as all the passwords are. You can try. Absolutely. Again.
Thank you, buddy. So thank you very much. Thanks a lot again. Thank you. And I.
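The security score the talk describes (duplicate, weak and shared passwords, average strength, breached sites and MFA usage, computed on the user's device and surfaced only in aggregate on an admin dashboard as a KPI and a KRI), as an added example that is not LastPass's code: the strength estimate, the weighting, the breached-site list and the two sample vaults are constructed assumptions.

```python
import hashlib
import math
import re
from dataclasses import dataclass

# Constructed placeholder: sites with a public breach disclosure (not real data).
BREACHED_SITES = {"example-breached.test"}

@dataclass
class Entry:
    site: str
    password: str
    shared: bool = False  # shared with family or a team
    mfa: bool = False     # MFA enabled for this site

def strength(pw: str) -> int:
    """Rough 0-100 strength: length times log2 of the character pool used."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    bits = len(pw) * math.log2({1: 26, 2: 52, 3: 62, 4: 94}.get(classes, 26))
    if re.fullmatch(r"[A-Z][a-z]+\d+!?", pw):  # the "Capital, digits, !" habit from the talk
        bits *= 0.5
    return min(100, int(bits))

def score_vault(entries: list) -> dict:
    """Per-user metrics computed on the device; only these numbers leave it."""
    n = len(entries)
    fps = [hashlib.sha256(e.password.encode()).hexdigest() for e in entries]  # never the secret
    strengths = [strength(e.password) for e in entries]
    dup = sum(fps.count(f) > 1 for f in fps)
    weak = sum(s < 50 for s in strengths)
    shared_weak = sum(e.shared and s < 50 for e, s in zip(entries, strengths))
    breached = sum(e.site in BREACHED_SITES for e in entries)
    mfa_rate = sum(e.mfa for e in entries) / n
    avg = sum(strengths) / n
    # Assumed weighting: penalties scale with the share of affected entries.
    raw = avg - 30 * dup / n - 20 * weak / n - 20 * shared_weak / n - 30 * breached / n + 20 * mfa_rate
    return {"entries": n, "duplicate": dup, "weak": weak, "shared_weak": shared_weak,
            "breached_sites": breached, "mfa_rate": mfa_rate, "avg_strength": avg,
            "score": max(0, min(100, round(raw)))}

def dashboard(reports: dict) -> dict:
    """Admin view: KPI (share of healthy users) and KRI (credential-theft exposure)."""
    users = len(reports)
    return {"users": users,
            "avg_score": sum(r["score"] for r in reports.values()) / users,
            "kpi_healthy_users": sum(r["score"] >= 70 for r in reports.values()) / users,
            "kri_credential_theft": sum(r["duplicate"] > 0 or r["breached_sites"] > 0 for r in reports.values()) / users}

# Constructed sample vaults for two users (hypothetical sites and secrets).
VAULT_A = [Entry("mail.example.test", "Summer2023!"), Entry("crm.example.test", "Summer2023!"),
           Entry("streaming.example.test", "netflix1", shared=True), Entry("bank.example.test", "xK9#pLm2$vQ7", mfa=True),
           Entry("example-breached.test", "correct horse battery staple")]
VAULT_B = [Entry("mail.example.test", "correct horse battery staple", mfa=True),
           Entry("bank.example.test", "xK9#pLm2$vQ7", mfa=True)]
```

Calling `dashboard({"alice": score_vault(VAULT_A), "bob": score_vault(VAULT_B)})` gives the rolled-up view; note that the per-user report contains counts and rates only, so the vault contents stay on the device as the talk describes.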