Hello, and welcome to my presentation about identity as the key to zero trust maturity. I'm really happy to welcome you to my keynote. When we step into the topic, let's look at the current state of identity today. In the last couple of decades, disruptive technologies such as cloud, mobile, social, et cetera, as well as a move to highly personalized products and services, have transformed the dynamics of the digital world. This digital disruption has marked a new era for us in both our personal and professional lives.
We live in a world where our daily lives are surrounded by applications and completely immersed in the digital experience that these applications deliver. And our brains are constantly rationalizing and evaluating every experience for consistency or inconsistency. Identity is the new perimeter. When asked in 2021 to rank core zero trust requirements, the number one priority was people for one third of all organizations, followed by devices and data. Leading companies are adopting strong authentication across resources for employees, customers, partners, contractors,
and of course our suppliers, while moving from typical network-based infrastructures to more individualized, device-based access decisions.
At the same time, we live in a new digital world that is rife with cyber attacks being targeted at users like employees, consumers, partners, and contractors, and constantly we see front page news telling us about user-targeted attacks through tactics like phishing, ransomware, credential stuffing and more.
And yeah, a little side note. Of course, I know there's an elephant in the room right now, but back to the presentation. But how many of you have seen these kinds of articles? What happens to your perception of the company? I still know there is this kind of elephant in the room at Okta right now; trust is really challenging, and you can build and invest years to build trust, and only a moment to lose it. Large complex systems are difficult to hack, but was it fairly easy to hack in comparison?
And it comes as no surprise today.
89% of all web application attacks are caused by credential abuse. Credential-based attacks occur when attackers steal credentials to gain access, bypass an organization's security measures and steal critical data. The most common form is phishing. And this is not limited to any particular segment, nor is this a scale issue for companies, as every individual from employees to customers to partners is a potential target for cyber attacks. And as we know, people are the weakest link because of human error. How many of you have received a phishing email or text, for example, that you thought was real?
And I think we see some of that kind of phishing attempt due to the crime going on in these times as well.
So what is the typical business goal to implement a zero trust model? And the business goal is quite simple. You want to ensure that the right people have the right level of access to the right resources in the right context, and that this is assessed continuously, as my previous speaker said before. You have to combine all these kinds of things, from users, devices, access to networks, on through to the data.
For example, with identity as your company's new perimeter, identity access management becomes a central control point across users, devices, data and networks. In fact, Gartner recently singled out identity-first security as one of the top security and risk trends this year, since this provides visibility and control over which users have access to what resources and minimizes risks such as compromised credentials or incorrect provisioning or authentication. But of course there are challenges.
The challenge today for security leaders or CIOs is always the evolving complexity; never before have company infrastructures changed so fast, and business requirements are changing all the time. Nowadays the business almost introduces the applications; IT is almost seen just as an enabler. So security leaders we talk to are struggling to keep up with the rapidly evolving landscape.
Meanwhile, their role is evolving to go beyond the department of "no", to help ensure the business is agile and can embrace new technologies quickly. They are tasked with doing all this with sparse security resources; I think all of us know that we have a lack of security staff and IT staff. So prioritization becomes pretty critical. And the big question, or the huge question, is where to start. The vision to get there is pretty simple.
Yeah, like mentioned in other talks, or when you're looking for such kinds of frameworks, you would like to ensure that the users are authenticated and the devices are secure.
You need to broker access to all needed resources, the right access for the right amount of time, with any technology, automated at scale, without friction. So in observing how zero trust and IT prioritization have shifted over the last year, it's clear that the pandemic moved zero trust up for organizations, and many teams were allocated more budget to get there globally.
About 90% say they are working on zero trust initiatives or plan to start them within the next 12 or 18 months. In our mind, everything starts when we look at this simplified journey with access, authentication and authorization, but how to use and combine them wisely? When we look into these characteristics, how can authentication as a starting point be done? Let's take a brief look at the exact ingredients of this recipe for success. The user with his digital identity needs a device. So we need contextual data about the users and devices, and ideally beyond.
So in Okta's world, when we speak about authentication and authorization, we think that you should be authenticated with something you know, like your password and security question or something that is in your mind; something you have, like your one-time token, your security key, or probably a special device; and something you are. So how to combine a security question, for example, with typical functions like we see every day within your smartphones, when we use things like Face ID, for example. So why not in this new world?
And when we speak about new access controls and multi-factor authentication, why not combine these kinds of authentication based on assurance levels? So when we use these things you know, you have, or you are, of course we can implement adaptive access controls for the networks or data you want to provide to the users, based on the assurance level.
A very simplified way would be: if a user would like to enter, for example, a holiday or vacation request, you can say, okay, he could do it from any device, from any location, but we want to ensure that he uses, for example, his own smartphone to connect to his Workday account. So of course a memorized secret like a password and a two-factor token would be enough to get authenticated. But when you think forward and you ask how to give access to intellectual property or to production network environments, or how to grant access for very sensitive areas.
Many organizations invested a lot in device security, for example, to have a very strong endpoint EDR implemented; they hardened endpoints; they implemented data loss prevention controls for these applications. So you are also able, within adaptive access controls, at the highest assurance level for example, to combine it and say, okay, it has to be authenticated from the company device, combined with biometric signals,
and of course, for example, a second factor like a push authentication.
And I still know that in the old world, and in the modern world of contextual awareness, it's pretty difficult to implement these within your identity infrastructures. So for this, we implemented the zero trust reference architecture, how Okta sees the world and would like to support their customers to step into the maturity game of zero trust networks. So how does Okta use these signals to make decisions? This is done at the application level through policies.
Our modern policy framework allows organizations to model security outcomes for access to resources based on industry-accepted, identity-based practices. This framework is extensive and can grow and adapt with your security needs. We have made administering complex scenarios easy by balancing usability to improve the user experience.
Our goal should be to work together to develop a single control plane to manage risk-based access for everyone to everything they need access to. As described before, at the heart of this control plane should be a risk engine that takes different signals to help determine if access should be granted easily, regardless of whether it's passwordless, or stepped up to MFA, or even whether you should deny access. With this model, we combine identity and contextual information for authorization and give a centralized access approach to all of the resources companies use today.
It doesn't matter whether it is on-prem, through API levels, or in the cloud, for existing applications.
So as organizations work to implement a zero trust architecture built around identity-driven security practices, we find they roughly follow four primary stages of maturity.
Of course, the first one is fragmented identity. Those security leaders are at different stages of what they see as a journey. Some are at stage zero with a really fragmented identity: lots of passwords everywhere, maybe no cloud integrations, or just some cloud integrations, or several cloud integrations with several multi-factor applications and Active Directory on premises.
For example, within the next stage, unified identity access management, some are at stage one with some unified identity access management approach supporting employees, contractors, and partners, maybe even rolling out modern multi-factor authentication, like two-factor authentication from Okta. A lot of companies are somewhere between these stages when they really start to think about their maturity curve and want to start moving towards stage two and stage three. Stage two is really when we start bringing in contextual awareness, as I expressed and tried to describe
in this very short keynote before. Contextual access gives you more opportunities to grant access based on your assurance level. What information do we need to know about the user and the device to make smart access decisions, and where do we get that information, all those signals, from? Everybody thinks about provisioning employees, or contractors, or partners.
How are we going to automate that onboarding process to keep everything up to date while that employee or contractor or partner is with the organization? But in this stage, we also need to think about deprovisioning, that whole life cycle management.
I think everybody of you is familiar with the typical user journey: onboarding, moving, moving challenges, and offboarding processes, and how to disable, for example, those kinds of users in your infrastructure when they leave or have left the company. And then last, but certainly not least, we have vital services and APIs, and how we are going to secure those endpoints.
As we move through this maturity curve, as part of this last stage, we really get into risk-based analysis and continuous and adaptive authentication. We are thinking about zero trust capabilities across managed and unmanaged devices.
Where are you on this journey? Like I said, a lot of our customers find themselves somewhere around stage one, but really want to move through to stage three. They have projects that are part of zero trust initiatives, but don't really know how to get there efficiently or how to break it down. And I think this maturity curve helps you to think about the different stages. Everybody wants to have passwordless access. I want my end users to have that frictionless experience, but that's at the end of this maturity curve,
and there are a lot of pieces that we need to think about to get to that state.
So Okta provides a comprehensive solution and single unified framework for IT access management and APIs. The same services are available for all IAM use cases. Okta is vendor agnostic and gives organizations the freedom to choose which services and vendors they like to use, with the confidence that Okta will support them and does not have an application agenda of its own. Okta uses a cloud-first architecture. Okta develops the capabilities organizations need to manage the transition into a cloud-first infrastructure. Enterprises that want to move beyond initial SaaS deployments and into broad cloud application adoption require a solution to help adopt, deploy, secure, and manage these kinds of services. Okta provides a complete turnkey solution that addresses the needs of IT, users, developers, and business leaders across the organization.
So I hope that this gives you some input about how Okta thinks and why identity is the key to a good and strong zero trust maturity. Thank you.
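The adaptive, assurance-level based access policy the keynote describes (a vacation request allowed from the user's own enrolled smartphone with a password and a push factor, intellectual property only from a managed company device with a biometric plus a second factor, and a step-up rather than a flat deny when the session falls short), as an added worked example in Python. This is not Okta's policy framework and not code from the talk; the resource names, the three-level assurance scale, the factor sets and the sample contexts are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance level reached by the factors presented (constructed scale)."""
    NONE = 0
    LOW = 1      # one factor category only, e.g. password alone
    MEDIUM = 2   # two categories, e.g. password + push
    HIGH = 3     # two or more categories including a biometric ("something you are")


# Factor names mapped onto the three categories the keynote names (assumed names).
KNOWLEDGE = {"password", "security_question"}   # something you know
POSSESSION = {"otp", "push", "security_key"}    # something you have
INHERENCE = {"biometric"}                       # something you are


@dataclass(frozen=True)
class AuthContext:
    user: str
    factors: frozenset        # factors already verified in this session
    device_managed: bool      # company device with EDR / hardening applied
    device_enrolled: bool     # device registered to this user, e.g. own smartphone


@dataclass(frozen=True)
class Policy:
    required: Assurance
    require_enrolled_device: bool = False
    require_managed_device: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str              # "allow", "step_up" or "deny"
    reason: str
    missing: tuple = ()       # factor categories still needed for a step-up


# Hypothetical resource names and their policies, constructed for the example.
POLICIES = {
    "workday.vacation_request": Policy(Assurance.MEDIUM, require_enrolled_device=True),
    "vcs.intellectual_property": Policy(Assurance.HIGH, require_managed_device=True),
    "prod.network": Policy(Assurance.HIGH, require_managed_device=True),
}


def factor_categories(factors):
    """Collapse concrete factors into the know / have / are categories."""
    cats = set()
    if factors & KNOWLEDGE:
        cats.add("know")
    if factors & POSSESSION:
        cats.add("have")
    if factors & INHERENCE:
        cats.add("are")
    return cats


def assurance_level(factors):
    cats = factor_categories(factors)
    if not cats:
        return Assurance.NONE
    if len(cats) == 1:
        return Assurance.LOW
    return Assurance.HIGH if "are" in cats else Assurance.MEDIUM


def missing_categories(factors, required):
    """Smallest set of extra categories that would lift the session to `required`."""
    cats = set(factor_categories(factors))
    missing = []
    if required >= Assurance.HIGH and "are" not in cats:
        missing.append("are")
        cats.add("are")
    if required >= Assurance.MEDIUM and len(cats) < 2:
        # Any second category works; ask for possession unless it is already present.
        missing.append("have" if "have" not in cats else "know")
    return tuple(missing)


def evaluate(resource, ctx):
    """Decide allow / step_up / deny for one access attempt (default deny)."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Decision("deny", "no policy defined for resource")
    # Device requirements cannot be satisfied by more factors, so they deny outright.
    if policy.require_managed_device and not ctx.device_managed:
        return Decision("deny", "managed company device required")
    if policy.require_enrolled_device and not ctx.device_enrolled:
        return Decision("deny", "device must be enrolled to the user")
    level = assurance_level(ctx.factors)
    if level >= policy.required:
        return Decision("allow", f"{level.name} meets required {policy.required.name}")
    # Short of the bar but on an acceptable device: step up instead of blocking.
    return Decision("step_up", f"{level.name} below required {policy.required.name}",
                    missing_categories(ctx.factors, policy.required))


if __name__ == "__main__":
    # Constructed sample sessions for the two scenarios in the keynote.
    phone = AuthContext("alice", frozenset({"password", "push"}), device_managed=False, device_enrolled=True)
    laptop = AuthContext("alice", frozenset({"password", "push"}), device_managed=True, device_enrolled=True)
    for res, ctx in [("workday.vacation_request", phone), ("vcs.intellectual_property", phone),
                     ("vcs.intellectual_property", laptop)]:
        print(res, evaluate(res, ctx))
```

The point of separating `missing_categories` from the allow/deny check is that the engine can tell the client exactly which category to prompt for, so a password-only session on a managed laptop is raised to a biometric rather than rejected.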
Great.
Thank you, Marcos. Great presentation. An important thing you mentioned is the context. And this goes hand in hand with what Alexei talked about in his presentation. So the device, location, the network, the application are for sure relevant, and Okta is considering this, as far as I understood, very specifically to achieve a stage two or three level of maturity in zero trust. So a very great presentation. Thank you. And for sure we have questions from the audience. The first question is: you claim that biometric authentication is very secure. Has this ever been proven?
The one who asked the question states: I'm sure that many biometric properties can easily be stolen at public places and reused later. Only from my own experience I can say, depending on your smartphone and, let's call it, face identification or whatever, some of the older ones also work with a picture. What do you answer to such a question, Marcus?
Yeah, no, it's a great question. And of course even biometrics isn't the true answer to everything.
And so I would like to mention, for example, if you've seen it in the news, I don't remember the name of this minister, but he said, okay, paying with the fingerprint is safe. And the Chaos Computer Club in Germany offered his fingerprint as a printout, and everybody is now able to use his fingerprint to authenticate. And I know that you can, for example, with good cameras, make shots of your finger and you can print this fingerprint. You can use this fingerprint to unlock a device,
But don't show it.
Yes, yes. And this is what Okta mentioned. Okta doesn't say biometrics is secure at all, but we would like to combine the access. And this means it's not just the biometric identifier. So of course you can combine it, for example, with a specific device, the device and location, the device and the network and location. And in addition, you use this kind of biometric identification, and of course spoofing could work. But I think when you compare it to the security state today, we provide a very simplified way to combine these kinds of adaptive access controls,
and of course it makes it very hard for attackers to bypass this kind of authentication.
That's the answer to the question. Thank you again, Marcus.
A very, very long one.
So the next session will also be with Marcos, so you can stay in the call for sure. We will have a short interview. And when we prepared this interview, we had a very interesting discussion about zero trust, and that it is something like existing technology combined with existing processes and new methodologies, something I already mentioned in my intro.
And again, to our audience, feel free to ask us any question, for sure zero trust related; use the chat, use the tab on the website. We are really live, and I can ask the question to Marcos and we can discuss this here live. So I'm really happy, Marcos, again for having you here for a short interview. And the first question is again regarding the zero trust reference architecture. So we heard about zero trust in the previous speaker's talk, so the one from Alexei SA, and now in yours you talked about the Okta zero trust reference architecture.
Why do you focus so much on the identity?
Yeah, I think, or we think, when you look into the IT security frameworks and architectures in the past, very often the perimeter was your firewall and probably your email gateway. And especially with the era of Industry 4.0 and the era of more and more cloud applications, we have seen this within the pandemic, when most of the employees started to work from home and dialed in with their VPN from their home networks.
We have seen that kind of heavy traffic or traffic jam on the broadband connections of these companies. And so most companies stated things like, oh, when you are in video conferences, please disable the VPN and have the phone session there. And this demonstrates in a very simplified way that when you now look for the most fitting centralized point where to start within your security architecture, most companies mention that the people or the employees are the new perimeter, and of course, connected to the people are their digital identities.
And when you look for the most fitting simplified approach, the digital identity is the thing you need to have access, to start working, to collaborate, to authenticate others. So this is the reason that Okta focuses so much on identities and tries to provide the best-in-class solution for this.
Great answer.
And especially, I mean, we all realized what happened two to three, is it three years, two years ago, when everybody started to work from home and all the gateways, the VPN services, broke down; even the Microsoft architecture was a little bit overwhelmed by all the people using social collaboration tools or platforms. And then definitely you have to use something like the identity to gain access to non-company network areas or paths to get access to the system, sort of cloud-based stuff. Anything else does not really make sense. The next question would be: in zero trust models there is the maxim,
and I also stated it, never trust, always verify. So what dimensions of trust actually exist in the world of zero trust, or what is something that I can trust? So we talked again about application, network, device and so on. Can I trust this device? Can I trust your device? Or can I trust a statement of authentication from a maybe federated IdP?
Yes.
Let's split that question. So of course, when I think about, for example, dimensions of trust, and especially when we speak about them in terms of contextual access controls, of course we like to combine these dimensions of trust, as it feels like we don't have just this kind of user trust, and we can't trust the user at any time. And probably even the mindset shift of the user.
So in the modern world, of course, we need to have location trust, device trust, and of course time trust. So I think especially today it's pretty important, when you have granted any kind of access, how long should the access be established within the connection?
So especially, are you able to close a connection when you know that this user is no longer trustworthy? And today, when you speak, for example, about cloud-to-cloud authentications, you are not the owner of the infrastructure.
So you need to have APIs for this, to close this kind of security gap.
So in terms of the dimensions of trust, it is of course, as mentioned I think a couple of times today, user, location, device and time. And when you speak about identity federation services, that is also pretty challenging, because you no longer have the one solution within your infrastructure. It's not your Active Directory or your LDAP in your infrastructure.
You have, for example, other Active Directories you need to work with. And of course, sometimes you need a kind of federation provider or an identity management provider who acts as the glue between these kinds of services, especially when your existing identity architecture does not fit, for example, a specific cloud platform.
And I think this is a really interesting point. So I had an advisory project where we had exactly such a discussion, but this is more on the level of what is the level of trust for a certain identified or authenticated identity. But it goes hand in hand: can I trust a federated identity provider on a certain level with its statement about this identity? Is this a real person or not a real person?
And this is something coming back to zero trust, which I can then take under consideration to see whether this is potentially a risky access, and the context is not working, so at the end I decline the access or do not allow it. And this is basically what you said, for sure, that it is very much something like policy based. You have a combination of multiple pieces of information about the user, about the identity, device, network and so on, and then decide with something like a risk-based approach
whether I accept it or not, or maybe not accept an access from a non-company-owned device to internal confidential data, for instance.
But I would like to add, besides denying things: of course we have a lot of misuse and attack attempts, but in most cases what hinders the business is when you are allowed to have access in real life, but you can't get access to the application due to, for example, a too-fast-to-travel policy that was implemented.
Yeah, you dropped off your VPN and you re-authenticated within your infrastructure, and it said, oh no, you moved multiple kilometers within seconds; it isn't allowed. So I think today the most important thing is to maintain the user experience and keep it high, to have access in an easy way. And then when you see risk signals, like too fast to travel, just dynamically enhance the access approach.
Like, for example, you start access from your home computer or from your company computer and you disable the VPN and you now have a second approach to a service provider; why not enhance the authentication process with a second factor, like a multi-factor push notification on your mobile device? The business needs to stay alive, I think, is also one of the most important things.
Exactly.
So blocking everything could not be the solution, only if it's really a very critical access attempt or something like that. In all other cases, step-up authentication or adaptive authentication or whatever makes absolute sense. So modern infrastructures are connected more and more to operational IT; in the field of IoT the devices talk to each other. So where are the users here?
Yeah. This is one of the very hard questions.
So of course, when you speak about operational IT and the pure IoT world, where the device is connected to another device, this is probably a model where we think about certificate-based authentication, for example. But in the modern world, when you think about what do I need to do to combine a device with a specific or special service, let's name one example of this. You are a customer of an energy provider and you got your smart meter, and you would like to combine your personal app with your real existing hardware device.
And of course in this case you need access to ERP or CRM resources within the company. And would you like to grant access for all of these devices to all of your resources everywhere, across all of them, authenticated through certificates?
Or would you like to have the approach where you combine it with the user, because the user, let's say, owns the session. So the user says, yeah, I'm the owner of the contract; I scan, for example, the QR code of the device.
And at this time, this device is connected within the CRM system of the company and is allowed to have access to the backend resources, for example. And of course within operational IT we see more and more; another nice example would be the Fitbit industry. User devices today often talk from device to device, but very often they are even controlled by identities and digital identities. And I think the user, or the digital identity, is always somebody who will authenticate devices in the future.
Absolutely.
And that's a really good point, and it gives me a good handover to the last question, because for instance, if you buy something like a smart voice assistant from a bookstore on the internet, maybe you heard about it, if you turn it on the first time you're already authenticated; they know who you are. They did something like scanning the QR code or the device ID and connected it already to you as a customer of theirs. And I was really impressed the first time, I don't know when it was, 2015 or 14, so really early, but it was a huge surprise. And that's my question.
Zero trust is commonly discussed more in the business-to-business context. Do you know any other good examples of zero trust in the business-to-consumer world? So B2C?
Yeah, I like your example from the bookstore, because I was a bit surprised the first time when they asked me whether it is allowed to store the wifi password on their infrastructure. And of course I always said no, but when you have to support a multitude of environments within your family, and your grandma and your mother-in-law, et cetera, of course you are closer to enabling the button, for example. And when we think about good examples of zero trust in the business-to-consumer world, I often see, for example, e-tickets.
Yeah, you buy an e-ticket. And so you get access to an external, for example, railway transportation service or a concert. And you have just your NFT token, for example, to authenticate that you are authorized. And when I see that kind of business-to-customer scenario, I think, especially in the future, I do not like that bookstore app's upload-password approach.
It would be easier when we have that kind of zero trust reference architecture, where I just tell the vendor of the equipment I purchased, for example, the television.
And when I come home, you need to integrate your television into your home network. And why not, in the future, when you proved the purchase with your personal identification and you have your personal zero trust network, of course this ID is connected right now to your personal identity. So why do you need to grant access for your wifi? Or should you just grant access by a check mark in your app and say, yeah, this device is allowed into this wifi in my personal environment.
And yes, I see very nice examples of zero trust in the business-to-consumer world. And I think a lot more will come, especially, I think, in healthcare and of course in consumer electronics.
Perfect. So it's time for a last statement, Marcos; already 20 minutes of our interview have gone. It's incredibly fast. Maybe some words about what to do first or next if you want to start your journey with zero trust.
Yeah.
I would like to follow the guideline from Alexei, yeah; he demonstrated in a very nice way, from identity to data. I think identity is a very, very nice approach. And please have a look for the most unified solution in the market that supports you to have that kind of one approach to implement that kind of adaptive access controls for your employees and customers. And I think here Okta is on a pretty good journey, and we are looking forward to, yeah, our audience or your audience double checking this with our company.
Perfect. Then again, thank you very much, Marcos.
It was a pleasure having you as an interview partner. It was a great presentation. Thank you very much and have a good day.
Thank you. Bye.