Welcome to this KuppingerCole webinar, "Remote Work and IAM: A Unique Opportunity for Security Leaders". This webinar is supported by LastPass by LogMeIn. The speakers for today: my name is Matthias, I'm Director of Practice IAM, and to explain it at least once, it's identity and access management, and I'm doing that for KuppingerCole Analysts. I will be joined later by Barry McMahan.
He is Senior Manager for IAM at LogMeIn, and I'm looking forward to that. Before we start, a very, very quick look at some of the upcoming events and a look at the housekeeping, but that will, I promise, be very quick.
We are currently executing very successfully our KCLive events, and there are three already planned and upcoming. And I would really like to recommend that you consider joining them. It's high-level content, and it's really true that these are world-class speakers. It's an online-only event and you can join and register for free.
Next thing that will be up is Future of Digital Identity. So we are talking about decentralized identity, about self-sovereign identity, and as you can see, Privileged Access Management and Enterprise Identity Success will be the next two events. So really recommended. I will be there as well. So join us there. That would be great. So that's it for the short commercial break here, and if we continue to the housekeeping, and as I promised, this was really very quick: audio control.
First of all, this GoToWebinar is organized so that we are muting the participants all centrally, and we are doing that.
Yeah, we are controlling these features, so there's no need to mute or unmute yourself. This webinar is recorded and the podcast will be made available short term usually tomorrow or the day after. And we will also provide the slide decks for download. So you don't have to take notes. We will have PDF versions of the slide deck there as well.
When you go again to the landing page of this webinar, that will change and have the video and the slides on it. Very important: questions and answers. There will be a Q&A session at the end of this webinar. So you can at any time enter your questions, and I really encourage you to do so, so that we have this question and answer session packed with your questions and that Barry and I can provide the answers to your questions.
And that is really a recommendation that you do that whenever you come across, something that you think is worth asking me or Barry in the final section, and that leads us to the agenda.
You see, we have three items here. First of all, me starting out with the business benefits of identity and access management between flexibility, increased service, improved compliance, and cyber defense, which lays a bit the ground. And then Barry will join us. And he will list five drivers where IAM can support the business needs to benefit. And that's important both the business and the security team.
So also to find the balance here, and I'm looking very much forward to how to engage the senior decision makers best and speak in the language they understand. So he's more from the service provider vendor point of view. I'm from the Analyst point of view, we are both trying to convince organizations to do the right thing and how to make them do that. That's what he will be talking about. Third part questions and answers. And we want to look at having that at 20, 20, 20 minutes. So I'll try to speed up and show you my content right now.
So that in, at the 20 minutes after the hour, Barry can then join it. Now, at least that's the plan.
So we start, as the title of this webinar already indicated, with the remote work as the sudden challenge: how to provide access while maintaining security. And that is really a challenge. And if you think back to day one of the lockdown, of the work-from-home scenario, that was really a challenge. And what needs to be managed? We need to manage these five types of information.
We have users that need to be identified and authenticated when they work from home. They have devices, maybe their own, because they had no chance to take their business device back to their home, or they don't have a portable one. So there are the challenges with bring your own device there as well. When you are working from home or working from anywhere, there is a network in between that you are not necessarily able to control, unless it is your corporate one, think VPN. We need to manage and control the applications and the systems that we want to access.
And at the core is data that needs to be protected and governed in the right way. So these are the five items that many organizations were, yeah, challenged to deal with in that situation. And very quickly, and I don't read that all out: the challenges were really about fast onboarding when having to move to a different solution. Many organizations had the challenge to move to an alternative version of it because they were not capable of really providing sustainable infrastructure to everybody.
So there needed to be maybe a fast onboarding process onto a new system, and many, just as an example, of course chose something like Office 365 and Teams just to communicate. That requires trustworthy identification. Is this really the Matthias that he claims to be? Strong authentication, important aspect. I just touch this very quickly, much better than username and password password is really where you should aim at.
And then if you go through this very quickly, you need to have the necessary rights for every employee at any time in all these systems, because what does not go away is the requirement for compliance. Of course, and Barry will talk about that as well, enabling as much self-service and automation as possible, or to put it the other way around, first automation wherever possible, and self-service then. Full support for all required systems, or provide an alternative there.
Nevertheless, as I mentioned, transparency and insight into what users are doing and which authorizations they're using, what they're doing with them, documentation, compliance evidence, and of course the necessary level of security across all systems. And that was true also for this day one, the reality before often that were modern digital companies already before.
But nevertheless, there is the saying that COVID did more for digitalization than any management initiative before. In reality, for many organizations, there was still an on-premises employee identity and access management, very limited, very, very focused on, yeah, the employee, the partner, maybe the freelancers. Many organizations used VPNs.
And I think many of you can tell great stories about how good that worked out or when trying to dial in the first day or the first week via the VPN into the corporate network. Many organizations had just the beginning cloud strategy.
Maybe they were not yet ready, willing to move towards the cloud. Of course, no adequate scalability. There have already maybe been some existing compliance and governance challenges. And this work from home adding to this, they had traditional perimeter security and believed and trusted in that, whether that was true way back then as well. So really firewalls and everything that you need here. Many processes and systems required presence to really be there. And of course, traditional business models.
So that were the challenges that there were that many organizations including us, although we were rather digital, I believe, and I'm quite sure that they were thrown into the situation to deal with that.
And if we go back to the slide before, this is the point where identity and access management comes into play. So if both Barry and I have IAM in our job description, that must be important. It needs to be. So IAM is the necessary security infrastructure here. So here it is. And what can it do? What should it do? Where is it right in that equation?
First of all, of course, identities for users are managed, authenticated and much more. Devices might be registered via their device ID and they are related to identities. So an identity and access management might know what my iPhone looks like and what its ID is, and that I can use this as a second factor, for example. The network we skip because identity and access management in that situation is not of real help, in brackets could be for authentication and for, for encryption here without you need identities as well, but we skip it for now.
We have access controls within the applications to make sure that every authenticated identity from the right device can access the right systems and can access the right data. So that is where identity and access management came into play on day one, whether it was the traditional on-prem one, or whether additional solutions had to be created, or whether the organization already was ready and up and running with an IAM from the cloud or hybrid. So that was the starting point with the, yeah, with the crisis, really imposing some, some business challenges here.
If we take a step back, what happened before? What happened in the meantime and what happens right now, of course, identities have developed over time. So identity and access management is nothing new. This is something that really started out with the traditional user management users within systems, mainly accounts per system. Then identity management really came into place.
So one identity with many accounts, provisioning workflows, but mainly focused on employee identities. Next step was federated identities.
Organizations wanted to trust identities provided by others by third parties, but other trust organizations with business partners and to give them access on their systems without having to maintain their identities. That was the next step. So identity federation, of course, with standard protocols, you know them: OAuth, OpenID Connect, SAML, whatever you want.
Next step, very big thing a few years ago, and still consumer identity management. So spotlight on the consumer and customer. So moving consumer identities away from proprietary CRM, so offices to some central consumer identity management, and today this has changed more or less completely. We have lots of types of identities, public shared universal identities, decentralized identities. We have identities for devices and you use your ID wherever you need it. And ID and access management systems need to be capable of all of this that we see right now here.
So if we look at these identities, this in turn means, for a digital organization, for an organization doing digital business, new challenges. And these challenges are just right here. So now that we are still in lockdown, more or less, and now that these digital business models have come into play, we have lots of mores here. So we have more users, partners, externals, customers, consumers, but also systems, devices, sensors, IoT devices, whatever you can think of. So these identities need to be managed adequately. We all access more services.
We extend our IT, we use cloud services. We use as-a-service platforms, from Office 365 to wherever you want to go. We have more data.
Of course, if we do more digital business, we have more data. It's still the employee data, but it's also context data, customer data, intellectual property. This is something that we store within our business process and, and process them there.
So this is really important. We have financial data and that might be critical. That might be data that is really to be protected because it does not be, it is not allowed to publish that before a certain point in time. On the other hand, we have shared data, product flyers information for everybody and the end.
So business means more responsibilities. Of course, also more opportunities. That's true, but we need to maintain security and trust. We need to maintain, for example, principle of least privilege segregation of duties, governance, and everything that is required here.
So, and much more it's meant literally it's much, much more that we need to have a look at. So that is the, the digital business view. So if you turn around by 180 degrees, we look at the expectations of the consumer, the identity that they are using, and also very quickly.
So I just show it all at once. This is really the combination of all of this and more. So the consumer really wants to use the identity they want to use, whenever they decide which one. So if I think of me, myself, as I mentioned, I'm using an Apple ID. I have a Google ID.
I don't use too much my Facebook ID, but of course I use my KuppingerCole ID for different purposes. So I want to have control about my identity. I use them on different types of devices while requiring and requesting privacy and security here. I want to pay with that. So I want to pay with Google, Apple, whatever you have. So it's not only about access. It's about secure, seamless, controlled payment at commerce.
Of course, when we want to onboard a system, when we want to onboard into, yeah, a service, that needs to be seamless and it should be really straightforward, it's no cumbersome registration and know your customers or really these checks. I think all of you hate these large forms that organizations think you should fill in before joining their service. I usually then just quit. And finally, an aspect that's really gaining importance here is this work-life convergence: an identity needs to be, or has to work, borderless.
So whether for work purposes or for life purposes, I think that is a development that we need to take care of in the future, even more. And maybe all this is just bring your own identity.
We at KuppingerCole think of all this within a picture that has been shown in some of our presentations already. And I just want to show it to get this bigger picture. We think of all this as one identity fabric. So some interwoven infrastructure that provides standardized shared services for shared identities. So to the left, we have three examples of all these identities.
And more that I mentioned before. To the right, we have the services that we want to access, and they might be in legacy systems or on-premises data centers. They might be federated somewhere, maybe run by the managed service provider or at a partner's site, the partner's cloud, at the partner's data center. And they might be hybrid, cloud native, whatever they might be. The idea is that the consumer to the upper left has access to the legacy system because there is a payment system running on that legacy infrastructure and they need to have access to go there.
And the same is true for the employee having to have access to all of the right, including the cloud infrastructure, while using the adequate identity as described before. So they come from the left and they use the processes and the ways of authenticating and identifying themselves. And they of course then access these systems in the appropriate, adequate manner.
And what we need to have in the middle is an IAM that is capable of providing identification, access management, access governance, all the types of administration and insight course going on, and also managing the consent. So your agreement to process and use this data. So that is the very quick picture of all this identity fabric, a set of services that ties this all together via APIs, provides the glue as an identity and access management. And that leads me to my final slide.
And that is the slide where I then afterwards will want to hand over to Barry.
So this is the slide where IAM really plays out its strengths. So I look at the slide as the moment where I put the ball on the penalty point on the soccer field. So we need to have IAM for these four really important purposes. First of all, administrative efficiency. That was maybe the most important thing on day one of this stay-at-home era. So workflows, automation, self-service.
Second, we need to make sure that all that happens is well managed, well controlled. All identities are, in an ideal world, uniformly administered on all systems in this hybrid reality of this, analyst speak, digital transformation. We need to make sure that all this happens with the adequate level of security and trust.
So we need to secure identities. We need to make sure that the identities are secured. We understand them what they are. We have to make sure that access and authorizations are well managed, trusted identification very quickly, again, strong authentication.
And finally, all of this needs to be well documented. There needs to be evidence, there needs to be information: who has access to what, who should have access, and how is this access used? And that's the reason for this big red button to the left. This is something that you must have when an auditor comes around and says, hey, what has Matthias been doing? What are his access rights across all systems? Can you really provide evidence that he does not violate the principle of least privilege, that he does not violate segregation of duties requirements?
And that's the point where I would like to hand over to Barry McMahan and he will take over here, but I want to remind you of this Q and a session, questions and answers you have now 20 more minutes. And of course also through, during the Q and a session to add your questions about really moving towards a more modern and more scalable approach towards identity and access management and how to convince your management there. So add your questions please, so that we can start with a huge list of good questions from your side after Barry has taken over.
And now I'm quiet and hand over to Barry. Barry, are you there?
Thanks.
Yes, I'm here. So, yeah, as the slide says, my name is Barry. I'm a senior manager at IAM, identity and access management, at LastPass, which is one of the products that logs.
And, you know, a lot of the stuff that Matthias has already covered will knit very well with what I'm gonna show you. So what I'm gonna share is some more of the customer slash client based conversations, concerns, challenges that I hear back from sales and my own client engagements. And what I will say is, is that all of this material is based off a particular report that we've published earlier on in the year. So please reach out to me, look me up on LinkedIn, reach out to me with any questions, queries, or if you want a copy of the report with, with all these details.
And it goes into a lot more detail than I'm gonna go into.
And as said, please get your questions in. A good, robust, healthy Q&A session is always the best part of these things. So I'm gonna kick off my piece with perception. So this fits very well with what Matt said earlier in terms of how central IAM is, but what about the perception of the team that's doing the work, the security leaders as I call them? When, how, and do they get brought into the business initiatives?
Well, the report that I mentioned earlier shows that almost 60% of new business initiatives start without security being involved at all. And that's, that's really down to perception, right? Perception is reality. As a slide says, it can be very hard to change someone's perception. You need the opportunity to change the perception, which can be impossible if they won't engage with you, or as we all know, they may have a particular stereotype of you in mind.
So take security.
For example, when people consider security, they think of it in the broadest sense of the word, and depending on where they stand, like these two gentlemen here they'll have different perceptions on whether security is a good thing or a bad thing. Fortunately, security leaders find it hard to shake off the tag of being blockers. If you like, even when security blocks activities for all of the right reasons, it can have a negative impact on the perception of security. In addition to this people don't always see the value security can bring. Maybe it's not always obvious.
And sometimes they don't see the value because they engage them too late. And security are considered the bad guys, if you like, cuz they need the project to go back a few steps or maybe change direction totally. So perception is a strong area for consideration, and perception is a strong area for consideration not only within the business, but also in the corporate world too.
And the perception the market has of you will often determine how successful your business will be. Now, separate, but also very heavily linked to perception, is trust. In the digital economy, trust is vital.
You know, this is something that Matthias linked to and mentioned earlier on. You know, for us at LastPass, trust is something that we take very, very seriously. People and organizations globally trust us and our offerings, and LogMeIn offerings, to keep their data safe and secure. But it's much more than that. They expect that we will be responsible, that we'll be honest, we'll be transparent and that we act with integrity and so on. And as LogMeIn is a 100% SaaS-based business, trust in our products is vital for our growth and success. And so why is trust so important for our business?
Well, as you can see, there are many elements that go into gaining trust and they can take some time to acquire if at all, once acquired or gained trust needs to be maintained and nurtured to keep the perception of your business aligned with market expectations.
And so from a corporate perspective on a senior business level, trust is very, very high on the agenda. With trust. You can gain a loyal customer base in turn, building a strong brand in turn, adding to your customer base in turn building a strong brand.
So trust is very, very important for any organization addressing their target market. If they can gain the target market's trust, then they can be very successful. Trust is about making people feel a certain way. And people feel very, very, very strongly about how their data's handled. To do business in the digital economy, you need people to share data such as addresses, names, date of birth, credit card details, et cetera. And without it, you don't have a business. In 2018, there was a global survey done of 10,000 consumers and it found that 70% of them stated they would stop doing business with an organization if it experienced a data breach.
So data breach equals your consumer base, potentially thinking well, that's gonna impact my trust and therefore impact loyalty and impact the brand. The business really cares about this.
And all we have to do is look at one of the best known breaches that there's still fallout from today. And that's Equifax. A CSO Online article recently reported that two years after the data breach, the company had said it spent, and this is mind-boggling, 1.4 billion on cleanup costs, including incremental costs to transform the technology, the infrastructure, and improve the applications and data security, a lot again of what Matthias showed earlier on. In 2019, sorry, in June 2019, Moody's then downgraded the company's financial rating, in part because of the massive amounts of need to spend on InfoSec in the years to come.
So even though they're trying to do the right thing, now, they're still feeling that the effects of that breach again, I'm sure many of you in this webinar will be very familiar with the Verizon data breach investigations report, the IBM cost of data breach report.
Even some of the reports that we produce on an annual basis, like the Global State of the Password reports, and all of these have a very common theme.
Poor access management practice is the source of many data breaches. Verizon globally and regularly mention in their reports that poor credential management and weak credentials are a source for 80% of all data breaches. And so the reality is, if you don't take access management seriously, you're running a serious risk of being breached. For example, in our recent global survey called Psychology of Passwords, globally, 53% of people don't change their passwords after a breach. In Germany, that's a huge 66% that don't change their password after a breach.
And so with this in mind, I always ask the question, are hackers really hacking? And in my view, no, they're simply logging in with your credentials, especially when the psychology of password research that I mentioned earlier found that 64% of people in the UK and in Germany reused their passwords for fear of forgetting them. And so why do people do this?
Well, this is gonna build on something that Matthias touched on earlier on where you mentioned the work life converging.
And so what, one of the things I've experienced from talking to departments, but also talking to security leaders is that there's a huge tension between productivity and security. So in the productivity camp, the different departments you might have in there would be HR, developers, engineering, sales, marketing, and so on. And on the security side, obviously you have the security team and everyone is doing what they do for all of the right reasons.
You are, you have security trying to de-risk the, the risk profile, sorry, trying to protect the business and manage the risk profile of the business. But on the flip side of that, then you have, you have the product, the, the other departments on the productivity side, trying to do as much as they can to get their job done. And so we see a lot more of that now, given COVID right, many people are downloading free applications to help them do their jobs and do it quicker back to the applications and data that Matthias mentioned. But are they doing it in a safe manner?
Are they taking all the right precautions? Well, maybe not.
So a little bit of sport. I'm not a Liverpool supporter. So I'm gonna put that out there right now. I'm sure there may be some on this call and I might get some comments for saying I'm not a Liverpool supporter, but this is an important slide for me. And it always gets a bit of a laugh, right? So last night Liverpool were crowned Premier League champions.
Last year, they were crowned European champions, but one other accolade that Liverpool have, or maybe their supporters have, is that last year in the UK, the National Cyber Security Centre produced a report, and they found that over 280,000 breached accounts had Liverpool as their password. Like, that's phenomenal.
And so, you know, this, this doesn't really matter if it's Liverpool, it just highlights the fact that people will create credentials and passwords based on something that they care about, something that they can relate to and something that's easy to know.
And so you can profile. Hackers continuously do this. They profile people to find out what they care about, to find out about their pets, to find out about their sporting team. And that's how they make easy, easy breaches. All right. And so how does this transfer then into the business?
Well, the business is looking at a certain amount of priorities. And so, you know, here we see 12 security priorities for European businesses. And what we find is that managing users and identities highlighted there by the red arrow ranks in at number two. So this is very positive, right? It's a priority. And so there's investment your type first. I'm gonna leave that slide for now, but I will come back to that slide in, in, in a couple of minutes.
And so here we go, I get into the five drivers to support the business needs.
So Matthias did a very good job upfront of setting out why identity and access management is so important to the business and how it fits in what we found. And as I mentioned at the very start of my piece, what, what we continuously find is that security leaders have a, have a difficult time translating the value of all of that technical elements into a language that the business can understand. And so therefore they're challenged in terms of investment, but they're also challenged in terms of perception. And then the business thinks that they're not delivering on the business needs.
And so what we've done here in our report is, what we try to align is the business challenges, the security challenges, and actually find the common theme and find the solution to that common theme.
And so I'll start off with going through the first three drivers, and then I'm gonna go into driver number four and five in a little more detail. So in driver one, we see user experience is the, is the key driver, right? And so I'm sure everybody on this call and webinar knows that we shouldn't underestimate this. It's something that everybody cites, but it's very, very hard to get, right?
And so the business focus for this, if we look at some of the priorities that I showed a moment ago, you know, should be security, culture and awareness, managing users, access entities, making it easy for people to log in, making it easy experience for people to want to log in. But the challenge on the security side is that that means more access points, again, due to COVID and mobility even before COVID hit.
So, and then in addition, trying to balance the old and the new, balancing remote working and security, being less connected with the end users. The end users aren't sitting in the office anymore.
So the solution here is to reduce friction, reduce security, in inverted commas, getting in the way. So meet people where they are in terms of technology, such as authentication or mobile devices, can have a very positive impact on user experience. And culture and awareness is very high, and it's high because we look back at the tension that I showed earlier on between security and productivity.
People can sometimes perceive security to be a blocker. So traditional approaches to identity are a point of friction for users. And that's why that all needs to change. On-prem solutions, for the most part, are a source of friction, given the proliferation of SaaS solutions and SaaS applications. So this means cloud-based identity solutions become a key enabler to simplify access for users. Security needs to win the hearts and minds. They need to engage at the top the top.
So they need to engage at the top down approach and also the bottom up approach to put security on the agenda at the top, but also be more engaged with the teams on the ground.
Look at driver number two, managing identity at digital scale to enable digital transformation. One of the things that COVID has, has really shown us over the space of overnight, if you like, or over a couple of days, is that, you know, the security perimeter and where people are accessing business resources from has literally shifted, shifted globally.
And so the solution here is to provide a consistent approach to access and authentication, to reduce the exposure to internal, external threats. So the likes of MFA for authentication, SSO across all compatible apps and password management for what SSO can't cover. So for where security is involved, then they can add that stamp of credibility or seal of approval if you like. So this also helps address the driver in the previous slide about user experience, you know, as was the case pre COVID 19 workforce mobility was on the rise.
And again, consistent, see at scale adds here and adds huge value. You know, post COVID, whenever post COVID will come, we're gonna be living in this hybrid world where many people are not gonna go back to the office, or some of them will go back to the office part-time. And so you need to have a solution that will allow the organization to be as flexible as possible. We look down at driver number three, propagating compliance without sacrificing usability. And so looking at the bar chart earlier, compliance ranked in at number four, but security is challenged, right? Security.
Isn't challenged to maintain the norm or adopt what adds credibility to the business, but they can't focus on everything. So what they need to consider is where does compliance fit? Do they need to deliver it in house? Can they leverage a vendor, or can they leverage a vendor's offering to support their compliance and audit needs?
So leverage and so compliance, ISO compliance and other regulatory requirements such as C5 in Germany adds value and is more cost effective in terms of people and time investment. And it also provides, sorry, improves brand reputation.
And it's something that the business can champion through their service provider offerings. It's important to note here that there are organizations out there that specialize in a lot of these things. And so therefore trying to build your own industry within the business can actually be a very, very difficult and not a very worthwhile activity. So now I'm gonna look at identity driver.
Number four, every business is looking for efficiencies, and with security, we have people who we want working smarter, not harder, and we want them to stop doing the low value tasks or at least take them away from them. So the security challenge is disparate solutions that are not fit for purpose solutions, and that results in low value tasks that need manual support, which leads to challenges in talent retention.
And so here, I'm showing you that what are, what our report detailed in terms of improved staff retention.
These are the benefits that, that people are reporting following adopting a unified security platform and so improved staff retention. I don't need to tell you guys how important and how difficult it is to try and retain staff in the, in the security sector. Reducing operating cost is always a big, a big driver.
And then the adoption of low value and sorry, the automation of low value and repetitive tasks is, is something where then people it's not about taking headcount outta the team, but it's actually about refocusing them people on adding value to other tasks across the business, and then identity driver number five. So this is where the security team is seen as a true, a true value driver. Know this is full alignment between the business and security teams. We see at the core seamless identity and access management experiences.
We see in the context, we see contextually aware authentication solutions that know where people are, such as geofencing, IP address ranges, et cetera, for authentication purposes. And then we see consistency in terms of applying consistent approaches to both internal and external users to reduce the threat exposure. So you can really see where all of the other four drivers come together to make this final driver, managing enterprise risk through trusted identity, a real core part of the business.
And so then I go back to the slide I showed earlier, right?
Looking back in this slide, we see managing identities is in at number two, but actually going through the five drivers in a bit more detail, what we find is, is that it actually encompasses nearly all of these priorities, some to a greater degree, some to a lesser degree, but certainly a strong identity and access management capability within your business does influence all of these priorities that, that have been found to be resonating with European organizations. So this is always a question, right?
Whenever anybody's looking to invest in a platform or anybody's looking to do digital transformation, one of the big questions you can ask is what's the return on investment, right? And so we've looked at this through cost optimization, all right, through unified security approach. And what we found was that there, there are efficiencies to be made, but it's not about taking,
as I said earlier on, headcount out of the business, it's actually about getting the headcount focused on the strategic things.
Recall that I mentioned that across Europe, 60% of business initiatives don't have security involvement at the start, but this is where you can refocus these days that you can claw back from having a uniform security approach. So I'm sure a lot of people will say, that's quite staggering. If you had to employ a security person within your team, I'm sure that would add up to, to quite the cost outlay to cover them number of days. So that's something that you can reinvest into your business.
And so what does a unified security platform look like? Well, some of you may be one of the 25 million people globally that use LastPass personally, or work in one of the 70,000 organizations worldwide that use LastPass as a business solution.
LastPass Enterprise, as you can see on the screen there, is a password manager and SSO solution in one, because we believe that SSO is vital to the business, but it only covers part of the password challenge. And a password manager covers the rest.
So our SSO solution is fully self-service, no professional services required for setup or in life, and all deployment instructions are on a website for over the 1200 plus apps that you can integrate. You also get a dedicated customer success manager to, to help you get up and running and, and ingrain it within your business. Authentication, as we know, is, is, is really, really important. So we have LastPass MFA, which can be purchased as a standalone or part of a bundle.
It's a biometric based MFA with policy controls in the background, such as geofencing login, approved IP address range approved day for access and approved times for access, for example.
And then as I mentioned, the bundle, when you bundle it all together, you get LastPass Identity. So that's the password manager, SSO and MFA all in one with over 110 plus policies in the background that you can use to get the right solution in for your business. And so that just leaves me with a couple of key takeaways.
So, you know, key takeaway one is build influence, position identity as an enabler for digital transformation and the new normal. That's very important. It's, it's excellent to know the importance of IAM within the business, but it's also very important that you communicate that in a way that business leaders can understand, and you can do that very well through the five drivers there. You take a platform approach to identity, as I've just shown, you can deliver SSO and advanced authentication for SaaS applications and secure
the work from home person. Identity is really about securing the person and getting the person to behave in a certain way. And if you can do that, your business would become inherently more secure and reduce the risk profile of the business, and then use identity to optimize risk management.
You know, as, as we showed earlier, that's one of the top business benefits that European enterprises expect from security. The security teams should use identity as a means to drive business value and engage the board. And that just leaves me to say, thanks very much for your attention and listening to my part of the presentation. I hope there's plenty of questions.
As I said, please do feel free to reach out to me via the Q and a session or via LinkedIn or otherwise. I'm always happy to take any queries or questions that people may have.
So Matthias, I'll hand it back over to you.
Great. Thank you very much, Barry. That was really interesting. And I think there, yeah, well, the questions of course, I have also to, to insist to, to the audience that they add even more questions to the list of questions, because this is your chance to have your questions answered by Barry and or me. And so that's first of all.
Yeah, that, that, that's an interesting question. And, and I think that is also something that you are covering already. The question is that when, when 66% of, of people are not changing their password or using it is the world, from your opinion, from your point of view, and is this also reflected in your solution moving towards password password, less authentication?
Yeah, it's a good question. So, you know, with, with LastPass, right, that's something that we're moving more and more towards, right? So if you're using our enterprise solution, and I'll just speak from our perspective, right? Cause I think it's a good way of looking at it. So LastPass has been protecting corporate and consumer passwords for years, but we know that passwords are a source of friction. And so that's why we put a, a huge emphasis on SSO.
That's very easy to adopt because you know, there are SSO solutions that can be very heavy and, and, and a big resource requirement on an organization. Ours is very easy to adopt, very, very lightweight, but covers all the security angles. And so we're helping organizations remove passwords in that way. The other thing we have to our authentication, our MFA piece is that that's a passwordless MFA.
And so, you know, if you are, if you are looking to authenticate into, into whatever particular environment with a lot of authentication apps, you will have to type in the passwords. So that's another password for people to remember. So as we're evolving our product suite, we are trying to remove the passwords out outta people's minds, if you like. So we're trying to store them either remove them or, or make them a lot less. I think passwordless is where, where the world is going. Right. But passwordless has been talked about for quite some time.
And the death of the password has been talked about for even longer, and my own view, and a lot of analysts and a lot of other people will agree, is that the password is not really going anywhere, right? It's, it's, you can reduce the volume of passwords that you have, which is what you should do, or certainly the volume of passwords that people need to remember, which is what you should do, but passwords are not going away anywhere
anytime soon. They would still exist in one form or another. They may just be masked in a certain way or otherwise.
But what I would say is is that if you can, in your organization, you know, look at the password problem where you can remove them, put in SSO where you can't remove them or whatever applications won't go to SSO use enterprise password management, so that you can have a view of what passwords within your organization or the security score in your organization, which is, which is, which demonstrates the password hygiene and gives you visibility across your organization. And then last but not least overlay MFA capability on top of it.
So even if people are reusing passwords or have weak passwords or aren't demonstrating the right behavior, if there's access requests, they will need to authenticate that access request. So I guess in summary reduce the number of passwords that people have or need to remember, but also overlay your authentication purposes. Cause passwords are not going away anywhere anytime soon.
Right? I would fully agree.
I, I, I did, I did a, a panel moderation five years ago, which with the title, how do we kill the password? And we ended up with the, with the, with the resume that, that we really said, okay, we cannot kill it, but we will make it star.
Yep.
So that it really is less important. And especially in this work from home scenario, if I authenticated 20 times a day on the same machine in the same office and the same network, maybe there should be a simpler solution for re authentication. That could be something that's password less than
Good question is here.
And that really digs also a bit deeper into what you mentioned before, when it comes to, to yeah, making the management, the senior management, that is the people with the money, to, to, to convince them towards, towards moving towards such a solution, as for example, you provide, or just a much more mature IAM. The question reads, I just read out: how can you convey value of IAM products to higher-ups that is not as easy to produce hard financial metrics like ROI or for soft benefits. So it's really talking the right language to the, to the senior management, right?
Yeah.
This is a tricky one, right? And this is something that, as I said, that, that our report that we published is, is based on right.
What, what we were finding was, and maybe if I can just go back a little bit, right. We were finding was we were talking with clients and prospects, whatever else. And they love the idea of IAM at the core adding value, but adding, but the perception was them adding value from within the security team. So this will remove our dashboards or multiple dashboards solutions.
And one, this will integrations, all this kind, where they were challenge then was they got very excited about all that stuff. But when they tried to communicate that value to senior management, senior management didn't understand it. And the reason they didn't understand it was because they couldn't see the value in that. It was like, well, why, why would I get rid of your dashboards?
Or, you know, why do I want to change this? Why do I want to change that? And so what, what, what we've looked at through the five drivers here is to focus on what the business cares about and how identity and access management can add value in that way. So the business cares about brand, right? There's a long way to go between brand and trust and loyalty and identity and access management solution. And so what you need to do is you need to say, well, imagine if you want to grow your business into, let's say south America, you wanna grow your and expand your business into south America.
Fantastic. We can help you do that more securely with the solutions that IAM can provide and we can reduce the risk profile of the business. So you don't talk about identity, access management. You talk about the growth strategy of the business and how you can enable secure growth and extension of the business.
It may be that the organization let's say for arguments, sake, engineering or marketing, want to take on third parties, but they don't want to necessarily have them in and out of the business all the time and get them set up with different profiles.
Well, imagine being able to go to a department lead and say, I can actually simplify a lot of that for you. If we use an identity and access management solution, and maybe it's the, we, we build them a profile. We leave the profile on, but actually we revoke their multifactor authentication profile whenever they leave the business. And so that's a very easy thing to do, and then they can join the business again, or we can control what hours they're in. Most departments will go, that's fantastic. How do I get that? So you need to go to the departments.
You need to see how you can influence their user experience and the value, and then take that value back and use that value to communicate to the board on things that they care about.
So, as I said, compliance, user experience, all these different things. And one of the big things is awareness and education. That's a huge thing. Security can no longer just put something in place and then expect people to use it. People can go around it. That's not the way security works anymore. So it's about evangelizing the benefits of security.
So making sure that you keep it, the language business focused, that you've socialized what you want to do, or how, how you plan to do it with all the other department leads and understand the language from their perspective. And actually when you're pitching this then to the board and trying to get money, you're not actually talking about you're, you're not actually talking about security. You're talking about helping secure these departments, which is a very different conversation and they will, they will champion you as well, because they're going, yes, this is what we need.
This is what we need. This is what we need. Once you get that credibility. And once your back sitting at the table, then it's a very, it's a totally different conversation. Have people will see you as needing to be at that table all the time. So talk about business value, not about the technical element of things,
Right.
I, I fully agree because we, as analysts, are also often in the situation to, to, to help our customers more move towards the right situation. But talking to the right people in the right languages is really a challenge.
And, and in the question it was mentioned, you cannot use something like an ROI, what would be then an adequate metric, a key metric that would resonate with the board when it comes to yeah. Improving here. Is it something like onboarding time or migration time or yeah. Or is it just money earned money, improved services?
So, yeah, so, so all of, all of them are important. I think it also helps you. I think another key factor is talking about proactive security, right? Not reactive. So this is what these solutions will help us do and be proactive and protect us from this, that, and the other, like, you know, it it's demonstrating the value that security offers. I think I mentioned earlier security near nearly needs to operate and play in sight, but people need to not know that it's there.
And so, you know, the, the key like KPIs, you know, should be about, about security awareness, security training, the adoption of new security protocols with these new security platforms. What can you measure?
Like, so I'm gonna talk about LastPass here for a second, right? And this isn't trying to pitch it in any way, but I think it's a good example.
We have customers who, when we deploy LastPass Enterprise and LastPass Identity across their business, and they onboard their people, they get a security score, which is an aggregated benchmark from all global companies. And so they get a security score and they get ranked against that. So they may have a security score of 25, right.
Which means that maybe they don't have MFA enabled, maybe everybody's using the same passwords, maybe they're using weak passwords. And so what security can do to influence that is run a series of programs and educate people. And after a couple of weeks, you'll see the security score going up to maybe 50 or 60% that shows you just how much more secure your organization is versus before you started. That gives you, that is a key KPI for a lot of security people we work with because they can then turn around and go,
Our risk profile of being breached is a lot less because now we have a score of 60, which means this, this and this, and we're gonna influence that more to get up to 80. And that would mean that as Verizon and all these others say, we're now not gonna be a statistic of that 80% who have been breached due to poor credentials.
Okay, great. And I, and I fully agree that we need to have some metrics and if they are derived from well based if definitions, that is really something that you can communicate and when whenever an, an arrow is going in the right direction, that is up in that case. So improving security, that is something that can be quite easily communicated.
I think one of the things that, one of the things I'd also say with case is that, you know, the password is the elephant in the room, right?
Try not to look past that elephant solve the problem of the elephant first, and that will solve a big part of your problems. And then you can look beyond that. A lot of people acknowledge that there's a password problem and try loads of other ways to solve the loads of other things, solve your password problem first, and then see where that brings you.
Right. And fully agree. Then the first presentations that we did when COVID 19 had hit was really some recommendations to start protecting your working environment in that weird times.
And introducing multifactor authentication, finally, whenever possible was one of the key recommendations because you cannot get rid of the password, but yeah. Make it just less important because it's not enough. I think that is really something that we did as analysts as well. When we're talking about recommendations about this current situation, are there additional recommendations from your side when it comes to securing remote working environment and, and making sure that all these nice security guidelines are actually looked at and, and, and adhered to?
Yeah, I think, you know, one of the things I tried to get across in my presentation was that, you know, you know, I was always told as a child, good behavior starts at home. Right. I think good, good security behavior also starts at home, your work remotely.
You know, I think there's, there's such an overlap, as you mentioned in, in your piece as well, between the work environment and the home environment now, and the applications and the devices, you know, we deal with organizations who had to move everybody remotely, overnight, and there was no laptops. There was no mobile devices for them. They had to use all of their own stuff at home.
And so, you know, I think now is a prime time for organizations to, you know, when people are up and running and productive, I think now's the right time for them to go, okay, this is how this is the behavior we expect to see from a security perspective.
When you're managing and monitoring your credentials, you may have been keeping them on Post-it notes in the past. You may have been keeping them in a book, locked in your drawer at work, whatever else that you're not gonna get back to for the next six months. So this is how we're gonna do it.
So more organizations are adopting it from a, a clean slate approach. So deploying a password manager or LastPass Enterprise or, or, or other identity platforms and starting it from scratch. Others are driving greater adoption through more awareness through, you know, I've seen one organization using very, very funny videos to convey the benefit of, of good security and online hygiene, because let's be honest about it.
You know, people need to be secure online. You know, if it's at work, that's one thing. If it's in their personal life, that's, you know, it's equally as important people care more about their own personal information than they do about their corporate information.
And so trying to show them how easy it is for them to protect themselves, but also how easy it is for them to get hacked or have their credentials stolen is also very important as well. So awareness, given the distance that security teams are away from people.
Now, I think awareness is, is one thing I don't think you can ever over communicate, but I think communicate in a way that people can understand. I typically use the example of, you know, when, when I was at school, if somebody talked to me about applied physics, my eyes glazed over, like after that part of the conversation, I, I, it didn't matter what they said. I think for security professionals, I think when we start talking about cybersecurity, people's eyes also glaze over. So maybe let's change the narrative around that.
Maybe let's just talk about protecting yourself when you're logging in at home and businesses and corporate organizations will reap the benefit of that.
Great. Thank you. And unfortunately, we are running out of time because our audience was adding questions, which is great.
And we, there are still a few left, but we are at the end of our time. So thank you very much, Barry, for this, for your insight, for this great presentation, for the open answers to these questions that we had. If there are any further questions, I would like the audience to get in touch with, with Barry and or me whenever there are any questions. So if you can find me of course, on LinkedIn, or you can find us on LinkedIn on whatever platform you can can think of, send us a mail just via the contact info that is on the landing page of this webinar. Download the slide deck tomorrow.
And maybe you want to revisit the video as well. So from my side, thank you very much there. Any famous, last words, Barry, you want to add before we close down?
No. Just thanks everybody for the, the engagement. Yeah. Reach out to me with any questions or if you want copies of the report or connect with me on LinkedIn and Matthias. Thanks very much for very engaging webinar.
Thank you very much, Barry. And thanks to the audience for that time. And I'm looking forward to having you in one of our upcoming virtual events webinar, or the Casey life events.
Again, looking forward to that. Thanks again, Barry. Bye bye.