KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Well, good afternoon. Good morning, ladies and gentlemen, welcome to another co call webinar. And the topic for today is the seven keys to a successful privileged account management strategy. Bridging the gap between user enablement, enablement and business protection effectively. My name is Alexei Gansky. I am a senior Analyst Analyst Analyst Analyst at co call and joining me today is ma Haber, who is vice president of technology at beyond trust. So webinar today is supported by beyond trust. Before we begin just a few words about company call in case you do not know us yet.
We are an Analyst Analyst company specializing in all aspects of information security and identity management. We are based in, in Germany, but we have a global reach with a team of Analyst spending from United States, UK Europe, and towards Singapore and Australia. We do three types of activities. These are research services, advisory services and events, events, free events like this webinar today and the proper real world conferences. And the biggest of those is our European identity and cloud conference, which will take place next time in May, 2016 and Munich, Germany.
This will be our 10th EAC. So you are very welcome. So there'll be a lot of usually interesting agenda topics to attend. And of course there will be a lot of celebration. It's been our 10th anniversary before we begin a few guide guidelines for the webinar. You are all muted centrally, so you don't have to worry about that feature. We are recording the webinar and we will make the podcast recording available on our website tomorrow. And of course we will notify each register attendee with the link to that recording.
We will have a Q and a session at the end of the webinar, but please submit your questions. As soon as you, if you come up with 'em using the questions tool in the go to webinar control panel. So traditionally we have our agenda split on three parts.
First, I will introduce the concept of, or reiterate the concept of privileged account management. Try to explain why privileged accounts are the primary target for techers nowadays and introduce a holistic approach to developing PA strategy.
Next, I will hand over to more Haber and he will talk about best practices and the top seven PA capabilities. And of course provide, you can create tips on how to begin the current management project and how to progress and what to expect at the end. And as I mentioned at the end, we will have the Q and a session.
So without further ado, let me show you the traditional diagram, which we begin almost every equipping core webinar with this is a notorious computing to the three of biggest it trends, which shape, which define our digital society in nowadays, this being cloud computing, mobile computing and social computing, because of this three mighty horses driving us into our digital future. We now have a lot of data, a lot of corporate data spread anywhere in the world, in the cloud, in the data center, somewhere at your partner.
And we have a lot of different types of devices spinning from desktops and server servers and notebooks, tablets, and smartphones, which need to access that data anywhere at any time. And of course we have, whereas new types of identities, we have to incorporate into our it strategies, be not just employees, but partners, customers, business, fleet, prospects, and so on. This is really defining the way our, our corporate infrastructures are being built.
If we have a quick look at the typical computer networks 10 years ago, you will see that there was a very strong security parameter used relatively few mobile workers outside and also relatively few potential threats looking out there in the internet fast forward 10 days. And we have completely different picture. We have multiple locations. We have our corporate data spread anywhere on premise in data centers, in the cloud or in transit. And of course we have different locations, not just our own, but our partners and suppliers.
We have a vast majority of our working force working on the way or the mobile users now. And of course we have a lot of new threat vector, not just hackers, but cyber surveillance from national agencies and social networks. So the typical computer network, the typical corporate network now is much more complicated, has much more people involved in management. And of course there is no security perimeter anymore.
All this has left to profound paradigm shift in information security from perimeter security, since there is no perimeter anymore, we now know that traditional defense mechanisms leave too many gaps. They cannot protect from new types of threats, like fishing, malicious insiders, and so on. And we really have to assume that the hackers are already inside our networks. So we have to shift from perimeter security to protection against insight rates.
We have to realize that not only a hacker can already be working in our network, but they can have malicious insiders being dis granted employees or rogue administrators, or simply lost credentials, which are already been owned by a malicious user. In any case, we have to realize that this privileged credentials, this administrator accounts, or simply accounts with elevated privileges are number one target. And you have to realize that you will be hacked. It's not a matter of when it's not a matter of if, but when, so you really have to concentrate on protected those accounts. Yeah.
As I mentioned, pay it outside Rotax or using zero day exploits or botnets or fishing or other types of social engineering, or be it inside Rotax or from rogue employees or wanting to steal your data to fraudulent bookkeeping employees, to whistleblower bent on some kind of social justice in any case, or all this be a part of an advanced attack across your infrastructure against your corporate data. It doesn't really matter. Where does that come from outside or inside? The target is still your privileged account count in a one way or another compromise.
Administrative credential was the reason for each and every high profile data breach this year. And in the recent years, one thing that people tend to underestimate is the amount, the number and number of types of different privileged accounts. A typical network intrinsically has this. Isn't just our traditional administrators, those super users, or those windows admins who can do anything by design. This are also multiple server accounts or on windows or those demons on Unix servers, which also usually run at elevated privileges.
Those are database administrators, hypervisor administrators in your virtual machine infrastructure. Those are often hard coded credentials in your web application. Those are admins and operators and other elevated accounts for enterprise applications like SAP. All of them can be abused and there is really much more of those accounts than you would expect.
And some of those accounts are, of course cannot be changed, cannot be disabled because for network devices like your routers and switches and other, maybe industrial hardware, they usually have only one embedded account for engineering access. However, it's, it would be a big mistake if you concentrate only on shared privileged accounts. One thing we should realize that our privilege management spent not just across shared admin credentials, but also on normal users with our elevated credentials, your CFO is probably privileged enough to make really large financial transaction.
And of course the hacker taking control over his account can do a lot of financial damage. And of course you have to understand that our privilege management is not just about controlling, shared passwords. It really is about a lot of other stuff. For example, probably cannot manage your CFOs password, but at least you have to control his actions. And look for, there is a lot of different sources of risk, privileged accounts of other types exposed. They can be broadly categorized in three areas. The first one is abuse. The most obvious one, your data can be stolen.
Your data can be corrupted, or your services can be brought down by attack to deny your legitimate access to your data. Those stolen data can be stole or given to blackmailers or, you know, they can be used to attack specific persons and their families. And really the danger here goes far beyond the digital realm. So what to say, of course, open a lot of possibilities for misuse, be it simple curiosity of an admin, be it deliver abuse of privileges. Like I mentioned, someone authorizing a financial transaction, which he's normally not authorized to do.
And of course there are people bent on social justice. Some of them even we security experts consider positive some. So definitely not think of those anonymous guys. And of course there is always a place for mistakes, honest, accidental damage or accidental disclosure of your data, which is, can be especially dangerous when a person that's working with super user privileges that are basically no controls, no barriers for him to destroy damage, to disclose everything. So in fact, privileged account management is a little bit more complicated than just, you know, securing your passwords.
In fact, or if you look at the O bureau P account management requires a holistic approach, it involves not just technical measures. It involves a lot of organizational issues. A lot of careful planning, surely quite a few technical solutions to automated or security controls. And last but not least, it has a lot to do with trust assurance. You really have to involve your colleagues from HR, probably your internal security colleagues into this strategy, because, you know, how do you assure trust of your employers given the highest access without background checks?
For example, in fact, at this point, I would like to point to our website keeping call.com/reports, where we publish quite a lot of research, various topics. And of course, specifically on this free leadership brief on privileged account management configuration published recently by a colleague of mine, Mike, Small, as I say, it's available for free. We just have to create an account on our website. And it contains a lot of information in a very condensed form.
Now our topic, the webinar mentions seven keys course, one can debate whether seven, it's just a nice round number, but I try to list seven really prior a list of seven criteria, which I let's say we at call consider the most critical steps into developing your holistic PRM management strategy. First of course, is implementing the principle of least privilege everyone and everything like every person in every device are in your network should only be able to access what's necessary for them to do their daily job. Privileged accounts should not be used for daily work.
Second, you have to implement segregation of duties each and Emory action, which can be deemed dangerous or critical for your business processes has to be approved. And of course the request and approval of has to be performed by two separate individuals, no user or no admin should be able to authorize his own privileged actions. Number three is control the use of shared accounts. Since many different people can access the same shared account. You really have to control and trace their actions. You have to record their actions.
You have to keep the password, you know, secure it world, and you really have to check them out immediately before we needed action and check them in and probably rotate them as soon as action is finished, which is what the principle number four is doing. We should only allow the privilege access only when needed privilege access is by definition are limited to short period of time and has to be revoked after finishing that specific task let's go on, or number five is you have to limit the scope of leverage.
Unfortunately, by design many platform contain accounts which have super user capabilities like the route user in Unix or admin administrator user in windows, there are no built in controls to limit capabilities of such users, but there are that platform specific technologies which can be deployed on top of those systems to provide more granular control for those privileges and to limit those similarly limitless super user capabilities. Number six, you have to implement stroke authentication. Really. This is one of the most critical points.
The more privilege your account is, the more critical is to have a strong multifactor adaptive authentication, but that's identity really have to consider not using passwords at all, but switching into some talkings or biometrics or any other strong methods of authentication and finally principle number seven, you really have to monitor everything. Each privileged activity must leave an audit trail, not just for compliance, not just for forensics, just sometimes you or not just have to find out who is to blame, but really to understand how to fix what they have done.
And of course there are solutions on top of that, which not just offer Euro detection and monitoring, but alert in, in the middle blocking of those ions actions. So these are the seven keys, but unfortunately there are other considerations which have to, which are important enough to, to be mentioned.
So yes, obviously you have to deploy a privilege management system or a privilege management strategy involves a lot of different complicated technological steps, which you could probably try to implement yourself, but it'll be way too difficult. So you have to go and look for a complete solution, which, which are available from many vendors, which will help you automate all those basic principles, those seven keys across different platforms, systems, devices, and identities.
You really have to integrate which account management into your existing security infrastructure, because as a standalone system, without identity and other business context, you probably won't be able to fulfill it functionality optimally. You really have to make it an integral part of your multi multilayer security infrastructure. You have to plug it into your anti-malware vulnerability management network protection and so on.
And of course you have to plug it into your centralized or management analytics, be it a complicated SIM solution, be it some kind of a managed analytics and management service, your Palm, your privileged account management have to be available into in that central pain of glass. What you're saying. And as I mentioned earlier, you have to assure trust. You really have to use where else non-technical measures tool. Sure.
That individuals who are given privileged account privileged access in your company are checked and they're really reliable enough to be interested with it or privileged access. So these are my seven or 11 keys to developmental successful holistic privileged account management strategy. And at this point I would like to hand over to more who will be diving deeper into technical details and specific considerations and best practices. And of course, or we'll explain how to begin and progress PTO da am, project, and what to expect at the end. Marie it's now Thank you very much. Good afternoon.
Good evening, everyone. The pleasure to speak to you on behalf of beyond trust, regarding how to solve the, or create a successful privilege account management strategy. Hopefully you can see my slides.
Yes, Yes. And are they coming through correctly? Fantastic. So what I'd like to do is cover just a couple of the pitfalls as outlined before, and also some of the things that you need to consider in order to have a successful privileged account management strategy. First let's identify what a complete strategy entails. Some of this was covered in the previous slides.
You have to consider everything from accounts, assets, user systems, and even the activity in order to make the strategy work successfully accounts themselves can be automated accounts or session accounts, dedicated accounts, or even accounts that exist on white box appliances that are really all or nothing accounts they're either root or you have no access. They don't have any granularity for role-based access.
You need to consider the assets themselves, whether they're servers, workstations, whether they're network devices, whether they are those white box appliances, or even cloud as a part of the privilege account strategy, where do those administrative accesses or administrative access are located? What type of systems are there and how do people connect to them? Do you allow a direct connection? Are you sending them through a proxy? Do they have to VPN in, where are those assets? How are you gonna secure the privilege AC activity to it and even record sessions when necessary.
Now you also have to consider users, users themselves can be any type of user. They can be a service account. They could be associated with an identity and access management system. They could be service accounts. They could really be anything. And all those users, where are those accounts? If you wanna link the two together, have credentials that are hard, coded in a file. Do they use two factor or what is the technique for authentication and authorization? So consider those when you're trying to complete your privilege account management strategy.
Now there are many different types of systems out there. And this is in addition to the assets. These could be just logging into the operating system like on the asset, or they could be complex multi-tier type applications, some of which may require single sign on in order to pass all the way through from end to end, consider that when you talk about the infrastructure, especially if you're in an environment that may even have applications that are loaded on your mobile devices, that require you to log in and then literally access all the way through the backend.
And no matter what type of privileged access you have consider activity, how much recording, how much session monitoring, how much keystroke logging, how much playback or searching do you need? And you must also consider geographical considerations, government considerations as a part of the activity monitoring, what data are you allowed to track? What are you allowed to record? What is legal, what country you're in and can that data be sent out to a parent company overseas, or must it remain within the country's borders activity.
Monitoring is key to look for those breaches, but you must also consider where that data ends up in the end. Now this is a huge challenge. There's a lot of gaps in coverage. There are a lot of different tools out there that allow you to do one piece or another or change passwords or do lease privilege. But what ends up happening is you end up with a lot of different point solutions. One vendor does X one vendor does Y one vendor doesn't cover this or some other type of problem. The key here is to change or fill that gap.
Find a technology like beyond trust that can handle all the different platforms. Let's just say, Unix, Linux, windows, and Mac, all in one shop. So you're not left trying to integrate them in a very painful type of way. Using a single platform, knowing where to begin is an easy way to get started.
So, first off you have to ask yourself, what's your biggest risk? Where do you have shared accounts? Where are your crown jewels? Where is that sensitive information that a lot of people have privileged access to? Do you still have admin access on your desktops? How can you remove it and make 'em standard user? What programs will not function or what tasks just like changing the system clock won't function. After you remove admin access, helping prioritize those BI excuse me, biggest risks will help you get to that proper privileged account management strategy.
And then how are you gonna maintain it? So closing the gaps is key finding single sets of technology or solutions that allow you to basically integrate the data, see the data in one shot, track users, accounts, and systems holistically, and then literally starting your project anywhere in the mix, based on the biggest risks that your organization faces. Now like my counterparts at a coupling your goal, we have a seven step process that makes that successful as well.
They outlined it at a different level, but when you come to the technology and the strategy, those seven line up very nicely, the first part is to improve accountability and control over privileged passwords. Now I'll focus on the word privilege because there are multiple definitions for the word privilege that are out there. The industry community normally looks at it as anybody above standard user, anybody with rights to make a change, look at data or even administrator or root that's a privilege.
However, here in the United States, the word privilege defined by the us government or specifically the FBI is anybody that has access to a backend system regarding privileges. This is actually a definition that is given out during talks or, you know, cybersecurity events, but it's actually defined in the cybersecurity act for the us. So when you're talking to organizations or you're thinking about it in self, make sure you have a clear definition of the word privilege.
Is it just the ability to log in or does it definitely mean route or admin access now either way that you look at it, it is the accountability and control of it. The control of can log in regardless of the privileges and then what admin type price or route access do they have? One of the more common problems that we see if there are still admin access at the desktop or too many people know the local admin or domain admin account to make those changes in correspondence with application control, there is no reason an end user should have admin access to their desktop.
None doesn't matter if they're developer doesn't matter if they're help desk personnel or anybody. There are plenty of great tools out there and great solutions to making sure they operate in least privileged mode, such that they can perform their tasks every single day and attacks like pass the hash don't work anymore. And this is complimented by application control. If you're familiar with the Australian signals ate or any of the other government initiatives, worldwide application control is huge.
When you go down the route of least privilege, it's inherent that you can do that too, by trusting programs by their publishers, their digital signatures by their path, by their hash, a variety of methods to making sure only what's intended to run runs, updates and patches occur when needed and users can't download or drive by have drive by attacks from someplace else. Leveraging the application level risk is just much important when you consider that application control as well. It's almost like a reputation. Is there a known vulnerability? Has that application been exploited?
Is it properly, digitally signed? Is it the only one that exists in the environment who's running it and where those are key decision points, whether you decide an application to run or not. Now that same principle applies to servers. It doesn't matter where Unix, Linux, windows doesn't matter. Why should anybody really log into a server as an admin?
Well, the simple argument is, is, well, they gotta do their task. Well, that's fine.
They can, but allow them just log in privileges and specify whether the commands or the application has the privileges to run, but not the entire user. If someone has access to an Oracle database, why should they have full access to all of the Oracle commands? Just give them the ones that they need to perform their tasks and save root or admin or domain admin for those firefights, for those critical situations, if they just run MMC or they are responsible for cycling IIS or installing maintenance software, that's all they get. Now we're talking about multiple platforms.
We're talking about multiple tasks, everything from password to lease privilege, to monitoring, to recording on changes. Having a single pane of glass is key. Having it in a single location that correlates, Hey, user X, they were on all of these different platform systems, applications across the board. Here's all their activity. That's part of closing the gap. When you look at them separately, you end up with a bigger problem, multiple vendors, multiple tools, multiple ways of looking at it.
And you're left trying to correlate the results, tying that together and placing advanced threat analytics on top of it to see behavioral patterns. First time applications have been launched and other anomalies make that single pan of glass key. The integration of the parrots disparate systems. We've cover understanding how, where what, when doesn't matter, where, and then be able to do this in real time. If this is batch driven, it ain't gonna help you looking at a report from a week ago. Just means that a week ago, you could have been breached. Think about it.
The time to figure out the compromise is normally 200 days. That's a statistic that's well established out there. We need to bring that into hours, minutes, finding out this information in real time or close to real time is key in order for successful strategy. So from an outcome standpoint, you need to be able to control the accounts, assets, users, regardless, and you need a streamlined place to put all this data that gives you complete visibility across the environment.
A firm foundation, an appliance, a software install, a virtual machine someplace with a firm foundation that's hardened, secured, licensed key driven, not necessarily running open source technology where patches might not be applicable because someone hasn't, you know, looked at that piece of code in years, a firm foundation, where people can go knowing it's secure and maintained with what's called cots commercial off the self shelf software. The results to you will turn into a lower cost of ownership, as crazy as it sounds.
When you remove admin rights from the desktop, you will see help desk calls go down. People can't install software malware, doesn't take cold as easily changes to the configuration or the desktop don't occur. So those simple help desk calls tend to go away really, really quick return on investment.
It allows you to make risk based decisions as well when applications need to be authorized for the environment or approved knowing what they are having background regarding the frequency of vulnerabilities and patches and things like that that need to occur in order for a successful deployment it's readily available to you.
You can control the applications themselves and access to the systems, the accounts, regardless by the identity, by the time the location do they VPN in, are they on the network, et cetera, all of which will translate into great reporting for you, knowing that you have a secure platform, that the data is secure and also making it available as a reporting or an auditing standpoint to whomever needs it wherever they need it. And that goes back to the proper geolocation that I mentioned earlier. If the data needs to stay in a region or a country, only people in that region or country can see it.
And they actually will notify the end user that they are being audited when something occurs that nature very key in terms of privilege accounts. Now, from a standpoint, we have multiple solutions. We have privilege management, which I talked about in depth that's least privilege or enabling secure administrative access on Unix, Linux, windows, and Mac, all of which rolling into one console, secure privilege, password and session management, the ability to store your passwords automatically rotate them and have complete session recording keystroke, logging all in one solution.
However you want to deploy it. And it doesn't really matter if it's talking to a server, a switch or router, or even a custom device, all in one place consolidating your authentication. Why do you have to have separate password files on all Unix and Linux systems or even a Mac? Why not just use ad so active directory bridging, allowing a user on those non window systems to log in with ad credentials and authenticate against ad. And then finally the complete auditing and protection for SQL exchange file systems and active directory.
Tell me all of the changes that have occurred when they've occurred, who did them, why, and even have backup and recovery for it. It provides a comprehensive solution for all of the Pam strategy that we've just talked about. What is your entry point? Where do you need to start? Is it on lease privilege? Is it a password? Is it just understanding the changes that occur? Doesn't matter where in the cycle you start just that there is a tool to start handling those bigger pain points. And this plays into beyond insight.
I'd like to introduce you to it on this slide beyond insight is the IP risk management platform for all of beyond trust solutions, not only the privilege account management solutions we're talking about today, but retina, vulnerability management as well. What makes these two platforms unique tied together into beyond insight are multiple patents and multiple integrations. The capability to see when a privileged account is running, what the risk on the asset is, what is the risk of the applications they're executing all coming into a single location.
The beyond inside it risk management platform comes with every one of beyond trust solutions. You can choose to deploy it or not, but the platform is the management console for everything that we're talking about on this slide. So the simple question is why would I choose power broker as my privilege account management strategy solution? Because it has a broad market base. The core technology has been around since 1985, in 1985. We introduced the units and Linux components in the mid nineties.
We introduced windows and this year we just introduced Mac all manageable and modular from a single solution. All of the reporting from a single solution, you're not dealing with multiple vendors to solve each of these as separate targeted components. And with over 30 years experience, we can help you proactively monitor and manage these threats and mitigate many of them like past the hash because the technology doesn't fall or have faults that would allow you to be subject to that type of hack. So now I'd like to turn it over for a quick poll question.
Would you like to be sent to free trial of one of our privilege account management products? Okay. You should see, you should now see the real poll on your screen. So please choose one of the answers. And in the meantime, let me remind you that you can submit your questions for the Q and a session, anytime, preferably now. And in a few minutes, we will begin the, the Q and a session. Excellent. While people are answering those poll questions. I see a couple of questions have already come in. Do you wanna read those out? And then we'll close out the poll after a few of them. Okay.
We should, we can probably answer one question informally. So to say, first question is, do you have to start at step one to see the benefits of an end to end privileged account management strategy?
Well, let me or first add a few kind of my own observation on, on that. I believe that if you are even thinking in steps, you are probably thinking about some kind of a letter and which is completely wrong. You have to think about it.
Other, I don't know, puzzle or Lego model, where you have individual pieces, which you can combine freely and they just click together and you always end up not always provided you have or started with the right tools. You probably always end up with the some which is bigger than each individual component standalone.
So to say, I hope you see it just like that. I, I would agree a hundred percent. I also it's about risk and appetite. What are the biggest risks or pain points? Are you having a lot of infections coming from desktops? Are you worried about a lot of shared accounts on servers or trying to protect those crown jewels on servers? It doesn't really matter where you start, but if you're thinking about that as my colleague has indicated, you're already thinking about a strategy.
If you have a single project to remove admin rights, and you're not thinking the bigger picture, then the entire conversation is just a point solution. Try to think of it as a strategy, try to prioritize the risks that you experience. If you can't an auditor might be able to help you with that, but you really can start anywhere in the cycle knowing that the end goal is multiple components, multiple modules, and having a view that allows you to see across the enterprise. Okay. Great.
Well, I consider the waling has stopped already, so we should probably close this window and switch back to me for the proper Q and a session. Right? Okay.
As I said, please submit your question through this question tool and we already have quite a few. And let me read the next question aloud. So how does your solution address activities by administrators? I assume that your main, that super user sudo comment or on Linux, right? This was the question is, is how do you mitigate the complexities of deploying the solution? Is that the Question?
No, I just read it aloud. How does your solution address hearing activities by administrative Oh, viewing activities by No, no, no. I assume that, yeah, PDO, you know, that Linux command to, oh, Pseudo. Yeah. To I'm sorry, Functionality. So there's two, two different methods to do that.
In, in terms of our products, we have power broker, Unix, Linux. We also have power broker pseudo. The pseudo is a pseudo replacement or enhancement. It allows the propagation of PSDO files or other types of commands so that you don't necessarily have to replace it in the case of power, broker, Unix, and Linux. It is a replacement of that technology. There are policy files that allow you to basically specify which commands, which locations should run as an admin and which excuse me, root or elevated, and which one should not.
So depending on the way that you want to migrate your enterprise to completely removing P or not, the entres has technologies to be able to help you. Okay. Sounds reasonable. And now our next question is, yeah. How do you mitigate the complexities of deploying something so broad across the environment? The complexities really come down to what you're trying to do. If you're just trying to handle this as a point solution where I just need to be able to report on active directory changes, then you're in a project mode.
If you're thinking a holistic strategy, which is the point of this webinar and what we're really trying to solve with these privileged accounts start with, what do I need to see as an end result? What do the auditors expect? What does my management expect? Privileged user activity, monitoring of sensitive systems, egress of data, things of this nature. When you look at it in that fashion, the use cases that are really important to the business you end up with, I need to see all of it and I need to see it in one console. So therefore the complexity starts with, I know what my strategy is.
I know where my biggest pain points are. I'm gonna start with that project knowing I've got multiples, but architect with the centralized management console, in our case beyond insight to bring all the data together. As I move as modules through my life cycle or begin to implement them, it's really not that hard considering you may have a very complex environment, but very easy architecturally when you consider or know, I have to solve these pain points, start with, I need that single vision. Start with that single deployment, go after the project and roll all the data together. Okay.
But you are talking about people who already know their problems. What about those who just, you know, have a vague feeling that something is missing, but they cannot really explain what exactly can you support those types of potential customers as well? Certain certainly we have a variety of tools, some of which are free that can help you find privilege account problems. Where are user accounts within your environment? What are their password ages? We also have auditing tools. That'll help you identify where accounts are present or where account changes are occurring. That are unauthorized.
If you really don't know where to start, the biggest thing to do is start giving visibility and we have tools that can help you and with a little guidance from us or our partners, or even an Analyst helping you say, look, this is where we see the biggest problems. Let's see if it's true in your environment, you can identify where the biggest pain points are to start that process. Okay. Sounds good.
And by the way, let me step aside for a second now and make a shameless promotion for our own website, where you can find a lot of reports are both free and not exactly which would help you a lot to understand, you know, just, I mean, you as potential customers for beyond trust or any other PAA vendor that where you find information, which will help you to understand the, the depths and breadths and scope of all the potential problems and where to look for solutions.
So to say, which leads from which goes from free and concise reports like this leadership brief, I already mentioned simply download today to reviews of specific products like P store broker auditor tools, which more we just mentioned. So if you need more informed, you are very welcome. And of course you can find a lot of multi-vendor comparisons on different topics of privilege management.
And again, please submit your questions or using the questions tool, and we already have the next one. Could you give some examples of integrations between your products and how that integrations between your products and how that differs from the PMM tools in the market? That's a really interesting question. There are quite a few much longer than I could actually cover on this webinar. If you were to look at any of the disciplines that we've talked about in this slide, you'll find that there are point solutions for every single one, and none of them are integrated.
Very few of them will even integrated into your SIM GRC solution or even have analytics. So what we've done at beyond trust is we've integrated them. And many of them have patents that have been awarded. For example, simple use case when you're dealing with least privilege, let's just say on windows and I double click on an app that app might actually require real domain credentials. It has to authenticate using a real username and password. It may be a script that goes out and talks to multiple servers.
It may be an application like big fix or Al terrace, which is a, a great set of solutions, but they can't run with a modified security token. They need real credentials. So typically what people people will do is they'll right, click on it and do a run as, or they'll check the shortcut to say, run as administrator. And they have to type in real credentials. The problem is, is we don't want to do that. We don't want to give out creds for admins anymore. So one of the integrations, which is patented is a rule match.
When you double click on that application, it goes to our password, safe technology, completely seamlessly under the hood. No questions asked and retrieves the proper password for that application. And does the run ads without the end user ever seeing the username or the password. And even if you open up task manager, they don't know who the account is. So applications that need real credentials from a lease privileged standpoint are fully integrated into the password safe technology.
In addition, to being able to change on those same systems, the passwords of local accounts, help desk or service accounts from the agent standpoint and not the manager. So if it's a laptop with a backdoor help desk accounts or anything else, he can change the password and not rely on it being on the network where the manager can see him. Those types of use cases are key. And that's just one of many, many type of integration points between the privilege products or even vulnerability assessment, to be able to click on an app and go, Hey, I know that's a vulnerable app.
Retina's already told me it is. I'm gonna not allow you to have admin access, or I'm even gonna deny it from running because it hasn't been patched in, you know, 80 days or whatever it may be. That's key to handle the complexity because since all of these solutions are integrated and from one vendor, we have patents that have been awarded and we bring all that data to the single console. That's again, looking at it as a strategy. If you're focused on a project, you're not gonna get those benefits.
If you're thinking about a strategy, you're gonna get use case discussions that only the integrations can bring in the single platform. Okay. Sounds interesting. And I have a kind of a follow-up question on that. So you just mentioned, you can seamlessly run an application under a different credential, right? Not the user who is actually locked in. Can you do it the other way around? What if I'm already locked as an admin, but can you kind of force me to use my own credentials to identify who I am?
Yes, we can go in both directions. So one of the things is we have patented technology that when you double click on an app, we can modify the security token and require you to enter a justification as to why you're using that app. Whether you're a standard user or an admin. The key here is, is the modification work. If I'm an admin and I wanna strip out permissions for an app, other words, I'm logged into servers and admin, but I want MMC to only run with local credentials. So it can't connect to a remote machine. I can strip out the permissions. So that only work locally.
You can't do a connect to server, so it can work in either direction. And if you wanted the rule to match with the password safe, to be a whole different set of credentials, you could as well. So to answer your question, yes, it can work in both ways. Okay. Right.
So again, please submit the question. This is probably your last chance to submit the question. And in the meantime, could you please maybe elaborate a little bit on that integration between privilege management and auditing? So how exactly do the work together? Certainly part of retina, which is our vulnerability assessment solution is we offer a tool called the retina community version. This is a free product that does vulnerability assessment, but also does a complete asset inventory, including user accounts.
So if you wanted to see where the age of user accounts are or things like that by all means welcome to download that free version from our website. In addition, we have the auditing and protection suite power broker management suite. That's designed to monitor all of the changes of that inactivity, excuse me, changes in active directory or changes in the file system or sequel, or even exchange to report back on what is actually occurring.
So you can use either one as a full product to figure out what's happening from now forward, or as a discovery tool in the community versions to say, what is the state of my enterprise. Okay, great. Okay. So please continue asking questions. We have the next one, which is probably for me. So is there any way to get a copy of the slides?
Well, first of all, you will definitely be able to download the whole recording of the webinar tomorrow from our website. And you can also download the slides, at least in PDF format, which are already there. So you can just go to our website, find this appropriate webinar and download those slides directly, or you will probably find it under code.com/webinars. And we have, the next question is what are typical integration approaches for strong authentication solutions?
For example, the company has already a two factor authentication based on UBI, keys in place, and might want to use it with your PIM solution. I guess that's the question for you?
So yeah, so two factor is fully supported. If you're using something like our password safe technology, you would log in with two factor and then you would start the session automatically based on the request. So if I needed access to the back end server, your two factor brings you into the console, allows you to make the request. And then the connection is made to that backend server. It acts as a proxy. You're not actually talking directly to that server. Now that connection itself could expose the username and password.
If you want, doesn't have to, you fully can record the session as well, so that you can basically have that audit trail, but essentially two factors supported and we act as a proxy to broker the connection. And then once that connection is done, password is scrambled.
Now, in addition to that, we do support advanced workflows so that when someone requests access to that system, a manager or multiple people have to approve it, and that can be done by time date, et cetera. So if I request access to a sensitive system, an email gets sent to the manager at his time date window that they're supposed to receive it. It can be someone else in another time and they have to approve that access.
So you have a dual control type of system where when you have to log to even request with two factor and then approve who can have access and when based on however you set up the solution. Okay, great. But I guess the question was a little bit more specific. So do you support UBI keys? I'm sorry.
UBI, UBI, keys, UBI key from the UBI core company, the Swedish, I would say nowadays one of the most popular providers of hardware strong, authentic. Yeah.
I, sorry. It's just hard to hear you. Yeah. Certain parts of our technology support that if you could drop a quick email to our sales department, I will happy to get you direct inquiry as to how and what we do to support that. Okay. So I have noted down the name of the person who was asking that, and I will give you, I mean, I'll try to put you both in contact, thanks. And by the way, speaking of UBI just reminded me for another interesting topic. We've been closely following here, keeping a call.
What's your stance on fighter Alliance or in general, like what's your views on the future of standardization efforts in this area of strong authentication? My views on strong authentication is I'm sorry, it's just hard To hear you also, you know, you know, fighter Alliance is now working on a set of standards for strong authentication for multifactor authentication. We at KU find it extremely promising because instead of, you know, supporting multitude of different proprietary technologies from different vendors, you could just support a standard.
Have you been following the development or do you plan to, We are following the development of that. And it is something that is in our backlog based on adoption and more importantly, client requests that will be considered as our future solution set. Many times there are standards out there that seem good, but the adoption is difficult or just not that far reaching.
So if this is something that is important to you, please make sure the analysts know and make sure my teams know whether you're talking to our sales team, if you're an existing client or another route, but it is definitely something that we're looking in and very interested in, in terms of the standardization, but market demand really does dictate what we develop into our solutions and adopt Well, we're we as Analyst, Analyst, Analyst, Analyst actually see quite a lot of adoption recently, specifically from Yubico because, you know, they have recently with a lot of efforts collaborating with Google and top and other large web services on the internet.
So it's, I mean, it's a hint from keeping a call to beyond trust. You should really look into that. I really do appreciate that.
I, I know it's an arts backlog. I know what we're after I'm looking for the best justification for my clients is to how fast I did release it or when so very well taken. Thank you. Great. Okay. So as there are no more questions at the moment now you really have the very last chance to submit one more. We'll wait another minute. And like another person asked or here is the URL URL of our website. call.com latest tomorrow. You will find the recording of this webinar and download of the slides available at call.com/webinars.
And again, since there are no further questions from the audience left, I can only thank you very much, Marie, for joining me in this webinar today. Thank you very much for all the attendees, for being with us. I hope to see you again in our future webinars and maybe some of you will attend our conference in Munich next may. So I will meet some of you in person will speak led to thanks again and have a nice day. Thank you very much.
